Bug 1903412

Summary:	Podman 2.0 fails to build an image using '--network container' in rootless mode
Product:	Red Hat Enterprise Linux 8	Reporter:	Masahiro Yamaguchi <ma-yamaguchi>
Component:	podman	Assignee:	Tom Sweeney <tsweeney>
Status:	CLOSED ERRATA	QA Contact:	Joy Pu <ypu>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	8.3	CC:	bbaude, dwalsh, jligon, jnovy, kanderso, lsm5, mheon, pthomas, tsweeney, umohnani, ypu
Target Milestone:	rc	Flags:	pm-rhel: mirror+
Target Release:	8.0
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:	podman-2.2 or newer	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-02-16 14:21:54 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Masahiro Yamaguchi 2020-12-02 02:56:21 UTC

Description of problem:

Podman 2.0 fails to build an image using '--network container' in rootless mode.

$ cat Dockerfile
FROM registry.access.redhat.com/ubi8/ubi
RUN touch /tmp/test.txt

$ podman build --network container .
STEP 1: FROM registry.access.redhat.com/ubi8/ubi
Getting image source signatures
Copying blob 6500ac87b29f done
Copying blob 1b8dabac56ed done
Copying config 33df2983b0 done
Writing manifest to image destination
Storing signatures
STEP 2: RUN touch /tmp/test.txt
error running container: error configuring network list if0 for [/bin/sh -c touch /tmp/test.txt]: failed to create bridge "cni-podman0": could not add "cni-podman0": operation not permitted
Error: error building at STEP "RUN touch /tmp/test.txt": error while running runtime: exit status 1

"cni-podman0" is defined in the file /etc/cni/net.d/87-podman-bridge.conflist.
It seems that the cause is reading the file /etc/cni/net.d/87-podman-bridge.conflist even though it is in rootless mode.
I tried the build without the file /etc/cni/net.d/87-podman-bridge.conflist and then it succeeded.

Version-Release number of selected component (if applicable):

podman 2.0.5

$ podman version
Version:      2.0.5
API Version:  1
Go Version:   go1.14.7
Built:        Thu Sep 24 01:18:02 2020
OS/Arch:      linux/amd64

$ podman info
host:
  arch: amd64
  buildahVersion: 1.15.1
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.20-2.module+el8.3.0+8221+97165c3f.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.20, commit: 77ce9fd1e61ea89bd6cdc621b07446dd9e80e5b6'
  cpus: 2
  distribution:
    distribution: '"rhel"'
    version: "8.3"
  eventLogger: file
  hostname: rhel8
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 4.18.0-240.1.1.el8_3.x86_64
  linkmode: dynamic
  memFree: 2937245696
  memTotal: 4118761472
  ociRuntime:
    name: runc
    package: runc-1.0.0-68.rc92.module+el8.3.0+8221+97165c3f.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.2-dev'
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.4-2.module+el8.3.0+8221+97165c3f.x86_64
    version: |-
      slirp4netns version 1.1.4
      commit: b66ffa8e262507e37fca689822d23430f3357fe8
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
  swapFree: 4253020160
  swapTotal: 4253020160
  uptime: 14m 19.85s
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /home/user1/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.1.2-3.module+el8.3.0+8221+97165c3f.x86_64
      Version: |-
        fuse-overlayfs: version 1.1.0
        FUSE library version 3.2.1
        using FUSE kernel interface version 7.26
  graphRoot: /home/user1/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  volumePath: /home/user1/.local/share/containers/storage/volumes
version:
  APIVersion: 1
  Built: 1600877882
  BuiltTime: Thu Sep 24 01:18:02 2020
  GitCommit: ""
  GoVersion: go1.14.7
  OsArch: linux/amd64
  Version: 2.0.5

How reproducible:

[Dockerfile]
FROM registry.access.redhat.com/ubi8/ubi
RUN touch /tmp/test.txt

Steps to Reproduce:
1. create Dockerfile including RUN
2. execute build with '--network container' in rootless mode
   $ podman build --network container .

