Merge pull request #16034 from rhatdan/VENDOR

Update vendor of containers/buildah v1.28.0
2025-10-30 01:17:00 +08:00 · 2022-10-06 04:31:13 +02:00
parent 94cfe7b7da 11e83a0952
commit 13a1c55d3f
15 changed files with 229 additions and 105 deletions
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@ -2,6 +2,77 @@

 # Changelog

+## v1.28.0 (2022-09-30)
+
+    Update vendor containers/(common,image)
+    [CI:DOCS] Add quay-description update reminder
+    vendor: bump c/common to v0.49.2-0.20220929111928-2d1b45ae2423
+    build(deps): bump github.com/opencontainers/selinux
+    Vendor in latest containers/storage
+    Changing shell list operators from `;` to `&&`
+    Fix buildahimage container.conf permissions regression
+    Set sysctls from containers.conf
+    refactor: stop using Normalize directly from containerd package
+    config,builder: process variant while populating image spec
+    Proof of concept: nightly dependency treadmill
+    Run codespell on code
+    Check for unset build args after TARGET args
+    pkg/cli: improve completion test
+    vendor in latest containers/(common,storage,image)
+    copier: work around freebsd bug for "mkdir /"
+    vendor: update c/image
+    test: run in the host cgroup namespace
+    vendor: update c/storage
+    vendor: update c/common
+    cmd: check for user UID instead of privileges
+    run,build: conflict --isolation=chroot and --network
+    Fix broken dns test (from merge collision)
+    Fix stutters
+    Fix broken command completion
+    buildah bud --network=none should have no network
+    build: support --skip-unused-stages for multi-stage builds
+    Prevent use of --dns* options with --net=none
+    buildah: make --cache-ttl=0s equivalent to --no-cache
+    parse: make processing flags in --mount order agnostic
+    Minor test fix for podman-remote
+    build: honor <Containerfile>.containerignore as ignore file
+    Update install.md: Debian 11 (Bullseye) is stable
+    build(deps): bump github.com/docker/docker
+    Use constants from containers/common for finding seccomp.json
+    Don't call os.Exit(1) from manifest exist
+    manifest: add support for buildah manifest exists
+    Buildah should ignore /etc/crio/seccomp.json
+    chroot: Fix cross build break
+    chroot: Move isDevNull to run_common.go
+    chroot: Fix setRlimit build on FreeBSD
+    chroot: Move parseRLimits and setRlimits to run_common.go
+    chroot: Fix runUsingChrootExecMain on FreeBSD
+    chroot: Move runUsingChrootExecMain to run_common.go
+    chroot: Factor out Linux-specific unshare options from runUsingChroot
+    chroot: Move runUsingChroot to run_common.go
+    chroot: Move RunUsingChroot and runUsingChrootMain to run_common.go
+    chroot: Factor out /dev/ptmx pty implementation
+    chroot: Add FreeBSD support for run with chroot isolation
+    build(deps): bump github.com/docker/go-units from 0.4.0 to 0.5.0
+    Replace k8s.gcr.io/pause in tests with registry.k8s.io/pause
+    build(deps): bump github.com/onsi/gomega from 1.20.0 to 1.20.1
+    Cirrus: use image with fewer downloaded dependencies
+    build(deps): bump github.com/opencontainers/runc from 1.1.3 to 1.1.4
+    run: add container gid to additional groups
+    buildah: support for --retry and --retry-delay for push/pull failures
+    Makefile: always call $(GO) instead of `go`
+    build(deps): bump github.com/fsouza/go-dockerclient from 1.8.2 to 1.8.3
+    test: use `T.TempDir` to create temporary test directory
+    mount,cache: enable SElinux shared content label option by default
+    commit: use race-free RemoveNames instead of SetNames
+    Drop util/util.Cause()
+    cmd/buildah: add "manifest create --amend"
+    build(deps): bump github.com/fsouza/go-dockerclient from 1.8.1 to 1.8.2
+    docs: specify git protocol is not supported for github hosted repo
+    Scrub user and group names from layer diffs
+    build(deps): bump github.com/containerd/containerd from 1.6.6 to 1.6.8
+    version: bump to 1.28.0-dev
+
 ## v1.27.0 (2022-08-01)

