Rootless podman with own network namespace or networking

[electrofloat]

Hi!

I'm trying to find a way where I can start a rootless podman container and attach it to an already existing netns and/or interface.
I can create the required interfaces and set them up the way I want as root, then I'd like to use those from rootless podman. (maybe I configure 1 bridge and some containers would be part of it so that they can communicate with each-other, maybe I want a different interface for every container with different ip addresses, route them/firewall them the way I want)

The approach written here is almost ok: https://lists.podman.io/archives/list/[email protected]/thread/W6MCYO6RY5YFRTSUDAOEZA7SC2EFXRZE/

but it depends on starting the container first (and also depending on it not stopping immediately because network is not available at that point), and also needs to be done every time the container stopped/started. Nor really convenient.

Also here: #13706 (comment) - rhatdan says: "Allowing users to setup their own network namespace and allow that to joined to a Podman container is the best we can do."

Can this already be achieved with current config options for rootless podman, or is this something that needs development?

[Luap99]

If you have an netns you can use podman run --network ns:/path/to/netns .... However in order for a rootless user to have permissions to use it the netns must be created by the user within the podman user namespace, then you can use root to add devices into this netns, see #10384

[Luap99]

Although now thinking about it maybe I could just use --uidmap to map it to a user I would run it in rootless mode?

Yes this will work.

So are you telling me that if I run podman as root and with --uidmap, is it exactly the same as running it in rootless mode just with rootns networking?

No of course not, in one case podman runs with user privileges and in the other with root. However in both cases the container will run in a usernamespace where the real root is not mapped.

Also I need podman to not touch in any way/shape or form iptables/network interfaces.

If you run all containers with --network ns:... podman will never touch anything network related. Only when you use named networks it will start configure things accordingly.

Podman works fine with the iptables-nft backend so there is no need for the legacy iptables to be installed.

[electrofloat]

The thing is that I don't want iptables binary (let it be legacy or -nft) be on my system at all. nftables exists for about 10 years now, podman should already support it. Not to mention that using rootless podman only, does not need iptables package at all.

Anyways.. I think I'll wait for the 4.4 release (shouldn't it be that far away since 4.4.0-RC3 has just been released the other day, should it?) and also for an official way to install it on ubuntu 22.04, preferably without the words, WIP, CAUTION, UNSTABLE, etc. and try out the new pasta driver.

[Luap99]

Well installing dependencies is up to your package manager.

Not to mention that using rootless podman only, does not need iptables package at all.

Not true, you can use named networks as rootless and this will use CNI or netavark in a extra network namespace and it will call iptables there. It works like that since at least v3.2.

[mailinglists35]

is this all (attaching a netns to a rootless) documented in a structured way somewhere, or is everything spread into small parts inside github discussions and issues like here? for example information discussed here and implemented in #9423 is not found in https://github.com/containers/podman/blob/main/docs/tutorials/basic_networking.md nor https://www.redhat.com/sysadmin/container-networking-podman

[daiaji]

It sounds really complicated and lacks detailed guidelines.