cap_net_raw rootless

[krisdevopsbot]

Is there anyway to make this work containerized and capture a host interface? trying to setup a tcpdump container as we save some pcaps for certain traffic. tried various things (setting cap on podman itself, adding cap-add cap_net_raw), but always end up with operation not permitted for the interface

[mluhmann]

I have the same question. But I am configuring several systems as root, for my users. Some users will need the cap_net_raw capability for their rootless containers. How can I configure the systems to extend their capabilities in rootless?

[rhatdan]

No CAP_NET_RAW is required on the process running podman, nothing in rootless containers allows you to get around this. The best you can do is run with sudo.

[mluhmann]

I already tried the sudo approach and it looks promising. But my users are using quadlets for their applications. There is no one using a run command after setup. How would a quadlet look like? It is placed in ~/.config/containers/systemd/ and then loaded via

systemctl --user daemon-reload
systemctl --user start <ServiceName>

[rhatdan]

Quadlets work in rootful mode.

[mluhmann]

I know, that they also work in rootful, but I need them to run rootless (what they already do) but with the possibility to have CAP_NET_RAW.

[sbrivio-rh]

By the way, we have a demo in seitan where the supervisor (seitan) opens a socket on behalf of the target process (a process in the container) and replaces it in its file table atomically. You could change that demo to open a raw(7) socket (or AF_PACKET, depending on the application).

It's entirely experimental and not production-ready, but I thought that somebody might feel like playing with it and contributing back.

The related Podman demo uses OCI annotations to load the BPF filter and it's intended exactly for cases like that, where a rootless container needs just one specific privileged operation and you would like to avoid granting the whole runtime a capability (or run it as root).

[Koli0842]

I also bumped into needing this capability (DHCP packet sniffing for home assistant), and I don't see any obvious way forward, other than to switch to rootful containers. If anyone is aware of any movement on the topic, feel free to let me know.

[Luap99]

There is no movement, this is the expected behavior as rootless user namespace cannot ever gain capabilities on the host. The only way to work around that is to add some kind of privileged daemon that does the privileged action on the users behalf. One way was mentioned already #21079 (comment)

[Luap99]

And to be clear CAP_NET_RAW is network namespace aware, a rootless container can run things like tcpdump in its own privately created network namesapce. However you can never do that on the host network namesapce because that would mean you could snoop all traffic which logically cannot ever be allowed by the kernel for security reasons.

This works:

$ podman run --rm -it --cap-add NET_RAW quay.io/libpod/testimage:20241011 socat IP4-RECVFROM:4 -

While this will not work:

$ podman run --rm -it --cap-add NET_RAW --network host  quay.io/libpod/testimage:20241011 socat IP4-RECVFROM:4 -
2025/09/01 16:42:32 socat[1] E socket(2, 3, 4): Operation not permitted