containers · lsm5 · Dec 25, 2025 · Dec 25, 2025 · Dec 25, 2025 · Dec 25, 2025
diff --git a/cmd/podman/common/completion.go b/cmd/podman/common/completion.go
@@ -1768,13 +1768,6 @@ func AutocompleteEventBackend(_ *cobra.Command, _ []string, _ string) ([]string,
 	return types, cobra.ShellCompDirectiveNoFileComp
 }
 
-// AutocompleteNetworkBackend - Autocomplete network backend options.
-// -> "cni", "netavark"
-func AutocompleteNetworkBackend(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
-	types := []string{string(types.CNI), string(types.Netavark)}
-	return types, cobra.ShellCompDirectiveNoFileComp
-}
-
 // AutocompleteLogLevel - Autocomplete log level options.
 // -> "trace", "debug", "info", "warn", "error", "fatal", "panic"
 func AutocompleteLogLevel(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {

diff --git a/cmd/podman/root.go b/cmd/podman/root.go
@@ -607,11 +607,6 @@ func rootFlags(cmd *cobra.Command, podmanConfig *entities.PodmanConfig) {
 		_ = cmd.RegisterFlagCompletionFunc(namespaceFlagName, completion.AutocompleteNone)
 		_ = pFlags.MarkHidden(namespaceFlagName)
 
-		networkBackendFlagName := "network-backend"
-		pFlags.StringVar(&podmanConfig.ContainersConf.Network.NetworkBackend, networkBackendFlagName, podmanConfig.ContainersConfDefaultsRO.Network.NetworkBackend, `Network backend to use ("cni"|"netavark")`)
-		_ = cmd.RegisterFlagCompletionFunc(networkBackendFlagName, common.AutocompleteNetworkBackend)
-		_ = pFlags.MarkHidden(networkBackendFlagName)
-
 		rootFlagName := "root"
 		pFlags.StringVar(&podmanConfig.GraphRoot, rootFlagName, "", "Path to the graph root directory where images, containers, etc. are stored")
 		_ = cmd.RegisterFlagCompletionFunc(rootFlagName, completion.AutocompleteDefault)

diff --git a/cmd/podman/system/unshare.go b/cmd/podman/system/unshare.go
@@ -9,7 +9,6 @@ import (
 	"github.com/containers/podman/v6/pkg/domain/entities"
 	"github.com/containers/podman/v6/pkg/rootless"
 	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
 	"go.podman.io/common/pkg/completion"
 )
 
@@ -35,14 +34,7 @@ func init() {
 	})
 	flags := unshareCommand.Flags()
 	flags.SetInterspersed(false)
-	flags.BoolVar(&unshareOptions.RootlessNetNS, "rootless-netns", false, "Join the rootless network namespace used for CNI and netavark networking")
-	// backwards compat still allow --rootless-cni
-	flags.SetNormalizeFunc(func(_ *pflag.FlagSet, name string) pflag.NormalizedName {
-		if name == "rootless-cni" {
-			name = "rootless-netns"
-		}
-		return pflag.NormalizedName(name)
-	})
+	flags.BoolVar(&unshareOptions.RootlessNetNS, "rootless-netns", false, "Join the rootless network namespace used for netavark networking")
 }
 
