Podman: using netavark for rootless networking

Question

I am running podman 4.4.1 on RHEL 8.6 Real-time. I have been having latency issues with the default CNI network in rootless containers and am trying to evaluate netavark as a backend.

What I have tried:

1. I ran podman system reset --force
2. I changed network-backend:"cni" parameter in /usr/share/containers/containers.conf to network-backend:"netavark"
3. I repeated podman system reset --force
4. Running podman info --debug shows networkBackend: netavark
5. Rebooting
6. Running podman network create newnet
7. Running my container with the --network=newnet

The problem is that running a container still starts the slirp4netns process. This leads me to believe that it is not using the netavark backend. Is slirp4netns still required when using netavark on a rootless container?

Answer 1

Firstly, do not modify /usr/share/containers/containers.conf. Instead, copy it to /etc/containers/containers.conf if you plan to modify the libpod configuration.

Secondly, both CNI and Netavark require root privileges and cannot be used by Podman in rootless mode. That is why Podman ignores whatever you have specified in the network-backend. This section of the configuration does not concern rootless networking at all.

In rootless mode, for now, you are required to use slirp4netns unless you are willing to handle networking yourself.

There have been some presentations about the evolution of rootless networking in Podman from the recent DevConf.cz:

• Rootful Networking with Rootless Podman Containers - This should be the most interesting one for you in the current situation.
• Root is Less: Container Networks Get in Shape with PASTA - This one describes the future of rootless networking without slirp4netns.