    build: support filtering cache by duration using `--cache-ttl`.
--- a/vendor/github.com/containers/buildah/Makefile
+++ b/vendor/github.com/containers/buildah/Makefile
@ -113,7 +113,7 @@ gopath:
 	test $(shell pwd) = $(shell cd ../../../../src/github.com/containers/buildah ; pwd)

 codespell:
-	codespell -S Makefile,buildah.spec.rpkg,AUTHORS,bin,vendor,.git,go.mod,go.sum,CHANGELOG.md,changelog.txt,seccomp.json,.cirrus.yml,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej" -L uint,iff,od,ERRO -w
+	codespell -S Makefile,buildah.spec.rpkg,AUTHORS,bin,vendor,.git,go.mod,go.sum,CHANGELOG.md,changelog.txt,seccomp.json,.cirrus.yml,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej" -L uint,iff,od,erro -w

 .PHONY: validate
 validate: install.tools
@ -187,7 +187,7 @@ vendor-in-container:

 .PHONY: vendor
 vendor:
-	GO111MODULE=on $(GO) mod tidy
+	GO111MODULE=on $(GO) mod tidy -compat=1.17
 	GO111MODULE=on $(GO) mod vendor
 	GO111MODULE=on $(GO) mod verify

--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@ -1,3 +1,73 @@
+- Changelog for v1.28.0 (2022-09-30)
+  * Update vendor containers/(common,image)
+  * [CI:DOCS] Add quay-description update reminder
+  * vendor: bump c/common to v0.49.2-0.20220929111928-2d1b45ae2423
+  * build(deps): bump github.com/opencontainers/selinux
+  * Vendor in latest containers/storage
+  * Changing shell list operators from `;` to `&&`
+  * Fix buildahimage container.conf permissions regression
+  * Set sysctls from containers.conf
+  * refactor: stop using Normalize directly from containerd package
+  * config,builder: process variant while populating image spec
+  * Proof of concept: nightly dependency treadmill
+  * Run codespell on code
+  * Check for unset build args after TARGET args
+  * pkg/cli: improve completion test
+  * vendor in latest containers/(common,storage,image)
+  * copier: work around freebsd bug for "mkdir /"
+  * vendor: update c/image
+  * test: run in the host cgroup namespace
+  * vendor: update c/storage
+  * vendor: update c/common
+  * cmd: check for user UID instead of privileges
+  * run,build: conflict --isolation=chroot and --network
+  * Fix broken dns test (from merge collision)
+  * Fix stutters
+  * Fix broken command completion
+  * buildah bud --network=none should have no network
+  * build: support --skip-unused-stages for multi-stage builds
+  * Prevent use of --dns* options with --net=none
+  * buildah: make --cache-ttl=0s equivalent to --no-cache
+  * parse: make processing flags in --mount order agnostic
+  * Minor test fix for podman-remote
+  * build: honor <Containerfile>.containerignore as ignore file
+  * Update install.md: Debian 11 (Bullseye) is stable
+  * build(deps): bump github.com/docker/docker
+  * Use constants from containers/common for finding seccomp.json
+  * Don't call os.Exit(1) from manifest exist
+  * manifest: add support for buildah manifest exists
+  * Buildah should ignore /etc/crio/seccomp.json
+  * chroot: Fix cross build break
+  * chroot: Move isDevNull to run_common.go
+  * chroot: Fix setRlimit build on FreeBSD
+  * chroot: Move parseRLimits and setRlimits to run_common.go
+  * chroot: Fix runUsingChrootExecMain on FreeBSD
+  * chroot: Move runUsingChrootExecMain to run_common.go
+  * chroot: Factor out Linux-specific unshare options from runUsingChroot
+  * chroot: Move runUsingChroot to run_common.go
+  * chroot: Move RunUsingChroot and runUsingChrootMain to run_common.go
+  * chroot: Factor out /dev/ptmx pty implementation
+  * chroot: Add FreeBSD support for run with chroot isolation
+  * build(deps): bump github.com/docker/go-units from 0.4.0 to 0.5.0
+  * Replace k8s.gcr.io/pause in tests with registry.k8s.io/pause
+  * build(deps): bump github.com/onsi/gomega from 1.20.0 to 1.20.1
+  * Cirrus: use image with fewer downloaded dependencies
+  * build(deps): bump github.com/opencontainers/runc from 1.1.3 to 1.1.4
+  * run: add container gid to additional groups
+  * buildah: support for --retry and --retry-delay for push/pull failures
+  * Makefile: always call $(GO) instead of `go`
+  * build(deps): bump github.com/fsouza/go-dockerclient from 1.8.2 to 1.8.3
+  * test: use `T.TempDir` to create temporary test directory
+  * mount,cache: enable SElinux shared content label option by default
+  * commit: use race-free RemoveNames instead of SetNames
+  * Drop util/util.Cause()
+  * cmd/buildah: add "manifest create --amend"
+  * build(deps): bump github.com/fsouza/go-dockerclient from 1.8.1 to 1.8.2
+  * docs: specify git protocol is not supported for github hosted repo
+  * Scrub user and group names from layer diffs
+  * build(deps): bump github.com/containerd/containerd from 1.6.6 to 1.6.8
+  * version: bump to 1.28.0-dev
+
 - Changelog for v1.27.0 (2022-08-01)
  * build: support filtering cache by duration using `--cache-ttl`.
  * build: support building from commit when using git repo as build context.
--- a/vendor/github.com/containers/buildah/config.go
+++ b/vendor/github.com/containers/buildah/config.go
@ -9,9 +9,9 @@ import (
 	"strings"
 	"time"

