use rootless netns from c/common

Use the new rootlessnetns logic from c/common, drop the podman code
here and make use of the new much simpler API.

ref: https://github.com/containers/common/pull/1761

[NO NEW TESTS NEEDED]

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

vendor/github.com/containers/common/libnetwork/netavark/exec.go

@@ -10,6 +10,7 @@ import (
 	"os"
 	"os/exec"
 	"strconv"
+	"strings"
 
 	"github.com/sirupsen/logrus"
 )
@@ -79,6 +80,15 @@ func getRustLogEnv() string {
 func (n *netavarkNetwork) execNetavark(args []string, needPlugin bool, stdin, result interface{}) error {
 	// set the netavark log level to the same as the podman
 	env := append(os.Environ(), getRustLogEnv())
+	// Netavark need access to iptables in $PATH. As it turns out debian doesn't put
+	// /usr/sbin in $PATH for rootless users. This will break rootless networking completely.
+	// We might break existing users and we cannot expect everyone to change their $PATH so
+	// let's add /usr/sbin to $PATH ourselves.
+	path := os.Getenv("PATH")
+	if !strings.Contains(path, "/usr/sbin") {
+		path += ":/usr/sbin"
+		env = append(env, "PATH="+path)
+	}
 	// if we run with debug log level lets also set RUST_BACKTRACE=1 so we can get the full stack trace in case of panics
 	if logrus.IsLevelEnabled(logrus.DebugLevel) {
 		env = append(env, "RUST_BACKTRACE=1")

vendor/github.com/containers/common/libnetwork/netavark/network.go

@@ -12,6 +12,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/containers/common/libnetwork/internal/rootlessnetns"
 	"github.com/containers/common/libnetwork/internal/util"
 	"github.com/containers/common/libnetwork/types"
 	"github.com/containers/common/pkg/config"
@@ -68,6 +69,9 @@ type netavarkNetwork struct {
 
 	// networks is a map with loaded networks, the key is the network name
 	networks map[string]*types.Network
+
+	// rootlessNetns is used for the rootless network setup/teardown
+	rootlessNetns *rootlessnetns.Netns
 }
 
 type InitConfig struct {
@@ -82,26 +86,12 @@ type InitConfig struct {
 	// NetworkRunDir is where temporary files are stored, i.e.the ipam db, aardvark config
 	NetworkRunDir string
 
-	// FirewallDriver sets the firewall driver to use
-	FirewallDriver string
-
-	// DefaultNetwork is the name for the default network.
-	DefaultNetwork string
-	// DefaultSubnet is the default subnet for the default network.
-	DefaultSubnet string
-
-	// DefaultsubnetPools contains the subnets which must be used to allocate a free subnet by network create
-	DefaultsubnetPools []config.SubnetPool
-
-	// DNSBindPort is set the port to pass to netavark for aardvark
-	DNSBindPort uint16
-
-	// PluginDirs list of directories were netavark plugins are located
-	PluginDirs []string
-
 	// Syslog describes whenever the netavark debug output should be log to the syslog as well.
 	// This will use logrus to do so, make sure logrus is set up to log to the syslog.
 	Syslog bool
+
+	// Config containers.conf options
+	Config *config.Config
 }
 
 // NewNetworkInterface creates the ContainerNetwork interface for the netavark backend.
@@ -118,12 +108,12 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		return nil, err
 	}
 
-	defaultNetworkName := conf.DefaultNetwork
+	defaultNetworkName := conf.Config.Network.DefaultNetwork
 	if defaultNetworkName == "" {
 		defaultNetworkName = types.DefaultNetworkName
 	}
 
-	defaultSubnet := conf.DefaultSubnet
+	defaultSubnet := conf.Config.Network.DefaultSubnet
 	if defaultSubnet == "" {
 		defaultSubnet = types.DefaultSubnet
 	}
@@ -140,11 +130,19 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		return nil, err
 	}
 
