Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create and configure network before container is created in case of rootless Podman #2897

Closed
amshinde opened this issue Apr 10, 2019 · 10 comments · Fixed by #3310 or #3756
Closed

Create and configure network before container is created in case of rootless Podman #2897

amshinde opened this issue Apr 10, 2019 · 10 comments · Fixed by #3310 or #3756
Labels
locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@amshinde
Copy link

In case of rootless containers, the network flow is as follows:

  1. Rootless podman passes an empty path for the network namespace in the OCI config.json
  2. OCI runtime spawns a container creating a new network namespace
  3. podman then calls slirp4netns passing it the pid of the container to create a tap interface in the process's network namespace.

My proposal is to change the network creation flow similar to how it is done today when podman is run with root privileges i.e move the network creation and configuration before the container is created. With this:

  1. Rootless podman would create the network namespace.
  2. slirp4netns would then be called to create the tap interface.
  3. podman would then call the OCI runtime to create the sandbox.

This approach would benefit VM-based runtimes like Kata, as the network would be fully configured when the container is created (Kata scans the network namespace at the time of container creation assuming that the network has been created and configured)
@amshinde
Copy link
Author

cc @giuseppe @mheon
From what we discussed, slirp4netns would be need to be changed to accept a network namespace path rather than a pid. Is there anything else that needs to be considered?

@sboeuf
Copy link

sboeuf commented Apr 10, 2019

@giuseppe @mheon @rhatdan
I would add that you had two options from the podman perspective about when to create the network namespace. You obviously chose the easiest one, but unfortunately it will make harder for Kata Containers to support podman rootless.
If you don't mind adding the code creating the network namespace into podman, and if we manage to push a small change to slirp4netns, then Kata Containers would work with podman rootless like a charm :)

As a reference, CRI-O has the two different modes (netns created before or after the container is created), but only one make it working with Kata Containers.

@mheon
Copy link
Member

mheon commented Apr 11, 2019

I don't have a major issue with this, so long as we can manage to make the slirp4netns changes non-breaking.

@sboeuf
Copy link

sboeuf commented Apr 11, 2019

@mheon

I don't have a major issue with this, so long as we can manage to make the slirp4netns changes non-breaking.

That's good to hear! Let's pull @AkihiroSuda in the conversation here then. I think he maintains slirp4netns, and I'm eager to hear his input on this.

Just to summarize @AkihiroSuda, the idea would be to provide a way for slirp4netns to join the network namespace based on the path and not only on the PID of a process running into this same namespace. Do you see any objection to this?

@AkihiroSuda
Copy link
Collaborator

SGTM, could you open a PR?

@AkihiroSuda AkihiroSuda mentioned this issue Apr 11, 2019
Closed
@sboeuf
Copy link

sboeuf commented Apr 11, 2019

@AkihiroSuda oh great!
Let's discuss about the design here: rootless-containers/slirp4netns#84

@gabibeyer gabibeyer mentioned this issue Apr 22, 2019
Closed
@gabibeyer
Copy link

Hi @giuseppe! The PR for slirp4netns has been reviewed and is nearly merged, will you be working on the patch for podman?

@giuseppe
Copy link
Member

I'll take a look, but that won't happen in the next few weeks. We will need to expose PostConfigureNetNS and make it configurable as I think the current behaviour is still to prefer when possible as it doesn't leave namespaces around.

@gabibeyer
Copy link

@giuseppe no problem! I've been digging into the code some and working to hack something together. Would it be okay I submit a PR once I get things cleaned up and completely working?

@rhatdan
Copy link
Member

rhatdan commented May 16, 2019

@gabibeyer We love PRs.

gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jun 12, 2019
rootless: Rearrange setup of rootless containers
55a046d 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to:
  1. create a network name
  2. pass the netns mounted path to the slirp4netns to create
     the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jun 12, 2019
rootless: Rearrange setup of rootless containers
b8d6381 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to:
  1. create a network name
  2. pass the netns mounted path to the slirp4netns to create
     the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jun 12, 2019
rootless: Rearrange setup of rootless containers
50dc220 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jun 12, 2019
rootless: Rearrange setup of rootless containers
5c1b1db 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
@gabibeyer gabibeyer mentioned this issue Jun 12, 2019
Merged
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jun 12, 2019
rootless: Rearrange setup of rootless containers
bc0db7d 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jun 18, 2019
rootless: Rearrange setup of rootless containers
22dbf7a 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jun 19, 2019
rootless: Rearrange setup of rootless containers
e4e3835 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 10, 2019
rootless: Rearrange setup of rootless containers
258578d 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 10, 2019
rootless: Rearrange setup of rootless containers
b143039 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 12, 2019
rootless: Rearrange setup of rootless containers
9fdc4d6 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 15, 2019
rootless: Rearrange setup of rootless containers
ade4378 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 16, 2019
rootless: Rearrange setup of rootless containers
3184f4c 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 16, 2019
rootless: Rearrange setup of rootless containers
9d7e8cb 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 16, 2019
rootless: Rearrange setup of rootless containers
c0e9051 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 16, 2019
rootless: Rearrange setup of rootless containers
81be153 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 16, 2019
rootless: Rearrange setup of rootless containers
9eb363b 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 17, 2019
rootless: Rearrange setup of rootless containers
60683fd 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 26, 2019
rootless: Rearrange setup of rootless containers
d12b1b6 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 29, 2019
rootless: Rearrange setup of rootless containers
7233cb6 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 29, 2019
rootless: Rearrange setup of rootless containers
40b86bc 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 30, 2019
rootless: Rearrange setup of rootless containers
1192398 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Jul 30, 2019
rootless: Rearrange setup of rootless containers
80dcd4b 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Aug 7, 2019
rootless: Rearrange setup of rootless containers
dccb103 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Aug 7, 2019
rootless: Rearrange setup of rootless containers
fade254 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Aug 7, 2019
rootless: Rearrange setup of rootless containers
fd77e01 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Aug 7, 2019
rootless: Rearrange setup of rootless containers
9160559 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Aug 7, 2019
rootless: Rearrange setup of rootless containers
34cc581 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
@gabibeyer gabibeyer mentioned this issue Aug 7, 2019
Merged
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Aug 7, 2019
rootless: Rearrange setup of rootless containers
4b7b6ef 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Aug 7, 2019
rootless: Rearrange setup of rootless containers
c971002 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Aug 8, 2019
rootless: Rearrange setup of rootless containers
7b0e4d8 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Aug 19, 2019
rootless: Rearrange setup of rootless containers
d183fb4 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Aug 19, 2019
rootless: Rearrange setup of rootless containers
7b8be8b 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Aug 22, 2019
rootless: Rearrange setup of rootless containers
1198de9 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Aug 22, 2019
rootless: Rearrange setup of rootless containers
486a5b9 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Aug 27, 2019
rootless: Rearrange setup of rootless containers
5208cb4 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Sep 4, 2019
rootless: Rearrange setup of rootless containers
5da48e2 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Sep 6, 2019
rootless: Rearrange setup of rootless containers
61d7684 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Sep 11, 2019
@gabibeyer
rootless: Rearrange setup of rootless containers
4ab6e2a 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Sep 12, 2019
@gabibeyer
rootless: Rearrange setup of rootless containers
69dc6fb 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Sep 19, 2019
@gabibeyer
rootless: Rearrange setup of rootless containers
e03e4ba 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Sep 23, 2019
@gabibeyer
rootless: Rearrange setup of rootless containers
7e55234 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
gabibeyer pushed a commit to gabibeyer/libpod that referenced this issue Sep 23, 2019
@gabibeyer
rootless: Rearrange setup of rootless containers
242467c 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
marcov pushed a commit to gabibeyer/libpod that referenced this issue Sep 24, 2019
@marcov
rootless: Rearrange setup of rootless containers
5813c82 
In order to run Podman with VM-based runtimes unprivileged, the
network must be set up prior to the container creation. Therefore
this commit modifies Podman to run rootless containers by:
  1. create a network namespace
  2. pass the netns persistent mount path to the slirp4netns
     to create the tap inferface
  3. pass the netns path to the OCI spec, so the runtime can
     enter the netns

Closes containers#2897

Signed-off-by: Gabi Beyer <gabrielle.n.beyer@intel.com>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
7 participants
@giuseppe @rhatdan @amshinde @mheon @gabibeyer @AkihiroSuda @sboeuf