Bug 1903412
| Summary: | Podman 2.0 fails to build an image using '--network container' in rootless mode | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Masahiro Yamaguchi <ma-yamaguchi> |
| Component: | podman | Assignee: | Tom Sweeney <tsweeney> |
| Status: | CLOSED ERRATA | QA Contact: | Joy Pu <ypu> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.3 | CC: | bbaude, dwalsh, jligon, jnovy, kanderso, lsm5, mheon, pthomas, tsweeney, umohnani, ypu |
| Target Milestone: | rc | | |
| Target Release: | 8.0 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | podman-2.2 or newer | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-02-16 14:21:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Masahiro Yamaguchi
2020-12-02 02:56:21 UTC

We should be throwing an error on this, but the syntax is incorrect. You are supposed to specify a container:CONTAINERID. In podman run, --network container:CONTAINERID tells podman to run the new container in the same network (namespace) as the CONTAINERID container. I don't think this is supported when doing a podman build.

```
man podman build
...
--network=mode, --net
    Sets the configuration for network namespaces when handling RUN instructions.

    Valid mode values are:

    • none: no networking.
    • host: use the Podman host network stack. Note: the host mode gives the con‐
      tainer full access to local system services such as D-bus and is therefore
      considered insecure.
    • ns:path: path to a network namespace to join.
    • private: create a new namespace for the container (default).
```

I think that podman build supports '--network container' without CONTAINERID in version 2.1 and before. In podman 2.0.5:

```
man podman build
...
--net, --network=string
    Sets the configuration for network namespaces when handling RUN instructions.
    The configured value can be "" (the empty string) or "container" to indicate
    that a new network namespace should be created, or it can be "host" to indicate
    that the network namespace in which podman itself is being run should be reused,
    or it can be the path to a network namespace which is already in use by another
    process.
```

https://github.com/containers/podman/blob/v2.0.5/docs/source/markdown/podman-build.1.md

The network option of podman build was changed in podman 2.2.0. '--network container' of podman build changed to '--network private' in podman 2.2.0.

https://github.com/containers/podman/blob/v2.1.0/docs/source/markdown/podman-build.1.md

Given this is documented, we will re-add this for Podman 2.2.1. However, we consider the new name (`private`) much more appropriate and less confusing, given that `podman run --net=container` means a completely different thing. Given this, I'm going to make `--net=container` deprecated as of 2.2.1, and it will be removed in a future Podman release.

For reference, we are now targeting 2.2.1 for RHEL 8.3.1, so this will be fixed in the new RHEL release.

This is actually working already as of 2.2.0. I will add documentation on the deprecation in the manpages.

Checked the man page of podman build and podman build --help of podman-2.2.1-2.module+el8.3.1+9107+df0d2892.x86_64. Seems the docs are already updated. So set this to verified.

Details:

In Man:

```
· private: create a new namespace for the container (default). The container
  network mode is an alias for private, but has been deprecated and will be
  removed in a future release of Podman.
```

In --help:

```
--network string   'private', 'none', 'ns:path' of network namespace to join, or 'host'
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0531
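
As an added example (not part of the bug report or of Podman's code), the shell function below audits build scripts for the `podman build --network` values discussed in this thread: it flags the deprecated `container` alias, the `host` mode the man page calls insecure, and anything outside the modes listed in the 2.2 man page. The function name, verdict labels and sample script lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): audit build scripts for the
# `podman build --network` values discussed above. Reads script text on stdin,
# prints "<line> <verdict> <value>", and returns 1 if anything needs attention.
audit_build_network() {
    awk -v q="'" '
    function verdict(v) {
        if (v == "container")              return "DEPRECATED"  # alias for private, deprecated in 2.2.1
        if (v == "private" || v == "none") return "OK"
        if (v == "host")                   return "INSECURE"    # man page: access to local services such as D-bus
        if (v ~ /^ns:./)                   return "OK"          # joins an existing namespace by path
        return "REVIEW"   # e.g. container:ID is podman-run syntax, not a listed build mode
    }
    /podman[ \t]+build/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^--(network|net)=/) { val = $i; sub(/^--[a-z]+=/, "", val) }
            else if ($i == "--network" || $i == "--net") { val = $(i + 1) }
            else continue
            gsub("[\"" q "]", "", val)      # drop shell quoting around the value
            res = verdict(val)
            if (res != "OK") bad = 1
            print NR, res, val
        }
    }
    END { exit bad + 0 }'
}

# Constructed sample build-script lines (not taken from the report).
SAMPLE='podman build -t app .
podman build --network container -t app .
podman build --net=host -t app .
podman build --network=container:web1 -t app .
podman build --network private -t app .
podman build --network ns:/run/netns/build -t app .'

printf '%s\n' "$SAMPLE" | audit_build_network || true
```

Replacing each `DEPRECATED` hit with `--network private` keeps the same behaviour on Podman 2.2.1 and later, where `container` is only an alias.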