Merge pull request #9185 from mheon/pod_no_network

Allow pods to use --net=none

libpod/options.go

@@ -2190,13 +2190,37 @@ func WithPodNetworks(networks []string) PodCreateOption {
 	}
 }
 
+// WithPodNoNetwork tells the pod to disable external networking.
+func WithPodNoNetwork() PodCreateOption {
+	return func(pod *Pod) error {
+		if pod.valid {
+			return define.ErrPodFinalized
+		}
+
+		if !pod.config.InfraContainer.HasInfraContainer {
+			return errors.Wrapf(define.ErrInvalidArg, "cannot disable pod networking as no infra container is being created")
+		}
+
+		if len(pod.config.InfraContainer.PortBindings) > 0 ||
+			pod.config.InfraContainer.StaticIP != nil ||
+			pod.config.InfraContainer.StaticMAC != nil ||
+			len(pod.config.InfraContainer.Networks) > 0 ||
+			pod.config.InfraContainer.HostNetwork {
+			return errors.Wrapf(define.ErrInvalidArg, "cannot disable pod network if network-related configuration is specified")
+		}
+
+		pod.config.InfraContainer.NoNetwork = true
+
+		return nil
+	}
+}
+
 // WithPodHostNetwork tells the pod to use the host's network namespace.
 func WithPodHostNetwork() PodCreateOption {
 	return func(pod *Pod) error {
 		if pod.valid {
 			return define.ErrPodFinalized
 		}
-
 		if !pod.config.InfraContainer.HasInfraContainer {
 			return errors.Wrapf(define.ErrInvalidArg, "cannot configure pod host networking as no infra container is being created")
 		}
@@ -2204,7 +2228,8 @@ func WithPodHostNetwork() PodCreateOption {
 		if len(pod.config.InfraContainer.PortBindings) > 0 ||
 			pod.config.InfraContainer.StaticIP != nil ||
 			pod.config.InfraContainer.StaticMAC != nil ||
-			len(pod.config.InfraContainer.Networks) > 0 {
+			len(pod.config.InfraContainer.Networks) > 0 ||
+			pod.config.InfraContainer.NoNetwork {
 			return errors.Wrapf(define.ErrInvalidArg, "cannot set host network if network-related configuration is specified")
 		}
 

libpod/pod.go

@@ -93,6 +93,7 @@ type podState struct {
 type InfraContainerConfig struct {
 	ConmonPidFile      string               `json:"conmonPidFile"`
 	HasInfraContainer  bool                 `json:"makeInfraContainer"`
+	NoNetwork          bool                 `json:"noNetwork,omitempty"`
 	HostNetwork        bool                 `json:"infraHostNetwork,omitempty"`
 	PortBindings       []ocicni.PortMapping `json:"infraPortBindings"`
 	StaticIP           net.IP               `json:"staticIP,omitempty"`

libpod/runtime_pod_infra_linux.go

@@ -94,8 +94,16 @@ func (r *Runtime) makeInfraContainer(ctx context.Context, p *Pod, imgName, rawIm
 			}
 		}
 
-		// Since user namespace sharing is not implemented, we only need to check if it's rootless
-		if !p.config.InfraContainer.HostNetwork {
+		switch {
+		case p.config.InfraContainer.HostNetwork:
+			if err := g.RemoveLinuxNamespace(string(spec.NetworkNamespace)); err != nil {
+				return nil, errors.Wrapf(err, "error removing network namespace from pod %s infra container", p.ID())
+			}
+		case p.config.InfraContainer.NoNetwork:
+			// Do nothing - we have a network namespace by default,
+			// but should not configure slirp.
+		default:
+			// Since user namespace sharing is not implemented, we only need to check if it's rootless
 			netmode := "bridge"
 			if isRootless || p.config.InfraContainer.Slirp4netns {
 				netmode = "slirp4netns"
@@ -106,8 +114,6 @@ func (r *Runtime) makeInfraContainer(ctx context.Context, p *Pod, imgName, rawIm
 			// PostConfigureNetNS should not be set since user namespace sharing is not implemented
 			// and rootless networking no longer supports post configuration setup
 			options = append(options, WithNetNS(p.config.InfraContainer.PortBindings, false, netmode, p.config.InfraContainer.Networks))
-		} else if err := g.RemoveLinuxNamespace(string(spec.NetworkNamespace)); err != nil {
-			return nil, errors.Wrapf(err, "error removing network namespace from pod %s infra container", p.ID())
 		}
 
 		// For each option in InfraContainerConfig - if set, pass into