Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Can't run any container on Debian 10 without being root.
Steps to reproduce the issue:
Describe the results you received:
Error: /usr/bin/slirp4netns failed: "sent tapfd=7 for tap0\nWARNING: Support for seccomp is experimental\nreceived tapfd=7\nenable_seccomp failed\ndo_slirp is exiting\ndo_slirp failed\nparent failed\nWARNING: Support for seccomp is experimental\nStarting slirp\n* MTU: 65520\n* Network: 10.0.2.0\n* Netmask: 255.255.255.0\n* Gateway: 10.0.2.2\n* DNS: 10.0.2.3\n* Recommended IP: 10.0.2.100\nseccomp: The following syscalls will be blocked by seccomp:"
Describe the results you expected:
I'm expecting the same results as when I run it as root:
(this is a brief output of the container)
Hello from Docker!
This message shows that your installation appears to be working correctly.
Additional information you deem important (e.g. issue happens only occasionally):
slirp4netns --version
slirp4netns version 1.0.0
commit: unknown
libslirp: 4.2.0
Output of podman version:
podman version
Version: 2.0.2
API Version: 1
Go Version: go1.14
Built: Thu Jan 1 00:00:00 1970
OS/Arch: linux/amd64
Output of podman info --debug:
host:
arch: amd64
buildahVersion: 1.15.0
cgroupVersion: v1
conmon:
package: 'conmon: /usr/libexec/podman/conmon'
path: /usr/libexec/podman/conmon
version: 'conmon version 2.0.18, commit: '
cpus: 2
distribution:
distribution: debian
version: "10"
eventLogger: file
hostname: buster
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
uidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
kernel: 4.19.0-9-amd64
linkmode: dynamic
memFree: 27004928
memTotal: 506650624
ociRuntime:
name: runc
package: 'runc: /usr/sbin/runc'
path: /usr/sbin/runc
version: |-
runc version 1.0.0~rc6+dfsg1
commit: 1.0.0~rc6+dfsg1-3
spec: 1.0.1
os: linux
remoteSocket:
path: /run/user/1000/podman/podman.sock
rootless: true
slirp4netns:
executable: /usr/bin/slirp4netns
package: 'slirp4netns: /usr/bin/slirp4netns'
version: |-
slirp4netns version 1.0.0
commit: unknown
libslirp: 4.2.0
swapFree: 1069793280
swapTotal: 1070592000
uptime: 30m 18.39s
registries:
search:
- docker.io
- quay.io
store:
configFile: /home/vagrant/.config/containers/storage.conf
containerStore:
number: 4
paused: 0
running: 0
stopped: 4
graphDriverName: vfs
graphOptions: {}
graphRoot: /home/vagrant/.local/share/containers/storage
graphStatus: {}
imageStore:
number: 2
runRoot: /run/user/1000/containers
volumePath: /home/vagrant/.local/share/containers/storage/volumes
version:
APIVersion: 1
Built: 0
BuiltTime: Thu Jan 1 00:00:00 1970
GitCommit: ""
GoVersion: go1.14
OsArch: linux/amd64
Version: 2.0.2
Package info (e.g. output of rpm -q podman or apt list podman):
Listing... Done
podman/unknown,now 2.0.2~2 amd64 [installed]
podman/unknown 2.0.2~2 arm64
podman/unknown 2.0.2~2 armhf
podman/unknown 2.0.2~2 ppc64el
Additional environment details (AWS, VirtualBox, physical, etc.):
It's a Vagrant Box:
vagrant init debian/buster64
vagrant up
I followed the official install instruction for Debian 10.
I believe your slirp4netns is outdated. Can you provide the package for it?
vagrant@buster:~$ slirp4netns --version
slirp4netns version 1.0.0
commit: unknown
libslirp: 4.2.0
vagrant@buster:~$ sudo slirp4netns --version
slirp4netns version 1.0.0
commit: unknown
libslirp: 4.2.0
Checking on Debian official Package site, this is the official version for buster: https://packages.debian.org/buster/slirp4netns
see #6922
Debian package will likely remain out of date. I'll try installing slirp4netns from upstream
It worked when compiling the last version of slirp4netns from here: https://github.com/rootless-containers/slirp4netns
I'll close the ticket since there is a solution and has nothing to do with Podman directly, it's more an issue of the Debian package being outdated.
I'm having the same issue. When running as a non-root user I get the following error:
$ podman run hello-world
Error: /usr/bin/slirp4netns failed: "sent tapfd=7 for tap0\nWARNING: Support for seccomp is experimental\nreceived tapfd=7\nenable_seccomp failed\ndo_slirp is exiting\ndo_slirp failed\nparent failed\nWARNING: Support for seccomp is experimental\nStarting slirp\n* MTU: 65520\n* Network: 10.0.2.0\n* Netmask: 255.255.255.0\n* Gateway: 10.0.2.2\n* DNS: 10.0.2.3\n* Recommended IP: 10.0.2.100\nseccomp: The following syscalls will be blocked by seccomp:"
Running podman as root works fine.
I have the OpenSUSE Kubic repository configured. This is where my slirp4netns and libslirp0 packages are installed from.
$ apt-cache madison slirp4netns
slirp4netns | 1.1.4~2 | http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10 Packages
slirp4netns | 0.2.3-1 | http://deb.debian.org/debian buster/main amd64 Packages
$ apt-cache madison libslirp0
libslirp0 | 4.2.0~4 | http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10 Packages
$ dpkg -l | grep slirp
ii libslirp0:amd64 4.2.0~4 amd64 General purpose TCP-IP emulator library
ii slirp4netns 1.1.4~2 amd64 User-mode networking for unprivileged network namespaces
Ping @lsm5
Hi Lokesh,
I believe @matutetandil must have installed slirp4netns from the Kubic repo as well since the version of slirp4netns available from the buster/main repository is 0.2.3-1. It looks as though this is an issue with the slirp4netns package available from the Kubic repository.
slirp4netns was recently updated to version 1.1.4 in the Kubic repository.
The slirp4netns binary from the Kubic repository is _dynamically_ linked - presumably against libslirp 4.2.0 - hence the dependency on libslirp0 >= 4.1.0-1.
$ file /usr/bin/slirp4netns
/usr/bin/slirp4netns: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c8b0a40e72da7735822cf3a49faf5cdf687fd739, stripped
$ apt-cache show slirp4netns
Package: slirp4netns
Version: 1.1.4~2
Architecture: amd64
Maintainer: Lokesh Mandvekar <[email protected]>
Installed-Size: 92
Depends: libc6 (>= 2.17), libglib2.0-0 (>= 2.28.0), libseccomp2 (>= 1.0.1), libslirp0 (>= 4.1.0-1)
...
Uninstalling the slirp4netns and libslirp0 packages and replacing it with version 1.1.4 of the slirp4netns binary available from the slirp4netns releases page fixes the issue.
$ sudo apt-get --purge autoremove -y slirp4netns
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
libslirp0* slirp4netns*
...
$ curl -sSLO https://github.com/rootless-containers/slirp4netns/releases/download/v1.1.4/slirp4netns-x86_64
$ sudo install slirp4netns-x86_64 /usr/bin/slirp4netns
$ podman run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
...
Note that the slirp4netns releases page states that:
The binaries are statically linked with libslirp v4.3.1, using Debian 10.
Perhaps the slirp4netns binary available from the Kubic repository needs to be linked (statically or dynamically) against v4.3.1 of libslirp to solve the issue?
Hope that helps.
P.S. I would be happy to test any new Debian packages for you - just ping me.
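The workaround in the comment above installs a downloaded release binary into /usr/bin as root. As an added example (not part of the original comment and not code from the slirp4netns project), the shell functions below gate that step on a SHA-256 check. `sha256_of`, `install_verified` and `EXPECTED_SHA256` are hypothetical names, and the digest is a placeholder because the thread does not give one.

```shell
#!/bin/sh
# Added example: install a downloaded binary only if its SHA-256 matches.
# EXPECTED_SHA256 is a placeholder; obtain the real digest from a source
# you trust (this thread does not provide it).

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    sha256sum -- "$1" | awk '{print $1}'
}

# install_verified SRC EXPECTED_SHA256 DEST
# Copies SRC to a private temp file, hashes that copy, and installs the copy
# to DEST with mode 0755 only when the digest matches. Returns 0 on success,
# 1 on mismatch or bad input; DEST is left untouched on failure.
install_verified() {
    src=$1; expected=$2; dest=$3
    [ -f "$src" ] || { echo "missing file: $src" >&2; return 1; }
    # Accept exactly 64 hex characters, nothing else.
    case $expected in
        ''|*[!0-9a-fA-F]*) echo "expected digest is not hex" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest must be 64 hex characters" >&2; return 1; }
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')

    # Hash a private copy so the bytes checked are the bytes installed,
    # even if SRC sits in a directory other users can write to.
    copy=$(mktemp) || return 1
    status=1
    if cp -- "$src" "$copy" && actual=$(sha256_of "$copy"); then
        if [ "$actual" = "$expected" ]; then
            install -m 0755 -- "$copy" "$dest" && status=0
        else
            echo "digest mismatch for $src: got $actual" >&2
        fi
    fi
    rm -f -- "$copy"
    return $status
}

# Usage (as root for /usr/bin), with the URL from the comment above:
#   curl -fsSLO https://github.com/rootless-containers/slirp4netns/releases/download/v1.1.4/slirp4netns-x86_64
#   install_verified slirp4netns-x86_64 "$EXPECTED_SHA256" /usr/bin/slirp4netns
```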
/reopen
@DanHam: You can't reopen an issue/PR unless you authored it or you are a collaborator.
@matutetandil Until this is fixed, reopening would be helpful for others coming across this issue!
@DanHam I'll reopen then!
@DanHam what I did was to manually compile the version from the repo I posted. Once I did that, it worked perfectly. Sadly, it seems the Debian package is outdated, so until Debian releases an official update, I think compiling might be the only solution.
@matutetandil Thanks for reopening!
Are you using the Kubic repository to install podman and slirp4netns? If so the slirp4netns binary would be installed from there - not the buster/main repository.
PS I installed the slirp4netns binary from the release page of the repository you posted - as you say this works perfectly
@DanHam for podman I just followed the official guide: https://podman.io/getting-started/installation.html, then I just updated slirp4netns from the repo I posted.
@matutetandil OK - so if you followed that guide you would have installed slirp4netns from the Kubic repos, _not_ Debian's.
Hopefully @lsm5 (Lokesh) can provide an updated package with the fix - he's the package maintainer for the Kubic slirp4netns package. After that there should be no need to manually compile or grab the slirp4netns package from the upstream repo you posted.
The master branch of issues is for the master branch. We don't keep issues open for individual distributions. Distributions should have their own way of reporting bugs.
@rhatdan Understood. @lsm5 where should this bug be reported?
> The master branch of issues is for the master branch. We don't keep issues open for individual distributions. Distributions should have their own way of reporting bugs.
The problem is that this is not an upstream issue for Debian but an issue in the external repository for Debian 10 provided by the Kubic Project and maintained by @lsm5
I've also tried to find a different place in which to report this but the Kubic project's bugzilla doesn't seem to be the place either because that only cares about openSUSE.
These external repositories are referenced in the online installation steps provided at podman's page so I would say that this is the correct place to report and reopen, since so far there is no other more suitable one.
> The master branch of issues is for the master branch. We don't keep issues open for individual distributions. Distributions should have their own way of reporting bugs.
@rhatdan this is for obs repos and the best place to file issues is here itself.
@tanty @matutetandil @DanHam slirp4netns has been updated to the latest on obs, https://build.opensuse.org/package/show/devel:kubic:libcontainers:stable/slirp4netns . Could you let me know how it works with that? Sorry about the delay on this.
@lsm5 The version of slirp4netns and libslirp0 currently available from the obs repository is the same as I had installed previously and encountered the issue with - so no, installing those packages gives me the same error as seen previously.
$ dpkg -l | grep slirp
ii libslirp0:amd64 4.2.0~4 amd64 General purpose TCP-IP emulator library
ii slirp4netns 1.1.4~2 amd64 User-mode networking for unprivileged network namespaces
$ podman run hello-world
Error: /usr/bin/slirp4netns failed: "sent tapfd=7 for tap0\nWARNING: Support for seccomp is experimental\nreceived tapfd=7\nenable_seccomp failed\ndo_slirp is exiting\ndo_slirp failed\nparent failed\nWARNING: Support for seccomp is experimental\nStarting slirp\n* MTU: 65520\n* Network: 10.0.2.0\n* Netmask: 255.255.255.0\n* Gateway: 10.0.2.2\n* DNS: 10.0.2.3\n* Recommended IP: 10.0.2.100\nseccomp: The following syscalls will be blocked by seccomp:"
As noted previously, uninstalling the slirp4netns and libslirp0 packages and replacing it with version 1.1.4 of the slirp4netns binary available from the slirp4netns release page fixes the issue.
$ sudo apt-get --purge autoremove -y slirp4netns
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
libslirp0* slirp4netns*
...
$ curl -sSLO https://github.com/rootless-containers/slirp4netns/releases/download/v1.1.4/slirp4netns-x86_64
$ sudo install slirp4netns-x86_64 /usr/bin/slirp4netns
$ podman run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
...
Note that the slirp4netns releases page states that:
The binaries are statically linked with libslirp v4.3.1, using Debian 10.
Perhaps the slirp4netns binary available from the Kubic repository needs to be linked (statically or dynamically) against v4.3.1 of libslirp to solve the issue??? Currently it is dynamically linked against v4.2.0 of libslirp0.
With slirp4netns installed from the OBS repositories, `file` tells us the binary is dynamically linked:
$ file /usr/bin/slirp4netns
/usr/bin/slirp4netns: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c8b0a40e72da7735822cf3a49faf5cdf687fd739, stripped
With slirp4netns installed from the slirp4netns releases page, `file` tells us the binary is statically linked:
$ file /usr/bin/slirp4netns
/usr/bin/slirp4netns: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bec30ec320e0e2dfee6a9752e2a7681525dc21cb, with debug_info, not stripped
@DanHam sorry about that, slirp4netns is included in debian 10 afaict, so ideally it would be great if it was updated to the latest there itself. But I'll look into statically building it or maybe update libslirp0.
@siretart any idea when libslirp0 and slirp4netns would get updated in debian 10?
libslirp build is currently giving me grief:
```
The Meson build system
Version: 0.55.0
Source dir: /home/lsm5/repositories/libslirp
Build dir: /home/lsm5/repositories/libslirp/obj-x86_64-linux-gnu
Build type: native build
Project name: libslirp
Project version: UNKNOWN-dirty
Using 'CFLAGS' from environment with value: '-g -O2 -fdebug-prefix-map=/home/lsm5/repositories/libslirp=. -fstack-protector-strong -Wformat -Werror=format-security'
Using 'LDFLAGS' from environment with value: '-Wl,-z,relro'
Using 'CPPFLAGS' from environment with value: '-Wdate-time -D_FORTIFY_SOURCE=2'
Using 'CFLAGS' from environment with value: '-g -O2 -fdebug-prefix-map=/home/lsm5/repositories/libslirp=. -fstack-protector-strong -Wformat -Werror=format-security'
Using 'LDFLAGS' from environment with value: '-Wl,-z,relro'
Using 'CPPFLAGS' from environment with value: '-Wdate-time -D_FORTIFY_SOURCE=2'
C compiler for the host machine: cc (gcc 10.2.0 "cc (Debian 10.2.0-5) 10.2.0")
C linker for the host machine: cc ld.bfd 2.35
Host machine cpu family: x86_64
Host machine cpu: x86_64
Program build-aux/meson-dist found: YES (/home/lsm5/repositories/libslirp/build-aux/meson-dist)
../meson.build:13:0: ERROR: Index 1 out of bounds of array of size 1.
```
I might be able to provide an updated package in buster-backports.
For now, I'd recommend to use Debian/testing.
On Tue, Aug 18, 2020, 09:34 Lokesh Mandvekar wrote:
> @DanHam sorry about that, slirp4netns is included in debian 10 afaict, so ideally it would be great if it was updated to the latest there itself. But I'll look into statically building it or maybe update libslirp0.
>
> @siretart any idea when libslirp0 and slirp4netns would get updated in debian 10?
thanks @siretart. Btw, if you have access to the ubuntu package, would you be able to update those too?
alright, so I have a static build of slirp4netns happening on OBS right now. I would recommend using @siretart's official builds whenever ready for your distro, but otherwise I hope the OBS build gets you unblocked. 1.1.4~10 is the right build to use: https://build.opensuse.org/package/show/devel:kubic:libcontainers:stable/slirp4netns
Let me know how that works..
Closing this. Please reopen or comment if the issue still persists.
@lsm5 I've just installed the 1.1.4~10 version of slirp4netns from the OBS repository. This version fixes the problems reported above and works perfectly!
Thanks for taking the time to look into that and providing a fix - much appreciated!
The upcoming 20.10 release is current right now.
20.04 and earlier are going to be difficult...
On Wed, Aug 19, 2020, 09:11 Lokesh Mandvekar wrote:
> thanks @siretart. Btw, if you have access to the ubuntu package, would you be able to update those too?
On Thu, Aug 20, 2020 at 01:39:28AM -0700, Dan wrote:
> @lsm5 I've just installed the 1.1.4~10 version of slirp4netns from the OBS repository. This version fixes the problems reported above and works perfectly!
> Thanks for taking the time to look into that and providing a fix - much appreciated!
Good to know! Thanks!
On Thu, Aug 20, 2020 at 04:29:07AM -0700, Reinhard Tartler wrote:
> The upcoming 20.10 release is current right now.
> 20.04 and earlier are going to be difficult...
Alrighty, no worries, thanks a lot for owning these on the default distro
side!!
Please see https://github.com/rootless-containers/slirp4netns/pull/232.
This behavior was (at least in my case) triggered by SCMP_ACT_KILL_PROCESS from libseccomp>=4.4 which is not used for the static binary of the GitHub release.
Please disregard my previous comment. I encountered similar symptoms but due to a different cause (older kernel in my case) which is unrelated to the issue reported here.