 func unshare(_ *cobra.Command, args []string) error {

diff --git a/docs/source/markdown/options/network-alias.md b/docs/source/markdown/options/network-alias.md
@@ -8,5 +8,3 @@ Add a network-scoped alias for the <<container|pod>>, setting the alias for all
 name only for a specific network, use the alias option as described under the **--network** option.
 If the network has DNS enabled (`podman network inspect -f {{.DNSEnabled}} <name>`),
 these aliases can be used for name resolution on the given network. This option can be specified multiple times.
-NOTE: When using CNI a <<container|pod>> only has access to aliases on the first network that it joins. This limitation does
-not exist with netavark/aardvark-dns.
diff --git a/docs/source/markdown/podman-info.1.md b/docs/source/markdown/podman-info.1.md
@@ -76,20 +76,16 @@ host:
   logDriver: journald
   memFree: 1833385984
   memTotal: 16401895424
-  networkBackend: cni
+  networkBackend: netavark
   networkBackendInfo:
-    backend: cni
+    backend: netavark
     dns:
-      package: podman-plugins-3.4.4-1.fc34.x86_64
-      path: /usr/libexec/cni/dnsname
-      version: |-
-        CNI dnsname plugin
-        version: 1.3.1
-        commit: unknown
-    package: |-
-      containernetworking-plugins-1.0.1-1.fc34.x86_64
-      podman-plugins-3.4.4-1.fc34.x86_64
-    path: /usr/libexec/cni
+      package: aardvark-dns-1.0.1-1.fc34.x86_64
+      path: /usr/libexec/podman/aardvark-dns
+      version: aardvark-dns 1.0.1
+    package: netavark-1.0.1-1.fc34.x86_64
+    path: /usr/libexec/podman/netavark
+    version: netavark 1.0.1
   ociRuntime:
     name: crun
     package: crun-1.0-1.fc34.x86_64
@@ -232,15 +228,16 @@ $ podman info --format json
     "logDriver": "journald",
     "memFree": 1785753600,
     "memTotal": 16401895424,
-    "networkBackend": "cni",
+    "networkBackend": "netavark",
     "networkBackendInfo": {
-      "backend": "cni",
-      "package": "containernetworking-plugins-1.0.1-1.fc34.x86_64\npodman-plugins-3.4.4-1.fc34.x86_64",
-      "path": "/usr/libexec/cni",
+      "backend": "netavark",
+      "package": "netavark-1.0.1-1.fc34.x86_64",
+      "path": "/usr/libexec/podman/netavark",
+      "version": "netavark 1.0.1",
       "dns": {
-        "version": "CNI dnsname plugin\nversion: 1.3.1\ncommit: unknown",
-        "package": "podman-plugins-3.4.4-1.fc34.x86_64",
-        "path": "/usr/libexec/cni/dnsname"
+        "version": "aardvark-dns 1.0.1",
+        "package": "aardvark-dns-1.0.1-1.fc34.x86_64",
+        "path": "/usr/libexec/podman/aardvark-dns"
       }
     },
     "ociRuntime": {

diff --git a/docs/source/markdown/podman-network-connect.1.md b/docs/source/markdown/podman-network-connect.1.md
@@ -14,8 +14,6 @@ Once connected, the container can communicate with other containers in the same
 #### **--alias**=*name*
 Add network-scoped alias for the container. If the network has DNS enabled (`podman network inspect -f {{.DNSEnabled}} <NAME>`),
 these aliases can be used for name resolution on the given network.  Multiple *--alias* options may be specified as input.
-NOTE: When using CNI, a container only has access to aliases on the first network that it joins. This limitation does
-not exist with netavark/aardvark-dns.
 
 #### **--ip**=*address*
 Set a static ipv4 address for this container on this network.

diff --git a/docs/source/markdown/podman-network-create.1.md b/docs/source/markdown/podman-network-create.1.md
@@ -62,8 +62,7 @@ For `macvlan` and `ipvlan`, it is the parent device on the host. It is the same
 
 #### **--internal**
 
-Restrict external access of this network when using a `bridge` network. Note when using the CNI backend
-DNS will be automatically disabled, see **--disable-dns**.
+Restrict external access of this network when using a `bridge` network.
 
 When using the `macvlan` or `ipvlan` driver with this option no default route will be added to the container.
 Because it bypasses the host network stack no additional restrictions can be set by podman and if a
@@ -92,9 +91,8 @@ ipam driver automatically based on the network driver.
 
