Pasta networking is not supported for rootless containers created by root with --userns=auto #17840
Comments
Hi @lukasmrtvy, thanks for reporting this!
In some sense this is intended: pasta won't run as root because that would unnecessarily broaden privileges that can be used after exploiting an attack vector, and I didn't expect it to be particularly useful if Podman is anyway started as root. It was a bit tricky (albeit doable) to safely handle the switch to a fallback unprivileged user when started by Podman, so we skipped that in the initial integration. However, I guess it might be useful regardless of security considerations if you want a particular network configuration or if you just have some other reasons to run Podman as root for the moment. It would be interesting if you could share your use case. Regardless of that, yes, I would still consider it as a missing feature. Cc: @Luap99
What is the use case here? As root it seems much more preferable to just use the kernel networking tools (bridge + veth pair or macvlan) as those should be much more performant.
Well, one might still want network isolation (against spoofing, packet forging, etc.), and throughput is usually higher for local port forwarding compared to building frames for veth or macvlan. But I'm also really curious to hear the use case here. :)
I need to control nftables for rootless containers and that's not possible. It works ok in rootful with what @sbrivio-rh mentioned https://superuser.com/questions/1277697/making-routing-decisions-based-on-uid-using-nftables, but not sure if this would work. Rootless container with slirp4netns / pasta with
@Luap99, you can assign this one to me, unless you plan to work on it as part of anything else you have pending.
A friendly reminder that this issue had no activity for 30 days.
@sbrivio-rh Any progress?
No, sorry, not yet. It's quite a low priority item on my list (but we're talking about weeks, not months).
A friendly reminder that this issue had no activity for 30 days.
cc @dgibson
@lukasmrtvy I'm trying to understand this requirement a bit better. I'm assuming what you're doing here is modifying nftables rules in the host which will affect packets flowing to or from your container. Is that correct? What exactly do those rules look like? Just being able to invoke pasta when root may not be enough here. Because pasta is forwarding traffic at L4, rather than L2, the rules you'd need to match them in the host may well be different from those you'd need for bridge based networking, and I doubt that's something we could practically address in podman or pasta.
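To make the point in the last comment concrete (pasta forwards at L4, so the host-side nftables rules that match container traffic are not the same ones used with bridge networking), here is an added nftables illustration; it is not from the issue, from Podman or from the pasta project. The bridge name podman0, the destination port 443 and the UID 1000 that pasta is assumed to run as are all placeholders chosen for the example.

```nft
# Constructed illustration: one policy, "container may only open TCP/443 to
# the outside", written for the two forwarding models discussed in the thread.

table inet podman_example {
    # Bridge / veth networking (the rootful default): container packets are
    # routed through the host, so they traverse the forward hook and carry
    # L2/L3 attributes (ingress interface, container IP) that rules can match.
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "podman0" tcp dport != 443 counter drop
    }

    # pasta networking (L4 forwarding): pasta terminates the container's
    # connections and opens fresh sockets on the host, so the traffic is
    # locally generated output, not forwarded. The container's interface and
    # address no longer exist on the host side; the usable handle is the
    # owner of the socket, matched here with meta skuid (UID 1000 is assumed
    # to be the unprivileged user pasta runs as). This is the uid-based
    # technique the superuser link in the thread refers to.
    chain output {
        type filter hook output priority filter; policy accept;
        meta skuid 1000 tcp dport != 443 counter drop
    }
}
```

The two chains are deliberately not interchangeable: an `iifname "podman0"` rule never sees pasta's sockets, and `meta skuid` only applies to locally originated packets, so a ruleset written for one model silently matches nothing under the other. That is the practical reason the comment above says that merely allowing pasta to start as root would not, by itself, give the reporter the nftables control they are after.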
Issue Description
Pasta networking is not supported for rootless containers created by root with --userns=auto
Steps to reproduce the issue
sudo su
podman run --rm -it --userns=auto --network pasta alpine
Describe the results you received
Error: invalid config provided: pasta networking is only supported for rootless mode
Describe the results you expected
Rootless container is created with pasta networking
podman info output
Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
Yes
Additional environment details
Additional information