Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Description: Sayali Kulkarni, 2017-09-21 11:17:19 UTC
Description of problem:
docker does not allow defining a fixed subnet for all new networks that are created.
Version-Release number of selected component (if applicable):
All
How reproducible:
Every time.
Additional info:
docker should have a configuration through which we can set a fixed subnet for all docker networks that are created using 'docker network create'.
If the --fixed-cidr option is configured in /etc/sysconfig/docker, it only affects the docker0 bridge. Instead, in this feature enhancement, they want something that will restrict the subnet for all docker networks that are created.
We don't support a 'network create' command in Podman yet, instead requiring manual manipulation of CNI configuration files, as previously mentioned. Does the customer require this command? If so, use cases for it would be helpful.
They want to blacklist/restrict the network subnet/IP address ranges that can be used with 'docker network create ...'. Thus, if podman has a 'network create' command, they would like to have this feature.
The question I have is: is this even available for rootless containers? If not, then we have to worry about an admin modifying CNI files at this point, correct, since podman does not support network create. Is the customer wanting to prevent people with the root account from configuring CNI files?
The question would be whether we want to have this enforced or not on the rootless user, or just a guide to make sure the user does not make a mistake.
Currently the user can override all fields in the containers.conf file if they want. And I don't see us changing this behaviour.
It's substantially less of an issue for rootless - the rootless user's IP block should never escape their rootless user namespace, so we don't have to worry about conflicts between multiple users on the same system, for example. Explicitly overriding containers.conf would let them use restricted ranges, but the worst-case scenario I see in that case is the user makes a subnet with the same address as an internal subnet elsewhere and can't access resources on said network - so users can break themselves, but only through deliberate action, and they can't break other users.
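The policy the reporter asks for (only approved subnets may be handed to 'network create', and an internal range must never be reused by a container network) expressed as an admin-side audit of the CNI bridge configs Podman reads from /etc/cni/net.d, added here as an example and not code from the bug report, Podman or CNI. The allowed pools, the restricted ranges and the conflist document are constructed samples; the pool/overlap policy itself is an assumption, not a Podman setting.

```python
import ipaddress
import json

# Constructed policy (assumption, not a Podman or CNI setting): pools an admin
# permits container networks to draw from, and internal ranges never to reuse.
ALLOWED_POOLS = [ipaddress.ip_network(p) for p in ("10.89.0.0/16", "10.90.0.0/16")]
RESTRICTED_RANGES = [ipaddress.ip_network(r) for r in ("10.1.0.0/16", "192.168.10.0/24")]

# Constructed CNI conflist in the layout Podman writes under /etc/cni/net.d;
# the second range deliberately reuses a restricted internal subnet.
SAMPLE_CONFLIST = json.dumps({
    "cniVersion": "0.4.0",
    "name": "podman-sample",
    "plugins": [
        {"type": "bridge", "bridge": "cni-podman1", "isGateway": True,
         "ipam": {"type": "host-local",
                  "ranges": [[{"subnet": "10.89.1.0/24", "gateway": "10.89.1.1"}],
                             [{"subnet": "192.168.10.0/24", "gateway": "192.168.10.1"}]]}},
        {"type": "portmap", "capabilities": {"portMappings": True}},
    ],
})

def bridge_subnets(conflist):
    """Return every subnet declared by bridge plugins in a parsed conflist."""
    subnets = []
    for plugin in conflist.get("plugins", []):
        if plugin.get("type") != "bridge":
            continue
        for range_set in plugin.get("ipam", {}).get("ranges", []):
            for rng in range_set:
                subnets.append(ipaddress.ip_network(rng["subnet"], strict=False))
    return subnets

def check_subnet(net, allowed=ALLOWED_POOLS, restricted=RESTRICTED_RANGES):
    """One subnet must sit inside an allowed pool and must not overlap any
    restricted range; returns the list of violations ([] means clean)."""
    problems = []
    if not any(net.subnet_of(p) for p in allowed if p.version == net.version):
        problems.append("outside allowed pools")
    for r in restricted:
        if r.version == net.version and net.overlaps(r):
            problems.append(f"overlaps restricted range {r}")
    return problems

def audit(conflist_json, allowed=ALLOWED_POOLS, restricted=RESTRICTED_RANGES):
    """Map each bridge subnet in a conflist JSON document to its violations."""
    conflist = json.loads(conflist_json)
    return {str(n): check_subnet(n, allowed, restricted) for n in bridge_subnets(conflist)}
```

Run it over every file in /etc/cni/net.d to get a per-subnet report; a non-empty list is a network that would conflict with the internal ranges the last comment warns about.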