 Valid values are:
 
- - `dhcp`: IP addresses are assigned from a dhcp server on the network. When using the netavark backend
-  the `netavark-dhcp-proxy.socket` must be enabled in order to start the dhcp-proxy when a container is
-  started, for CNI use the `cni-dhcp.socket` unit instead.
+ - `dhcp`: IP addresses are assigned from a dhcp server on the network. The `netavark-dhcp-proxy.socket`
+  must be enabled in order to start the dhcp-proxy when a container is started.
  - `host-local`: IP addresses are assigned locally.
  - `none`: No ip addresses are assigned to the interfaces.
 

diff --git a/docs/source/markdown/podman-network.1.md b/docs/source/markdown/podman-network.1.md
@@ -9,16 +9,7 @@ podman\-network - Manage Podman networks
 ## DESCRIPTION
 The network command manages networks for Podman.
 
-Podman supports two network backends [Netavark](https://github.com/containers/netavark)
-and [CNI](https://www.cni.dev/). Netavark is the default network backend and was added in Podman version 4.0.
-CNI is deprecated and will be removed in the next major Podman version 5.0, in preference of Netavark.
-To configure the network backend use the `network_backend` key under the `[Network]` in
-**[containers.conf(5)](https://github.com/containers/common/blob/main/docs/containers.conf.5.md)**.
-New systems use netavark by default, to check what backend is used run
-`podman info --format {{.Host.NetworkBackend}}`.
-
-All network commands work for both backends but CNI and Netavark use different config files
-so networks have to be created again after a backend change.
+Podman uses [Netavark](https://github.com/containers/netavark) as the network backend.
 
 ## COMMANDS
 

diff --git a/docs/source/markdown/podman.1.md b/docs/source/markdown/podman.1.md
@@ -107,11 +107,8 @@ Further note that the flag is a root-level flag and must be specified before any
 #### **--network-config-dir**=*directory*
 
 Path to the directory where network configuration files are located.
-For the netavark backend "/etc/containers/networks" is used as root
+The default is "/etc/containers/networks" as root
 and "$graphroot/networks" as rootless.
-For the CNI backend the default is "/etc/cni/net.d" as root
-and "$HOME/.config/cni/net.d" as rootless.
-CNI is deprecated and will be removed in the next major Podman version 5.0 in preference of Netavark.
 
 #### **--out**=*path*
 Redirect the output of podman to the specified path without affecting the container output or its logs. This parameter can be used to capture the output from any of podman's commands directly into a file and enable suppression of podman's output by specifying /dev/null as the path. To explicitly disable the container logging, the **--log-driver** option should be used.

diff --git a/docs/tutorials/basic_networking.md b/docs/tutorials/basic_networking.md
@@ -82,9 +82,7 @@ As mentioned earlier, slirp4netns is the default network configuration for rootl
 users.  But as of Podman version 4.0, rootless users can also use netavark.
 The user experience of rootless netavark is very akin to a rootful netavark, except that
 there is no default network configuration provided.  You simply need to create a
-network, and the one will be created as a bridge network. If you would like to switch from
-CNI networking to netavark, you must issue the `podman system reset --force` command.
-This will delete all of your images, containers, and custom networks.
+network, and the one will be created as a bridge network.
 
 ```
 $ podman network create
@@ -185,17 +183,10 @@ The next step is to ensure that the DHCP service is running. This handles
 the DHCP leases from the network. If DHCP is not needed, the `--subnet` option
 can be used to assign a static subnet in the `network create` command above.
 
-CNI and netavark both use their own DHCP service; therefore, you need to know
-what backend you are using. To see what you are using, run this command:
-```
-$ sudo podman info --format {{.Host.NetworkBackend}}
-```
-If this command does not work, you are using an older version prior to Podman
-v4.0 which means you are using CNI.
-If the netavark backend is used, at least Podman v4.5 with netavark v1.6 is
-required to use DHCP.
+Podman uses netavark for networking, which requires netavark v1.6 or later with Podman v4.5+
+to use DHCP.
 
-For netavark use:
+To enable DHCP with netavark:
 ```
 $ sudo systemctl enable --now netavark-dhcp-proxy.socket
 ```
@@ -204,16 +195,6 @@ Or if the system doesn't use systemd, start the daemon manually:
 $ /usr/libexec/podman/netavark dhcp-proxy --activity-timeout 0
 ```
 
