Cannot use sysctl in pod

[xfoobar]

/kind bug

Cannot use sysctl.net.ipv4.ip_unprivileged_port_start in pod

Steps to reproduce the issue:

podman pod create --name=test_pod

podman run -it --rm --pod=test_pod fedora:35 echo foobar1
podman run -it --rm --sysctl=net.ipv4.ip_unprivileged_port_start=80 fedora:35 echo foobar2
podman run -it --rm --pod=test_pod --sysctl=net.ipv4.ip_unprivileged_port_start=80 fedora:35 echo foobar3

Describe the results you received:
foobar1
foobar2
Error: open /proc/sys/net/ipv4/ip_unprivileged_port_start: Permission denied: OCI permission denied

Describe the results you expected:
foobar1
foobar2
foobar3

Additional information you deem important (e.g. issue happens only occasionally):
The cause of the problem is "--pod".

Output of podman version:

Version:      3.4.4
API Version:  3.4.4
Go Version:   go1.16.8
Built:        Thu Dec  9 05:45:07 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.30-2.fc35.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.30, commit: '
  cpus: 8
  distribution:
    distribution: fedora
    variant: server
    version: "35"
  eventLogger: journald
  hostname: ***
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.15.11-200.fc35.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 798375936
  memTotal: 3039383552
  ociRuntime:
    name: crun
    package: crun-1.4-1.fc35.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.4
      commit: 3daded072ef008ef0840e8eccb0b52a7efbd165d
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc35.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 3012554752
  swapTotal: 3038769152
  uptime: 147h 45m 37.86s (Approximately 6.12 days)
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: ***.mirror.aliyuncs.com
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io
  search:
  - docker.io
store:
  configFile: /home/***/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.7.1-2.fc35.x86_64
      Version: |-
        fusermount3 version: 3.10.5
        fuse-overlayfs: version 1.7.1
        FUSE library version 3.10.5
        using FUSE kernel interface version 7.31
  graphRoot: /home/***/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 22
  runRoot: /run/user/1000/containers
  volumePath: /home/***/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.4
  Built: 1638999907
  BuiltTime: Thu Dec  9 05:45:07 2021
  GitCommit: ""
  GoVersion: go1.16.8
  OsArch: linux/amd64
  Version: 3.4.4

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.4.4-1.fc35.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):
physical/fedora35 amd64

[rhatdan]

These worked for me?

$ podman pod create --name=test_pod
4b10a21c5b8c2b4f8a598de1eace7b94918d813055891276c2472df856a7fbc1
$ podman run -it --rm --pod=test_pod fedora:35 echo foobar1
Resolved "fedora" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.fedoraproject.org/fedora:35...
Getting image source signatures
Copying blob 4545346f2a49 skipped: already exists  
Copying config 3059bef432 done  
Writing manifest to image destination
Storing signatures
foobar1
$ podman run -it --rm --sysctl=net.ipv4.ip_unprivileged_port_start=80 fedora:35 echo foobar2
foobar2
$ podman run -it --rm --pod=test_pod --sysctl=net.ipv4.ip_unprivileged_port_start=80 fedora:35 echo foobar3
foobar3

I actually think this does not work the way I would expect. I would figure the sysctl should only work on the pod and not on the container. If these containers are in the same Pod, by default they are sharing the network namespace. So setting this field for each container would alter it for the other containers, which potentially could cause unexpected behaviour.

@cdoern Could you add --syscall support to podman pod create?

[xfoobar]

It worked after reinstalling the os, and I don’t know why

[cdoern]

Reopening to implement on the pod level

[cdoern]

so @rhatdan just to clarify, this is something that only needs to be set in infra, not passed down on a container by container basis? Currently working on this and running into some namespace issues upon implementation

[rhatdan]

Correct, the containers will not be allowed to do this.