-	"github.com/containerd/containerd/platforms"
 	"github.com/containers/buildah/define"
 	"github.com/containers/buildah/docker"
+	internalUtil "github.com/containers/buildah/internal/util"
 	"github.com/containers/common/pkg/util"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/pkg/compression"
@ -136,7 +136,16 @@ func (b *Builder) fixupConfig(sys *types.SystemContext) {
 			b.SetArchitecture(runtime.GOARCH)
 		}
 		// in case the arch string we started with was shorthand for a known arch+variant pair, normalize it
-		ps := platforms.Normalize(ociv1.Platform{OS: b.OS(), Architecture: b.Architecture(), Variant: b.Variant()})
+		ps := internalUtil.NormalizePlatform(ociv1.Platform{OS: b.OS(), Architecture: b.Architecture(), Variant: b.Variant()})
+		b.SetArchitecture(ps.Architecture)
+		b.SetVariant(ps.Variant)
+	}
+	if b.Variant() == "" {
+		if sys != nil && sys.VariantChoice != "" {
+			b.SetVariant(sys.VariantChoice)
+		}
+		// in case the arch string we started with was shorthand for a known arch+variant pair, normalize it
+		ps := internalUtil.NormalizePlatform(ociv1.Platform{OS: b.OS(), Architecture: b.Architecture(), Variant: b.Variant()})
 		b.SetArchitecture(ps.Architecture)
 		b.SetVariant(ps.Variant)
 	}
--- a/vendor/github.com/containers/buildah/copier/copier.go
+++ b/vendor/github.com/containers/buildah/copier/copier.go
@ -1794,7 +1794,9 @@ func copierHandlerPut(bulkReader io.Reader, req request, idMappings *idtools.IDM
 					}
 				}
 			case tar.TypeDir:
-				if err = os.Mkdir(path, 0700); err != nil && errors.Is(err, os.ErrExist) {
+				// FreeBSD can return EISDIR for "mkdir /":
+				// https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=59739.
+				if err = os.Mkdir(path, 0700); err != nil && (errors.Is(err, os.ErrExist) || errors.Is(err, syscall.EISDIR)) {
 					if st, stErr := os.Lstat(path); stErr == nil && !st.IsDir() {
 						if req.PutOptions.NoOverwriteNonDirDir {
 							break
--- a/vendor/github.com/containers/buildah/define/types.go
+++ b/vendor/github.com/containers/buildah/define/types.go
@ -30,7 +30,7 @@ const (
 	Package = "buildah"
 	// Version for the Package.  Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.28.0-dev"
+	Version = "1.28.0"