-With CNI use:
-```
-$ sudo systemctl enable --now cni-dhcp.socket
-```
-Or if the system doesn't use systemd, start the daemon manually:
-```
-$ sudo /usr/libexec/cni/dhcp daemon
-```
-Note that depending on the distribution, the binary location may differ.
-
 Now run the container and be certain to attach it to the network we created earlier.
 ```
 $ sudo podman run -d --name webserver --network webnetwork quay.io/libpod/banner

diff --git a/libpod/container.go b/libpod/container.go
@@ -217,8 +217,8 @@ type ContainerState struct {
 	// and not delegated to the OCI runtime.
 	ExtensionStageHooks map[string][]spec.Hook `json:"extensionStageHooks,omitempty"`
 
-	// NetInterfaceDescriptions describe the relationship between a CNI
-	// network and an interface names
+	// NetInterfaceDescriptions describe the relationship between a
+	// network and an interface name
 	NetInterfaceDescriptions ContainerNetworkDescriptions `json:"networkDescriptions,omitempty"`
 
 	// Service indicates that container is the service container of a
@@ -323,7 +323,7 @@ type ContainerSecret struct {
 	Target string
 }
 
-// ContainerNetworkDescriptions describes the relationship between the CNI
+// ContainerNetworkDescriptions describes the relationship between the
 // network and the ethN where N is an integer
 type ContainerNetworkDescriptions map[string]int
 

diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
@@ -2203,7 +2203,6 @@ func (c *Container) addResolvConf() error {
 
 	ipv6 := c.checkForIPv6(netStatus)
 
-	networkBackend := c.runtime.config.Network.NetworkBackend
 	nameservers := make([]string, 0, len(c.runtime.config.Containers.DNSServers.Get())+len(c.config.DNSServer))
 
 	// If NetworkBackend is `netavark` do not populate `/etc/resolv.conf`
@@ -2213,7 +2212,7 @@ func (c *Container) addResolvConf() error {
 
 	// Exception: Populate `/etc/resolv.conf` if container is not connected to any network
 	// with dns enabled then we do not get any nameservers back.
-	if networkBackend != string(types.Netavark) || len(networkNameServers) == 0 {
+	if len(networkNameServers) == 0 {
 		nameservers = append(nameservers, c.runtime.config.Containers.DNSServers.Get()...)
 		for _, ip := range c.config.DNSServer {
 			nameservers = append(nameservers, ip.String())
@@ -2222,9 +2221,9 @@ func (c *Container) addResolvConf() error {
 	// If the user provided dns, it trumps all; then dns masq; then resolv.conf
 	keepHostServers := false
 	if len(nameservers) == 0 {
-		// when no network name servers or not netavark use host servers
+		// when no network name servers use host servers
 		// for aardvark dns we only want our single server in there
-		if len(networkNameServers) == 0 || networkBackend != string(types.Netavark) {
+		if len(networkNameServers) == 0 {
 			keepHostServers = true
 		}
 		if len(networkNameServers) > 0 {

diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go
@@ -384,8 +384,8 @@ type InspectContainerHostConfig struct {
 	// NetworkMode is the configuration of the container's network
 	// namespace.
 	// Populated as follows:
-	// default - A network namespace is being created and configured via CNI
-	// none - A network namespace is being created, not configured via CNI
+	// default - A network namespace is being created and configured
+	// none - A network namespace is being created, not configured
 	// host - No network namespace created
 	// container:<id> - Using another container's network namespace
 	// ns:<path> - A path to a network namespace has been specified
@@ -703,8 +703,8 @@ type InspectBasicNetworkConfig struct {
 	// MacAddress is the MAC address for the interface in this network.
 	MacAddress string `json:"MacAddress"`
 	// AdditionalMacAddresses is a set of additional MAC Addresses beyond
-	// the first. CNI may configure more than one interface for a single
-	// network, which can cause this.
+	// the first. The network backend may configure more than one interface
+	// for a single network, which can cause this.
 	AdditionalMacAddresses []string `json:"AdditionalMACAddresses,omitempty"`
 }