Correct way to create a podman-network that can only communicate to services bound on localhost.

[arizvisa]

Essentially, I have a couple of services that are bound to localhost that I want to expose to a couple of processes running inside a container, where the container should not be able to communicate to any routable networks/dns/etc. The processes inside the container connect to 127.0.0.1. However, I can likely patch their sockaddr to specify 10.0.2.2 or something else for them to reach the services I'm simulating. (Although, I'd prefer to avoid patching unless absolutely necessary).

I thought I remembered being able to do something similar with CNI's host-device plugin, but with CNI now being deprecated for netavark(1) and slirp4netns(1) being (eventually) replaced with pasta(1), my searches haven't turned up specific results.

What's the right way to do this? Also, if possible, I'd like to keep the containers as rootless.

[sbrivio-rh]

There are many ways to do this :) I just happened to post an overview at #22653 (comment).

In your specific case, the -T / --tcp-ns option for pasta would probably be the best fit: that will map a localhost-bound port inside the container to a local port on the host. At that point, you could drop the non-loopback interface in the container.

With pasta alone (without the --config-net option, that Podman passes by default), you can already try that out:

$ nc -l 5555

and in another terminal (pasta will detach the network namespace):

$ pasta -T 5555
# echo x | nc -N localhost 5555

Inside the network namespace, there are no addresses other than loopback ones:

# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
2: enp9s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 22:d9:d5:ce:de:98 brd ff:ff:ff:ff:ff:ff

[arizvisa]

Okay, awesome. I was able to reproduce your example w/ just pasta(1). Using your example as a starting point, I had to fumble around a bit..but was able to get something working with podman-run(1).

Starting with the following (your example), resulted in things being routable (expected, but undesired):

$ podman run --rm -it --network=pasta:-T,57005 --entrypoint bash fuckyou:test -i
[root@22d74d9599b4 /]# ip addr; ip rou
bash: ip: command not found
bash: ip: command not found
[root@22d74d9599b4 /]# ifconfig -a | grep -e '^\S'
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
wliwl0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 65520
[root@22d74d9599b4 /]# netstat -rn -4
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.10.1    0.0.0.0         UG        0 0          0 wliwl0
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 wliwl0
192.168.20.0    192.168.10.1    255.255.255.0   UG        0 0          0 wliwl0
192.168.30.0    192.168.10.1    255.255.255.0   UG        0 0          0 wliwl0

Re-reading the manpage a couple of times highlighted the "-i" parameter, which resulted in the following which was complaining about the missing tap interface.

$ podman run --rm -it --network=pasta:-T,57005,-i,lo --entrypoint bash fuckyou:test -i
Error: pasta failed with exit code 1:
TUNSETIFF failed: Invalid argument
Failed to set up tap device in namespace

Eventually, I found issue #22737, which mentioned the "-I" parameter to specify a non-default name for the tap interface that I believe pasta(1) needs when there's no interface name to inherit from(?).

$ podman run --rm -it --network=pasta:-T,57005,-i,lo,-I,garbagename --entrypoint bash fuckyou:test -i
[root@68960c3d8040 /]# ping -c 1 4.2.2.1
connect: Network is unreachable
[root@68960c3d8040 /]# ifconfig | grep  -e '^\S'
for-pretend: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 65520
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
[root@68960c3d8040 /]# netstat -rn -4
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 for-pretend

This seems to result in the environment that I'm looking for..Hopefully it's how pasta(1) expects you to do this ;-). Anyways, hella thanks for putting me on the right path to figuring this out.

Also, there's no real way to alias this with podman-network-create(1) somehow, right? Since...it's essentially a "non-network" (which podman-network(1) doesn't appear to consider)?