
Container gets private network when pod is created with --network=host #13763

Closed
mskarbek opened this issue Apr 3, 2022 · 8 comments · Fixed by #14461
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@mskarbek

mskarbek commented Apr 3, 2022

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Steps to reproduce the issue:

  1. podman pod create --network=host --name=net-test

  2. podman run -d --pod=net-test ubi8/ubi:8.5 sleep 300

Describe the results you received:

# podman inspect 40625a49989e-infra | jq .[].NetworkSettings
{
  "EndpointID": "",
  "Gateway": "",
  "IPAddress": "",
  "IPPrefixLen": 0,
  "IPv6Gateway": "",
  "GlobalIPv6Address": "",
  "GlobalIPv6PrefixLen": 0,
  "MacAddress": "",
  "Bridge": "",
  "SandboxID": "",
  "HairpinMode": false,
  "LinkLocalIPv6Address": "",
  "LinkLocalIPv6PrefixLen": 0,
  "Ports": {},
  "SandboxKey": ""
}
# podman inspect boring_grothendieck | jq .[].NetworkSettings
{
  "EndpointID": "",
  "Gateway": "10.88.0.1",
  "IPAddress": "10.88.0.2",
  "IPPrefixLen": 16,
  "IPv6Gateway": "",
  "GlobalIPv6Address": "",
  "GlobalIPv6PrefixLen": 0,
  "MacAddress": "c6:12:25:1c:c1:bd",
  "Bridge": "",
  "SandboxID": "",
  "HairpinMode": false,
  "LinkLocalIPv6Address": "",
  "LinkLocalIPv6PrefixLen": 0,
  "Ports": {},
  "SandboxKey": "/run/netns/netns-cd354ff6-27b8-c6a7-1c8e-70af40e457bb",
  "Networks": {
    "podman": {
      "EndpointID": "",
      "Gateway": "10.88.0.1",
      "IPAddress": "10.88.0.2",
      "IPPrefixLen": 16,
      "IPv6Gateway": "",
      "GlobalIPv6Address": "",
      "GlobalIPv6PrefixLen": 0,
      "MacAddress": "c6:12:25:1c:c1:bd",
      "NetworkID": "podman",
      "DriverOpts": null,
      "IPAMConfig": null,
      "Links": null,
      "Aliases": [
        "75ac3dca28c4"
      ]
    }
  }
}

Describe the results you expected:
Container should also get host network.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Client:       Podman Engine
Version:      4.0.0
API Version:  4.0.0
Go Version:   go1.17.7

Built:      Mon Feb 21 21:35:55 2022
OS/Arch:    linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.24.1
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.0-1.module+el8.6.0+14131+b9baa4cc.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.0, commit: 69671bb13ee783c4924db64b241139d61db07321'
  cpus: 4
  distribution:
    distribution: '"rhel"'
    version: "8.6"
  eventLogger: journald
  hostname: cn01
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.18.0-369.el8.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 6740848640
  memTotal: 8232390656
  networkBackend: cni
  ociRuntime:
    name: crun
    package: crun-1.4.2-1.module+el8.6.0+14131+b9baa4cc.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.4.2
      commit: f6fbc8f840df1a414f31a60953ae514fa497c748
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /bin/slirp4netns
    package: slirp4netns-1.1.8-2.module+el8.6.0+14272+4d6325e6.x86_64
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 0
  swapTotal: 0
  uptime: 1h 36m 15.2s (Approximately 0.04 days)
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 1
    stopped: 2
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 5
  runRoot: /run/containers/storage
  volumePath: /var/lib/volumes/storage
version:
  APIVersion: 4.0.0
  Built: 1645479355
  BuiltTime: Mon Feb 21 21:35:55 2022
  GitCommit: ""
  GoVersion: go1.17.7
  OsArch: linux/amd64
  Version: 4.0.0

Package info (e.g. output of rpm -q podman or apt list podman):

podman-4.0.0-3.module+el8.6.0+14305+6b14f34e.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

Yes/No

Additional environment details (AWS, VirtualBox, physical, etc.):

Physical, RHEL 8.5, RHEL 8.6 Beta.

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Apr 3, 2022
@mheon
Member

mheon commented Apr 4, 2022

Reproduces locally on main, this seems pretty significant. @cdoern @Luap99 PTAL

@Luap99
Member

Luap99 commented Apr 4, 2022

The infra container looks fine but the shared namespaces are not, I only see that uts and ipc are shared.

@Luap99
Member

Luap99 commented Apr 4, 2022

Problem seems to be here: https://github.com/containers/podman/blame/main/pkg/specgen/generate/namespaces.go#L486-L490
git blame says 221b1ad

I don't understand why this was added but it is definitely broken in v3.4 as well.

@Luap99
Member

Luap99 commented Apr 4, 2022

The problem is that we cannot join the infra namespaces as rootless when the infra already runs in the host namespace. The OCI runtime will fail with EPERM on setns. I think we should catch this in podman and set the container to the host ns when the infra already uses the host ns.

I would think the other namespace options have the same problem.

@github-actions

github-actions bot commented May 5, 2022

A friendly reminder that this issue had no activity for 30 days.

@cdoern cdoern self-assigned this May 5, 2022
@cdoern
Collaborator

cdoern commented May 5, 2022

I will tackle this one

@cdoern cdoern removed the stale-issue label May 5, 2022
Luap99 added a commit to Luap99/libpod that referenced this issue May 5, 2022
When you have utsns="host" set in containers.conf the podman pod create
command currently fails because it always sets a hostname for the pod.
This is wrong, we only want a hostname with a private uts namespace.
Otherwise we should ignore it.

The test currently cannot work rootless because containers#13763.

Ref containers#13763

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Luap99 added a commit to Luap99/libpod that referenced this issue May 5, 2022
When you have utsns="host" set in containers.conf the podman pod create
command currently fails because it always sets a hostname for the pod.
This is wrong, we only want a hostname with a private uts namespace.
Otherwise we should ignore it.

The test currently cannot work rootless because containers#13763.

Ref containers#13714

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
cdoern pushed a commit to cdoern/podman that referenced this issue May 6, 2022
the function `GetDefaultNamespaceMode` for pods checks if we are sharing each namespace
and if not, returns the default which in the case of a network is slirp.

add a switch case for explicitly checking if the pod's network mode is host
and if so, return specgen.Host for the container

resolves containers#13763

Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
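The fix described in the commit message above, as an added illustration that is not podman's own code: a simplified model of the namespace-mode decision, with the pre-fix branch (the infra's network mode is never consulted) next to the post-fix branch that returns host mode when the pod was created with --network=host. The type and function names here are assumptions made for this example; podman's real function is `GetDefaultNamespaceMode` in pkg/specgen/generate/namespaces.go.

```go
package main

import "fmt"

// Namespace modes, named after the ones discussed in the issue (simplified
// model written for this thread, not podman's own specgen types).
const (
	ModeHost    = "host"    // share the host's network namespace
	ModeFromPod = "pod"     // join the pod's infra container namespace
	ModeDefault = "default" // private namespace (slirp/bridge network)
)

// PodNetConfig is a constructed, minimal view of what the decision needs:
// whether the pod shares the net namespace, and which network mode the
// infra container itself was created with.
type PodNetConfig struct {
	SharesNet    bool   // pod created with "net" in its share list
	InfraNetMode string // ModeHost or ModeDefault
}

// defaultNetModeBefore reproduces the behaviour reported in the issue: the
// infra's own mode is never checked, so a pod created with --network=host
// (where net is no longer in the share list) hands its containers the
// ordinary default, i.e. a private network with its own 10.88.0.x address.
func defaultNetModeBefore(p PodNetConfig) string {
	if p.SharesNet {
		return ModeFromPod
	}
	return ModeDefault
}

// defaultNetModeAfter adds the explicit check from the fix commit: a pod whose
// infra runs with host networking yields ModeHost for the container. This is
// tested first because, as noted in the thread, rootless podman cannot setns
// into the infra's host namespace (EPERM), so returning ModeFromPod would fail.
func defaultNetModeAfter(p PodNetConfig) string {
	if p.InfraNetMode == ModeHost {
		return ModeHost
	}
	if p.SharesNet {
		return ModeFromPod
	}
	return ModeDefault
}

func main() {
	hostPod := PodNetConfig{SharesNet: false, InfraNetMode: ModeHost}
	fmt.Println("before fix:", defaultNetModeBefore(hostPod)) // default (the bug)
	fmt.Println("after fix: ", defaultNetModeAfter(hostPod))  // host
}
```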
Luap99 added a commit to Luap99/libpod that referenced this issue May 6, 2022
@cdoern
Collaborator

cdoern commented Jun 1, 2022

@Luap99 are you working on this? seeing a bunch of commits

@Luap99
Member

Luap99 commented Jun 1, 2022

No see the commit description, this is just related to the other issue.

cdoern pushed a commit to cdoern/podman that referenced this issue Jun 2, 2022
the function `GetDefaultNamespaceMode` for pods checks if we are sharing each namespace
and if not, returns the default which in the case of a network is slirp.

add a switch case for explicitly checking if the pod's network mode is host
and if so, return specgen.Host for the container

resolves containers#13763

Signed-off-by: cdoern <cbdoer23@g.holycross.edu>
Signed-off-by: cdoern <cdoern@redhat.com>
mheon pushed a commit to mheon/libpod that referenced this issue Jun 14, 2022
karthikelango137 pushed a commit to karthikelango137/podman that referenced this issue Jun 16, 2022
gbraad pushed a commit to gbraad-redhat/podman that referenced this issue Jul 13, 2022
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 20, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 20, 2023