Allow pods to use --net=none

We need an extra field in the pod infra container config. We may want to reevaluate that struct at some point, as storing network modes as bools will rapidly become unsustainable, but that's a discussion for another time. Otherwise, straightforward plumbing. Fixes #9165 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2025-10-24 15:03:45 +08:00 · 2021-02-01 13:53:14 -05:00
parent 182e8414d4
commit 931ea939ac
5 changed files with 55 additions and 12 deletions
--- a/libpod/options.go
+++ b/libpod/options.go
@ -2190,13 +2190,37 @@ func WithPodNetworks(networks []string) PodCreateOption {
 	}
 }

+// WithPodNoNetwork tells the pod to disable external networking.
+func WithPodNoNetwork() PodCreateOption {
+	return func(pod *Pod) error {
+		if pod.valid {
+			return define.ErrPodFinalized
+		}
+
+		if !pod.config.InfraContainer.HasInfraContainer {
+			return errors.Wrapf(define.ErrInvalidArg, "cannot disable pod networking as no infra container is being created")
+		}
+
+		if len(pod.config.InfraContainer.PortBindings) > 0 ||
+			pod.config.InfraContainer.StaticIP != nil ||
+			pod.config.InfraContainer.StaticMAC != nil ||
+			len(pod.config.InfraContainer.Networks) > 0 ||
+			pod.config.InfraContainer.HostNetwork {
+			return errors.Wrapf(define.ErrInvalidArg, "cannot disable pod network if network-related configuration is specified")
+		}
+
+		pod.config.InfraContainer.NoNetwork = true
+
+		return nil
+	}
+}
+
 // WithPodHostNetwork tells the pod to use the host's network namespace.
 func WithPodHostNetwork() PodCreateOption {
 	return func(pod *Pod) error {
 		if pod.valid {
 			return define.ErrPodFinalized
 		}
-
 		if !pod.config.InfraContainer.HasInfraContainer {
 			return errors.Wrapf(define.ErrInvalidArg, "cannot configure pod host networking as no infra container is being created")
 		}
@ -2204,7 +2228,8 @@ func WithPodHostNetwork() PodCreateOption {
 		if len(pod.config.InfraContainer.PortBindings) > 0 ||
 			pod.config.InfraContainer.StaticIP != nil ||
 			pod.config.InfraContainer.StaticMAC != nil ||
-			len(pod.config.InfraContainer.Networks) > 0 {
+			len(pod.config.InfraContainer.Networks) > 0 ||
+			pod.config.InfraContainer.NoNetwork {
 			return errors.Wrapf(define.ErrInvalidArg, "cannot set host network if network-related configuration is specified")
 		}

--- a/libpod/pod.go
+++ b/libpod/pod.go
@ -93,6 +93,7 @@ type podState struct {
 type InfraContainerConfig struct {
 	ConmonPidFile      string               `json:"conmonPidFile"`
 	HasInfraContainer  bool                 `json:"makeInfraContainer"`
+	NoNetwork          bool                 `json:"noNetwork,omitempty"`
 	HostNetwork        bool                 `json:"infraHostNetwork,omitempty"`
 	PortBindings       []ocicni.PortMapping `json:"infraPortBindings"`
 	StaticIP           net.IP               `json:"staticIP,omitempty"`
--- a/libpod/runtime_pod_infra_linux.go
+++ b/libpod/runtime_pod_infra_linux.go
@ -94,8 +94,16 @@ func (r *Runtime) makeInfraContainer(ctx context.Context, p *Pod, imgName, rawIm
 			}
 		}

-		// Since user namespace sharing is not implemented, we only need to check if it's rootless
-		if !p.config.InfraContainer.HostNetwork {
+		switch {
+		case p.config.InfraContainer.HostNetwork:
+			if err := g.RemoveLinuxNamespace(string(spec.NetworkNamespace)); err != nil {
+				return nil, errors.Wrapf(err, "error removing network namespace from pod %s infra container", p.ID())
+			}
+		case p.config.InfraContainer.NoNetwork:
+			// Do nothing - we have a network namespace by default,
+			// but should not configure slirp.
+		default:
+			// Since user namespace sharing is not implemented, we only need to check if it's rootless
 			netmode := "bridge"
 			if isRootless || p.config.InfraContainer.Slirp4netns {
 				netmode = "slirp4netns"
@ -106,8 +114,6 @@ func (r *Runtime) makeInfraContainer(ctx context.Context, p *Pod, imgName, rawIm
 			// PostConfigureNetNS should not be set since user namespace sharing is not implemented
 			// and rootless networking no longer supports post configuration setup
 			options = append(options, WithNetNS(p.config.InfraContainer.PortBindings, false, netmode, p.config.InfraContainer.Networks))
-		} else if err := g.RemoveLinuxNamespace(string(spec.NetworkNamespace)); err != nil {
-			return nil, errors.Wrapf(err, "error removing network namespace from pod %s infra container", p.ID())
 		}

 		// For each option in InfraContainerConfig - if set, pass into