Rootless podman in rootless podman is not using slirp4netns

[PangHLIT]

Issue Description

According to the rootless podman documentation, slirp4netns is the default network mode for rootless. But rootless podman in rootless podman is using host network mode, which is confusing. And one of the drawback is that port publishing (i.e. podman run -p) of the inner container does not work.

Steps to reproduce the issue

Steps to reproduce the issue

1. podman run -d --security-opt label=disable --user podman --device /dev/fuse quay.io/podman/stable podman run -p 8888:22222 alpine nc -l 22222
2. podman exec -l podman inspect -l --format={{.HostConfig.NetworkMode}} {{.HostConfig.PortBindings}}

Describe the results you received

Podman inspect shows that the network mode is host and port binding set (published ports) is empty.

host map[]

Describe the results you expected

Network mode being slirp4netns and the port binding set as specified in "-p hostPort:containerPort".

slirp4netns map[22222/tcp:[{ 8888}]]

podman info output

host:
  arch: amd64
  buildahVersion: 1.29.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.6-1.module_el8.8.0+3470+252b1910.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.6, commit: 21c43a36b2ccb9799dfab0e8428837fca920fb45'
  cpuUtilization:
    idlePercent: 98.19
    systemPercent: 0.52
    userPercent: 1.29
  cpus: 7
  distribution:
    distribution: '"almalinux"'
    version: "8.8"
  eventLogger: file
  hostname: lap0832
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.15.90.1-microsoft-standard-WSL2
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 1368735744
  memTotal: 14661337088
  networkBackend: cni
  ociRuntime:
    name: runc
    package: runc-1.1.4-1.module_el8.7.0+3407+95aa0ca9.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.1.4
      spec: 1.0.2-dev
      go: go1.18.9
      libseccomp: 2.5.2
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_SYS_CHROOT,CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-2.module_el8.7.0+3407+95aa0ca9.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 0
  swapTotal: 0
  uptime: 120h 58m 23.00s (Approximately 5.00 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /home/ypcheung/.config/containers/storage.conf
  containerStore:
    number: 5
    paused: 0
    running: 0
    stopped: 5
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/ypcheung/.local/share/containers/storage
  graphRootAllocated: 269427478528
  graphRootUsed: 163648200704
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 9
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/ypcheung/.local/share/containers/storage/volumes
version:
  APIVersion: 4.4.1
  Built: 1688126783
  BuiltTime: Fri Jun 30 20:06:23 2023
  GitCommit: ""
  GoVersion: go1.19.10
  Os: linux
  OsArch: linux/amd64
  Version: 4.4.1

Podman in a container

Yes

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[Luap99]

we overwrite containers.conf in the podman image so this is expected: https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/containers.conf

[PangHLIT]

Please consider adding the information to the rootless podman documentation, such that users will know what the expected behaviors are.

Meanwhile, could you please let me know how to enable port publishing with rootless podman in rootless podman? Example use case is running multiple containers that listen on the same port in the container. With host network mode, they will crash with each other. With slirp4netns, we could remap the ports to different ports on the outer containers. Is there a way to force slirp4netns mode in containers.conf? I have not been able to find a way to add that for containers launched via docker api.

Thanks.

[Luap99]

change host to private in containers.conf

Please consider adding the information to the rootless podman documentation, such that users will know what the expected behaviors are.

Feel free to create a PR to improve docs, I don't know where and what information you would expect.

[PangHLIT]

Changing netns from host to private only works if --device /dev/net/tun --cap-add NET_ADMIN is added to the outer container's run parameters. Otherwise, the inner container would fail to run with

Error: /usr/bin/slirp4netns failed: "open("/dev/net/tun")
I am not sure if this is intended or not.

I think the information I'm looking for in the documentation is how rootless podman in rootless podman differs from rootless podman. And more importantly, why. I'll be more than happy to create the pull request for documentation update if I know the reasons behind those decisions.

[Luap99]

Well based on the error you get you see why, the defaults are chosen so it will run a "normal" container with little privileges.