rootless-containers / rootlesskit

Linux-native "fake root" for implementing rootless containers
Apache License 2.0

Problem in using on netbooted RPi client #197

Closed OkenKhuman closed 3 years ago

OkenKhuman commented 3 years ago

Hi, I am trying to use rootless containers on a netbooted RPi4 (with piserver netboot server), thus my RPi is restricted to boot into a read-only FS (except some essential directories).

When I enter the command

rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave bash

I get the following error:

[rootlesskit:parent] error: failed to setup network &{logWriter:0x106efa0 binary:slirp4netns mtu:65520 ipnet:<nil> disableHostLoopback:true apiSocketPath: enableSandbox:true enableSeccomp:true ifname:tap0}: waiting for ready fd (/usr/bin/slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 24164 tap0): slirp4netns failed

Please guide me to find out the actual problem.

AkihiroSuda commented 3 years ago

Could you try to run slirp4netns manually and see what error happens? https://github.com/rootless-containers/slirp4netns/tree/v1.1.8#usage

OkenKhuman commented 3 years ago

I obtained the following output

Terminal tab1

pit@raspberrypi:~ $ unshare --user --map-root-user --net --mount
root@raspberrypi:~ # echo $$ > /tmp/pid

Terminal tab2

pit@raspberrypi:~ $ slirp4netns --configure --mtu=65520 --disable-host-loopback $(cat /tmp/pid) tap0
sent tapfd=5 for tap0
received tapfd=5
Starting slirp
* MTU:             65520
* Network:         10.0.2.0
* Netmask:         255.255.255.0
* Gateway:         10.0.2.2
* DNS:             10.0.2.3
* Recommended IP:  10.0.2.100

Terminal tab1

root@raspberrypi:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 4a:ce:91:06:4f:87 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fe80::48ce:91ff:fe06:4f87/64 scope link 
       valid_lft forever preferred_lft forever
root@raspberrypi:~ # echo "nameserver 10.0.2.3" > /tmp/resolv.conf
root@raspberrypi:~ # mount --bind /tmp/resolv.conf /etc/resolv.conf
root@raspberrypi:~ # curl https://example.com
<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;

    }
    div {
        width: 600px;
        margin: 5em auto;
        padding: 2em;
        background-color: #fdfdff;
        border-radius: 0.5em;
        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
    }
    a:link, a:visited {
        color: #38488f;
        text-decoration: none;
    }
    @media (max-width: 700px) {
        div {
            margin: 0 auto;
            width: auto;
        }
    }
    </style>    
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is for use in illustrative examples in documents. You may use this
    domain in literature without prior coordination or asking for permission.</p>
    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>
OkenKhuman commented 3 years ago

pit@raspberrypi:~ $ slirp4netns --version
slirp4netns version 1.0.1
commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
libslirp: 4.3.1

and

pit@raspberrypi:~ $ rootlesskit --version
rootlesskit version 0.11.1

OkenKhuman commented 3 years ago

I also did one test (not sure it will help debug)

Terminal tab1

pit@raspberrypi:~ $ unshare --user --map-root-user --net --mount
root@raspberrypi:~ # echo $$ > /tmp/pid

Terminal tab2

pit@raspberrypi:~ $ $(cat /tmp/pid)
cat: /tmp/pid: No such file or directory
pit@raspberrypi:~ $ $(cat /tmp/pid)
bash: 1247: command not found
pit@raspberrypi:~ $ slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp $(cat /tmp/pid) tap0
WARNING: Support for seccomp is experimental
sent tapfd=5 for tap0
received tapfd=5
Starting slirp
* MTU:             65520
* Network:         10.0.2.0
* Netmask:         255.255.255.0
* Gateway:         10.0.2.2
* DNS:             10.0.2.3
* Recommended IP:  10.0.2.100
enable_seccomp failed
do_slirp is exiting
do_slirp failed
parent failed
seccomp: The following syscalls will be blocked by seccomp:

AkihiroSuda commented 3 years ago

Please try slirp4netns v1.1.8
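
As an added diagnostic (not part of this thread or of the rootlesskit project), the following POSIX sh preflight parses `slirp4netns --version` output like the one pasted above and decides whether the installed build is older than the v1.1.8 recommended here, in which case it picks `--slirp4netns-seccomp=false` instead of `auto` so rootlesskit does not run into the `enable_seccomp failed` path. It assumes rootlesskit accepts `false` for that flag; the sample `--version` text is the one the reporter pasted.

```shell
#!/bin/sh
# Preflight for rootlesskit --net=slirp4netns: detect a slirp4netns build that
# is too old for --enable-seccomp before rootlesskit tries to use it.
# Minimum version is the one the maintainer recommended in this thread.
MIN_SLIRP4NETNS=1.1.8

# Extract "X.Y.Z" from `slirp4netns --version` output (first line only).
slirp4netns_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^slirp4netns version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) when dotted version $1 >= $2; missing components count as 0.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# Print the value for --slirp4netns-seccomp: "auto" when the build is new
# enough, otherwise "false" (also when the version cannot be parsed).
slirp4netns_seccomp_mode() {
    ver=$(slirp4netns_version_from_output "$1")
    if [ -n "$ver" ] && version_ge "$ver" "$MIN_SLIRP4NETNS"; then
        echo auto
    else
        echo false
    fi
}

# Constructed sample: the --version output pasted in this thread (v1.0.1).
SAMPLE_OLD='slirp4netns version 1.0.1
commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
libslirp: 4.3.1'

# Live check against the installed binary; prints the flag rootlesskit should get.
preflight() {
    out=$(slirp4netns --version 2>&1) || { echo "slirp4netns not found" >&2; return 1; }
    echo "--slirp4netns-seccomp=$(slirp4netns_seccomp_mode "$out")"
}

# Only run the live check when invoked as `sh preflight.sh check`.
if [ "${1:-}" = "check" ]; then preflight; fi
```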

OkenKhuman commented 3 years ago

With slirp4netns v1.1.8, rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave bash works.

But when I try to run the docker daemon:

pit@raspberrypi:~ $ rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave dockerd
[rootlesskit:child ] error: command [dockerd] exited: signal: segmentation fault
[rootlesskit:parent] error: child exited: exit status 255

If possible, please give me advice on how to debug this.

AkihiroSuda commented 3 years ago

command [dockerd] exited: signal: segmentation fault

This seems an issue of docker. Does it work with root?

OkenKhuman commented 3 years ago

Yes, rootless docker works on a normal setup.

Only in the net-booted setup (via piserver) it's not working.

This seems an issue of docker.

Now I got podman working on the client RPi4. So this is solved. Thank you.