
unbound[1:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted #19538

Closed
quantum77 opened this issue Aug 7, 2023 · 7 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@quantum77

Issue Description

$ podman run --name unbound -i -t --rm --publish 10.2.1.1:5353:53/tcp --publish=10.2.1.1:5353:53/udp -v /home/bill/unbound:/etc/unbound:ro,Z --tls-verify=false 127.0.0.1:5000/unbound
Trying to pull 127.0.0.1:5000/unbound:latest...
Getting image source signatures
Copying blob 8cdb2790ef24 done
Copying blob 843118f807a2 done
Copying blob a67f38f81ae8 done
Copying blob 9e27f648e5c1 done
Copying config 361b11ebcc done
Writing manifest to image destination
Aug 07 14:54:08 unbound[1:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
Aug 07 14:54:08 unbound[1:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
Aug 07 14:54:08 unbound[1:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
Aug 07 14:54:08 unbound[1:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
Aug 07 14:54:08 unbound[1:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
Aug 07 14:54:08 unbound[1:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
Aug 07 14:54:08 unbound[1:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
Aug 07 14:54:08 unbound[1:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted

Steps to reproduce the issue

  1. Build image with EXPOSE 5353
  2. podman run with --publish 10.2.1.1:5353:53/tcp --publish=10.2.1.1:5353:53/udp
  3. Profit with failure

Describe the results you received

IP_TRANSPARENT ..) failed: Operation not permitted

Describe the results you expected

For the container to start

podman info output

$ podman info
host:
  arch: amd64
  buildahVersion: 1.31.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-2.1.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: unknown'
  cpuUtilization:
    idlePercent: 82.71
    systemPercent: 1.96
    userPercent: 15.32
  cpus: 2
  databaseBackend: boltdb
  distribution:
    distribution: '"opensuse-microos"'
    version: "20230804"
  eventLogger: journald
  freeLocks: 2048
  hostname: zeta.darkmatter.org
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.4.6-1-default
  linkmode: dynamic
  logDriver: journald
  memFree: 577261568
  memTotal: 3039854592
  networkBackend: cni
  networkBackendInfo:
    backend: cni
    dns: {}
    package: |-
      cni-1.1.2-2.4.x86_64
      cni-plugins-1.1.1-2.4.x86_64
    path: /usr/libexec/cni
  ociRuntime:
    name: runc
    package: runc-1.1.8-1.1.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.1.8
      commit: v1.1.8-0-g82f18fe0e44a
      spec: 1.0.2-dev
      go: go1.20.5
      libseccomp: 2.5.4
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-1.3.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: unknown
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 0h 37m 26.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.opensuse.org
  - registry.suse.com
  - docker.io
store:
  configFile: /home/bill/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/bill/.local/share/containers/storage
  graphRootAllocated: 53677633536
  graphRootUsed: 19015688192
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/bill/.local/share/containers/storage/volumes
version:
  APIVersion: 4.6.0
  Built: 1691020800
  BuiltTime: Wed Aug  2 17:00:00 2023
  GitCommit: ""
  GoVersion: go1.20.7
  Os: linux
  OsArch: linux/amd64
  Version: 4.6.0

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

MicroOS (openSUSE Tumbleweed)

$ podman version
Client: Podman Engine
Version: 4.6.0
API Version: 4.6.0
Go Version: go1.20.7
Built: Wed Aug 2 17:00:00 2023
OS/Arch: linux/amd64

$ rpm -q podman
podman-4.6.0-2.1.x86_64

cat unbound.imgbuild

FROM docker.io/alpinelinux/docker-cli

RUN apk --update --no-cache add \
    unbound && \
    mkdir /run/unbound && chown root:unbound /run/unbound && chmod 770 /run/unbound && \
    touch /var/log/unbound.log && chown root:unbound /var/log/unbound.log && chmod 664 /var/log/unbound.log
#openssl \

WORKDIR /etc/unbound

EXPOSE 5353

ENTRYPOINT ["/usr/sbin/unbound", "-d"]

setsebool -P container_manage_cgroup true

podman run --name unbound -i -t --rm --publish 10.2.1.1:5353:53/tcp --publish=10.2.1.1:5353:53/udp -v /home/bill/unbound:/etc/unbound:ro,Z --tls-verify=false 127.0.0.1:5000/unbound

Additional information

Issue is consistent.

quantum77 added the kind/bug label Aug 7, 2023
@rhatdan
Member

rhatdan commented Aug 7, 2023

You cannot bind to ports less than 1024 in rootless mode without changing a sysctl.

@rhatdan rhatdan closed this as completed Aug 7, 2023
@rhatdan
Member

rhatdan commented Aug 7, 2023

https://github.com/containers/podman/blob/main/rootless.md
You are not allowed to bind to ports < 1024 in rootless containers.

@quantum77
Author

I know. This is why I set -p to 5353. But I get the above.

@quantum77
Author

No one responds in #podman, and I can't reopen this bug, so I guess I have to make another one.

@rhatdan rhatdan reopened this Aug 7, 2023
@rhatdan
Member

rhatdan commented Aug 7, 2023

Have you tried to enable all caps to see if this is a capability issue?

CAP_NET_RAW or CAP_NET_ADMIN would be the likely ones I would try.

@quantum77
Author

Because it grants podman more capabilities than should be needed for the problem at hand. It also means that I have to trust that podman does in fact drop privileges correctly.

IOW -p does not behave as advertised. It is supposed to allow a container to run in userland, and within that container services to be run as 'root' inside that container --in this case unbound-- which then listens in the container on 53. And --publish ostensibly connects that 53 to host 5353 so as to not violate the rights allowed to the container user.

But it doesn't really work that way evidently...

@Luap99
Member

Luap99 commented Aug 8, 2023

I think you are confusing things here: you do not grant podman the real CAP_NET_ADMIN. We already have this in our userns anyway; you must pass --cap-add CAP_NET_ADMIN for your container to give this cap to your container so it can modify its own network namespace with that.
We do not make the rules what caps the kernel requires for what operations.

From ip(7):

IP_TRANSPARENT (since Linux 2.6.24)
Setting this boolean option enables transparent proxying
on this socket. This socket option allows the calling
application to bind to a nonlocal IP address and operate
both as a client and a server with the foreign address as
the local endpoint. NOTE: this requires that routing be
set up in a way that packets going to the foreign address
are routed through the TProxy box (i.e., the system
hosting the application that employs the IP_TRANSPARENT
socket option). Enabling this socket option requires
superuser privileges (the CAP_NET_ADMIN capability).

@Luap99 Luap99 closed this as completed Aug 8, 2023
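The thread above turns on one fact: the container's capability set does not include CAP_NET_ADMIN, which ip(7) says IP_TRANSPARENT requires, so the warning is a capability failure rather than a port-publishing problem. The script below is an added example written for this page; it is not code from the issue, podman or unbound. It takes the `security.capabilities` list exactly as `podman info` printed it above, converts it into the same bitmask the kernel exposes as `CapEff` in `/proc/<pid>/status`, and reports which of the capabilities IP_TRANSPARENT needs is missing, before and after a `--cap-add CAP_NET_ADMIN`. The capability bit numbers come from `linux/capability.h` and the socket option number 19 from `linux/in.h`; the function names (`caps_to_mask`, `parse_cap_eff`, `missing_caps`, `probe_ip_transparent`) are this example's own. The live probe at the end is environment dependent and exists only to confirm the diagnosis on the machine you run it on.

```python
"""Check whether a capability set allows setsockopt(IP_TRANSPARENT).

Added example (not from the issue, podman or unbound).
"""
import errno
import socket

# Linux capability bit numbers (linux/capability.h); only the ones used here.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_ADMIN": 21, "CAP_SETFCAP": 31,
}

# Copied from the `security.capabilities` field of the `podman info` in this issue.
PODMAN_DEFAULT_CAPS = ("CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,"
                       "CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,"
                       "CAP_SETUID,CAP_SYS_CHROOT")

# ip(7): IP_TRANSPARENT requires CAP_NET_ADMIN. Option value 19 is from linux/in.h.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)
IP_TRANSPARENT_REQUIRES = ("CAP_NET_ADMIN",)


def caps_to_mask(cap_list):
    """Turn a comma-separated CAP_* list (podman info / --cap-add syntax) into a CapEff-style bitmask."""
    mask = 0
    for name in cap_list.split(","):
        name = name.strip().upper()
        if not name:
            continue
        if not name.startswith("CAP_"):
            name = "CAP_" + name  # --cap-add accepts NET_ADMIN as well as CAP_NET_ADMIN
        mask |= 1 << CAP_BITS[name]
    return mask


def parse_cap_eff(status_text):
    """Extract the effective capability mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def missing_caps(mask, required=IP_TRANSPARENT_REQUIRES):
    """Return the required capabilities that are absent from `mask`, in the order given."""
    return [c for c in required if not (mask >> CAP_BITS[c]) & 1]


def probe_ip_transparent():
    """Issue the same setsockopt unbound does; returns (True, None) or (False, errno name).

    Environment dependent: without CAP_NET_ADMIN in the current user namespace
    the kernel answers EPERM, which is what the issue's log shows.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
            return True, None
        except OSError as e:
            return False, errno.errorcode.get(e.errno, str(e.errno))


if __name__ == "__main__":
    default_mask = caps_to_mask(PODMAN_DEFAULT_CAPS)
    print(f"podman default CapEff {default_mask:#018x}; missing for IP_TRANSPARENT: {missing_caps(default_mask)}")
    # What the set looks like after `--cap-add CAP_NET_ADMIN`.
    with_admin = caps_to_mask(PODMAN_DEFAULT_CAPS + ",CAP_NET_ADMIN")
    print(f"with --cap-add CAP_NET_ADMIN {with_admin:#018x}; missing: {missing_caps(with_admin)}")
    # Compare with the process actually running this script (Linux only).
    with open("/proc/self/status") as f:
        own_mask = parse_cap_eff(f.read())
    print(f"this process CapEff {own_mask:#018x}; missing: {missing_caps(own_mask)}")
    print("live setsockopt(IP_TRANSPARENT) probe:", probe_ip_transparent())
```

Run it inside the container (`podman exec -it unbound python3 check.py`, if an interpreter is available) to see the container's own `CapEff`; the same check against `/proc/<pid>/status` of the unbound process on the host works too. The default set converts to `0x00000000800405fb`, which lacks bit 12, so `missing_caps` reports `CAP_NET_ADMIN`; only granting that capability to the container changes the answer, which is the point Luap99 makes about `--cap-add` applying to the container rather than to podman.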