Do not configure CNI when slirp4netns is requested #4853
Our networking code bakes in a lot of assumptions about how networking should work - that CNI is *always* used with root, and that slirp4netns is *always* used only with rootless. These are not safe assumptions. This fixes one particular issue, which would cause CNI to also be run when slirp4netns was requested as root.

Fixes: containers#4687

Signed-off-by: Matthew Heon <mheon@redhat.com>
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mheon

The full list of commands accepted by this bot can be found here. The pull request process is described here
rootlessport needs to be enabled as well, when slirp4netns is used? Also, what is the use case of this?

I'm not honestly sure - support for slirp4netns as root was added at some point in the past, but I can't recall why. It doesn't seem to have many users.

code LGTM

@AkihiroSuda Most likely running podman inside of a container.

/lgtm