Bug 1494024 - [RFE] podman should restrict subnets of newly configured networks
Summary: [RFE] podman should restrict subnets of newly configured networks
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: podman
Version: 8.0
Hardware: x86_64
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Brent Baude
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1186913
Reported: 2017-09-21 11:17 UTC by Sayali Kulkarni
Modified: 2023-09-18 00:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-05 13:38:19 UTC
Type: Feature Request
Target Upstream Version:
Embargoed:

Description Sayali Kulkarni 2017-09-21 11:17:19 UTC
Description of problem:

docker does not allow defining a fixed subnet for all new networks that are created.

Version-Release number of selected component (if applicable):

All

How reproducible:

Every time.

Additional info:

docker should have a configuration option through which we can assign a fixed subnet to all docker networks that are created using 'docker network create'.

If the --fixed-cidr option is configured in /etc/sysconfig/docker, it only affects the docker0 bridge. Instead, in this feature enhancement, they want something that will restrict the subnet for all docker networks that are created.

Comment 4 Daniel Walsh 2019-01-02 21:49:59 UTC
Since we are replacing the Docker CLI with Podman, we are verifying all RFEs to make sure they work with podman.

Comment 5 Daniel Walsh 2019-01-02 21:50:22 UTC
Can this be done with CNI Plugins?

Comment 6 Daniel Walsh 2019-01-02 21:57:52 UTC
Tom can you document how to configure the bridge plugin for podman to do this?

Comment 9 Matthew Heon 2019-04-02 13:48:25 UTC
We don't support a 'network create' command in Podman yet, instead requiring manual manipulation of CNI configuration files, as previously mentioned. Does the customer require this command? If so, use cases for it would be helpful.

Comment 10 Sayali Kulkarni 2019-04-17 09:07:07 UTC
They want to blacklist/restrict the network subnet/IP address ranges that can be used with 'docker network create ...'. Thus, if podman has a 'network create' command, they would like to have this feature.

Comment 12 Daniel Walsh 2019-08-14 10:40:10 UTC
Brent, this is something we should consider for podman network.

Comment 14 Derrick Ornelas 2019-10-17 19:46:03 UTC
As Red Hat Enterprise Linux 7 is now in its Maintenance Support 1 phase[1] no new software functionality is planned.  We are moving this request to Red Hat Enterprise Linux 8 where it may be considered for inclusion in a future minor release.  

[1] https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_1_Phase

Comment 18 Daniel Walsh 2020-09-11 17:13:08 UTC
The question I have is: is this even available for rootless containers? If not, then we have to worry about an admin modifying CNI files at this point, correct, since podman does not support network create. Is the customer wanting to prevent people with the root account from configuring CNI files?

Comment 23 Brent Baude 2020-12-09 14:45:22 UTC
If Dan Walsh would agree this can be set in containers common in CIDR format, we can wire it up in podman. We will need cards for both pieces.

Comment 24 Daniel Walsh 2020-12-09 22:25:47 UTC
Fine with me.

Comment 25 Daniel Walsh 2021-01-28 21:18:13 UTC
The question would be: do we want to have this enforced or not on the rootless user? Or just a guide to make sure the user does not make a mistake?

Currently the user can override all fields in the containers.conf file if they want.  And I don't see us changing this behaviour.

Comment 26 Matthew Heon 2021-01-28 21:26:11 UTC
It's substantially less of an issue for rootless - the rootless user's IP block should never escape their rootless user namespace, so we don't have to worry about conflicts between multiple users on the same system, for example. Explicitly overriding containers.conf would let them use restricted ranges, but the worst-case scenario I see in that case is the user makes a subnet with the same address as an internal subnet elsewhere and can't access resources on said network - so users can break themselves, but only through deliberate action, and they can't break other users.

Comment 32 Brent Baude 2022-01-24 15:25:23 UTC
I agree with Matt ... 4.1 is a good target for this ... or potentially even a 4.0.x backport if we get heat.

Comment 38 Matthew Heon 2023-05-05 13:38:19 UTC
Added on Podman 4.1 via the `default_subnet_pools` field in `containers.conf`. Closing as CURRENTRELEASE given this.

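Comment 38 names the `default_subnet_pools` field that resolved this RFE. The following is an added illustration, not podman's own code: it shows a constructed `[network]` fragment for `containers.conf` and a small Python model of how a pool-based allocator hands out the next free subnet, plus a check that an explicitly requested subnet lies inside the configured pools. The first-fit, pool-order allocation and the `subnet_allowed` check are assumptions of this example, not documented podman behaviour.

```python
"""
Constructed containers.conf fragment (TOML) mirrored by the Python below:

[network]
default_subnet_pools = [
  {"base" = "10.89.0.0/16", "size" = 24},
  {"base" = "10.90.0.0/15", "size" = 24},
]
"""
import ipaddress
from typing import Iterable, List, Optional

# Same pools as the fragment above, expressed as Python data.
POOLS: List[dict] = [
    {"base": "10.89.0.0/16", "size": 24},
    {"base": "10.90.0.0/15", "size": 24},
]


def allocate_subnet(pools: List[dict], in_use: Iterable[str]) -> Optional[str]:
    """Return the first subnet, walking the pools in order, that does not
    overlap any subnet already in use. `in_use` stands in for the subnets of
    existing networks. First-fit in pool order is an assumption here."""
    used = [ipaddress.ip_network(s) for s in in_use]
    for pool in pools:
        base = ipaddress.ip_network(pool["base"])
        for candidate in base.subnets(new_prefix=pool["size"]):
            if not any(candidate.overlaps(u) for u in used):
                return str(candidate)
    return None  # every pool is exhausted


def subnet_allowed(pools: List[dict], subnet: str) -> bool:
    """True if an explicitly requested subnet lies entirely inside one of the
    pools: the kind of restriction this RFE asks for (hypothetical check)."""
    net = ipaddress.ip_network(subnet)
    return any(net.subnet_of(ipaddress.ip_network(p["base"])) for p in pools)


if __name__ == "__main__":
    existing = ["10.89.0.0/24", "10.89.1.0/24"]  # constructed sample state
    print(allocate_subnet(POOLS, existing))        # 10.89.2.0/24
    print(subnet_allowed(POOLS, "10.91.200.0/24"))  # True (inside 10.90.0.0/15)
    print(subnet_allowed(POOLS, "192.168.1.0/24"))  # False
```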
Comment 39 Red Hat Bugzilla 2023-09-18 00:12:45 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.
