Podman not using Pasta in certain cases

[jjhidalgar]

Issue Description

Podman not using Pasta in certain cases. This makes it NOT work when going rootless.

These cases are

• When using a pre-created network
• When using podman compose (I think it's related to this compose does not use pasta network  podman-compose#967)

Steps to reproduce the issue

This works:

podman run -d -p 8000:8000/udp ubuntu:latest sleep infinity

This doesn't work:

podman network create infra
podman run --network=infra -d -p 8000:8000/udp ubuntu:latest sleep infinity

Error: netavark: iptables: No such file or directory (os error 2)

Describe the results you received

Error: netavark: iptables: No such file or directory (os error 2)

You can see how the container that works fine (without --network, or without docker compose), has pasta in the NetworkMode, while the other doesn't

[rocky@aws-infra-vm:~/Logstash]$ podman inspect 743411ef0e78 | grep Net
          "NetworkSettings": {
               "Networks": {
                         "NetworkID": "infra",
               "NetworkMode": "bridge",
[rocky@aws-infra-vm:~/Logstash]$ podman inspect 4a065dcdba50 | grep Net
          "NetworkSettings": {
               "NetworkMode": "pasta",

Describe the results you expected

No errors

podman info output

podman info
host:
  arch: amd64
  buildahVersion: 1.37.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.20240313132120223048.main.19.gaffab49.el9.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 97.43
    systemPercent: 0.58
    userPercent: 1.98
  cpus: 2
  databaseBackend: sqlite
  distribution:
    distribution: rocky
    version: "9.4"
  eventLogger: journald
  freeLocks: 2045
  hostname: aws-infra-vm.aws.cccis.com
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.14.0-427.16.1.el9_4.x86_64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 2688086016
  memTotal: 4022386688
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.1-1.20241015153705227287.main.42.g25bf0c8.el9.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.0-dev
    package: netavark-1.10.3-1.el9.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: crun-1.17-1.20241014095439306722.main.20.g53cd1c1.el9.x86_64
    path: /usr/bin/crun
    version: |-
      crun version UNKNOWN
      commit: 34286c495ef155194388d1b953dfbf9a586d6e71
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20231204.gb86afe3-1.el9.x86_64
    version: |
      pasta 0^20231204.gb86afe3-1.el9.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 1h 15m 25.00s (Approximately 0.04 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /home/rocky/.config/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 1
    stopped: 2
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.13-1.el9.x86_64
      Version: |-
        fusermount3 version: 3.10.2
        fuse-overlayfs: version 1.13-dev
        FUSE library version 3.10.2
        using FUSE kernel interface version 7.31
  graphRoot: /home/rocky/.local/share/containers/storage
  graphRootAllocated: 10587451392
  graphRootUsed: 1761443840
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/rocky/.local/share/containers/storage/volumes
version:
  APIVersion: 5.3.0-dev-29eb8ce09
  Built: 1725235200
  BuiltTime: Mon Sep  2 00:00:00 2024
  GitCommit: ""
  GoVersion: go1.21.11 (Red Hat 1.21.11-1.el9_4)
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.0-dev-29eb8ce09

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

AWS instance

Additional information

I can fix the issue if I configure this in the system:

dnf install netavark # this would also install dependencies: iptables-libs, iptables-legacy and iptables-legacy-libs
modprobe ip_tables

Then, it works, but I'm not sure if it's using Pasta when doing so

podman inspect 28c2d0e259f2acc96287552db59d7bd788b140fcfb818fe9b17a81cf30c2a9c4 | grep Net
          "NetworkSettings": {
               "Networks": {
                         "NetworkID": "infra",
               "NetworkMode": "bridge",

If we compare to the above case (when not specifying --network, and not using compose), we see the containers with this:

"NetworkMode": "pasta",

[Luap99]

That is just how this works, #22943 (comment)

If you want to use bridge networks you need netavark and all the stuff it needs to configure that

You can configure netavark to use nftables: https://fedoraproject.org/wiki/Changes/NetavarkNftablesDefault#How_To_Test

But also you should not need to install iptables at al on a RHEL system as it should already be a dependey in the rpms and there is no iptables-legacy use on RHEL 8 and newer as they only use the iptables-nft compat layer.