Hi! One thing that feels a bit limiting with podman is the apparent everything-or-nothing focus in the documentation I find, where either the entire stack is rootless or the application is run in rootful mode, with no distinction between configuration time and run time. Is there a way to set up a "real" bridge or macvlan network with administrator help (persistent IPs, isolated network namespace, no slirp4netns overhead), while still being able to write your own pods as a rootless user? The idea that running a service in rootless mode implies that the container runtime has to be rootless at configuration time is by far my least favourite part of podman as used in my org right now; defaulting to host networking to avoid slirp4netns just makes rootless containers less safe than rootful ones in practice. Would it be possible to allow specific users to use bridge/macvlan networking with polkit rules or some other security model that isn't everything or nothing?
It is not something that we support or have plans to support, but you can run your own netns setup however you like; for example, there is this project: https://github.com/neverpanic/podman-rootful-network
In general you can set up any netns however you like and have containers use them; however, the kernel requires that the netns must be created from within the rootless podman userns in order to use it.
You can also write your own network plugin that connects to some privileged daemon which then configures the netns for you, as mentioned in #23303