T7133: Add slirp4netns podman dependency for rootless networking support

[Firefishy]

Change summary

Add slirp4netns podman dependency for rootless networking support

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

https://vyos.dev/T7133

Related PR(s)

How to test / Smoketest result

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[github-actions]

👍
No issues in PR Title / Commit Title

[sever-sever]

We build podman from sources https://github.com/vyos/vyos-build/blob/3d24c1077e1a6e368bd380b7a4952d4e4bc4c2e3/scripts/package-build/podman/package.toml#L3

What will solve this PR? Could you provide example of the VyOS CLI where it is used?

[github-actions]

CI integration ❌ failed!

Details

CI logs

• CLI Smoketests (no interfaces) ❌ failed
• CLI Smoketests (interfaces only) 👍 passed
• Config tests 👍 passed
• RAID1 tests 👍 passed
• TPM tests 👍 passed

[Firefishy]

We build podman from sources https://github.com/vyos/vyos-build/blob/3d24c1077e1a6e368bd380b7a4952d4e4bc4c2e3/scripts/package-build/podman/package.toml#L3

The debian slirp4netns package works with the VyOS build of podman. If VyOS moved to podman 5.x+ then I'd be happy to redo this PR to instead build the passt/pasta package (podman 5.x+ replacement for slirp4netns)

Example run without slirp4netns installed

vyos@gate:~$ podman --version
podman version 4.9.5
vyos@gate:~$ podman run -it --rm ubuntu
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
[...]
Error: could not find slirp4netns, the network namespace can't be configured: exec: "slirp4netns": executable file not found in $PATH
WARN[0002] Failed to add pause process to systemd sandbox cgroup: dbus: couldn't determine address of session bus
vyos@gate:~$ [failed to start container]

And after install slirp4netns is installed:

vyos@gate:~$ slirp4netns --version
slirp4netns version 1.2.0
commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.4
vyos@gate:~$ podman run -it --rm ubuntu
root@ce94031c9e39:/# echo hello world from container
hello world from container

What will solve this PR? Could you provide example of the VyOS CLI where it is used?

This is a step to allow under privileged users processes to launch containers, rather than current setup where all containers need to be launched by root.

All containers currently run by VyOS run podman as root, the podman process can then set the container to a specific uid as defined by set container name <name> uid <container-uid>, which becomes podman ... --user <container-uid>. The podman process and networking processes are being run as root and podman runs in the host user namespace.

Redhat describes why rootless containers are a good idea better than I could.

[sever-sever]

I’d try to build image with v5 version and check smoke tests.
Are you able to try it?

[dmbaturin]

@sever-sever Do you plan to build it and try, or you want the PR author to build it?

[sever-sever]

@sever-sever Do you plan to build it and try, or you want the PR author to build it?

@dmbaturin I need at least an example of a config that does not work in the current version, to compare them
So I'm expecting an answer from @Firefishy or at least steps to reproduce this bug/ check this bug does not exists in the newest version.

We can build the 5 version, but it requires crun (>= some specific version) that we should also add to build from sources. Otherwise, containers cannot start at all.

[Firefishy]

At the moment the only example I can share is that the default vyos cannot run any containers because root is needed. As per examples shared earlier in thread. Adding the single package fixes the issue.

Adding an vyos config option to allow running containers as another user (underprivileged) is currently beyond me (time, commitment, knowledge).

[sever-sever]

@Firefishy, we do not use native commands to configure podman, all configurations should be done via CLI
So it is not clear for now how to reproduce it via VyOS CLI,

vyos@r14:~$ show version all | match "podman|crun"
ii  crun                                 1.8.1-1+deb12u1                  amd64        lightweight OCI runtime for running containers
ii  podman                               5.4.0                            amd64        Engine to run OCI-based containers in Pods
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ podman run --rm docker.io/library/alpine:3.20.3
Trying to pull docker.io/library/alpine:3.20.3...
Getting image source signatures
Copying blob da9db072f522 done   | 
Copying config 63b790fccc done   | 
Writing manifest to image destination
Error: could not find pasta, the network namespace can't be configured: exec: "pasta": executable file not found in $PATH
vyos@r14:~$ 

Do you want just start containeres without VyOS CLI? It is not option

[Firefishy]

@Firefishy, we do not use native commands to configure podman, all configurations should be done via CLI So it is not clear for now how to reproduce it via VyOS CLI,

vyos@r14:~$ show version all | match "podman|crun"
ii  crun                                 1.8.1-1+deb12u1                  amd64        lightweight OCI runtime for running containers
ii  podman                               5.4.0                            amd64        Engine to run OCI-based containers in Pods
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ podman run --rm docker.io/library/alpine:3.20.3
Trying to pull docker.io/library/alpine:3.20.3...
Getting image source signatures
Copying blob da9db072f522 done   | 
Copying config 63b790fccc done   | 
Writing manifest to image destination
Error: could not find pasta, the network namespace can't be configured: exec: "pasta": executable file not found in $PATH
vyos@r14:~$ 

Podman >= 5.x you need pasta (debian package) to run containers rootless. Podman < 5.x you need slirp4netns to run rootless.

Do you want just start containers without VyOS CLI? It is not option

Yes for now without, but next step would be to add VyOS CLI support. I really don't like running containers as root.

[dmbaturin]

Since it's a PR to the VyOS CLI package, I don't see a point in merging it without the CLI. People who are willing to do things by hand can also install the package by hand.

A question, though: if it's going to be different for Podman 5.x, should we go this route? Any reasons why we shouldn't update to Podman 5.x in the rolling release? @sever-sever, what do you think?

[sever-sever]

Any reasons why we shouldn't update to Podman 5.x in the rolling release? @sever-sever, what do you think?

I'm not against it. Just needs to update the podman version + build own crun with a specific version, as build-in version cannot work with podman 5+ (I had these issues while testing it) + an additional dependency passt

[dmbaturin]

Things are going to change in Podman 5, so this PR will almost certainly need to be done in a very different way. We can get back to it when we migrate to it (with Debian Trixie wholesale or just Podman 5).

If you have CLI ideas, please share them. We can later work together to add a rootless networking CLI.