-	defaultSubnetPools := conf.DefaultsubnetPools
+	defaultSubnetPools := conf.Config.Network.DefaultSubnetPools
 	if defaultSubnetPools == nil {
 		defaultSubnetPools = config.DefaultSubnetPools
 	}
 
+	var netns *rootlessnetns.Netns
+	if unshare.IsRootless() {
+		netns, err = rootlessnetns.New(conf.NetworkRunDir, rootlessnetns.Netavark, conf.Config)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	n := &netavarkNetwork{
 		networkConfigDir:   conf.NetworkConfigDir,
 		networkRunDir:      conf.NetworkRunDir,
@@ -152,14 +150,15 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 		aardvarkBinary:     conf.AardvarkBinary,
 		networkRootless:    unshare.IsRootless(),
 		ipamDBPath:         filepath.Join(conf.NetworkRunDir, "ipam.db"),
-		firewallDriver:     conf.FirewallDriver,
+		firewallDriver:     conf.Config.Network.FirewallDriver,
 		defaultNetwork:     defaultNetworkName,
 		defaultSubnet:      defaultNet,
 		defaultsubnetPools: defaultSubnetPools,
-		dnsBindPort:        conf.DNSBindPort,
-		pluginDirs:         conf.PluginDirs,
+		dnsBindPort:        conf.Config.Network.DNSBindPort,
+		pluginDirs:         conf.Config.Network.NetavarkPluginDirs.Get(),
 		lock:               lock,
 		syslog:             conf.Syslog,
+		rootlessNetns:      netns,
 	}
 
 	return n, nil

vendor/github.com/containers/common/libnetwork/netavark/run.go

@@ -72,12 +72,24 @@ func (n *netavarkNetwork) Setup(namespacePath string, options types.SetupOptions
 	}
 
 	result := map[string]types.StatusBlock{}
-	err = n.execNetavark([]string{"setup", namespacePath}, needPlugin, netavarkOpts, &result)
-	if err != nil {
-		// lets dealloc ips to prevent leaking
-		if err := n.deallocIPs(&options.NetworkOptions); err != nil {
-			logrus.Error(err)
+	setup := func() error {
+		err := n.execNetavark([]string{"setup", namespacePath}, needPlugin, netavarkOpts, &result)
+		if err != nil {
+			// lets dealloc ips to prevent leaking
+			if err := n.deallocIPs(&options.NetworkOptions); err != nil {
+				logrus.Error(err)
+			}
+			return err
 		}
+		return nil
+	}
+
+	if n.rootlessNetns != nil {
+		err = n.rootlessNetns.Setup(len(options.Networks), setup)
+	} else {
+		err = setup()
+	}
+	if err != nil {
 		return nil, err
 	}
 
@@ -112,7 +124,16 @@ func (n *netavarkNetwork) Teardown(namespacePath string, options types.TeardownO
 		return fmt.Errorf("failed to convert net opts: %w", err)
 	}
 
-	retErr := n.execNetavark([]string{"teardown", namespacePath}, needPlugin, netavarkOpts, nil)
+	var retErr error
+	teardown := func() error {
+		return n.execNetavark([]string{"teardown", namespacePath}, needPlugin, netavarkOpts, nil)
+	}
+
+	if n.rootlessNetns != nil {
+		retErr = n.rootlessNetns.Teardown(len(options.Networks), teardown)
+	} else {
+		retErr = teardown()
+	}
 
 	// when netavark returned an error we still free the used ips
 	// otherwise we could end up in a state where block the ips forever
@@ -160,3 +181,10 @@ func (n *netavarkNetwork) convertNetOpts(opts types.NetworkOptions) (*netavarkOp
 	}
 	return &netavarkOptions, needsPlugin, nil
 }
+
+func (n *netavarkNetwork) RunInRootlessNetns(toRun func() error) error {
+	if n.rootlessNetns == nil {
+		return types.ErrNotRootlessNetns
+	}
+	return n.rootlessNetns.Run(n.lock, toRun)
+}