3 changes: 3 additions & 0 deletions .golangci.yml
Expand Up @@ -76,6 +76,9 @@ linters:
- path: _test\.go
linters:
- prealloc
- linters:
- unused
text: "(rootlessPortSyncR|rootlessPortSyncW)"

issues:
max-issues-per-linter: 0
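Review bot: the new `unused` exclusion for `(rootlessPortSyncR|rootlessPortSyncW)` silences the linter instead of acting on what it found. If those two symbols only existed for the slirp4netns port-handler path this PR removes, delete them together with the rest of the dead code rather than carrying a permanent lint exemption; if they have to stay, put a one-line comment next to the exclusion saying why, so the exemption can be dropped once the reason goes away.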
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -92,7 +92,7 @@ Podman uses OCI projects and best of breed libraries for different aspects:
- Runtime: We use the [OCI runtime tools](https://github.com/opencontainers/runtime-tools) to generate OCI runtime configurations that can be used with any OCI-compliant runtime, like [crun](https://github.com/containers/crun/) and [runc](https://github.com/opencontainers/runc/).
- Images: Image management uses the [containers/image](https://github.com/containers/image) library.
- Storage: Container and image storage is managed by [containers/storage](https://github.com/containers/storage).
- Networking: Networking support through use of [Netavark](https://github.com/containers/netavark) and [Aardvark](https://github.com/containers/aardvark-dns). Rootless networking is handled via [pasta](https://passt.top/passt) or [slirp4netns](https://github.com/rootless-containers/slirp4netns).
- Networking: Networking support through use of [Netavark](https://github.com/containers/netavark) and [Aardvark](https://github.com/containers/aardvark-dns). Rootless networking is handled via [pasta](https://passt.top/passt).
- Builds: Builds are supported via [Buildah](https://github.com/containers/buildah).
- Conmon: [Conmon](https://github.com/containers/conmon) is a tool for monitoring OCI runtimes, used by both Podman and CRI-O.
- Seccomp: A unified [Seccomp](https://github.com/containers/container-libs/blob/main/common/pkg/seccomp/seccomp.json) policy for Podman, Buildah, and CRI-O.
16 changes: 0 additions & 16 deletions cmd/podman/common/completion.go
Expand Up @@ -1329,26 +1329,10 @@ func AutocompleteNetworkFlag(cmd *cobra.Command, _ []string, toComplete string)
"none": nil,
"host": nil,
"private": nil,
"slirp4netns:": func(s string) ([]string, cobra.ShellCompDirective) {
skv := keyValueCompletion{
"allow_host_loopback=": getBoolCompletion,
"cidr=": nil,
"enable_ipv6=": getBoolCompletion,
"mtu=": nil,
"outbound_addr=": nil,
"outbound_addr6=": nil,
"port_handler=": func(_ string) ([]string, cobra.ShellCompDirective) {
return []string{"rootlesskit", "slirp4netns"}, cobra.ShellCompDirectiveNoFileComp
},
}
return completeKeyValues(s, skv)
},
}

networks, _ := getNetworks(cmd, toComplete, completeDefault)
suggestions, dir := completeKeyValues(toComplete, kv)
// add slirp4netns here it does not work correct if we add it to the kv map
suggestions = append(suggestions, "slirp4netns")
return append(networks, suggestions...), dir
}

2 changes: 1 addition & 1 deletion cmd/podman/system/service_abi_common.go
Expand Up @@ -2,7 +2,7 @@

package system

// Currently, we only need servicereaper on Linux to support slirp4netns.
// Currently, we only need servicereaper on Linux for rootless networking.
func maybeStartServiceReaper() {
}

2 changes: 1 addition & 1 deletion cmd/podman/system/service_abi_linux.go
Expand Up @@ -8,7 +8,7 @@ import (
"go.podman.io/common/pkg/servicereaper"
)

// Currently, we only need servicereaper on Linux to support slirp4netns.
// Currently, we only need servicereaper on Linux for rootless networking.
func maybeStartServiceReaper() {
servicereaper.Start()
}
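Review bot: the rewritten comment says less than the one it replaces. "to support slirp4netns" named the child process the reaper existed for; "for rootless networking" does not say which process now needs reaping, and `servicereaper.Start()` directly below runs unconditionally, rootful or not. Name the child process(es) the reaper is still kept for, so a future reader can tell when it has become unnecessary, and consider whether the call should be gated on rootless mode if that is really the only case it serves.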
2 changes: 1 addition & 1 deletion cmd/rootlessport/main.go
Expand Up @@ -229,7 +229,7 @@ outer:
unix.Dup2(int(f.Fd()), 2) //nolint:errcheck
f.Close()
}
// write and close ReadyFD (convention is same as slirp4netns --ready-fd)
// write and close ReadyFD to signal readiness
if _, err := readyW.Write([]byte("1")); err != nil {
return err
}
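Review bot: the new comment loses the protocol detail the old one carried. "write and close ReadyFD to signal readiness" no longer records that readiness is signalled by exactly one `"1"` byte, which is what `readyW.Write([]byte("1"))` still sends and what the reading side presumably still waits for. Keep that in the comment, e.g. `// write a single "1" byte to ReadyFD and close it; the parent waits on it to learn we are ready`, so the convention is still documented now that the slirp4netns `--ready-fd` reference is gone.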
1 change: 0 additions & 1 deletion contrib/cirrus/logcollector.sh
Expand Up @@ -47,7 +47,6 @@ case $1 in
passt
podman
skopeo
slirp4netns
)
case $OS_RELEASE_ID in
fedora)
23 changes: 6 additions & 17 deletions docs/source/markdown/options/network.image.md
Expand Up @@ -15,15 +15,6 @@ considered insecure.
- **ns:**_path_: path to a network namespace to join.
- **private**: create a new namespace for the container (default)
- **\<network name|ID\>**: Join the network with the given name or ID, e.g. use `--network mynet` to join the network with the name mynet. Only supported for rootful users.
- **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. It is possible to specify these additional options, they can also be set with `network_cmd_options` in containers.conf:
- **allow_host_loopback=true|false**: Allow slirp4netns to reach the host loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr subnet when changed, see the cidr option below). The default is false.
- **mtu=MTU**: Specify the MTU to use for this network. (Default is `65520`).
- **cidr=CIDR**: Specify ip range to use for this network. (Default is `10.0.2.0/24`).
- **enable_ipv6=true|false**: Enable IPv6. Default is true. (Required for `outbound_addr6`).
- **outbound_addr=INTERFACE**: Specify the outbound interface slirp binds to (ipv4 traffic only).
- **outbound_addr=IPv4**: Specify the outbound ipv4 address slirp binds to.
- **outbound_addr6=INTERFACE**: Specify the outbound interface slirp binds to (ipv6 traffic only).
- **outbound_addr6=IPv6**: Specify the outbound ipv6 address slirp binds to.
- **pasta[:OPTIONS,...]**: use **pasta**(1) to create a user-mode networking
stack. \
This is the default for rootless containers and only supported in rootless mode. \
Expand All @@ -48,14 +39,12 @@ considered insecure.
gateway address.
- **pasta:--mtu,1500**: Specify a 1500 bytes MTU for the _tap_ interface in
the container.
- **pasta:--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,-m,1500,--no-ndp,--no-dhcpv6,--no-dhcp**,
equivalent to default slirp4netns(1) options: disable IPv6, assign
`10.0.2.0/24` to the `tap0` interface in the container, with gateway
`10.0.2.3`, enable DNS forwarder reachable at `10.0.2.3`, set MTU to 1500
bytes, disable NDP, DHCPv6 and DHCP support.
- **pasta:-I,tap0,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp**,
equivalent to default slirp4netns(1) options with Podman overrides: same as
above, but leave the MTU to 65520 bytes
- **pasta:--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,-m,1500,--no-ndp,--no-dhcpv6,--no-dhcp**:
disable IPv6, assign `10.0.2.0/24` to the `tap0` interface in the container,
with gateway `10.0.2.3`, enable DNS forwarder reachable at `10.0.2.3`,
set MTU to 1500 bytes, disable NDP, DHCPv6 and DHCP support.
- **pasta:-I,tap0,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp**:
same as above, but leave the MTU to 65520 bytes
- **pasta:-t,auto,-u,auto,-T,auto,-U,auto**: enable automatic port forwarding
based on observed bound ports from both host and container sides
- **pasta:-T,5201**: enable forwarding of TCP port 5201 from container to
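Review bot: the rewritten description contradicts the option string it explains. Both examples pass `-g,10.0.2.2` and `--dns-forward,10.0.2.3`, so the gateway is `10.0.2.2` and the DNS forwarder is `10.0.2.3`, yet the prose says "with gateway `10.0.2.3`". The mismatch was inherited from the deleted text, but since this PR rewrites the sentence it is the right place to fix it. Also "leave the MTU to 65520 bytes" should read "leave the MTU at 65520 bytes".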
30 changes: 7 additions & 23 deletions docs/source/markdown/options/network.md
Expand Up @@ -31,21 +31,7 @@ Valid _mode_ values are:

- **ns:**_path_: Path to a network namespace to join.

- **private**: Create a new namespace for the container. This uses the **bridge** mode for rootful containers and **slirp4netns** for rootless ones.

- **slirp4netns[:OPTIONS,...]**: use **slirp4netns**(1) to create a user network stack. It is possible to specify these additional options, they can also be set with `network_cmd_options` in containers.conf:

- **allow_host_loopback=true|false**: Allow slirp4netns to reach the host loopback IP (default is 10.0.2.2 or the second IP from slirp4netns cidr subnet when changed, see the cidr option below). The default is false.
- **mtu=**_MTU_: Specify the MTU to use for this network. (Default is `65520`).
- **cidr=**_CIDR_: Specify ip range to use for this network. (Default is `10.0.2.0/24`).
- **enable_ipv6=true|false**: Enable IPv6. Default is true. (Required for `outbound_addr6`).
- **outbound_addr=**_INTERFACE_: Specify the outbound interface slirp binds to (ipv4 traffic only).
- **outbound_addr=**_IPv4_: Specify the outbound ipv4 address slirp binds to.
- **outbound_addr6=**_INTERFACE_: Specify the outbound interface slirp binds to (ipv6 traffic only).
- **outbound_addr6=**_IPv6_: Specify the outbound ipv6 address slirp binds to.
- **port_handler=rootlesskit**: Use rootlesskit for port forwarding. Default. \
Note: Rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace, usually `10.0.2.100`. If the application requires the real source IP address, e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for rootless containers when connected to user-defined networks.
- **port_handler=slirp4netns**: Use the slirp4netns port forwarding, it is slower than rootlesskit but preserves the correct source IP address. This port handler cannot be used for user-defined networks.
- **private**: Create a new namespace for the container. This uses the **bridge** mode for rootful containers and **pasta** for rootless ones.

- **pasta[:OPTIONS,...]**: use **pasta**(1) to create a user-mode networking
stack. \
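Review bot: deleting the `port_handler=` paragraphs also deletes the only place this page told users how a forwarded connection looks from inside the container (the old text explained that the rootlesskit handler rewrites the source address to one in the container namespace, usually `10.0.2.100`, and that this matters for web server logs). With pasta now the sole rootless mode, the pasta entry should state what source address a container sees on a published port, and the page should say whether the `network_cmd_options` key in containers.conf, which the removed text pointed at, still applies to anything.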
Expand Down Expand Up @@ -79,14 +65,12 @@ Valid _mode_ values are:
gateway address.
- **pasta:--mtu,1500**: Specify a 1500 bytes MTU for the _tap_ interface in
the container.
- **pasta:--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,-m,1500,--no-ndp,--no-dhcpv6,--no-dhcp**,
equivalent to default slirp4netns(1) options: disable IPv6, assign
`10.0.2.0/24` to the `tap0` interface in the container, with gateway
`10.0.2.3`, enable DNS forwarder reachable at `10.0.2.3`, set MTU to 1500
bytes, disable NDP, DHCPv6 and DHCP support.
- **pasta:-I,tap0,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp**,
equivalent to default slirp4netns(1) options with Podman overrides: same as
above, but leave the MTU to 65520 bytes
- **pasta:--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,-m,1500,--no-ndp,--no-dhcpv6,--no-dhcp**:
disable IPv6, assign `10.0.2.0/24` to the `tap0` interface in the container,
with gateway `10.0.2.3`, enable DNS forwarder reachable at `10.0.2.3`,
set MTU to 1500 bytes, disable NDP, DHCPv6 and DHCP support.
- **pasta:-I,tap0,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp**:
same as above, but leave the MTU to 65520 bytes
- **pasta:-t,auto,-u,auto,-T,auto,-U,auto**: enable automatic port forwarding
based on observed bound ports from both host and container sides
- **pasta:-T,5201**: enable forwarding of TCP port 5201 from container to
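Review bot: same gateway mismatch as in network.image.md: the options say `-g,10.0.2.2` but the prose under them says "with gateway `10.0.2.3`", which is actually the `--dns-forward` address. Change the prose to `10.0.2.2`, and "leave the MTU to" to "leave the MTU at".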
2 changes: 1 addition & 1 deletion docs/source/markdown/options/publish.md
Expand Up @@ -23,4 +23,4 @@ If it is not, the container port is randomly assigned a port on the host.
Use **podman port** to see the actual mapping: `podman port $CONTAINER $CONTAINERPORT`.

Port publishing is only supported for containers utilizing their own network namespace
through `bridge` networks, or the `pasta` and `slirp4netns` network modes.
through `bridge` networks, or the `pasta` network mode.
2 changes: 1 addition & 1 deletion docs/source/markdown/podman-container-inspect.1.md.in
Expand Up @@ -239,7 +239,7 @@ $ podman container inspect foobar
"Tag": "",
"Size": "0B"
},
"NetworkMode": "slirp4netns",
"NetworkMode": "pasta",
"PortBindings": {},
"RestartPolicy": {
"Name": "",
8 changes: 4 additions & 4 deletions docs/source/markdown/podman-create.1.md.in
Expand Up @@ -499,13 +499,13 @@ be installed. The shadow-utils package must include the newuidmap and newgidmap

In order for users to run rootless, there must be an entry for their username in /etc/subuid and /etc/subgid which lists the UIDs for their user namespace.

Rootless Podman works better if the fuse-overlayfs and slirp4netns packages are installed.
Rootless Podman works better if the fuse-overlayfs package is installed.

Member:
Not for this PR, but we should create an issue: this is just outdated; we no longer need fuse.

The fuse-overlayfs package provides a userspace overlay storage driver, otherwise users need to use
the vfs storage driver, which can be disk space expensive and less performant
than other drivers.

To enable VPN on the container, slirp4netns or pasta needs to be specified;
without either, containers need to be run with the --network=host flag.
To enable VPN on the container, pasta networking is used by default;
otherwise, containers need to be run with the --network=host flag.
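Review bot: the rewritten VPN sentence is ambiguous. "pasta networking is used by default; otherwise, containers need to be run with the --network=host flag" leaves "otherwise" without a clear antecedent (otherwise than the default? than pasta being installed?). The deleted text was explicit that a rootless network mode had to be in use. Suggested wording: "Rootless containers reach a VPN on the host through the default pasta networking; if pasta is not available, containers need to be run with the --network=host flag."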

## ENVIRONMENT

Expand Down Expand Up @@ -554,7 +554,7 @@ page.
NOTE: Use the environment variable `TMPDIR` to change the temporary storage location of downloaded container images. Podman defaults to use `/var/tmp`.

## SEE ALSO
**[podman(1)](podman.1.md)**, **[podman-save(1)](podman-save.1.md)**, **[podman-ps(1)](podman-ps.1.md)**, **[podman-attach(1)](podman-attach.1.md)**, **[podman-pod-create(1)](podman-pod-create.1.md)**, **[podman-port(1)](podman-port.1.md)**, **[podman-start(1)](podman-start.1.md)**, **[podman-kill(1)](podman-kill.1.md)**, **[podman-stop(1)](podman-stop.1.md)**, **[podman-generate-systemd(1)](podman-generate-systemd.1.md)**, **[podman-rm(1)](podman-rm.1.md)**, **[subgid(5)](https://www.unix.com/man-page/linux/5/subgid)**, **[subuid(5)](https://www.unix.com/man-page/linux/5/subuid)**, **[containers.conf(5)](https://github.com/containers/container-libs/blob/main/common/docs/containers.conf.5.md)**, **[podman-systemd.unit(5)](podman-systemd.unit.5.md)**, **[setsebool(8)](https://man7.org/linux/man-pages/man8/setsebool.8.html)**, **[slirp4netns(1)](https://github.com/rootless-containers/slirp4netns/blob/master/slirp4netns.1.md)**, **[pasta(1)](https://passt.top/builds/latest/web/passt.1.html)**, **[fuse-overlayfs(1)](https://github.com/containers/fuse-overlayfs/blob/main/fuse-overlayfs.1.md)**, **proc(5)**, **[conmon(8)](https://github.com/containers/conmon/blob/main/docs/conmon.8.md)**, **personality(2)**
**[podman(1)](podman.1.md)**, **[podman-save(1)](podman-save.1.md)**, **[podman-ps(1)](podman-ps.1.md)**, **[podman-attach(1)](podman-attach.1.md)**, **[podman-pod-create(1)](podman-pod-create.1.md)**, **[podman-port(1)](podman-port.1.md)**, **[podman-start(1)](podman-start.1.md)**, **[podman-kill(1)](podman-kill.1.md)**, **[podman-stop(1)](podman-stop.1.md)**, **[podman-generate-systemd(1)](podman-generate-systemd.1.md)**, **[podman-rm(1)](podman-rm.1.md)**, **[subgid(5)](https://www.unix.com/man-page/linux/5/subgid)**, **[subuid(5)](https://www.unix.com/man-page/linux/5/subuid)**, **[containers.conf(5)](https://github.com/containers/container-libs/blob/main/common/docs/containers.conf.5.md)**, **[podman-systemd.unit(5)](podman-systemd.unit.5.md)**, **[setsebool(8)](https://man7.org/linux/man-pages/man8/setsebool.8.html)**, **[pasta(1)](https://passt.top/builds/latest/web/passt.1.html)**, **[fuse-overlayfs(1)](https://github.com/containers/fuse-overlayfs/blob/main/fuse-overlayfs.1.md)**, **proc(5)**, **[conmon(8)](https://github.com/containers/conmon/blob/main/docs/conmon.8.md)**, **personality(2)**

### Troubleshooting

4 changes: 2 additions & 2 deletions docs/source/markdown/podman-generate-spec.1.md
Expand Up @@ -86,7 +86,7 @@ $ podman generate spec container1
"nsmode": "default"
},
"netns": {
"nsmode": "slirp4netns"
"nsmode": "pasta"
},
"Networks": null,
"use_image_hosts": false,
Expand Down Expand Up @@ -161,7 +161,7 @@ $ cat output.json
"nsmode": "default"
},
"netns": {
"nsmode": "slirp4netns"
"nsmode": "pasta"
},
"Networks": null,
"use_image_hosts": false,
14 changes: 0 additions & 14 deletions docs/source/markdown/podman-info.1.md
Expand Up @@ -115,15 +115,6 @@ host:
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: false
slirp4netns:
executable: /bin/slirp4netns
package: slirp4netns-1.1.12-2.fc34.x86_64
version: |-
slirp4netns version 1.1.12
commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
libslirp: 4.4.0
SLIRP_CONFIG_VERSION_MAX: 3
libseccomp: 2.5.0
swapFree: 15687475200
swapTotal: 16886259712
uptime: 47h 15m 9.91s (Approximately 1.96 days)
Expand Down Expand Up @@ -258,11 +249,6 @@ $ podman info --format json
"seccompProfilePath": "/usr/share/containers/seccomp.json",
"selinuxEnabled": true
},
"slirp4netns": {
"executable": "/bin/slirp4netns",
"package": "slirp4netns-1.1.12-2.fc34.x86_64",
"version": "slirp4netns version 1.1.12\ncommit: 7a104a101aa3278a2152351a082a6df71f57c9a3\nlibslirp: 4.4.0\nSLIRP_CONFIG_VERSION_MAX: 3\nlibseccomp: 2.5.0"
},
"pasta": {
"executable": "/usr/bin/passt",
"package": "passt-0^20221116.gace074c-1.fc34.x86_64",
5 changes: 1 addition & 4 deletions docs/source/markdown/podman-network.1.md
Expand Up @@ -35,10 +35,7 @@ The default bridge network (called `podman`) uses 10.88.0.0/16 as a subnet. When
### Pasta
Pasta by default performs no Network Address Translation (NAT) and copies the IPs from your main interface into the container namespace. If pasta cannot find an interface with the default route, it will select an interface if there is only one interface with a valid route. If you do not have a default route and several interfaces have defined routes, pasta will be unable to figure out the correct interface and it will fail to start. To specify the interface, use `-i` option to pasta. A default set of pasta options can be set in **[containers.conf(5)](https://github.com/containers/container-libs/blob/main/common/docs/containers.conf.5.md)** under the `[network]` section with the `pasta_options` key.

The default rootless networking tool can be selected in **[containers.conf(5)](https://github.com/containers/container-libs/blob/main/common/docs/containers.conf.5.md)** under the `[network]` section with `default_rootless_network_cmd`, which can be set to `pasta` (default) or `slirp4netns`.

### Slirp4netns
Slirp4netns uses 10.0.2.0/24 for its default network. This can also be changed in **[containers.conf(5)](https://github.com/containers/container-libs/blob/main/common/docs/containers.conf.5.md)** but under the `[engine]` section. Use the `network_cmd_options` key and add `["cidr=X.X.X.X/24"]` as a value. Note that slirp4netns needs a network prefix size between 1 and 25. This option accepts an array, so more options can be added in a comma-separated string as described on the **[podman-network-create(1)](podman-network-create.1.md)** man page. To change the CIDR for just one container, specify it on the cli using the `--network` option like this: `--network slirp4netns:cidr=192.168.1.0/24`.
Pasta is the default rootless networking tool.

### Podman network create
When a new network is created with a `podman network create` command, and no subnet is given with the --subnet option, Podman starts picking a free subnet from 10.89.0.0/24 to 10.255.255.0/24. Use the `default_subnet_pools` option under the `[network]` section in **[containers.conf(5)](https://github.com/containers/container-libs/blob/main/common/docs/containers.conf.5.md)** to change the range and/or size that is assigned by default.
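Review bot: "Pasta is the default rootless networking tool." replaces the sentence that documented the `default_rootless_network_cmd` key under `[network]` in containers.conf, and the deleted Slirp4netns section was the page's only mention of `network_cmd_options` under `[engine]`. If those keys still exist after this PR, say so here (even if only that `default_rootless_network_cmd` now accepts `pasta` alone, or that `network_cmd_options` no longer has an effect); if they were removed, this hunk is fine but the linked containers.conf(5) documentation in container-libs needs the matching change.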
5 changes: 0 additions & 5 deletions docs/source/markdown/podman-pod-create.1.md.in
Expand Up @@ -212,11 +212,6 @@ Create a pod with published ports on the host.
$ podman pod create --publish 8443:443
```

Create a pod with the specified network configuration.
```
$ podman pod create --network slirp4netns:outbound_addr=127.0.0.1,allow_host_loopback=true
```

Create a pod with the specified network.
```
$ podman pod create --network pasta