netavark: A container network stack

Overview

Netavark is a Rust-based network stack for containers. It is being designed to work with Podman but is also applicable to other OCI container management applications.

Overview and scope

Netavark is capable of the following given the proper JSON input:

  • Create, manage, and destroy network interfaces including bridge and macvlan
  • Configure firewall (NAT) and port mapping rules
  • Support IPv4 and IPv6

As this project is in very early development, we will add more capabilities in the near future.

Requires

Build

$ make

Latest release

Not applicable yet (TBD)

Communications

For general questions and discussion, please use Podman's channels.

For discussions around issues/bugs and features, you can use the GitHub issues and PRs tracking system.

Comments
  • isolate podman networks

    add support for a new option "isolate", a boolean that determines whether or not a network can send/receive data outside of its bridge. This is done by creating a new chain "NETAVARK_ISOLATION" that drops external outgoing connections.

    resolves #154

    Signed-off-by: cdoern [email protected]

    approved lgtm 
    opened by cdoern 32
  • Use latest aardvark-dns binary

    Instead of using a packaged version of aardvark-dns, we grab the latest main branch zip copy and use it instead.

    Signed-off-by: Brent Baude [email protected]

    approved lgtm 
    opened by baude 25
  • deps: add support for `vendor` and use local `vendor` for `deps`

    While releasing the netavark binary, a lot of platforms do not allow the build process to pull deps from the upstream repo.

    Vendor and ship dependencies locally in a vendor directory and point cargo to use the local vendored deps.

    Automatically uses vendor while doing make build or make.

    See: https://github.com/containers/netavark/issues/115

    approved lgtm 
    opened by flouthoc 25
  • ipv6 network setup on a system with ipv6 disabled should return useful error message

    Error in creating container
    
    ➜  ~ cat /etc/redhat-release
    Fedora release 36 (Thirty Six)
    ➜  ~ uname -r
    5.18.17-200.fc36.x86_64
    ➜  ~ uname -a
    Linux localhost.localdomain 5.18.17-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Aug 11 14:36:06 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    
    ➜  ~ podman network ls
    NETWORK ID    NAME        DRIVER
    88c9b7b61afd  kind        bridge
    2f259bab93aa  podman      bridge
    ➜  ~ podman inspect kind
    [
         {
              "name": "kind",
              "id": "88c9b7b61afd09229a54869e7f3603416f588848f71343ee2706ca1dc21c1d49",
              "driver": "bridge",
              "network_interface": "podman1",
              "created": "2022-08-21T00:14:12.41086239+08:00",
              "subnets": [
                   {
                        "subnet": "fc00:f853:ccd:e793::/64",
                        "gateway": "fc00:f853:ccd:e793::1"
                   },
                   {
                        "subnet": "10.89.0.0/24",
                        "gateway": "10.89.0.1"
                   }
              ],
              "ipv6_enabled": true,
              "internal": false,
              "dns_enabled": true,
              "ipam_options": {
                   "driver": "host-local"
              }
         }
    ]
    ➜  ~ ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 00:15:5d:03:5e:28 brd ff:ff:ff:ff:ff:ff
        inet 172.28.28.121/20 brd 172.28.31.255 scope global dynamic noprefixroute eth0
           valid_lft 85030sec preferred_lft 85030sec
    5: podman1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
        link/ether 62:a5:c2:5f:89:9b brd ff:ff:ff:ff:ff:ff
    
    ➜  KIND_EXPERIMENTAL_PROVIDER=podman sudo kind create cluster --config ./config.yml
    enabling experimental podman provider
    Creating cluster "kind" ...
     ✓ Ensuring node image (localhost/kindest/node:22.10.20220801.1.24.3) 🖼
     ✗ Preparing nodes 📦 📦
    ERROR: failed to create cluster: command "podman run --name kind-control-plane --hostname kind-control-plane --label io.x-k8s.kind.role=control-plane --privileged --tmpfs /tmp --tmpfs /run --volume 29eb75650a9b89f0032582a1d5930ac072f5dc8c4bd692a8a87255ebb184196b:/var:suid,exec,dev --volume /lib/modules:/lib/modules:ro -e KIND_EXPERIMENTAL_CONTAINERD_SNAPSHOTTER --detach --tty --net kind --label io.x-k8s.kind.cluster=kind -e container=podman --volume /dev/mapper:/dev/mapper --publish=127.0.0.1:43279:6443/tcp -e KUBECONFIG=/etc/kubernetes/admin.conf localhost/kindest/node:22.10.20220801.1.24.3" failed with error: exit status 126
    Command Output: Error: netavark: failed to configure bridge and veth interface: failed while configuring network interface: failed to set ip address to podman1: Permission denied (os error 13)
    
    stale-issue 
    opened by xiaofan-linux 23
  • dns: start aardvark-dns on a different port

    I've taken a stab at a proof of concept first -- as said in the issue about port 53 shouldn't be used (link below) it seems simple enough to use DNAT for this.

    This WIP version has at least two problems:

    • I've hardcoded port 1153 as alternative port, we should either use an ephemeral port (problem: we can't know if it's free unless we try to bind to it, so we'd need some retry...) or simpler just make it configurable at network level as a driver-specific option. I'd favor the latter.
    • I'm not actually checking if dns settings are enabled to create the forward rule, that should obviously be checked.

    Is there anything else I missed?

    Fixes: https://github.com/containers/aardvark-dns/issues/13

    approved lgtm 
    opened by martinetd 22
  • netavark, dns: don't `double-fork` aardvark instead wait for the aardvark process to return.

    Netavark now does not double-fork aardvark-dns's server; instead it waits for the aardvark process to return, and a successful return means aardvark-dns is ready to serve requests. Forking now happens at the aardvark end.

    See: https://doc.rust-lang.org/std/process/struct.Command.html#method.spawn

    This needs: https://github.com/containers/aardvark-dns/pull/148

    Should help in:

    • https://github.com/containers/podman/issues/14173
    • https://github.com/containers/podman/issues/14171

    Alternative to: https://github.com/containers/netavark/pull/300

    approved lgtm 
    opened by flouthoc 20
  • static macvlan IP is duplicated after container restart

    repro:

    sudo podman network create macvtest -d macvlan --subnet=fd22::/16
    sudo podman run --net=macvtest:ip=fd22::3 docker.io/nginx 
    

    In a second window run:

    sudo nsenter -t $(pgrep nginx | tail -n1) -p -n ip -6 a
    
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    27: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
        inet6 censored-slaac-address/64 scope global tentative dynamic mngtmpaddr 
           valid_lft 2592000sec preferred_lft 604800sec
        inet6 fd22::3/16 scope global tentative 
           valid_lft forever preferred_lft forever
        inet6 fe80::28a7:41ff:feb3:9497/64 scope link 
           valid_lft forever preferred_lft forever
    

    looks ok, now ctrl+c the nginx and start it again. sudo nsenter -t $(pgrep nginx | tail -n1) -p -n ip -6 a now shows:

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    28: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
        inet6 censored-slaac-address/64 scope global dynamic mngtmpaddr 
           valid_lft 2591990sec preferred_lft 604790sec
        inet6 fd22::3/16 scope global dadfailed tentative 
           valid_lft forever preferred_lft forever
        inet6 fe80::54c8:36ff:fe70:2b5b/64 scope link 
           valid_lft forever preferred_lft forever
    

    Notice the dadfailed on eth0. Does this need to be released somehow?

    opened by nivekuil 18
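A post-setup check for the behaviour reported above, as an added example (not netavark's code): it parses iproute2's `ip -6 addr` text output and reports whether the container's static address is still `tentative` (DAD running), has gone `dadfailed`, or is ready. The `DadState` type and the parsing approach are the example's own; the sample listing is constructed after the issue's second `ip -6 a` output, with the censored SLAAC address and the `@if2` parent index made up.

```rust
/// One inet6 address as printed by `ip -6 addr`, with the two DAD flags.
#[derive(Debug, Clone, PartialEq)]
pub struct Inet6Addr {
    pub iface: String,
    pub addr: String, // address with prefix length, e.g. "fd22::3/16"
    pub tentative: bool,
    pub dadfailed: bool,
}

/// Duplicate-address-detection state of one configured address.
#[derive(Debug, PartialEq)]
pub enum DadState {
    Missing,   // address not present on the interface at all
    Tentative, // DAD still running; poll again before trusting the address
    Failed,    // "dadfailed": another node on the link answered for it
    Ready,
}

/// Parses iproute2 text output: interface headers start at column 0 as
/// "<idx>: <name>[@<link>]: <flags> ..."; address and lifetime lines are indented.
pub fn parse_ip6_addr(output: &str) -> Vec<Inet6Addr> {
    let mut iface = String::new();
    let mut out = Vec::new();
    for line in output.lines() {
        if line.is_empty() {
            continue;
        }
        if !line.starts_with(' ') {
            // Header: the name sits between the first ": " and the next ':'.
            if let Some((_, rest)) = line.split_once(": ") {
                let name = rest.split(':').next().unwrap_or("");
                // "eth0@if2" -> "eth0"
                iface = name.split('@').next().unwrap_or(name).to_string();
            }
            continue;
        }
        let mut fields = line.split_whitespace();
        if fields.next() != Some("inet6") {
            continue; // "valid_lft ..." lines and anything else
        }
        let addr = match fields.next() {
            Some(a) => a.to_string(),
            None => continue,
        };
        let flags: Vec<&str> = fields.collect();
        out.push(Inet6Addr {
            iface: iface.clone(),
            addr,
            tentative: flags.contains(&"tentative"),
            dadfailed: flags.contains(&"dadfailed"),
        });
    }
    out
}

/// DAD state of `static_addr` (with prefix length) on `iface`. "dadfailed"
/// wins over "tentative" because the kernel keeps both flags set on failure,
/// exactly as in the issue's second listing.
pub fn dad_state(entries: &[Inet6Addr], iface: &str, static_addr: &str) -> DadState {
    match entries.iter().find(|e| e.iface == iface && e.addr == static_addr) {
        None => DadState::Missing,
        Some(e) if e.dadfailed => DadState::Failed,
        Some(e) if e.tentative => DadState::Tentative,
        Some(_) => DadState::Ready,
    }
}

/// Constructed after the issue's second `ip -6 a` listing. The SLAAC address
/// and the "@if2" parent index are made up; the fd22::3/16 flags are as reported.
pub const SAMPLE_AFTER_RESTART: &str = "\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
28: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd22::54c8:36ff:fe70:2b5b/64 scope global dynamic mngtmpaddr
       valid_lft 2591990sec preferred_lft 604790sec
    inet6 fd22::3/16 scope global dadfailed tentative
       valid_lft forever preferred_lft forever
    inet6 fe80::54c8:36ff:fe70:2b5b/64 scope link
       valid_lft forever preferred_lft forever
";

fn main() {
    let entries = parse_ip6_addr(SAMPLE_AFTER_RESTART);
    match dad_state(&entries, "eth0", "fd22::3/16") {
        DadState::Ready => println!("fd22::3/16 is usable"),
        state => println!("fd22::3/16 is not usable: {:?}", state),
    }
}
```

In practice the caller runs `ip -6 addr` inside the container's network namespace (as the issue does with `nsenter`), polls while the state is `Tentative`, and treats `Failed` as a setup error rather than reporting the container as up with an address it cannot own.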
  • Cirrus: Switch CI onto VMs from containers

    Prior to this commit, CI ran entirely in a container environment. This was very much less than ideal, since actual network/firewall manipulations could not be exercised. With this commit, everything will execute on the same VM images and image-build workflow used by all the other containers-org project automations.

    Note: Given all other projects generally use golang, the VM images here are NOT tailored to a rust project. Unfortunately that means performing runtime updates/installs and using cache to reduce the dnf repo metadata/package downloading. These aspects can be removed once dedicated netavark VM images are realized and implemented in a future commit.

    approved lgtm 
    opened by cevich 18
  • teardown: implement teardown for removing container interfaces or container `veth`.

    Implements teardown which is responsible for removing container interfaces and performing cleanups.

    Usage

    netavark -f <config> teardown <networknamespace>
    
    approved lgtm 
    opened by flouthoc 18
  • core: configure required kernel parameters `accept_ra` and `accept_dad` for `ipv6` not for `ipv4`

    Explicitly required kernel parameters like accept_ra and accept_dad are only needed for an interface when we are using ipv6, not ipv4.

    Standard netavark configuration has a field ipv6_enabled which should be enough for us to propagate configuration to lower utility functions in the stack.

    approved lgtm 
    opened by flouthoc 17
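Two items above share a failure mode and a fix: the kind issue earlier (an ipv6-enabled network on a host with IPv6 disabled fails late, with a bare `Permission denied (os error 13)` from the address add on `podman1`), and this PR (IPv6-only sysctls such as `accept_ra` and `accept_dad` should be touched only when `ipv6_enabled` is set). The following is an added example, not netavark's own code, showing how a pre-check of `/proc/sys/net/ipv6/conf/<iface>/disable_ipv6` turns the EACCES into a descriptive error and how the IPv6 sysctls are gated on `ipv6_enabled`. The `proc_root` parameter (so the check can run against a constructed tree), the error type, and the sysctl values passed in by the caller are assumptions of the example; netavark's actual values are not on this page.

```rust
use std::fmt;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Errors for the example. `Ipv6Disabled` carries the descriptive message the
/// issue asks for instead of a bare "Permission denied (os error 13)".
#[derive(Debug)]
pub enum Ipv6SetupError {
    Ipv6Disabled { iface: String },
    Io { path: PathBuf, source: io::Error },
}

impl fmt::Display for Ipv6SetupError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Ipv6SetupError::Ipv6Disabled { iface } => write!(
                f,
                "cannot assign an IPv6 address on {0}: IPv6 is disabled on this host \
                 (net.ipv6.conf.{0}.disable_ipv6 = 1 or no /proc/sys/net/ipv6); \
                 enable IPv6 or create the network without an IPv6 subnet",
                iface
            ),
            Ipv6SetupError::Io { path, source } => {
                write!(f, "failed to access {}: {}", path.display(), source)
            }
        }
    }
}

impl std::error::Error for Ipv6SetupError {}

/// Per-interface IPv6 sysctl path below `proc_root` (normally "/proc"). The
/// root is a parameter only so the check can run against a constructed tree.
fn ipv6_sysctl_path(proc_root: &Path, iface: &str, key: &str) -> PathBuf {
    proc_root.join("sys/net/ipv6/conf").join(iface).join(key)
}

/// Ok(true) when IPv6 is usable on `iface`. A missing /proc/sys/net/ipv6 tree
/// (host booted with ipv6.disable=1) and disable_ipv6=1 both count as disabled.
pub fn ipv6_enabled_on(proc_root: &Path, iface: &str) -> Result<bool, Ipv6SetupError> {
    if !proc_root.join("sys/net/ipv6").is_dir() {
        return Ok(false);
    }
    let path = ipv6_sysctl_path(proc_root, iface, "disable_ipv6");
    let value = fs::read_to_string(&path)
        .map_err(|source| Ipv6SetupError::Io { path: path.clone(), source })?;
    Ok(value.trim() == "0")
}

/// Gates the IPv6-only sysctls on the network's `ipv6_enabled` flag: an
/// IPv4-only network touches nothing; an IPv6 network first verifies that the
/// host can take IPv6 addresses at all, then writes each (key, value) pair
/// supplied by the caller (e.g. accept_ra and accept_dad). Returns the paths written.
pub fn prepare_ipv6(
    proc_root: &Path,
    iface: &str,
    ipv6_enabled: bool,
    sysctls: &[(&str, &str)],
) -> Result<Vec<PathBuf>, Ipv6SetupError> {
    if !ipv6_enabled {
        return Ok(Vec::new());
    }
    if !ipv6_enabled_on(proc_root, iface)? {
        return Err(Ipv6SetupError::Ipv6Disabled { iface: iface.to_string() });
    }
    let mut written = Vec::with_capacity(sysctls.len());
    for (key, value) in sysctls {
        let path = ipv6_sysctl_path(proc_root, iface, key);
        fs::write(&path, value)
            .map_err(|source| Ipv6SetupError::Io { path: path.clone(), source })?;
        written.push(path);
    }
    Ok(written)
}

fn main() {
    // Stand-alone use against the real host: report the interface named on the
    // command line (default: the bridge from the issue above).
    let iface = std::env::args().nth(1).unwrap_or_else(|| "podman1".to_string());
    match ipv6_enabled_on(Path::new("/proc"), &iface) {
        Ok(true) => println!("IPv6 is enabled on {}", iface),
        Ok(false) => println!("IPv6 is disabled on {}", iface),
        Err(e) => eprintln!("{}", e),
    }
}
```

The check is deliberately done before any netlink call: the EACCES the kernel returns for an IPv6 address add on a disabled stack carries no hint about the cause, so the only place to produce a useful message is a pre-check that names the sysctl and the interface.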
  • aardvark,commit: acquire fs lock when performing commit to avoid `race` across parallel invocations.

    • We should avoid overriding configs when another instance of aardvark is trying to commit configs on the same path.

    • On certain systems a race exists where more than one aardvark instance is started in the window where one instance has not yet completed updating its aardvark.pid, causing more than one instance to get started and eventually causing conflicts on the requested ports.

    Some conditions are reported on low power hardware which tries to start a significant amount of containers and it looks like the case matches with what is described in the second point.

    approved lgtm 
    opened by flouthoc 16
  • build(deps): bump clap from 3.2.23 to 4.0.29

    Bumps clap from 3.2.23 to 4.0.29.

    Release notes

    Sourced from clap's releases.

    v4.0.29

    [4.0.29] - 2022-11-29

    v4.0.28

    [4.0.28] - 2022-11-29

    Fixes

    • Fix wasm support which was broken in 4.0.27

    v4.0.26

    [4.0.26] - 2022-11-16

    Fixes

    • (error) Fix typos in ContextKind::as_str

    v4.0.25

    [4.0.25] - 2022-11-15

    Features

    • (error) Report available subcommands when required subcommand is missing

    v4.0.24

    [4.0.24] - 2022-11-14

    Fixes

    • Avoid panic when printing an argument that isn't built

    v4.0.23

    [4.0.23] - 2022-11-11

    Fixes

    • Don't panic on reporting invalid-long errors when followed by invalid UTF8
    • (help) Clarified argument to help subcommand

    v4.0.22

    [4.0.22] - 2022-11-07

    Fixes

    • (help) Don't overflow into next-line-help early due to stale (pre-v4) padding calculations

    v4.0.21

    [4.0.21] - 2022-11-07

    Features

    ... (truncated)

    Changelog

    Sourced from clap's changelog.

    [4.0.29] - 2022-11-29

    [4.0.28] - 2022-11-29

    Fixes

    • Fix wasm support which was broken in 4.0.27

    [4.0.27] - 2022-11-24

    Features

    • Have Arg::value_parser accept Vec<impl Into<PossibleValue>>
    • Implement Display and FromStr for ColorChoice

    Fixes

    • Remove soundness issue by switching from atty to is-terminal

    [4.0.26] - 2022-11-16

    Fixes

    • (error) Fix typos in ContextKind::as_str

    [4.0.25] - 2022-11-15

    Features

    • (error) Report available subcommands when required subcommand is missing

    [4.0.24] - 2022-11-14

    Fixes

    • Avoid panic when printing an argument that isn't built

    [4.0.23] - 2022-11-11

    Fixes

    • Don't panic on reporting invalid-long errors when followed by invalid UTF8
    • (help) Clarified argument to help subcommand

    [4.0.22] - 2022-11-07

    Fixes

    • (help) Don't overflow into next-line-help early due to stale (pre-v4) padding calculations

    ... (truncated)

    dependencies 
    opened by dependabot[bot] 1
  • build(deps): bump nix from 0.25.0 to 0.26.1

    Bumps nix from 0.25.0 to 0.26.1.

    Changelog

    Sourced from nix's changelog.

    [0.26.1] - 2022-11-29

    Fixed

    • Fix UB with sys::socket::sockopt::SockType using SOCK_PACKET. (#1821)

    [0.26.0] - 2022-11-29

    Added

    • Added SockaddrStorage::{as_unix_addr, as_unix_addr_mut} (#1871)
    • Added MntFlags and unmount on all of the BSDs.
    • Added any() and all() to poll::PollFd. (#1877)
    • Add MntFlags and unmount on all of the BSDs. (#1849)
    • Added a Statfs::flags method. (#1849)
    • Added NSFS_MAGIC FsType on Linux and Android. (#1829)
    • Added sched_getcpu on platforms that support it. (#1825)
    • Added sched_getaffinity and sched_setaffinity on FreeBSD. (#1804)
    • Added line_discipline field to Termios on Linux, Android and Haiku (#1805)
    • Expose the memfd module on FreeBSD (memfd was added in FreeBSD 13) (#1808)
    • Added domainname field of UtsName on Android and Linux (#1817)
    • Re-export RLIM_INFINITY from libc (#1831)
    • Added syncfs(2) on Linux (#1833)
    • Added faccessat(2) on illumos (#1841)
    • Added eaccess() on FreeBSD, DragonFly and Linux (glibc and musl). (#1842)
    • Added IP_TOS SO_PRIORITY and IPV6_TCLASS sockopts for Linux (#1853)
    • Added new_unnamed and is_unnamed for UnixAddr on Linux and Android. (#1857)
    • Added SockProtocol::Raw for raw sockets (#1848)
    • added IP_MTU (IpMtu) IPPROTO_IP sockopt on Linux and Android. (#1865)

    Changed

    • The MSRV is now 1.56.1 (#1792)

    ... (truncated)

    dependencies 
    opened by dependabot[bot] 1
  • update: add support for `netavark update` command

    Netavark update allows container managers to update network scoped DNS servers of any configured network and notify running aardvark-dns about it.

    netavark-update
    Updates network dns servers for an already configured network
    
    USAGE:
        netavark update --network-dns-servers <NETWORK_DNS_SERVERS> <NETWORK_NAME>
    
    ARGS:
        <NETWORK_NAME>    Network name to update
    
    OPTIONS:
        -h, --help                                         Print help information
        -n, --network-dns-servers <NETWORK_DNS_SERVERS>    DNS Servers to update for the network
    
    approved 
    opened by flouthoc 4
  • launching aardvark-dns with systemd user on centos7 fails due to session dbus perms?

    I assume centos7 is not a supported platform but please bear with me for a second, I've got it almost working well, I'm super close, and there's just one weird thing I could use some advice/help on...

    Backstory: I gave up on docker years ago after I decided it was too much of a security risk, but when I checked back in on containers recently I saw podman was a thing and was natively rootless and I wanted to give it a go since containers are cool but not so cool I want to run a root docker daemon. I played around with the centos7 version 1.x podman and it was great, but I wanted some of the newer podman features, specifically the better rootless network stuff.[1]

    Anyway, I went about building and installing and updating things that seemed like they needed updating, and ended up with this:

    • netavark v1.2.0
    • aardvark-dns v1.2.0
    • slirp4netns v1.2.0
    • podman v4.3.0
    • iptables v1.8.8
    • kernel v6.0.3
    • dbus v1.14.5 (this isn't installed system-wide, but I've built tested a local user dbus-daemon with it, same results)
    • systemd v219 (this is centos 7 original 😬 but I (un)patched it to support session/user systemd and added user dbus.service and dbus.socket files)
    • I'm probably forgetting other stuff I've updated, it's been a long week.

    I have basically everything working, including per user dbus launching with session systemd automatically and working as expected with dbus-test-tool and dbus-monitor and whatnot.

    The only remaining problem is aardvark-dns won't launch properly in the containers, and it's due to a dbus authn issue.

    Here's what happens:

    [checker] ~$ podman network create test
    test
    [checker] ~$ podman run -dt --network=test --name echo busybox /bin/nc -lk -p 1111 -e echo hello
    Failed to start transient scope unit: Operation not permitted
    180dd8c8ec4b9eae28457b6cfb1fc9633586744fa78f59643037a2498fc5139f
    [checker] ~$ cat /run/user/1000/containers/networks/aardvark-dns/test
    10.89.0.1
    180dd8c8ec4b9eae28457b6cfb1fc9633586744fa78f59643037a2498fc5139f 10.89.0.30  echo,180dd8c8ec4b
    [checker] ~$ podman run -it --network=test  busybox /bin/sh
    Failed to start transient scope unit: Operation not permitted
    / # ping echo
    ping echo
    ping: bad address 'echo'
    / # ping 10.89.0.30
    ping 10.89.0.30
    PING 10.89.0.30 (10.89.0.30): 56 data bytes
    64 bytes from 10.89.0.30: seq=0 ttl=64 time=0.212 ms
    64 bytes from 10.89.0.30: seq=1 ttl=64 time=0.076 ms
      C-c C-c^C
    --- 10.89.0.30 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 0.076/0.144/0.212 ms
    / # nc 10.89.0.30 1111
    nc 10.89.0.30 1111
    hello
      C-c C-c^Cpunt!
    / #
    

    Okay, so the Failed to start transient scope unit: Operation not permitted is obviously an issue. There used to be way more errors before I got systemd user dbus working, including the dbus-daemon leaking (https://github.com/containers/podman/issues/4483, https://github.com/containers/podman/issues/9727, etc.), and ERRO[0000] failed to move the rootless netns slirp4netns process to the systemd user.slice: dbus: invalid bus address (no transport), but once I got session dbus working smoothly, all those went away.

    Debugging Failed to start transient scope unit: Operation not permitted led me to this in the --log-level trace for the run:

    [DEBUG netavark::dns::aardvark] Spawning aardvark server
    [DEBUG netavark::dns::aardvark] start aardvark-dns: ["systemd-run", "-q", "--scope", "--user", "/usr/libexec/podman/aardvark-dns", "--config", "/run/user/1000/containers/networks/aardvark-dns", "-p", "53", "run"]
    Failed to start transient scope unit: Operation not permitted
    

    so I set about debugging that. The command runs fine from a normal shell, but it turns out this command also fails in the same way inside a podman unshare --rootless-netns shell:

    [checker] ~$ podman unshare --rootless-netns
    [root] ~$ systemd-run -q --scope --user /usr/libexec/podman/aardvark-dns --config /run/user/1000/containers/networks/aardvark-dns -p 53 run
    Failed to start transient scope unit: Operation not permitted
    

    which is nice because this is a lot easier to debug than a full container. I debugged systemd-run with gdb because I'd already built it to remove the centos patch to disable user systemd (which works fine, others have done it), and systemd-run was failing to talk on the /run/users/1000/systemd/private socket to the mothership. You can see that here:

    ...
    sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0AUTH EXTERNAL ", iov_len=15}, {iov_base="30", iov_len=2}, {iov_base="\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", iov_len=28}], msg_iovlen=3, msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 45
    ...
    recvmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="REJECTED\r\nERROR\r\nERROR\r\n", iov_len=256}], msg_iovlen=1, msg_control=[{cmsg_len=28, cmsg_level=SOL_SOCKET, cmsg_type=SCM_CREDENTIALS, cmsg_data={pid=13971, uid=0, gid=0}}], msg_controllen=32, msg_flags=MSG_CMSG_CLOEXEC}, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) = 24
    ...
    

    Turns out no dbus apps will run in the rootless-netns, here's the trace on busctl --user which tries to connect to /run/user/1000/bus which is the normal (non-systemd/private dbus for users):

    sendto(3, "AUTH EXTERNAL 30\r\n", 18, MSG_NOSIGNAL, NULL, 0) = 18
    poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
    read(3, "REJECTED EXTERNAL DBUS_COOKIE_SH"..., 2048) = 46
    

    It looks like the dbus sockets are available, but the dbus-daemon is using the peer credentials unix socket EXTERNAL authn and rejecting the connection maybe because of the uid mapping? But isn't root in my unshare --network-netns shell uid 1000 outside the namespace? Here is somebody else who hacked his dbus authn off to work around this.

    So then I went and built and debugged the latest dbus-daemon, dbus-test-tool, etc. It is indeed failing the authn in handle_server_data_external_mech because the uid it gets off the SO_PEERCRED is 1000 for the connection from the dbus app inside the netns but the app itself is passing 0 in the AUTH EXTERNAL greeting and so these fail _dbus_credentials_are_superset. In debugging the daemon, I noticed a bunch of dbus connections as the unshare is set up, but those seem to work because they're not passing the uid in the auth line, although it's hard to tell if they're happening before or after the namespace is set up.

    Then I tried launching a dbus-daemon inside the netns and I got that to work with aardvark-dns launching, but that seems like a weird thing to have to do.

    The other hack I tried was renaming /bin/systemd-run to /bin/systemd-runx so that netavark failed to find it here https://github.com/containers/netavark/blob/90cccc1c21f26fbc473a201ce3b30d77667c7635/src/dns/aardvark.rs#L86 which also allowed aardvark to launch in the container.

    Okay, so questions:

    1. Is this supposed to work? I assume because rootless netavark and aardvark-dns are the new hotness that this is just supposed to work with user sessions and dbus and whatnot? netavark seems to require user session systemd to not complain on creation of the container?
    2. If it's supposed to work, which part of my system is buggy? Once I built the latest dbus, that seems to be the last bit of old centos 7 code that was running, so now it isn't the old systemd that's rejecting the dbus connection, even the latest dbus-test-tool talking to the latest dbus-daemon is sending the wrong (root) uid in the connection and getting rejected, so there's something else going on here maybe?

    Thanks for reading all this rambling, maybe somebody with more of a systemd/dbus/container/namespace clue than I have can help out!

    Chris

    [1] although this was working great (and still is): https://github.com/AkihiroSuda/podman-network-create-for-rootless-podman

    opened by chrishecker 11
Releases: v1.3.0

Owner: Containers (Open Repository for Container Tools)