Actual results:

Failed with the following error.

error running container: error configuring network list if0 for [/bin/sh -c touch /tmp/test.txt]: failed to create bridge "cni-podman0": could not add "cni-podman0": operation not permitted
Error: error building at STEP "RUN touch /tmp/test.txt": error while running runtime: exit status 1


Expected results:

Build is successful.

Additional info:

buildah 1.15.1 can build the image.

$ buildah bud --network container .
STEP 1: FROM registry.access.redhat.com/ubi8/ubi
STEP 2: RUN touch /tmp/test.txt
STEP 3: COMMIT
Getting image source signatures
Copying blob 0b5feeefca25 skipped: already exists
Copying blob 37ab7f712dcb skipped: already exists
Copying blob 14072adefd84 done
Copying config 0283b28d44 done
Writing manifest to image destination
Storing signatures
--> 0283b28d448
0283b28d448eb868944f3e032c72cea11b5926a4fd0d4c7b08b1ca90ce483f8c

buildah version
Version:         1.15.1
Go Version:      go1.14.7
Image Spec:      1.0.1-dev
Runtime Spec:    1.0.2-dev
CNI Spec:        0.4.0
libcni Version:
image Version:   5.5.1
Git Commit:
Built:           Thu Jan  1 09:00:00 1970
OS/Arch:         linux/amd64

podman 1.6.4 and buildah 1.11.6 (container-tools:2.0) can also build the image.

$ sudo yum remove podman buildah
$ sudo yum module reset container-tools
$ sudo yum module enable container-tools:2.0
$ sudo yum install podman buildah
$ sudo rm -rf ~/.local/share/containers/
$ rm -rf ~/.config/containers/

$ podman build --network container .
STEP 1: FROM registry.access.redhat.com/ubi8/ubi
Getting image source signatures
Copying blob 6500ac87b29f done
Copying blob 1b8dabac56ed done
Copying config 33df2983b0 done
Writing manifest to image destination
Storing signatures
STEP 2: RUN touch /tmp/test.txt
STEP 3: COMMIT
ea691b52205e89dd5e282d1f76838bc6e1faaaaf765a37c7583ede196294b7cd

$ podman version
Version:            1.6.4
RemoteAPI Version:  1
Go Version:         go1.14.7
OS/Arch:            linux/amd64

$ podman info
host:
  BuildahVersion: 1.12.0-dev
  CgroupVersion: v1
  Conmon:
    package: conmon-2.0.15-1.module+el8.3.0+8377+eff33c85.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.15, commit: fbcd7321de30f46efd05fa415487462f0e8e0a68'
  Distribution:
    distribution: '"rhel"'
    version: "8.3"
  IDMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  MemFree: 2874540032
  MemTotal: 4118761472
  OCIRuntime:
    name: runc
    package: runc-1.0.0-64.rc10.module+el8.3.0+8377+eff33c85.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 4253020160
  SwapTotal: 4253020160
  arch: amd64
  cpus: 2
  eventlogger: journald
  hostname: rhel8.vms
  kernel: 4.18.0-240.1.1.el8_3.x86_64
  os: linux
  rootless: true
  slirp4netns:
    Executable: /usr/bin/slirp4netns
    Package: slirp4netns-0.4.2-3.git21fdece.module+el8.3.0+8377+eff33c85.x86_64
    Version: |-
      slirp4netns version 0.4.2+dev
      commit: 21fdece2737dc24ffa3f01a341b8a6854f8b13b4
  uptime: 34m 32.47s
registries:
  blocked: null
  insecure: null
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  ConfigFile: /home/user1/.config/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-0.7.8-1.module+el8.3.0+8377+eff33c85.x86_64
      Version: |-
        fuse-overlayfs: version 0.7.8
        FUSE library version 3.2.1
        using FUSE kernel interface version 7.26
  GraphRoot: /home/user1/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 2
  RunRoot: /run/user/1000
  VolumePath: /home/user1/.local/share/containers/storage/volumes