 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"
--- a/vendor/github.com/containers/buildah/imagebuildah/build.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/build.go
@ -17,6 +17,7 @@ import (

 	"github.com/containerd/containerd/platforms"
 	"github.com/containers/buildah/define"
+	internalUtil "github.com/containers/buildah/internal/util"
 	"github.com/containers/buildah/util"
 	"github.com/containers/common/libimage"
 	"github.com/containers/common/pkg/config"
@ -216,12 +217,12 @@ func BuildDockerfiles(ctx context.Context, store storage.Store, options define.B
 	systemContext := options.SystemContext
 	for _, platform := range options.Platforms {
 		platformContext := *systemContext
-		platformSpec := platforms.Normalize(v1.Platform{
+		platformSpec := internalUtil.NormalizePlatform(v1.Platform{
 			OS:           platform.OS,
 			Architecture: platform.Arch,
 			Variant:      platform.Variant,
 		})
-		// platforms.Normalize converts an empty os value to GOOS
+		// internalUtil.NormalizePlatform converts an empty os value to GOOS
 		// so we have to check the original value here to not overwrite the default for no reason
 		if platform.OS != "" {
 			platformContext.OSChoice = platformSpec.OS
@ -248,7 +249,7 @@ func BuildDockerfiles(ctx context.Context, store storage.Store, options define.B
 			loggerPerPlatform := logger
 			if platformOptions.LogFile != "" && platformOptions.LogSplitByPlatform {
 				logFile := platformOptions.LogFile + "_" + platformOptions.OS + "_" + platformOptions.Architecture
-				f, err := os.OpenFile(logFile, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
+				f, err := os.OpenFile(logFile, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0o600)
 				if err != nil {
 					return fmt.Errorf("opening logfile: %q: %w", logFile, err)
 				}
@ -285,7 +286,7 @@ func BuildDockerfiles(ctx context.Context, store storage.Store, options define.B
 		return "", nil, merr.ErrorOrNil()
 	}

-	// Reasons for this id, ref assigment w.r.t to use-case:
+	// Reasons for this id, ref assignment w.r.t to use-case:
 	//
 	// * Single-platform build: On single platform build we only
 	//   have one built instance i.e on indice 0 of built instances,
@ -294,7 +295,7 @@ func BuildDockerfiles(ctx context.Context, store storage.Store, options define.B
 	// * Multi-platform build with manifestList: If this is a build for
 	//   multiple platforms ( more than one platform ) and --manifest
 	//   option then this assignment is insignificant since it will be
-	//   overriden anyways with the id and ref of manifest list later in
+	//   overridden anyways with the id and ref of manifest list later in
 	//   in this code.
 	//
 	// * Multi-platform build without manifest list: If this is a build for
@ -377,8 +378,6 @@ func buildDockerfilesOnce(ctx context.Context, store storage.Store, logger *logr
 		return "", nil, fmt.Errorf("parsing main Dockerfile: %s: %w", containerFiles[0], err)
 	}

-	warnOnUnsetBuildArgs(logger, mainNode, options.Args)
-
 	// --platform was explicitly selected for this build
 	// so set correct TARGETPLATFORM in args if it is not
 	// already selected by the user.
@ -413,6 +412,8 @@ func buildDockerfilesOnce(ctx context.Context, store storage.Store, logger *logr
 		}
 	}

