running podman with systemd-run --property "RestrictAddressFamilies=AF_UNIX AF_NETLINK" ...

[eriksjolund]

This is just a follow-up to

• How to use the systemd directive "RestrictAddressFamilies" with "podman run"? #14311

In that discussion thread from May 2022, the command systemd-run was not discussed (only the use of systemd service units).

I just want to add that it seems to work with systemd-run too.

Minimal demo with systemd-run

This demo shows that it's possible to use podman even when the podman command itself has no access to the internet. For this to work add --pull never --network none

I created three scripts

script	arguments	result
test1.sh	--pull always --network none	failure
test2.sh	--pull never --network none	success
test3.sh	--pull never	failure

Details

test1.sh contains

#!/bin/bash
systemd-run --user --quiet \
            --property "RestrictAddressFamilies=AF_UNIX AF_NETLINK" \
            --property NoNewPrivileges=yes \
            --collect \
            --pipe \
            --wait \
            podman run \
               --pull=always \
               --rm \
               --net=none \
               docker.io/library/alpine \
                 sh -c "echo hello"

test2.sh has almost the same contents as test1.sh

--- test1.sh	2023-04-15 20:34:15.284554931 +0000
+++ test2.sh	2023-04-15 20:34:27.634310669 +0000
@@ -6,7 +6,7 @@
             --pipe \
             --wait \
             podman run \
-               --pull=always \
+               --pull=never \
                --rm \
                --net=none \
                docker.io/library/alpine \

test3.sh has almost the same contents as test2.sh

--- test2.sh	2023-04-15 21:25:46.904766804 +0000
+++ test3.sh	2023-04-15 21:25:35.356664684 +0000
@@ -8,6 +8,5 @@
             podman run \
                --pull=never \
                --rm \
-               --net=none \
                docker.io/library/alpine \
                  sh -c "echo hello"

Run commands

$ podman pull -q docker.io/library/alpine
51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
$ bash test1.sh 
Trying to pull docker.io/library/alpine:latest...
Error: initializing source docker://alpine:latest: pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": dial tcp 34.194.164.123:443: socket: address family not supported by protocol
$ bash test2.sh 
hello
$ bash test3.sh
Error: /usr/bin/slirp4netns failed: "cannot create socket: Address family not supported by protocol\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\nchild failed(1)\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\n"
$

[vrothberg]

Thanks for sharing, @eriksjolund !