Create and configure network before container is created in case of rootless Podman

[amshinde]

In case of rootless containers, the network flow is as follows:

1. Rootless podman passes an empty path for the network namespace in the OCI config.json
2. OCI runtime spawns a container creating a new network namespace
3. podman then calls slirp4netns passing it the pid of the container to create a tap interface in the process's network namespace.

My proposal is to change the network creation flow similar to how it is done today when podman is run with root privileges i.e move the network creation and configuration before the container is created. With this:

1. Rootless podman would create the network namespace.
2. slirp4netns would then be called to create the tap interface.
3. podman would then call the OCI runtime to create the sandbox.

This approach would benefit VM-based runtimes like Kata, as the network would be fully configured when the container is created (Kata scans the network namespace at the time of container creation assuming that the network has been created and configured)

[amshinde]

cc @giuseppe @mheon
From what we discussed, slirp4netns would be need to be changed to accept a network namespace path rather than a pid. Is there anything else that needs to be considered?

[sboeuf]

@giuseppe @mheon @rhatdan
I would add that you had two options from the podman perspective about when to create the network namespace. You obviously chose the easiest one, but unfortunately it will make harder for Kata Containers to support podman rootless.
If you don't mind adding the code creating the network namespace into podman, and if we manage to push a small change to slirp4netns, then Kata Containers would work with podman rootless like a charm :)

As a reference, CRI-O has the two different modes (netns created before or after the container is created), but only one make it working with Kata Containers.

[mheon]

I don't have a major issue with this, so long as we can manage to make the slirp4netns changes non-breaking.

[sboeuf]

@mheon

I don't have a major issue with this, so long as we can manage to make the slirp4netns changes non-breaking.

That's good to hear! Let's pull @AkihiroSuda in the conversation here then. I think he maintains slirp4netns, and I'm eager to hear his input on this.

Just to summarize @AkihiroSuda, the idea would be to provide a way for slirp4netns to join the network namespace based on the path and not only on the PID of a process running into this same namespace. Do you see any objection to this?

[AkihiroSuda]

SGTM, could you open a PR?

[sboeuf]

@AkihiroSuda oh great!
Let's discuss about the design here: rootless-containers/slirp4netns#84

[gabibeyer]

Hi @giuseppe! The PR for slirp4netns has been reviewed and is nearly merged, will you be working on the patch for podman?

[giuseppe]

I'll take a look, but that won't happen in the next few weeks. We will need to expose PostConfigureNetNS and make it configurable as I think the current behaviour is still to prefer when possible as it doesn't leave namespaces around.

[gabibeyer]

@giuseppe no problem! I've been digging into the code some and working to hack something together. Would it be okay I submit a PR once I get things cleaned up and completely working?

[rhatdan]

@gabibeyer We love PRs.