$ podman rmi ea691b52205e

$ buildah bud --network container .
STEP 1: FROM registry.access.redhat.com/ubi8/ubi
STEP 2: RUN touch /tmp/test.txt
STEP 3: COMMIT
Getting image source signatures
Copying blob 0b5feeefca25 skipped: already exists
Copying blob 37ab7f712dcb skipped: already exists
Copying blob f17ebb8e81b8 done
Copying config 13476acc26 done
Writing manifest to image destination
Storing signatures
13476acc263ff6a998eb95beb51b80df0b1579457aaad6418d46c22868a52718
13476acc263ff6a998eb95beb51b80df0b1579457aaad6418d46c22868a52718

$ buildah version
Version:         1.11.6
Go Version:      go1.14.7
Image Spec:      1.0.1-dev
Runtime Spec:    1.0.1-dev
CNI Spec:        0.4.0
libcni Version:
image Version:   5.0.0
Git Commit:
Built:           Thu Jan  1 09:00:00 1970
OS/Arch:         linux/amd64

summary
[container-tools:rhel8]
podman 2.0.5: `podman build --network container .` => FAILED
buildah 1.15.1: `buildah bud --network container .` => SUCCESS

[container-tools:2.0]
podman 1.6.4: `podman build --network container .` => SUCCESS
buildah 1.11.6: `buildah bud --network container .` => SUCCESS

Comment 1 Daniel Walsh 2020-12-02 14:15:08 UTC

We should be throwing an error on this, but the syntax is incorrect. 
You are supposed to specify a container:CONTAINERID.

In podman run --network container:CONTAINERID tells podman to run the
new container in the same network (namespace) as the CONTAINERID container.

I don't think this is supported when doing a podman build.

```
man podman build
...
   --network=mode, --net
       Sets the configuration for network namespaces when handling RUN instructions.

       Valid mode values are:

              • none: no networking.

              • host: use the Podman host network stack. Note: the host mode gives the  con‐
                tainer  full  access to local system services such as D-bus and is therefore
                considered insecure.

              • ns:path: path to a network namespace to join.

              • private: create a new namespace for the container (default).

```

Comment 2 Masahiro Yamaguchi 2020-12-03 01:12:19 UTC

I think that podman build supports '--network container' without CONTAINERID in version 2.1 and before.

In podman 2.0.5:
```
man podman build
...
       --net, --network=string

       Sets the configuration for network namespaces when handling RUN
       instructions.  The configured value can be "" (the empty string) or
       "container" to indicate that a new network namespace should be created,
       or it can be "host" to indicate that the network namespace in which
       podman itself is being run should be reused, or it can be the path to a
       network namespace which is already in use by another process.
```
https://github.com/containers/podman/blob/v2.0.5/docs/source/markdown/podman-build.1.md

The network option of podman build was changed in podman 2.2.0.
'--network container' of podman build changed to '--network private' in podman 2.2.0.
https://github.com/containers/podman/blob/v2.1.0/docs/source/markdown/podman-build.1.md

Comment 3 Matthew Heon 2020-12-03 16:52:00 UTC

Given this is documented, we will re-add this for Podman 2.2.1. However, we consider the new name (`private`) much more appropriate and less confusing, given that `podman run --net=container` means a completely different thing. Given this, I'm going to make `--net=container` deprecated as of 2.2.1, and it will be removed in a future Podman release.

Comment 4 Matthew Heon 2020-12-03 16:54:13 UTC

For reference, we are now targetting 2.2.1 for RHEL 8.3.1, so this will be fixed in the new RHEL release.

Comment 6 Matthew Heon 2020-12-03 19:23:04 UTC

This is actually working already as of 2.2.0. I will add documentation on the deprecation in the manpages.

Comment 10 Joy Pu 2021-01-04 15:20:18 UTC

Checked the man page of podman build and podman build --help of podman-2.2.1-2.module+el8.3.1+9107+df0d2892.x86_64. Seems the docs are already updated. So set this to verified. Details:

In Man:
       · private: create a new namespace for the container (default). The
         container network mode is an alias for private, but has been
         deprecated and will be removed in a future release of Podman.

In --help:
      --network string                               'private', 'none', 'ns:path' of network namespace to join, or 'host'

Comment 12 errata-xmlrpc 2021-02-16 14:21:54 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0531