podman network connect not implemented for slirp4netns

[jennydaman]

Issue Description

podman network connect does not work for rootless Podman using slirp4netns

Steps to reproduce the issue

Install Podman version 4.6.0 and configure it for rootless mode using slirp4netns

podman network create example-network
podman run --name example-container -d alpine sleep 10000
podman network connect example-network example-container

Describe the results you received

Error: "slirp4netns" is not supported: invalid network mo

Describe the results you expected

It works

podman info output

host:
  arch: amd64
  buildahVersion: 1.31.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.7-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: f633919178f6c8ee4fb41b848a056ec33f8d707d'
  cpuUtilization:
    idlePercent: 99.8
    systemPercent: 0.08
    userPercent: 0.13
  cpus: 8
  databaseBackend: boltdb
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  freeLocks: 2044
  hostname: ferritin
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 6.1.44-1-lts
  linkmode: dynamic
  logDriver: journald
  memFree: 14321029120
  memTotal: 16635596800
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: /usr/lib/podman/aardvark-dns is owned by aardvark-dns 1.7.0-1
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.7.0
    package: /usr/lib/podman/netavark is owned by netavark 1.7.0-1
    path: /usr/lib/podman/netavark
    version: netavark 1.7.0
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.8.6-1
    path: /usr/bin/crun
    version: |-
      crun version 1.8.6
      commit: 73f759f4a39769f60990e7d225f561b4f4f06bcf
      rundir: /run/user/1001/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: true
    path: /run/user/1001/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.0-1
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 5h 32m 13.00s (Approximately 0.21 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/web/.config/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 3
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/web/.local/share/containers/storage
  graphRootAllocated: 169290498048
  graphRootUsed: 12887916544
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 2
  runRoot: /run/user/1001/containers
  transientStore: false
  volumePath: /home/web/.local/share/containers/storage/volumes
version:
  APIVersion: 4.6.0
  Built: 1689943108
  BuiltTime: Fri Jul 21 08:38:28 2023
  GitCommit: 38e6fab9664c6e59b66e73523b307a56130316ae-dirty
  GoVersion: go1.20.6
  Os: linux
  OsArch: linux/amd64
  Version: 4.6.0

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Arch Linux, on-the-metal

Additional information

My use case: I am trying to use rootless Podman + Quadlet to run Nextcloud All-In-One on a home server. This application requires the "network connect" feature (called via Docker Engine API)

https://github.com/nextcloud/all-in-one/blob/e8ab2c702687e2f87895f076af0f5c961851bb9e/php/src/Docker/DockerActionManager.php#L785-L803

This bug has also been reported to affect kind, see kubernetes-sigs/kind#2694

[Luap99]

This is expected, slirp4netns is not a network it is what call a network mode. You have to start the container with --network bridge or any other network you created with podman network create

[jennydaman]

It has been noted that this feature works with rootless Docker, so can we at least document this as broken feature parity?

[Luap99]

There is no broken feature parity you can use network connect/disconnect just fine but as said you must use an actual network not host, slirp4netns, pasta or none when you start the container, the default as rootless is slirp4netns for historic reasons. If you want to change the default you can set netns to bridge in containers.conf that will make --network default to bridge

[Luap99]

Because you asked about this yesterday when I was not at the meeting.
Basically the issue is that we have a default --network slirp4netns as rootless which is not compatible with network connect/disconnect and it doesn't make sense to try to get that working.

I suspect the nextcloud aio issue is because they try to connect the nextcloud-aio-mastercontainer container which was started by the user via cli. So for now you must set --network bridge or Network=bridge in quadlet. For the docker compat API we already default to bridge so it should not be an issue there assuming containers are only created through the API which is usually the case and the case for the other nextcloud containers.

Also we are considering changing the rootless default to --network bridge with podman v5.0 as well then this should just work.

[jennydaman]

Thank you for revisiting this issue. It seems like Network=bridge works!

I created a guide for how to use Podman + Quadlet to run Nextcloud AIO here: nextcloud/all-in-one#3487