
Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

[Feature]: Support setting up completely isolated rootless network (no slirp/pasta) #17061

Open oxan opened 1 year ago

oxan commented 1 year ago

Feature request description

As a user of rootless networking, I want to run containers (or a pod) on a network that is completely isolated from the host and its network. The containers should have network interfaces and be able to communicate with each other, but no external traffic must be allowed.

The current network options don't work in this scenario:

Suggest potential solution

Adding an option to the bridge network mode to make it skip starting slirp4netns/pasta would be ideal.

rhatdan commented 1 year ago

Seems reasonable to me, @Luap99 WDYT?

Luap99 commented 1 year ago

@oxan Why not just use podman network create --internal? This should work for both rootless and rootful.
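The `--internal` approach suggested above, as an added example that is not part of this issue thread or of the Podman project's own code: it creates a rootless internal network, puts two containers on it, and checks both halves of the requirement (containers can reach each other, nothing can leave the bridge). The network name `isolated-demo`, the container names `iso-a`/`iso-b` and the alpine image are assumptions; it expects `podman` on PATH and an image that can be pulled, and it only runs the live part when `podman` is actually installed. It does not check for the absence of slirp4netns, since the thread says the slirp process is still started even with `--internal`.

```shell
#!/usr/bin/env bash
# Added example (not from the podman issue or project): verify that a rootless
# network created with `podman network create --internal` really isolates its
# containers. Names and image below are assumptions for the demo.
set -u

NET=isolated-demo                # assumed network name
IMG=docker.io/library/alpine     # assumed image with busybox ping and wget

# Succeeds when `podman network inspect` JSON (read from stdin) marks the
# network as internal. Plain grep, so no jq dependency.
network_is_internal() {
    grep -Eq '"internal"[[:space:]]*:[[:space:]]*true'
}

# Interpret the exit status of an egress probe: isolation means it must fail.
egress_blocked() {   # $1 = exit status of the probe command
    [ "$1" -ne 0 ]
}

demo() {
    podman network create --internal "$NET" >/dev/null
    if ! podman network inspect "$NET" | network_is_internal; then
        echo "network $NET is not marked internal" >&2
        return 1
    fi

    podman run -d --rm --name iso-a --network "$NET" "$IMG" sleep 300 >/dev/null
    podman run -d --rm --name iso-b --network "$NET" "$IMG" sleep 300 >/dev/null

    # Address of iso-b on the internal bridge (avoids relying on container DNS).
    b_ip=$(podman inspect -f "{{(index .NetworkSettings.Networks \"$NET\").IPAddress}}" iso-b)

    # 1) container-to-container traffic on the bridge must work...
    if podman exec iso-a ping -c1 -W2 "$b_ip" >/dev/null 2>&1; then
        echo "a -> b ($b_ip): ok"
    else
        echo "a -> b ($b_ip): FAILED" >&2
    fi

    # 2) ...while anything leaving the bridge must fail (no route/NAT out).
    podman exec iso-a wget -qO- --timeout=3 http://1.1.1.1/ >/dev/null 2>&1
    if egress_blocked $?; then
        echo "egress from iso-a: blocked"
    else
        echo "egress from iso-a: NOT blocked" >&2
    fi

    # The thread notes the rootless helper process is still started; show it.
    pgrep -af 'slirp4netns|pasta' || echo "no slirp4netns/pasta process found"

    podman rm -f iso-a iso-b >/dev/null 2>&1
    podman network rm "$NET" >/dev/null
}

# Only run the live demo when podman is actually available on this host.
if command -v podman >/dev/null 2>&1; then
    demo
fi
```

Run it as a normal user; expected output is one line confirming the container-to-container ping and one line confirming blocked egress. If the egress probe succeeds, the network was not created as internal or the containers were attached to a second, non-internal network.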

oxan commented 1 year ago

@Luap99 Huh, I didn't know about that option, it seems to work. It still runs slirp4netns though, which seems a bit wasteful.

Luap99 commented 1 year ago

Well, adding an option to not run slirp4netns is possible but makes maintenance harder. Is running one slirp process really wasteful? It needs basically no CPU when unused and very little memory.

rhatdan commented 1 year ago

Do we know that we are isolated?

Luap99 commented 1 year ago

Do we know that we are isolated?

I don't understand this question. Isolation is a network option.

oxan commented 1 year ago

Is running one slirp process really wasteful? It needs basically no cpu when unused and very little memory.

I didn't look at resource usage, it just seems somewhat less tidy architecturally and possibly increases attack surface a bit. But whether fixing that's worth the maintenance effort is up to you guys to decide :)

github-actions[bot] commented 1 year ago

A friendly reminder that this issue had no activity for 30 days.

rhatdan commented 1 year ago

@Luap99 What should we do with this one?

Luap99 commented 1 year ago

I need to rewrite this code anyway for the pasta integration; I might be able to add this. At least I don't think it is more than a couple of if/else branches.

jpic commented 1 year ago

Could this be why containers are routed across different podman-compose stacks on RHEL8 for me?