I have a podman container which used to run on Ubuntu Focal (20.04) and Ubuntu Jammy (22.04) (using podman 3.4.4+ds1-1ubuntu1.22.04.3), and now I am trying to use it on Ubuntu Noble (24.04) (using podman 4.9.3+ds1-1ubuntu0.2).

In the container, it eventually calls a command similar to this one, which fails:

root@host:/# ip tuntap add testdev mode tap
ioctl(TUNSETIFF): Operation not permitted

This command works outside the container. It also worked when running the container on Focal.

The usual possible causes that one finds with google do not seem to apply:

  • /dev/net/tun is present inside the container
  • CAP_NET_ADMIN is set; in fact, the container already runs with --privileged for other reasons.
  • I tried adding --cap-add=ALL to the podman command anyway, but it made no difference.
  • apparmor is not blocking the action. It still fails when the apparmor profile is set to "complain mode".

Further arguments to podman include --network host, --security-opt=apparmor=our-own-profile (but for testing I set it to complain mode so it should not block anything), --user nova --userns=keep-id, --storage-opt "overlay.mount_program=/usr/bin/fuse-overlayfs".

The container is based on Ubuntu Bionic (18.04).

I was at some point suspecting a possible ABI incompatibility between the ip command inside the container and the Noble host. But when I copied the ip command inside the container to the outside, it worked fine to create the testdev tap device.

I looked at the kernel source code drivers/net/tun.c of a recent kernel tree to see if any restrictions had been added recently, but this file seems fairly constant over the years.

Any ideas what other things I can check?

It seems I found the issue.

I built podman from source, without the Ubuntu patches, from versions 3.4.4 to 4.9.3 (the versions I used before) and confirmed they behaved the same as the Ubuntu versions.

I started to bisect the issue: in which version of podman is it introduced? I used a VM running Noble to build. I had to install golang libsystemd-dev libgpgme-dev libseccomp-dev.

I tried the versions we already had to see if their behaviour would match the Ubuntu versions (3.4.4 and 4.9.3). They did.

The last working versions are 4.3.1 and 4.4.4. The first broken one was 4.6.2.

4.5.x could not be tested: it complained about users nova or root not being in the passwd file.

For 4.3.1 and 4.4.4 I had to remove the option --userns=keep-id because these versions errored out with the text podman[1002404]: Error: keep-id is only supported in rootless mode.

As an experiment, I removed the option also when trying the regular podman again.

Then the ip command worked.

So, podman 4.3.x and 4.4.x reject --userns=keep-id when running as root.

From 4.5.x or 4.6.x on, podman accepts the option --userns=keep-id when running as root, but does not ignore it. Instead it is doing something which has the subtle effect of breaking ioctl TUNSETIFF.
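As an added diagnostic example (not part of the question or the answer above, and not podman's own tooling), the following POSIX shell script can be run inside a container to separate the three conditions that matter for TUNSETIFF: the device node, CAP_NET_ADMIN in the effective capability set, and whether the process lives in a child user namespace. The kernel's tun driver checks CAP_NET_ADMIN against the user namespace that owns the network namespace, so a process placed in a child user namespace (which is what --userns=keep-id does) that uses the host's network namespace (--network host) is refused even though its CapEff shows the capability. The script name tun-diag.sh and the run argument are assumptions.

```shell
#!/bin/sh
# tun-diag.sh (constructed example): explain why "ip tuntap add" may hit
# ioctl(TUNSETIFF): Operation not permitted inside a container.
# Usage: sh tun-diag.sh run

CAP_NET_ADMIN=12   # capability number from <linux/capability.h>

# has_cap_net_admin HEXMASK -> success if bit 12 is set in the 64-bit mask
# (HEXMASK is the CapEff value from /proc/<pid>/status, without "0x")
has_cap_net_admin() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> CAP_NET_ADMIN) & 1 )) -eq 1 ]
}

# is_init_userns "UID_MAP_LINE" -> success only for the identity map
# "0 0 4294967295", which only the initial user namespace has
is_init_userns() {
    set -- $1
    [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]
}

# tun_dev_ok PATH -> success if PATH is a character device node
tun_dev_ok() {
    [ -c "$1" ]
}

# diagnose: run the three checks against the live process and report
diagnose() {
    rc=0
    if tun_dev_ok /dev/net/tun; then
        echo "ok   /dev/net/tun present"
    else
        echo "FAIL /dev/net/tun missing"; rc=1
    fi

    capeff=$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status)
    if has_cap_net_admin "$capeff"; then
        echo "ok   CAP_NET_ADMIN in CapEff ($capeff)"
    else
        echo "FAIL CAP_NET_ADMIN not in CapEff ($capeff)"; rc=1
    fi

    uidmap=$(head -n1 /proc/self/uid_map)
    if is_init_userns "$uidmap"; then
        echo "ok   initial user namespace"
    else
        echo "WARN child user namespace (uid_map: $uidmap)"
        echo "     CAP_NET_ADMIN here does not cover a network namespace owned"
        echo "     by the parent user namespace (for example with --network host)"
        rc=1
    fi
    return $rc
}

# Only run the live checks when asked, so the helpers can be sourced/tested.
case "${1:-}" in
    run) diagnose; exit $? ;;
esac
```

A WARN on the user-namespace check with the other two checks passing is the signature of the situation described in the answer: the capability is present but in the wrong namespace. Dropping --userns=keep-id, or running the container with its own network namespace that the child user namespace owns, removes the mismatch.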