It is not possible to start a container in a pod with --net=none

[rudolfvesely]

/kind bug

Description

Dear Podman team,

I tested that rootless podman run --net=none ... works only when it's outside of a pod. I can't run a container inside of a rootless pod that was created with --net=none.

Please let me know if you need any additional information. Thank you.

Kind regards,

Rudolf Vesely

Steps to reproduce the issue:

podman pod create --name project1 --net=none

5e1ac474318117ffa1aa853a3e4550c0898075c0224b4a43e73e9e01565aaea6

podman run -d --pod=project1 --name=project1-web docker://docker.io/library/nginx:latest

Trying to pull docker://docker.io/library/nginx:latest...
Getting image source signatures
Copying blob a076a628af6f done
Copying blob d7f36f6fe38f done
Copying blob f72584a26f32 done
Copying blob 7125e4df9063 done
Copying blob 0732ab25fa22 done
Copying config f6d0b4767a done
Writing manifest to image destination
Storing signatures
ERRO[0009] error starting some container dependencies
ERRO[0009] "error stat'ing file `/home/testuser3/.config/cni/net.d`: No such file or directory: OCI not found"
Error: error starting some containers: internal libpod error

• now let's try again with --net=none when creating pod and also when running a container.

podman pod rm --all
podman rm --all --force

podman pod create --name project1 --net=none

16b8f369ce5465b7680ce6997e448cd131148b16b024d6c86d8f2a801733dc5c

podman run -d --pod=project1 --name=project1-web --net=none docker://docker.io/library/nginx:latest

ERRO[0000] error starting some container dependencies
ERRO[0000] "error stat'ing file `/home/testuser3/.config/cni/net.d`: No such file or directory: OCI not found"
Error: error starting some containers: internal libpod error

Describe the results you received:

Error. Please see the output above.

Describe the results you expected:

Should run a container that has only localhost.

Additional information you deem important (e.g. issue happens only occasionally):

Tested on Fedora 33 on a fresh install.

Output of podman version:

Version:      2.2.1
API Version:  2.1.0
Go Version:   go1.15.5
Built:        Tue Dec  8 14:37:50 2020
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.18.0
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.21-3.fc33.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.21, commit: 0f53fb68333bdead5fe4dc5175703e22cf9882ab'
  cpus: 4
  distribution:
    distribution: fedora
    version: "33"
  eventLogger: journald
  hostname: fed
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.8.15-301.fc33.x86_64
  linkmode: dynamic
  memFree: 6717386752
  memTotal: 8340320256
  ociRuntime:
    name: crun
    package: crun-0.17-1.fc33.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  rootless: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 1h 5m 4.52s (Approximately 0.04 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageStore:
    number: 0
  runRoot: /var/run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 2.1.0
  Built: 1607438270
  BuiltTime: Tue Dec  8 14:37:50 2020
  GitCommit: ""
  GoVersion: go1.15.5
  OsArch: linux/amd64
  Version: 2.2.1

Package info (e.g. output of rpm -q podman or apt list podman):

rpm -q podman

podman-2.2.1-1.fc33.x86_64

dnf list installed | grep -E 'podman|buildah|skopeo'

buildah.x86_64          1.18.0-1.fc33     @updates
podman.x86_64           2:2.2.1-1.fc33    @updates
podman-plugins.x86_64   2:2.2.1-1.fc33    @updates
skopeo.x86_64           1:1.2.0-13.fc33   @updates

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

I'm testing with up-to-date Fedora 33 with stable release of Podman. I haven't tested it with the RC version.

Additional environment details (AWS, VirtualBox, physical, etc.):

digitalocean.com VPS with Fedora 33

[Luap99]

There are two problems here:

First, the parsing for podman pod create --network is done differently from podman create. The none option is interpreted as cni network name. #9168 should fix this.

Second, network none is not supported for pods. https://github.com/containers/podman/blob/master/docs/source/markdown/podman-pod-create.1.md#--networkmode---net
After #9168 you will get this error: pods presently do not support network mode none

I do not know how difficult it would be to support the none option, @mheon @baude WDYT?

[rudolfvesely]

Thank you very much @Luap99 , I didn't realize that -net=none is not supported by pods.

how difficult it would be to support the none option

It would be very useful to have this option since if you want to configure a custom networking (for example VETH between bridge and rootless pod) you don't want other interfaces to be present in the pod network namespace and therefore you don't want slirp4netns to get involved.

Thank you.

[mheon]

@Luap99 Should definitely be possible - I'm amazed that it's not implemented already, actually. I can take that bit on Monday.

[rudolfvesely]

@mheon And if you're interested I'm very happy to test it by connecting bridge/pod by VETH and routing traffic.