+	warnOnUnsetBuildArgs(logger, mainNode, options.Args)
+
 	for i, d := range dockerfilecontents[1:] {
 		additionalNode, err := imagebuilder.ParseDockerfile(bytes.NewReader(d))
 		if err != nil {
@ -622,7 +623,7 @@ func platformsForBaseImages(ctx context.Context, logger *logrus.Logger, dockerfi
 				if instance.Platform == nil {
 					continue
 				}
-				platform := platforms.Normalize(*instance.Platform)
+				platform := internalUtil.NormalizePlatform(*instance.Platform)
 				targetPlatforms[platforms.Format(platform)] = struct{}{}
 				logger.Debugf("image %q supports %q", baseImage, platforms.Format(platform))
 			}
@ -633,7 +634,7 @@ func platformsForBaseImages(ctx context.Context, logger *logrus.Logger, dockerfi
 				if instance.Platform == nil {
 					continue
 				}
-				platform := platforms.Normalize(*instance.Platform)
+				platform := internalUtil.NormalizePlatform(*instance.Platform)
 				imagePlatforms[platforms.Format(platform)] = struct{}{}
 				logger.Debugf("image %q supports %q", baseImage, platforms.Format(platform))
 			}
--- a/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/stage_executor.go
@ -1677,7 +1677,7 @@ func (s *StageExecutor) tagExistingImage(ctx context.Context, cacheID, output st
 // generateCacheKey returns a computed digest for the current STEP
 // running its history and diff against a hash algorithm and this
 // generated CacheKey is further used by buildah to lock and decide
-// tag for the intermeidate image which can be pushed and pulled to/from
+// tag for the intermediate image which can be pushed and pulled to/from
 // the remote repository.
 func (s *StageExecutor) generateCacheKey(ctx context.Context, currNode *parser.Node, addedContentDigest string, buildAddsLayer bool) (string, error) {
 	hash := sha256.New()
--- a/vendor/github.com/containers/buildah/info.go
+++ b/vendor/github.com/containers/buildah/info.go
@ -9,7 +9,7 @@ import (
 	"strconv"
 	"strings"

-	"github.com/containerd/containerd/platforms"
+	internalUtil "github.com/containers/buildah/internal/util"
 	putil "github.com/containers/buildah/pkg/util"
 	"github.com/containers/buildah/util"
 	"github.com/containers/storage"
@ -43,7 +43,7 @@ func Info(store storage.Store) ([]InfoData, error) {

 func hostInfo() map[string]interface{} {
 	info := map[string]interface{}{}
-	ps := platforms.Normalize(v1.Platform{OS: runtime.GOOS, Architecture: runtime.GOARCH})
+	ps := internalUtil.NormalizePlatform(v1.Platform{OS: runtime.GOOS, Architecture: runtime.GOARCH})
 	info["os"] = ps.OS
 	info["arch"] = ps.Architecture
 	info["variant"] = ps.Variant
--- a/vendor/github.com/containers/buildah/internal/util/util.go
+++ b/vendor/github.com/containers/buildah/internal/util/util.go
@ -15,6 +15,7 @@ import (
 	"github.com/containers/storage/pkg/archive"
 	"github.com/containers/storage/pkg/chrootarchive"
 	"github.com/containers/storage/pkg/unshare"
+	v1 "github.com/opencontainers/image-spec/specs-go/v1"
 )

 // LookupImage returns *Image to corresponding imagename or id
@ -34,6 +35,22 @@ func LookupImage(ctx *types.SystemContext, store storage.Store, image string) (*
 	return localImage, nil
 }

+// NormalizePlatform validates and translate the platform to the canonical value.
+//
+// For example, if "Aarch64" is encountered, we change it to "arm64" or if
+// "x86_64" is encountered, it becomes "amd64".
+//
+// Wrapper around libimage.NormalizePlatform to return and consume
+// v1.Platform instead of independent os, arch and variant.
+func NormalizePlatform(platform v1.Platform) v1.Platform {
+	os, arch, variant := libimage.NormalizePlatform(platform.OS, platform.Architecture, platform.Variant)
+	return v1.Platform{
+		OS:           os,
+		Architecture: arch,
+		Variant:      variant,
+	}
+}
+
 // GetTempDir returns base for a temporary directory on host.
 func GetTempDir() string {
 	if tmpdir, ok := os.LookupEnv("TMPDIR"); ok {
--- a/vendor/github.com/containers/buildah/release.sh
+++ b/vendor/github.com/containers/buildah/release.sh
@ -21,28 +21,6 @@ write_go_version()
 	sed -i "s/^\(.*Version = \"\).*/\1${LOCAL_VERSION}\"/" define/types.go
 }

