libpod: fix netavark DNS for rootful Podman in LXC#28995
Closed
vfreex wants to merge 1 commit into
Signed-off-by: Yuxiang Zhu <vfreex@gmail.com>
Luap99 (Member) requested changes on Jun 22, 2026 and left a comment:
This does not fix anything though; it just creates an error if we do not have CAP_NET_ADMIN, which should only happen if we run with CAP_SYS_ADMIN but without CAP_NET_ADMIN, which is not something I have ever seen. As such I do not see the need to add additional checks for it.
Fixes #18783
Dependency support: podman-container-tools/container-libs#932

Summary

When Podman runs as UID 0 inside a delegated container environment such as Incus/LXC, it should use rootful networking semantics, like it does in a VM. If the environment does not delegate the networking capability needed for rootful bridge setup, Podman should fail clearly before calling netavark instead of producing a container with broken aardvark DNS.

The reported failure mode is especially confusing for netavark/aardvark DNS: Podman can create network status that causes the container resolv.conf to point at aardvark, while aardvark was started through rootless behavior and failed with `systemd-run --user`. The result is a container that appears to start successfully but has broken DNS.

Behavior change

- `CAP_NET_ADMIN` before calling netavark.

This makes the networking boundary explicit:

- `CAP_NET_ADMIN`: clear error before netavark setup

Rationale

Incus/LXC containers are guest environments. UID 0 inside the guest should be treated like UID 0 inside a VM for Podman's networking mode selection when the required capability is delegated. If `CAP_NET_ADMIN` is not delegated, silently continuing into netavark can produce partial network/DNS state.

Rootful aardvark startup does not use `systemd-run --user`; that flag is only added by netavark when it is in rootless mode. The dependency PR keeps UID 0 in nested user namespaces on rootful network paths by using the original caller UID for network path selection.

This PR currently has a local `CAP_NET_ADMIN` helper. Once the container-libs dependency PR is merged and vendored, this should be replaced with `unshare.HasCapNetAdmin()`.

Tests

- `gofmt`
- `git diff --check`
- `GOCACHE=/private/tmp/podman-go-cache go test ./libpod ./pkg/domain/infra/abi`

Note: libpod Linux-only tests are not executed on this macOS workspace; the package reports no test files here.
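An added example, not code from this PR or from Podman/container-libs, of the pre-netavark check the description above outlines: read the effective capability bitmask (`CapEff`) from `/proc/self/status`, test bit 12 (the `CAP_NET_ADMIN` number from `<linux/capability.h>`), and refuse rootful network setup with an explicit error when the caller is UID 0 but the capability was not delegated. The function names, the error text and the two `/proc/self/status` excerpts are assumptions constructed for this example; the project's own helper referred to above, `unshare.HasCapNetAdmin()`, is not shown here.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// capNetAdmin is the capability number of CAP_NET_ADMIN from
// <linux/capability.h>; it selects bit 12 of the CapEff bitmask.
const capNetAdmin = 12

// effectiveCapsFromStatus extracts the CapEff bitmask from the text of a
// /proc/<pid>/status file. A missing or malformed line is reported as an
// error rather than silently treated as "no capabilities".
func effectiveCapsFromStatus(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		hexmask := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
		mask, err := strconv.ParseUint(hexmask, 16, 64)
		if err != nil {
			return 0, fmt.Errorf("parsing CapEff %q: %w", hexmask, err)
		}
		return mask, nil
	}
	return 0, errors.New("CapEff line not found in status")
}

// hasCap reports whether capability number n is set in the effective mask.
func hasCap(mask uint64, n uint) bool {
	return mask&(1<<n) != 0
}

// checkRootfulNetworkPrereqs is a hypothetical stand-in for the check the
// PR describes: a UID 0 caller must also hold CAP_NET_ADMIN, otherwise
// rootful bridge setup is refused before netavark runs. Non-root callers
// take the rootless path and are not checked here.
func checkRootfulNetworkPrereqs(uid int, status string) error {
	if uid != 0 {
		return nil
	}
	mask, err := effectiveCapsFromStatus(status)
	if err != nil {
		return err
	}
	if !hasCap(mask, capNetAdmin) {
		return errors.New("running as UID 0 without CAP_NET_ADMIN: rootful networking " +
			"requires the capability to be delegated to this container " +
			"(for example by the Incus/LXC profile); refusing to run netavark")
	}
	return nil
}

// Constructed /proc/self/status excerpts (not captured from a real system):
// a full effective set, and the same set with bit 12 (CAP_NET_ADMIN) cleared.
const (
	statusFullCaps   = "Name:\tpodman\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
	statusNoNetAdmin = "Name:\tpodman\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffefff\n"
)

func main() {
	// Live check against the running process; on hosts without /proc
	// (such as the macOS workspace mentioned above) this reports and exits.
	status, err := os.ReadFile("/proc/self/status")
	if err != nil {
		fmt.Println("cannot read /proc/self/status:", err)
		return
	}
	if err := checkRootfulNetworkPrereqs(os.Getuid(), string(status)); err != nil {
		fmt.Println("refusing network setup:", err)
		return
	}
	fmt.Println("rootful network prerequisites satisfied (or caller is not UID 0)")
}
```

Run inside an Incus/LXC guest, `main` inspects the live status file of the Podman-like caller; the same bitmask can be read by hand with `grep CapEff /proc/self/status` and decoded with libcap's `capsh --decode=<hex>`, which is a quick way to confirm whether the guest profile delegated `CAP_NET_ADMIN` before blaming netavark or aardvark for broken DNS.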