Run DHCP Server inside rootless container

[Rabbit234]

I cannot use ISC DHCP Server with rootless podman.

I made sure that podman is allowed to expose on unprivileged ports.

sysctl net.ipv4.ip_unprivileged_port_start
net.ipv4.ip_unprivileged_port_start = 0

I created a minimal Dockerfile for starting ISC DHCP Server

# Dockerfile
FROM debian:latest
RUN apt-get update 
RUN apt-get install -y isc-dhcp-server iproute2
COPY dhcpd.conf /etc/dhcp/dhcpd.conf
COPY dhcpd.leases /var/lib/dhcp/dhcpd.leases
CMD ["/usr/sbin/dhcpd", "-f", "-d", "-cf", "/etc/dhcp/dhcpd.conf", "-lf", "/var/lib/dhcp/dhcpd.leases", "--no-pid"]

podman build -t dhcp-server .
podman run --rm --name dhcp-server --net=host --cap-add=NET_ADMIN --cap-add=NET_RAW --privileged dhcp-server

Internet Systems Consortium DHCP Server 4.4.1
Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
unable to create icmp socket: Operation not permitted
Config file: /etc/dhcp/dhcpd.conf
Database file: /var/lib/dhcp/dhcpd.leases
PID file: /var/run/dhcpd.pid
Wrote 0 leases to leases file.
Open a socket for LPF: Operation not permitted

If you think you have received this message due to a bug rather
than a configuration issue please read the section on submitting
bugs on either our web page at www.isc.org or in the README file
before submitting a bug.  These pages explain the proper
process and the information we find helpful for debugging.

exiting.

I am not sure if using --privileged is needed because I get the same error without the flag.
Is there anything I am missing or do I need another capabilities on host for this specific use case?

[Luap99]

I don't think this is possible in the host network namespace, while you can add capabilities inside the container the kernel knows that you (a user) is not allowed to modify the host network namespace.

Rootless podman cannot gain more privileges that your user already has so it is impossible to modify the host network namespace or open a raw socket in it. If it were this would be a huge security problem.
The sysctl allows you only to bind low ports, e.g. udp or tcp but I think dhcp requires a raw socket so it shouldn't matter in this case.

I think the only way to make it work is to run podman as root.

[Rabbit234]

Thanks a lot for your reply. I already assumed that this is not possible. We will try something different here. Have a great day.

[rhatdan]

@Luap99 is correct this is not possible in rootless mode.