Talk:Podman

From Gentoo Wiki
Jump to:navigation Jump to:search
Note
Before creating a discussion or leaving a comment, please read about using talk pages. To create a new discussion, click here. Comments on an existing discussion should be signed using ~~~~: 
A comment [[User:Larry|Larry]] 13:52, 13 May 2024 (UTC)
: A reply [[User:Sally|Sally]] 04:45, 22 February 2025 (UTC)
:: Your reply ~~~~
Navigate to first

Potential security issues in "Rootless containers under OpenRC" setup

Talk status
This discussion is still ongoing.

The information i've provided in the "Rootless containers under OpenRC" section is the best i've been able to come up with after failed attempts to instead use the --cgroup-parent and --cgroupns options to podman-create(1) / podman-run(1) in various ways - including in consultation with someone on #podman, who suggested input from someone knowledgeable about cgroups is required.

-- Flexibeast (talk) 13:58, 12 May 2024 (UTC)

Error: netavark (exit code 1): create bridge: Netlink error: Operation not supported (os error 95)

Talk status
This discussion is done as of 2025-02-07.

The current kernel config does not meet the requirements for podman to start a container, especially when using a minimal kernel.

-- Douglarek (talk) 10:40, 6 February 2025 (UTC)

A quick Web search for that error found this, which suggests that IP_NF_TABLES might need to be enabled. Kernel menuconfig documents IP_NF_TABLES with:
Symbol: IP_NF_IPTABLES [=n]
Type  : tristate                                                                                                                              
Defined at net/ipv4/netfilter/Kconfig:129
  Prompt: IP tables support (required for filtering/masq/NAT)
  Depends on: NET [=y] && INET [=y] && NETFILTER [=y]
  Location:
    -> Networking support (NET [=y])
      -> Networking options
        -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
          -> IP: Netfilter Configuration
            -> IP tables support (required for filtering/masq/NAT) (IP_NF_IPTABLES [=n])
Selects: NETFILTER_XTABLES [=n]
Does enabling this make any difference on your system?
-- Flexibeast (talk) 01:38, 7 February 2025 (UTC)
This config has already been enabled, it has no effect. -- Douglarek (talk) 01:58, 7 February 2025 (UTC)
To make podman run completely, the following config is also needed:
CONFIG_STP=m
CONFIG_BRIDGE=m
CONFIG_BRIDGE_IGMP_SNOOPING=y
CONFIG_LLC=m
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
CONFIG_IP_VS=m
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_SH_TAB_BITS=8
CONFIG_IP_VS_MH_TAB_INDEX=12
CONFIG_NF_NAT=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_IP_NF_NAT=m
CONFIG_NETFILTER_XT_MARK=m
And lsmod ouput:
$ lsmod | grep -E 'bridge|comment|mark'
xt_mark                12288  2
xt_comment             12288  3
bridge                262144  0
stp                    12288  1 bridge
llc                    12288  2 bridge,stp
-- Douglarek (talk) 05:16, 7 February 2025 (UTC)
Great, thanks. i've now updated the "Kernel" section based on the above, with what i think are the options needed to get the config you've described, based on what i found using menuconfig just now; if not, hopefully someone can make the appropriate corrections.
-- Flexibeast (talk) 01:05, 9 February 2025 (UTC)
Retrieved from "https://wiki.gentoo.org/index.php?title=Talk:Podman&oldid=1338918"