@lsm5 lsm5 commented Oct 21, 2025

Does this PR introduce a user-facing change?

Slirp support has been removed.

@lsm5 lsm5 added the 6.0 Breaking changes for Podman 6.0 label Oct 21, 2025
@openshift-ci openshift-ci bot added release-note do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Oct 21, 2025

openshift-ci bot commented Oct 21, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lsm5

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 21, 2025
@github-actions github-actions bot added the kind/api-change Change to remote API; merits scrutiny label Oct 21, 2025
@lsm5 lsm5 added No New Tests Allow PR to proceed without adding regression tests and removed kind/api-change Change to remote API; merits scrutiny labels Oct 21, 2025
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 24, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 10, 2025
@github-actions github-actions bot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. kind/api-change Change to remote API; merits scrutiny labels Nov 10, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 10, 2025
@packit-as-a-service

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

@lsm5 lsm5 force-pushed the podman6-no-slirp branch 2 times, most recently from 583764c to d7744ec Compare November 10, 2025 21:20
@packit-as-a-service

tmt tests failed for commit d7744ec. @lsm5, @psss, @thrix please check.

psss commented Nov 11, 2025

Yeah, that sounds like a genuine problem on the podman side:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0x55dadaac0a55]

@packit-as-a-service

tmt tests failed for commit a55c778. @lsm5, @psss, @thrix please check.

@packit-as-a-service

tmt tests failed for commit f36cb63. @lsm5, @psss, @thrix please check.

@packit-as-a-service

tmt tests failed for commit 2e7738c. @lsm5, @psss, @thrix please check.

@packit-as-a-service

tmt tests failed for commit d9d63e6. @lsm5, @psss, @thrix please check.

lsm5 added a commit to lsm5/podman that referenced this pull request Nov 22, 2025
When NetMode.IsPasta() is true but pastaResult is nil (which can happen
during container setup failures or in certain edge cases), accessing
c.pastaResult.IPAddresses causes a panic.

Add a nil check for c.pastaResult before accessing its fields, matching
the pattern used elsewhere in the codebase.

Fixes rootless test failures in PR containers#27338.

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
lsm5 added a commit to lsm5/podman that referenced this pull request Dec 2, 2025
@lsm5 lsm5 force-pushed the podman6-no-slirp branch from 77bc1b3 to dce5c56 Compare December 2, 2025 20:01
lsm5 added a commit to lsm5/podman that referenced this pull request Dec 22, 2025
lsm5 added a commit to lsm5/podman that referenced this pull request Dec 22, 2025
lsm5 added 17 commits December 24, 2025 15:38
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
…essPortMappingViaRLK

When PostConfigureNetNS is true, the network namespace is configured
after container start (in completeNetworkSetup). In this case, the
rootlessPortSyncR/W pipes were never created, causing two issues:

1. Nil pointer dereference when CloseQuiet tried to close the nil pipe
2. Port forwarding failures because nil was passed to the vendor
   SetupRootlessPortMappingViaRLK function, which expects a valid pipe

Fix by:
- Always creating the pipes when they don't exist (checked via nil)
- Only defer-closing them when !PostConfigureNetNS to avoid double-close

This matches the pattern from the old setupSlirp4netns code which
checked for nil before deferring the close.

Also removes the obsolete test/compose/slirp4netns_opts/ test directory
which was testing slirp4netns network mode that no longer exists.

Fixes test failures in PR containers#27338:
- sys remote: "podman networking: port with --userns=keep-id for rootless"
- compose_v2: "slirp4netns_opts - up"
- int podman: "podman kube play" port publishing tests

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
lsm5 added 2 commits December 25, 2025 09:23
When PostConfigureNetNS is true (which happens with --userns=keep-id or
other user namespace options), the network namespace is configured after
container start. In this case, the rootlessport sync pipes need special
handling:

1. The pipes must be created BEFORE conmon starts (not during network
   setup)
2. The write end must be leaked to conmon via ExtraFiles
3. When conmon exits, closing the write end signals rootlessport to exit

The previous fix in commit 7fb9274 only handled pipe creation during
network setup, but didn't account for the PostConfigureNetNS flow where
pipes need to be created earlier and passed to conmon.

This fix:
- Creates rootlessPortSync pipes in oci_conmon_common.go when
  PostConfigureNetNS=true and ports exist
- Leaks the write end to conmon so it stays open for container lifetime
- In setupRootlessPortMappingViaRLK, checks if pipes already exist
  (from conmon code) before creating new ones
- Always closes the read end in parent after passing to rootlessport
  child

Fixes the "port with --userns=keep-id" test failure in PR containers#27338.

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
This commit fixes rootless port forwarding by ensuring rootlessport
sync pipes are created at the correct time in the container lifecycle.

The core issue was that pipes were created AFTER network setup instead
of BEFORE, causing the rootlessport process to use different pipe file
descriptors than those leaked to conmon.

Changes:

1. container_internal_linux.go (prepare function):
   Create rootlessport sync pipes BEFORE calling createNetNS() for
   normal containers (!PostConfigureNetNS). This ensures the pipes
   exist when setupRootlessPortMappingViaRLK is called during network
   configuration.

2. oci_conmon_common.go (createOCIContainer function):
   - For PostConfigureNetNS containers: Create pipes here since
     network setup happens after container start
   - For normal containers: Just leak the existing pipes created in
     prepare() instead of creating new ones

3. networking_slirp4netns.go (setupRootlessPortMappingViaRLK):
   - Check if pipes already exist before creating new ones
   - Always close the read end after spawning rootlessport process
   - Add debug logging to trace pipe lifecycle

4. networking_linux.go (configureNetNS):
   Add debug logging to help trace port forwarding setup

Testing:
- Port forwarding now works correctly for normal rootless containers
- rootlessport process successfully starts and listens on the socket
- Verified with: nc -w 1 127.0.0.1 <port> && echo "Connection successful"

Known issues not addressed by this commit:
- --userns=keep-id containers have pre-existing permission denied errors
  preventing any binary execution (exists on main branch)
- NetworkSettings.SandboxKey may be empty for PostConfigureNetNS
  containers due to cleanup timing

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
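
The sync-pipe lifecycle described in the two commit messages above, as an added example that is not part of this pull request or of Podman's code: the pipe is created before either child starts, the write end is leaked to a long-lived process through `ExtraFiles`, and the reader exits when that process dies. `sleep` stands in for conmon and `sh -c "cat <&3"` for rootlessport; both stand-ins and the function names are assumptions, and a POSIX system is required.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"time"
)

// exitedWithin reports whether done was closed before d elapsed.
func exitedWithin(done <-chan struct{}, d time.Duration) bool {
	select {
	case <-done:
		return true
	case <-time.After(d):
		return false
	}
}

// demo returns: watcher alive while the holder ran, watcher exited after it died.
func demo() (aliveBefore, exitedAfter bool, err error) {
	r, w, err := os.Pipe() // created before either child starts; both ends are close-on-exec
	if err != nil {
		return false, false, err
	}
	holder := exec.Command("sleep", "30") // conmon stand-in: inherits the write end as fd 3
	holder.ExtraFiles = []*os.File{w}
	watcher := exec.Command("sh", "-c", "cat <&3") // rootlessport stand-in: reads fd 3 until EOF
	watcher.ExtraFiles = []*os.File{r}
	if err = holder.Start(); err != nil {
		return false, false, err
	}
	defer holder.Wait()
	defer holder.Process.Kill()
	if err = watcher.Start(); err != nil {
		return false, false, err
	}
	// Parent drops its copies; if it kept w open the watcher would never see EOF.
	r.Close()
	w.Close()
	done := make(chan struct{})
	go func() { watcher.Wait(); close(done) }()
	aliveBefore = !exitedWithin(done, 300*time.Millisecond)
	holder.Process.Kill() // "conmon exits": the last open write end goes away
	exitedAfter = exitedWithin(done, 3*time.Second)
	return aliveBefore, exitedAfter, nil
}

func main() { fmt.Println(demo()) }
```

If the reader and the holder end up with descriptors from two different pipes, which is the failure the last commit message describes, the watcher's lifetime is no longer tied to the holder's.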

lsm5 commented Jan 5, 2026

obsoleted by #27828

@lsm5 lsm5 closed this Jan 5, 2026