Skip to content

Commit 054c65c

Browse files
committed
Document pasta forwarding mode for rootless bridge networks
Signed-off-by: Jan Rodák <hony.com@seznam.cz>
1 parent 53b6b58 commit 054c65c

5 files changed

Lines changed: 21 additions & 0 deletions

File tree

docs/source/markdown/options/network.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,8 @@ Valid _mode_ values are:
3535

3636
Any other options will be passed through to netavark without validation. This can be useful to pass arguments to netavark plugins.
3737

38+
For rootless bridge networks, port forwarding uses `rootlessport` by default. Setting `rootless_port_forwarder="pasta"` in the `[network]` section of **[containers.conf(5)](https://github.com/containers/container-libs/blob/main/common/docs/containers.conf.5.md)** switches to pasta's kernel-level forwarding (via `pesto`), which preserves the original client source IP address inside the container. This option is experimental and its behavior is subject to change.
39+
3840
For example, to set a static IPv4 address and a static mac address, use `--network bridge:ip=10.88.0.10,mac=44:33:22:11:00:99`.
3941

4042
- _\<network name or ID\>_**[:OPTIONS,...]**: Connect to a user-defined network; this is the network name or ID from a network created by **[podman network create](podman-network-create.1.md)**. It is possible to specify the same options described under the bridge mode above. Use the **--network** option multiple times to specify additional networks. \

docs/source/markdown/options/publish.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,3 +28,11 @@ Use **podman port** to see the actual mapping: `podman port $CONTAINER $CONTAINE
2828

2929
Port publishing is only supported for containers utilizing their own network namespace
3030
through `bridge` networks, or the `pasta` network mode.
31+
32+
For rootless bridge networks, port forwarding uses `rootlessport` by default, which
33+
is a userspace proxy that does not preserve client source IPs. Setting
34+
`rootless_port_forwarder="pasta"` in the `[network]` section of
35+
**[containers.conf(5)](https://github.com/containers/container-libs/blob/main/common/docs/containers.conf.5.md)**
36+
switches to pasta's kernel-level forwarding via `pesto`, preserving the original
37+
client IP address inside the container. This option is experimental and its
38+
behavior is subject to change.

docs/source/markdown/podman-info.1.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -96,6 +96,7 @@ host:
9696
spec: 1.0.0
9797
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
9898
os: linux
99+
rootlessPortForwarder: rootlessport
99100
pasta:
100101
executable: /usr/bin/passt
101102
package: passt-0^20221116.gace074c-1.fc34.x86_64
@@ -237,6 +238,7 @@ $ podman info --format json
237238
"version": "crun version 1.0\ncommit: 139dc6971e2f1d931af520188763e984d6cdfbf8\nspec: 1.0.0\n+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL"
238239
},
239240
"os": "linux",
241+
"rootlessPortForwarder": "rootlessport",
240242
"remoteSocket": {
241243
"path": "/run/user/3267/podman/podman.sock"
242244
},

docs/tutorials/basic_networking.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -80,6 +80,14 @@ The user experience of rootless netavark is very akin to a rootful netavark, exc
8080
there is no default network configuration provided. You simply need to create a
8181
network, and the one will be created as a bridge network.
8282

83+
By default, rootless bridge networks use `rootlessport` for port forwarding, which
84+
is a userspace proxy that does not preserve client source IPs. To preserve source
85+
IPs, set `rootless_port_forwarder="pasta"` in the `[network]` section of
86+
`containers.conf`. This uses `pesto` to configure pasta's kernel-level forwarding,
87+
so containers see the real client IP address instead of the bridge gateway.
88+
This option is experimental and its behavior is subject to change.
89+
It requires a version of passt (`>= passt-0^20260507.g1afd4ed`) that ships the `pesto` binary.
90+
8391
```
8492
$ podman network create
8593
```

rootless.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ The following list categorizes the known issues and irregularities with running
88
* A proxy server, kernel firewall rule, or redirection tool such as [redir](https://github.com/troglobit/redir) may be used to redirect traffic from a privileged port to an unprivileged one (where a podman pod is bound) in a server scenario - where a user has access to the root account (or setuid on the binary would be an acceptable risk), but wants to run the containers as an unprivileged user for enhanced security and for a limited number of pre-known ports.
99
* As of Podman 5.0, pasta is the default networking tool. Since pasta copies the IP address of the main interface, connections to that IP from containers do not work. This means that unless you have more than one interface, inter-container connections cannot be made without explicitly passing a pasta network configuration, either in `containers.conf` or at runtime.
1010
* If you previously had port forwards (ex. via `-p 80:80`) that other containers could access, you can use the solution (setting pasta options with `10.0.2.x` IPs) posted [here](https://blog.podman.io/2024/03/podman-5-0-breaking-changes-in-detail/).
11+
* Rootless bridge networks use `rootlessport` for port forwarding by default, which is a userspace proxy that does not preserve client source IPs. Setting `rootless_port_forwarder="pasta"` in the `[network]` section of `containers.conf` switches to pasta's kernel-level forwarding (via `pesto`), preserving the original client IP. This option is experimental and its behavior is subject to change. It requires a version of passt (`>= passt-0^20260507.g1afd4ed`) that ships the `pesto` binary.
1112
* If /etc/subuid and /etc/subgid are not set up for a user, then podman commands
1213
can easily fail
1314
* Some identity providers (e.g. FreeIPA) have integrated subuid/subgid support, but many have not.

0 commit comments

Comments
 (0)