From e16f14a44d815e38af06152bba12d2ff21e0eb02 Mon Sep 17 00:00:00 2001
From: Michael Zimmermann
Date: Mon, 25 Nov 2024 18:29:16 +0100
Subject: [PATCH 1/3] vendor: update containers/common
Signed-off-by: Michael Zimmermann
---
 go.mod | 2 +-
 go.sum | 4 ++--
 .../containers/common/libnetwork/netavark/config.go | 4 ++++
 .../github.com/containers/common/libnetwork/types/const.go | 6 ++++++
 vendor/modules.txt | 2 +-
 5 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/go.mod b/go.mod
index b786a34b49..83e41c206c 100644
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 github.com/checkpoint-restore/go-criu/v7 v7.2.0
 github.com/containernetworking/plugins v1.5.1
 github.com/containers/buildah v1.38.1-0.20241119213149-52437ef15d33
- github.com/containers/common v0.61.1-0.20241125104856-ceceb404e9aa
+ github.com/containers/common v0.61.1-0.20241125172552-a801fac4edc0
 github.com/containers/conmon v2.0.20+incompatible
 github.com/containers/gvisor-tap-vsock v0.8.0
 github.com/containers/image/v5 v5.33.0
diff --git a/go.sum b/go.sum
index 71c6bef976..1f6c5b901e 100644
--- a/go.sum
+++ b/go.sum
@@ -81,8 +81,8 @@ github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+
 github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
 github.com/containers/buildah v1.38.1-0.20241119213149-52437ef15d33 h1:Ih6KuyByK7ZGGzkS0M5rVBPLWIyeDvdL5klhsKBo8vA=
 github.com/containers/buildah v1.38.1-0.20241119213149-52437ef15d33/go.mod h1:RxIuKhwTpRl3ma4d4BF6QzSSeg9zNNvo/xhYJOKeDQs=
-github.com/containers/common v0.61.1-0.20241125104856-ceceb404e9aa h1:XetqxHBrm3klRHIe8L1QIOr57B0HUVdihxY1wop0KXg=
-github.com/containers/common v0.61.1-0.20241125104856-ceceb404e9aa/go.mod h1:3mUU2/PxkOwvL46fmaRVj0YfBDBxNPOMctIvBHWo4Ak=
+github.com/containers/common v0.61.1-0.20241125172552-a801fac4edc0 h1:Vh8IytxprODmjd4sALcSVUzhT28vT537UWsfCXcahWk=
+github.com/containers/common v0.61.1-0.20241125172552-a801fac4edc0/go.mod h1:3mUU2/PxkOwvL46fmaRVj0YfBDBxNPOMctIvBHWo4Ak=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.8.0 h1:Z8ZEWb+Lio0d+lXexONdUWT4rm9lF91vH0g3ARnMy7o=
diff --git a/vendor/github.com/containers/common/libnetwork/netavark/config.go b/vendor/github.com/containers/common/libnetwork/netavark/config.go
index 8b43a787e4..33ef26acf0 100644
--- a/vendor/github.com/containers/common/libnetwork/netavark/config.go
+++ b/vendor/github.com/containers/common/libnetwork/netavark/config.go
@@ -207,6 +207,10 @@ func (n *netavarkNetwork) networkCreate(newNetwork *types.Network, defaultNet bo
 if len(value) == 0 {
 return nil, errors.New("invalid vrf name")
 }
+ case types.ModeOption:
+ if !slices.Contains(types.ValidBridgeModes, value) {
+ return nil, fmt.Errorf("unknown bridge mode %q", value)
+ }
 default:
 return nil, fmt.Errorf("unsupported bridge network option %s", key)
 }
diff --git a/vendor/github.com/containers/common/libnetwork/types/const.go b/vendor/github.com/containers/common/libnetwork/types/const.go index a916182007..6e2c3fbf4b 100644 --- a/vendor/github.com/containers/common/libnetwork/types/const.go +++ b/vendor/github.com/containers/common/libnetwork/types/const.go @@ -24,6 +24,9 @@ const ( // DefaultSubnet is the subnet that will be used for the default CNI network. DefaultSubnet = "10.88.0.0/16" + BridgeModeManaged = "managed" + BridgeModeUnmanaged = "unmanaged" + // valid macvlan driver mode values MacVLANModeBridge = "bridge" MacVLANModePrivate = "private" @@ -53,6 +56,9 @@ const ( Netavark NetworkBackend = "netavark" ) +// ValidBridgeModes is the list of valid mode options for the bridge driver +var ValidBridgeModes = []string{BridgeModeManaged, BridgeModeUnmanaged} + // ValidMacVLANModes is the list of valid mode options for the macvlan driver var ValidMacVLANModes = []string{MacVLANModeBridge, MacVLANModePrivate, MacVLANModeVepa, MacVLANModePassthru} diff --git a/vendor/modules.txt b/vendor/modules.txt index 33143d0c44..c0ba1db111 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -174,7 +174,7 @@ github.com/containers/buildah/pkg/sshagent github.com/containers/buildah/pkg/util github.com/containers/buildah/pkg/volumes github.com/containers/buildah/util -# github.com/containers/common v0.61.1-0.20241125104856-ceceb404e9aa +# github.com/containers/common v0.61.1-0.20241125172552-a801fac4edc0 ## explicit; go 1.22.6 github.com/containers/common/internal github.com/containers/common/internal/attributedstring From 697c4181d29708000801746d0114758873c63284 Mon Sep 17 00:00:00 2001 From: Michael Zimmermann Date: Mon, 25 Nov 2024 18:35:05 +0100 Subject: [PATCH 2/3] docs: document bridge mode option Signed-off-by: Michael Zimmermann --- docs/source/markdown/podman-network-create.1.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/docs/source/markdown/podman-network-create.1.md b/docs/source/markdown/podman-network-create.1.md index d22407430d..5be2a3951b 100644 --- a/docs/source/markdown/podman-network-create.1.md +++ b/docs/source/markdown/podman-network-create.1.md @@ -118,6 +118,9 @@ Additionally the `bridge` driver supports the following options: - `com.docker.network.bridge.name`: This option assigns the given name to the created Linux Bridge - `com.docker.network.driver.mtu`: Sets the Maximum Transmission Unit (MTU) and takes an integer value. - `vrf`: This option assigns a VRF to the bridge interface. It accepts the name of the VRF and defaults to none. Can only be used with the Netavark network backend. +- `mode`: This option sets the specified bridge mode on the interface. Defaults to `managed`. Supported values: + - `managed`: Podman creates and deletes the bridge and changes sysctls of it. It adds firewall rules to masquerade outgoing traffic, as well as setup port forwarding for incoming traffic using DNAT. + - `unmanaged`: Podman uses an existing bridge. It must exist by the time you want to start a container which uses the network. There will be no NAT or port forwarding, even if such options were passed while creating the container. The `macvlan` and `ipvlan` driver support the following options: From e60887400459496609d4d104eccfe2b71d364a2f Mon Sep 17 00:00:00 2001 From: Michael Zimmermann Date: Mon, 25 Nov 2024 18:47:47 +0100 Subject: [PATCH 3/3] docs: improve documentation for internal networks This goes into more detail about what this option actually does. Signed-off-by: Michael Zimmermann --- docs/source/markdown/podman-network-create.1.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/source/markdown/podman-network-create.1.md b/docs/source/markdown/podman-network-create.1.md index 5be2a3951b..1a7511f12c 100644 --- a/docs/source/markdown/podman-network-create.1.md +++ b/docs/source/markdown/podman-network-create.1.md 
@@ -70,6 +70,14 @@ Because it bypasses the host network stack no additional restrictions can be set privileged container is run it can set a default route themselves. If this is a concern then the container connections should be blocked on your actual network gateway. +Using the `bridge` driver with this option has the following effects: + - Global IP forwarding sysctls will not be changed in the host network namespace. + - IP forwarding is disabled on the bridge interface instead of setting up a firewall. + - No default route will be added to the container. + +In all cases, aardvark-dns will only resolve container names with this option enabled. +Other queries will be answered with `NXDOMAIN`. + #### **--ip-range**=*range* Allocate container IP from a range. The range must be a either a complete subnet in CIDR notation or be in