How can I use CNI host-device in a podman container

[seanrmurphy]

Hi,

I'm trying to checkpoint a container with a somewhat complex configuration. I encountered some issues which are (somehow) at the intersection of podman and criu and relate to networking.

Essentially, I had a configuration in which I created a tun/tap within a container and passed this to qemu which picked it up correctly. I then performed a checkpoint on the container but was unable to restore. The crux of the problem was that I created the tun/tap within the container and this was not known to either podman or criu so it was not captured during the checkpointing operation. (More detail here: checkpoint-restore/criu#1499)

I'm now considering an approach in which I create the tun/tap on the host and pass it to the container via CNI mechanisms - I'm hoping that this way podman will know about it and it will get set up correctly in the restore operation; however, it's quite unclear to me how this can be done. I see this issue #2070 which ends up focusing more on net=none than explicit support for host-device.

So, does podman support host-device connections and, if so, how can they be set up?

Thanks for any pointers...

[mheon]

Podman has no support for creating CNI host-device networks via podman network create, but if you manually create a CNI host-device config, we will happily let you create containers using said network via --net=$NAME where $NAME is the name you've given to the network. This should work with CRIU as long as the network config is present on the system you restore on (I don't believe it's packaged in the CRIU checkpoint).

Please note that this only works with root containers - rootless containers lack adequate permissions to access devices on the host.

[seanrmurphy]

Thanks for that @mheon - for anyone else who is unclear about this, here's an example - I used podman network create to create a test network, the file test-network.conflist appeared in /etc/cnd/net.d and I modified it as follows:

fedora@ip-10-0-2-204 /e/c/net.d> cat test-network.conflist 
{
   "cniVersion": "0.4.0",
   "name": "test-network",
   "plugins": [
      {
         "type": "host-device",
         "device": "tap",
	"ipam": {
            "type": "static",
            "addresses": [
                {
                    "address": "192.168.100.2/24",
                }
            ]
         }
      },
      {
         "type": "dnsname",
         "domainName": "dns.podman",
         "capabilities": {
            "aliases": true
         }
      }
   ]
}

Then I was able to launch the container and it picked up the interface (it had a different name inside the container but the alias was correct, as was the MAC addr); interestingly, CNI disconnected it from a bridge I had set up in the root netns.

[RobertWojtowicz]

I have some problem with a similar configuration, specifically with multicasts on multiple sr-iov, maybe you can help ?
containernetworking/plugins#787

[DiesIstMeinGitName]

The above "test-network.conflist" doesnt appear as network in user environment. I think:
"rootless containers lack adequate permissions to access devices on the host"

But:
I defined tap0 in advance with user and group

gerhard@G14:/sys/devices/virtual/net> ls -l
insgesamt 0
drwxr-xr-x 7 root root 0 24. Mär 13:32 br0
drwxr-xr-x 7 root root 0 24. Mär 13:32 br1
drwxr-xr-x 5 root root 0 24. Mär 13:32 lo
drwxr-xr-x 6 gerhard users 0 24. Mär 13:39 tap0
drwxr-xr-x 6 root root 0 24. Mär 13:32 vlan102

i think, my user has "adequate permissions to access" tap0.
In old times before libvirt i connected quemu-machines with tap's without root-rights in this manner.
Can i circumvent this problem? or
"It's not a bug, it's a feature"
(answer from support of a big software company in 1990s)