{"id":16338801,"url":"https://github.com/neverpanic/podman-rootful-network","last_synced_at":"2025-06-25T01:12:00.291Z","repository":{"id":175326517,"uuid":"653668678","full_name":"neverpanic/podman-rootful-network","owner":"neverpanic","description":"Rootful Networking with Rootless Podman Containers","archived":false,"fork":false,"pushed_at":"2024-08-06T13:28:09.000Z","size":24,"stargazers_count":26,"open_issues_count":0,"forks_count":8,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-20T11:11:16.144Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/neverpanic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-14T13:47:33.000Z","updated_at":"2025-01-30T00:52:24.000Z","dependencies_parsed_at":"2024-10-28T09:09:53.996Z","dependency_job_id":"5b8aa171-c861-43d9-8745-b1ea71514a11","html_url":"https://github.com/neverpanic/podman-rootful-network","commit_stats":null,"previous_names":["neverpanic/podman-rootful-network"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neverpanic%2Fpodman-rootful-network","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neverpanic%2Fpodman-rootful-network/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neverpanic%2Fpodman-rootful-network/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neverpanic%2Fpodman-roo
tful-network/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/neverpanic","download_url":"https://codeload.github.com/neverpanic/podman-rootful-network/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244710622,"owners_count":20497275,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-10T23:51:41.021Z","updated_at":"2025-03-20T23:31:07.326Z","avatar_url":"https://github.com/neverpanic.png","language":"Python","readme":"# Rootful networking with rootless podman containers\n\nAs presented at [devconf.cz 2023][devconf-talk].\n\nThis python tool allows attaching network interfaces to initialized, but not\nrunning, rootless podman containers. It uses `netavark`, which is the same tool\npodman uses to do this. There are some known limitations:\n\n - `podman inspect` won't know about the network. 
From podman's point of view,\n   the container doesn't have networking.\n - `podman run --sdnotify=conmon` won't work; `systemd` receives but rejects\n   the notification with a message similar to `user@1000.service: Got\n   notification message from PID 7687, but reception only permitted for main\n   PID 3201`\n\nIf you are using podman \u003e= 4.5, using\n\n```sh\npodman run \\\n    --uidmap=\"0:$(id -u user):1\" \\\n    --uidmap=\"1:$(grep -Po '(?\u003c=^user:).*$' /etc/subuid | head -1)\" \\\n    --gidmap=\"0:$(id -g user):1\" \\\n    --gidmap=\"1:$(grep -Po '(?\u003c=^user:).*$' /etc/subgid | head -1)\"\n```\n\nalso gives you containers without a mapped root UID, without external tooling.\nYou may want to use that, as it's a lot simpler.\n\n## Dependencies\n\n- `python3`\n- `python3-podman`\n- `container-selinux`\n- `dbus-x11` for `dbus-launch`, which is called somewhere in the setup by podman or systemd\n\n## Running\n\nTo see this in action manually, open one shell as root and one as the\nunprivileged user you want to use to run your container. 
In the example below,\nthis user is `test` with a UID of 1000.\n\n### Initial setup (run once)\n\nAs root:\n\n```bash\n# Create a secret that will be used to make the IP addresses (which are\n# calculated from the container name) unpredictable\ntouch /etc/rootful_network_secret \\\n    \u0026\u0026 chmod 600 /etc/rootful_network_secret \\\n    \u0026\u0026 dd if=/dev/urandom of=/etc/rootful_network_secret bs=1 count=32\n\n# lingering is required for the unprivileged user\nloginctl enable-linger test\n\n# clone and install required scripts\ngit clone https://github.com/neverpanic/podman-rootful-network\ninstall -m0755 \\\n    podman-rootful-network/rootful_network.py \\\n    /usr/local/sbin/rootful_network\n\n# enable the podman socket for root\nsystemctl enable --now podman.socket\n\n# create the podman network you want to use; rootful_network.py expects to\n# have exclusive control over this network, so do not use it for any other\n# containers\npodman network create [--ipv6] \"$networkname\"\n```\n\nAs user:\n\n```bash\n# enable the podman socket for the user\nsystemctl --user enable --now podman.socket\n```\n\n### For each container\n\nAs user:\n\n```bash\n# create the runtime directory that will contain state information\nruntimedir=\"/run/user/$(id -u)/container/$containername\"\nmkdir -p \"$runtimedir\"\n# create the container, but do not start it\n# the --cidfile will be used by rootful_network.py\npodman create \\\n    --cidfile=\"$runtimedir/ctr-id\" \\\n    --network=none \\\n    --name \"$containername\" \\\n    \"$image:$tag\"\n\n# initialize the container namespaces, but do not start it\npodman container init \"$containername\"\n```\n\nAs root:\n\n```bash\nruntimedir=\"/run/user/1000/container/$containername\"\n\nrootful_network \\\n    \"$runtimedir\" \\\n    setup \\\n    \"$name_used_to_generate_ip\" \\\n    /etc/rootful_network_secret \\\n    \"$unprivileged_user\" \\\n    --network \"$networkname\" \\\n    [--publish 
[[ip:][hostPort]:]containerPort[/protocol]] \\\n    [--network-alias \"$alias\"]\n```\n\nAs user:\n\n```bash\npodman start \"$containername\"\n```\n\n### Stopping containers\n\nAs user:\n\n```bash\npodman stop \"$containername\"\n```\n\nAs root:\n\n```bash\nruntimedir=\"/run/user/1000/container/$containername\"\n\nrootful_network \\\n    \"$runtimedir\" \\\n    teardown\n```\n\nAs user:\n\n```bash\npodman rm \"$containername\"\n```\n\nIf you start containers with `--rm`, `rootful_network.py` won't be able to\ndetermine the container ID during teardown, and cleanup will fail.\n\nThe example systemd service file `rootless-example.service` shows these\ncommands in a systemd service that can start and stop a container after the\ninitial setup steps.\n\n## Credits\n\nWithout the help of the following people and their posts and presentations,\nthis would not have been possible:\n\n - https://web.archive.org/web/20220303110335/https://podman.io/community/meeting/notes/2021-10-05/Podman-Rootless-Networking.pdf\n - https://lists.podman.io/archives/list/podman@lists.podman.io/thread/W6MCYO6RY5YFRTSUDAOEZA7SC2EFXRZE/\n\n## License\n\nThis code is licensed under the BSD-2-Clause license. The SPDX identifier is\n`BSD-2-Clause`.\n\n[devconf-talk]: https://devconfcz2023.sched.com/event/9b11eda5c5be46020cb1614e96ef25f0\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneverpanic%2Fpodman-rootful-network","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fneverpanic%2Fpodman-rootful-network","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneverpanic%2Fpodman-rootful-network/lists"}
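The README's podman >= 4.5 alternative builds its `--uidmap`/`--gidmap` flags by grepping `/etc/subuid` and `/etc/subgid` inline. If the user has no entry in those files, `grep | head -1` yields an empty string and the flag silently degrades to `--uidmap=1:`. The helper below is an added example, not code from the podman-rootful-network project: it reads a subuid/subgid-style file, builds the same two mappings the README shows (container ID 0 to the user's own host ID, container IDs 1 and up to the subordinate range), and refuses to continue when no range exists. The function name `idmap_args`, the sample users and the temporary file standing in for `/etc/subuid` are assumptions made for the example.

```sh
# Added example (not part of podman-rootful-network): build the --uidmap/--gidmap
# arguments of the README's podman >= 4.5 alternative from a subuid/subgid-style
# file, and fail clearly when the user has no subordinate range instead of
# emitting a truncated "--uidmap=1:" flag.
#
# Usage: idmap_args <uidmap|gidmap> <user> <host-id-of-user> <subid-file>
# Prints e.g.: --uidmap=0:1000:1 --uidmap=1:165536:65536
idmap_args() {
    flag=$1
    user=$2
    hostid=$3
    subidfile=$4

    # /etc/subuid and /etc/subgid hold "name:start:count" lines; take the
    # first one for this user, like the README's "grep | head -1"
    range=$(awk -F: -v u="$user" '$1 == u { print $2 ":" $3; exit }' "$subidfile")
    if [ -z "$range" ]; then
        echo "idmap_args: no subordinate ID range for '$user' in $subidfile" >&2
        return 1
    fi

    # container ID 0 -> the user's own host ID (a range of exactly one ID);
    # container IDs 1..count -> the user's subordinate range start:count
    printf '%s=0:%s:1 %s=1:%s\n' "--$flag" "$hostid" "--$flag" "$range"
}

# Demo with a constructed file standing in for /etc/subuid (assumed content,
# not read from the real system)
demo_subuid=$(mktemp)
printf 'alice:100000:65536\ntest:165536:65536\n' > "$demo_subuid"
idmap_args uidmap test 1000 "$demo_subuid"
# -> --uidmap=0:1000:1 --uidmap=1:165536:65536
idmap_args uidmap nobody 65534 "$demo_subuid" || echo "refusing to build a broken mapping"
rm -f "$demo_subuid"
```

On a real host the output is meant to be word-split into the `podman run` command line, so leave the substitution unquoted: `podman run $(idmap_args uidmap test "$(id -u test)" /etc/subuid) $(idmap_args gidmap test "$(id -g test)" /etc/subgid) ...`. Because the function returns non-zero when the range is missing, a `set -e` wrapper script stops there rather than creating a container with a half-built ID mapping.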