
Allow combining sysctl network configurations and network=host when runtime=krun #25494

Open
karuboniru opened this issue Mar 6, 2025 · 6 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@karuboniru (Contributor) commented Mar 6, 2025

Feature request description

Currently podman rejects setting net.ipv4.ip_nonlocal_bind with network=host when --network=host

$ podman run --runtime=krun --network=host -it --rm --sysctl net.ipv4.ip_nonlocal_bind=1 fedora:41 
Error: sysctl net.ipv4.ip_nonlocal_bind=1 can't be set since Network Namespace set to host: invalid argument

The rejection is valid when considering the case of crun, as this would be equivalent to setting the sysctl in the host net namespace. However, in the case of krun, such a sysctl can be passed to the VM and set the flag in the VM.

I wanted the flag since in some tests when trying to run containers with krun, most programs try to bind to 0.0.0.0; the call can somehow be converted to binding to :: with AF_INET6, which leads to a failure to pass the listen to the host, as krun only supports forwarding AF_INET.

But if I bind to 127.0.0.1, it will make cross-container communication difficult as I have to do extra forwarding.

So with net.ipv4.ip_nonlocal_bind=1 I can specify a reasonable address to listen on (in a krun container the program only sees loopback, so binding to other addresses without the flag is impossible).

Suggest potential solution

Handle this case specially: don't do anything for the sysctl flag on the host side, but forward that information to the container, and the container's init can do the job (and take care of permission issues like containers/crun#1685).

Have you considered any alternatives?

Set the flag by default; I believe most people would be happy with the flag to enable a smoother transition to krun. Or grant AF_INET6 to libkrun so that we don't have to work around anything.

Additional context

With podman run --runtime=krun -it --rm --sysctl net.ipv4.ip_nonlocal_bind=1 fedora:41 it seems that the flag is set in the namespace in which the VM is created, which is also a strange design to me.

@karuboniru karuboniru added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 6, 2025
@Luap99 (Member) commented Mar 6, 2025

I think generally we don't have any runtime specific info in podman. So special casing krun seems undesirable.

@giuseppe Is this something the OCI runtime already handles and validates? I think we could in theory simply remove the check and let the runtime handle this.

@giuseppe (Member) commented Mar 7, 2025

Generally I am fine with dropping these checks when they duplicate the logic that is already in place in the OCI runtime.

On the other hand, isn't this just a side effect of --net=host having a different meaning with krun?

--net=host means "do not change the current network namespace" (and that is not doable/ignored by krun), and now we want to use the --sysctl mechanism to configure a different network namespace.

A cleaner approach, IMO, is to use OCI hooks to configure the new network namespace.

@karuboniru (Contributor, Author) commented:

> A cleaner approach, IMO, is to use OCI hooks to configure the new network namespace.

@giuseppe Just a question: how could I make such a hook? Should I write a hook that produces the JSON definition that changes the entrypoint to a bind-mounted executable which writes the sysctl and spawns the real payload?

@giuseppe (Member) commented:

Please take a look at the oci-seccomp-bpf-hook.

You'd need to add a binary that reads the OCI configuration and, when the OCI runtime is krun, performs the configuration you wish for the network namespace.
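To make the hook protocol concrete, here is an added example of a small OCI hook in Python; it is not code from podman, crun, krun or oci-seccomp-bpf-hook. An OCI runtime hook receives the container state (including `pid` and `bundle`) as JSON on stdin; the hook below loads `<bundle>/config.json`, collects `net.*` entries from `linux.sysctl` and from an assumed annotation key (`example.invalid/net-sysctls`, a placeholder and not a real podman or krun annotation; it exists so the values can reach the hook even when podman refuses `--sysctl` together with `--network=host`), validates the keys, then enters the container's network namespace with `os.setns` (Python 3.12+, needs CAP_SYS_ADMIN) and writes the values. It does not try to detect the runtime from config.json, which carries no runtime name; it assumes the hook is registered only for krun containers. As the rest of the thread notes, this configures the namespace the hook can see, not the guest kernel inside the krun VM.

```python
#!/usr/bin/env python3
"""Example OCI createRuntime hook: apply net.* sysctls inside the container's netns.

Added illustration, not project code.  Assumptions: the hook is only registered
for krun containers, and the annotation key below is a placeholder.
"""
import json
import os
import sys

NET_PREFIX = "net."
# Placeholder annotation key (assumed, not a podman/krun annotation).
ANNOTATION_KEY = "example.invalid/net-sysctls"


def read_state(text):
    """Parse the OCI state document the runtime writes to the hook's stdin."""
    state = json.loads(text)
    for field in ("pid", "bundle"):
        if field not in state:
            raise ValueError(f"OCI state missing required field {field!r}")
    return state


def validate_key(key):
    """Accept only dotted net.* keys made of [A-Za-z0-9_-] components.

    Interface names containing dots (written with '/' in sysctl) are out of scope.
    """
    if not key.startswith(NET_PREFIX):
        raise ValueError(f"not a network sysctl: {key!r}")
    parts = key.split(".")
    if any(not p or not all(c.isalnum() or c in "_-" for c in p) for p in parts):
        raise ValueError(f"refusing malformed sysctl key {key!r}")
    return key


def parse_annotation(value):
    """Parse 'k=v,k2=v2' from the annotation into a dict; empty string -> {}."""
    result = {}
    for item in filter(None, (p.strip() for p in value.split(","))):
        key, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"bad sysctl entry {item!r}")
        result[validate_key(key.strip())] = val.strip()
    return result


def collect_net_sysctls(config):
    """Return {key: value} for net.* sysctls requested via linux.sysctl or the annotation."""
    selected = {}
    for key, value in (config.get("linux", {}).get("sysctl") or {}).items():
        if key.startswith(NET_PREFIX):
            selected[validate_key(key)] = str(value)
    annotation = (config.get("annotations") or {}).get(ANNOTATION_KEY, "")
    selected.update(parse_annotation(annotation))
    return selected


def sysctl_path(key):
    """Map a dotted sysctl key to its /proc/sys file."""
    return "/proc/sys/" + key.replace(".", "/")


def apply_in_netns(pid, sysctls):
    """Enter the container's network namespace and write each value (needs root)."""
    with open(f"/proc/{pid}/ns/net") as ns:
        os.setns(ns.fileno(), os.CLONE_NEWNET)  # Python >= 3.12
    for key, value in sysctls.items():
        with open(sysctl_path(key), "w") as f:
            f.write(value)


def main():
    state = read_state(sys.stdin.read())
    with open(os.path.join(state["bundle"], "config.json")) as f:
        config = json.load(f)
    sysctls = collect_net_sysctls(config)
    if sysctls:
        apply_in_netns(state["pid"], sysctls)


if __name__ == "__main__":
    main()
```

The key validation matters because the hook runs as root and builds a path under `/proc/sys` from user-supplied input; rejecting anything but plain dotted components keeps the write confined to that tree.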

@karuboniru (Contributor, Author) commented:

But it is in the VM that I wanted to set the flag net.ipv4.ip_nonlocal_bind; will this still apply?

@giuseppe (Member) commented:

In that case we need some mechanism to pass this information to krun. I don't think it would work even if we drop the podman check.
