How to exemplify this shortcoming of rootless podman: "When using --net=host with rootless containers, subsequent podman execs ..."

[eriksjolund]

In the list Shortcomings of Rootless Podman there is this sentence:

When using --net=host with rootless containers, subsequent podman execs to that container will not join the host network namespace because it is owned by root.

Does anyone have an example showing this?

I tried it out on Fedora CoreOS 40.20240825.1.0 but I am not able to demonstrate it.
On the other hand I don't know exactly what is meant.

Here is my best trial

1. Create directory

   mkdir ~/dir
   

2. Change directory

   cd ~/dir
   

3. Create the file Containerfile containing

   FROM docker.io/library/fedora
   RUN useradd test
   

   (user test then has UID 1000 and GID 1000)
4. Build the container

   podman build -t myimg .
   

5. Create the file ~/start.bash containing

   #!/bin/bash
   set -o errexit
   set -o nounset
   dir=$(mktemp -d)
   touch $dir/file
   chmod 777 -R $dir
   
   ctr=$(podman run  --rm -d -v $dir:/dir:z --network=host localhost/myimg sh -c "ls -ln /proc/self/ns/net >> /dir/file && sleep 300")
   sleep 1
   podman exec --user 1000:1000 $ctr sh -c "ls -ln /proc/self/ns/net >> /dir/file"
   podman exec --user 1000:1000 $ctr sh -c "curl -sL www.kernel.org | head -1 >> /dir/file"
   echo result:
   cat $dir/file
   

6. Run the script

   bash start.bash
   

   The following output is printed

   result:
   lrwxrwxrwx. 1 0 0 0 Aug 31 10:15 /proc/self/ns/net -> net:[4026531840]
   lrwxrwxrwx. 1 1000 1000 0 Aug 31 10:15 /proc/self/ns/net -> net:[4026531840]
   <!DOCTYPE html>
   

(I don't know how to interpret the results)

For details, see

podman/rootless.md

Line 47 in ef905ef

* When using --net=host with rootless containers, subsequent podman execs to that container will not join the host network namespace because it is owned by root.

[eriksjolund]

I found a clue

The git commit message
9de18a1
says it fixes
#4473
which has a section Steps to reproduce the issue:

[eriksjolund]

After reading #4473 and #10384 I'm beginning understand what this is all about. I'll close this discussion thread.