-write_spec_version()
-{
-	LOCAL_VERSION="$1"
-	sed -i "s/^\(Version: *\).*/\1${LOCAL_VERSION}/" contrib/rpm/buildah.spec
-}
-
-write_spec_changelog()
-{
-	sed '/\*.*-dev-1/d' -i ./contrib/rpm/buildah.spec
-	VERSION=$1
-	date=$(date "+%a %b %d, %Y")
-	name=$(getent passwd $USERNAME | cut -d ':' -f 5)
-	echo "* ${date} ${name} <${USER}@redhat.com> ${VERSION}-1" >.changelog.txt
-	if [[ "${VERSION}" != *-dev ]]; then
-	   git log --no-merges --format='- %s' "${LAST_TAG}..HEAD" >>.changelog.txt
-	else
-	    echo "" >>.changelog.txt
-	fi
-	sed '/^%changelog.*/r .changelog.txt' -i ./contrib/rpm/buildah.spec
-	rm -f .changelog.txt
-}
-
 write_makefile_epoch()
 {
 	LOCAL_EPOCH="$1"
@ -68,8 +46,6 @@ write_changelog()
 release_commit()
 {
 	write_go_version "${VERSION}" &&
-	write_spec_version "${VERSION}" &&
-	write_spec_changelog "${VERSION}" &&
 	write_changelog &&
 	git commit -asm "Bump to v${VERSION}

@ -80,8 +56,6 @@ release_commit()
 dev_version_commit()
 {
 	write_go_version "${NEXT_VERSION}-dev" &&
-	write_spec_version "${NEXT_VERSION}-dev" &&
-	write_spec_changelog "${NEXT_VERSION}-dev" &&
 	git commit -asm "Bump to v${NEXT_VERSION}-dev

 [NO TESTS NEEDED]
--- a/vendor/github.com/containers/buildah/run_linux.go
+++ b/vendor/github.com/containers/buildah/run_linux.go
@ -605,11 +605,37 @@ func runMakeStdioPipe(uid, gid int) ([][]int, error) {
 }

 func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOptions define.NamespaceOptions, idmapOptions define.IDMappingOptions, policy define.NetworkConfigurationPolicy) (configureNetwork bool, configureNetworks []string, configureUTS bool, err error) {
+	defaultContainerConfig, err := config.Default()
+	if err != nil {
+		return false, nil, false, fmt.Errorf("failed to get container config: %w", err)
+	}
+
+	addSysctl := func(prefixes []string) error {
+		for _, sysctl := range defaultContainerConfig.Sysctls() {
+			splitn := strings.SplitN(sysctl, "=", 2)
+			if len(splitn) > 2 {
+				return fmt.Errorf("sysctl %q defined in containers.conf must be formatted name=value", sysctl)
+			}
+			for _, prefix := range prefixes {
+				if strings.HasPrefix(splitn[0], prefix) {
+					g.AddLinuxSysctl(splitn[0], splitn[1])
+				}
+			}
+		}
+		return nil
+	}
+
 	// Set namespace options in the container configuration.
 	configureUserns := false
 	specifiedNetwork := false
 	for _, namespaceOption := range namespaceOptions {
 		switch namespaceOption.Name {
+		case string(specs.IPCNamespace):
+			if !namespaceOption.Host {
+				if err := addSysctl([]string{"fs.mqueue"}); err != nil {
+					return false, nil, false, err
+				}
+			}
 		case string(specs.UserNamespace):
 			configureUserns = false
 			if !namespaceOption.Host && namespaceOption.Path == "" {
@ -627,8 +653,13 @@ func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOpti
 			}
 		case string(specs.UTSNamespace):
 			configureUTS = false
-			if !namespaceOption.Host && namespaceOption.Path == "" {
-				configureUTS = true
+			if !namespaceOption.Host {
+				if namespaceOption.Path == "" {
+					configureUTS = true
+				}
+				if err := addSysctl([]string{"kernel.hostname", "kernel.domainame"}); err != nil {
+					return false, nil, false, err
+				}
 			}
 		}
 		if namespaceOption.Host {
@ -684,7 +715,10 @@ func setupNamespaces(logger *logrus.Logger, g *generate.Generator, namespaceOpti
 			}
 		}
 	}
-	if configureNetwork && !unshare.IsRootless() {
+	if configureNetwork {
+		if err := addSysctl([]string{"net"}); err != nil {
+			return false, nil, false, err
+		}
 		for name, val := range define.DefaultNetworkSysctl {
 			// Check that the sysctl we are adding is actually supported
 			// by the kernel