Podman build cannot access internet using passt #23924

Closed
empire-penguin opened this issue Sep 10, 2024 · 4 comments
Labels
  - kind/bug: Categorizes issue or PR as related to a bug.
  - locked - please file new issue/PR: Assist humans wanting to comment on an old issue or PR with locked comments.
  - network: Networking related issue or feature

Comments

@empire-penguin

empire-penguin commented Sep 10, 2024

Issue Description

We are unable to connect to the internet during the build stage.
However, we can connect to the internet after it is already built and running.

Steps to reproduce the issue

  1. Create a very simple docker container:

     FROM docker.io/ubuntu:latest
     RUN apt-get update

  2. Build the docker container: docker build --no-cache -t test:latest .

Describe the results you received

The build stage is not able to connect to the internet, as evidenced by:

STEP 1/2: FROM docker.io/ubuntu:latest
STEP 2/2: RUN apt-get update
Ign:1 http://archive.ubuntu.com/ubuntu noble InRelease
Ign:2 http://security.ubuntu.com/ubuntu noble-security InRelease
Ign:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Ign:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Ign:2 http://security.ubuntu.com/ubuntu noble-security InRelease
Ign:1 http://archive.ubuntu.com/ubuntu noble InRelease
Ign:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Ign:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Ign:1 http://archive.ubuntu.com/ubuntu noble InRelease
Ign:2 http://security.ubuntu.com/ubuntu noble-security InRelease
Ign:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
Ign:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
Err:1 http://archive.ubuntu.com/ubuntu noble InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:2 http://security.ubuntu.com/ubuntu noble-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu noble-updates InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://archive.ubuntu.com/ubuntu noble-backports InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Reading package lists...
COMMIT test:latest
--> fad7281bfd25
Successfully tagged localhost/test:latest
fad7281bfd25cd192cea159552cae41068c52023426b39fec6cddebf1e7aaa84

Describe the results you expected

I expected to be able to connect to the internet and perform an apt update

STEP 1/2: FROM docker.io/ubuntu:latest
STEP 2/2: RUN apt-get update
Get:1 http://security.ubuntu.com/ubuntu noble-security InRelease [126 kB]
Get:2 http://archive.ubuntu.com/ubuntu noble InRelease [256 kB]
Get:3 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages [356 kB]
Get:4 http://security.ubuntu.com/ubuntu noble-security/restricted amd64 Packages [362 kB]
Get:5 http://security.ubuntu.com/ubuntu noble-security/multiverse amd64 Packages [13.7 kB]
Get:6 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages [413 kB]
Get:7 http://archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Get:8 http://archive.ubuntu.com/ubuntu noble-backports InRelease [126 kB]
Get:9 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages [1808 kB]
Get:10 http://archive.ubuntu.com/ubuntu noble/multiverse amd64 Packages [331 kB]
Get:11 http://archive.ubuntu.com/ubuntu noble/restricted amd64 Packages [117 kB]
Get:12 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages [19.3 MB]
Get:13 http://archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages [634 kB]
Get:14 http://archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 Packages [17.8 kB]
Get:15 http://archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [469 kB]
Get:16 http://archive.ubuntu.com/ubuntu noble-updates/restricted amd64 Packages [402 kB]
Get:17 http://archive.ubuntu.com/ubuntu noble-backports/universe amd64 Packages [11.5 kB]
Fetched 24.9 MB in 3s (7170 kB/s)
Reading package lists...
COMMIT test:latest
--> b56b33c171ed
Successfully tagged localhost/test:latest
b56b33c171ed378fcf3b0a7c7540f85dda579a585dd3db0ec7dfb2d907048672

podman info output

host:
  arch: amd64
  buildahVersion: 1.37.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.1.12, commit: f363b49bbd4daee434d5cf0099f567502a94fbbb'
  cpuUtilization:
    idlePercent: 99.82
    systemPercent: 0.12
    userPercent: 0.06
  cpus: 64
  databaseBackend: boltdb
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: journald
  freeLocks: 2032
  hostname: wcsng-42
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 3141
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 3141
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 6.8.0-40-generic
  linkmode: dynamic
  logDriver: journald
  memFree: 519108964352
  memTotal: 540454256640
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: Unknown
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/local/bin/crun
    version: |-
      crun version 1.17
      commit: 000fa0d4eeed8938301f3bcf8206405315bc1017
      rundir: /run/user/3141/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: /usr/local/bin/pasta
    package: Unknown
    version: |
      pasta 2024_09_06.6b38f07
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/3141/podman/podman.sock
  rootlessNetworkCmd: slirp4netns
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/local/bin/slirp4netns
    package: Unknown
    version: slirp4netns-like wrapper for pasta
  swapFree: 0
  swapTotal: 0
  uptime: 2h 19m 4.00s (Approximately 0.08 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/groberts/.config/containers/storage.conf
  containerStore:
    number: 11
    paused: 0
    running: 1
    stopped: 10
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/groberts/.local/share/containers/storage
  graphRootAllocated: 479557844992
  graphRootUsed: 25651802112
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 84
  runRoot: /run/user/3141/containers
  transientStore: false
  volumePath: /mnt/intA-ssdr1-480gb/groberts/.local/share/containers/storage/volumes
version:
  APIVersion: 5.2.2
  Built: 1725995609
  BuiltTime: Tue Sep 10 12:13:29 2024
  GitCommit: fcee48106a12dd531702d729d17f40f6e152027f-dirty
  GoVersion: go1.23.1
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.2

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional environment details

Additional information

  1. If sudo docker build --no-cache -t test:latest . is run, then the build can connect to the internet and complete successfully.

  2. Using a prebuilt container, we are able to connect to the internet and perform a sudo apt update.

  3. To debug, we tried to isolate the problem by testing for DNS using the following Dockerfile:

FROM docker.io/wbitt/network-multitool
RUN nslookup google.com

and produced the following results:

STEP 1/2: FROM docker.io/wbitt/network-multitool
STEP 2/2: RUN nslookup google.com
;; UDP setup with 10.0.2.3#53(10.0.2.3) for google.com failed: network unreachable.
;; UDP setup with 10.0.2.3#53(10.0.2.3) for google.com failed: network unreachable.
;; UDP setup with 10.0.2.3#53(10.0.2.3) for google.com failed: network unreachable.
;; UDP setup with 8.8.8.8#53(8.8.8.8) for google.com failed: network unreachable.
;; UDP setup with 1.1.1.1#53(1.1.1.1) for google.com failed: network unreachable.

Error: building at STEP "RUN nslookup google.com": while running runtime: exit status 1

But it seems to be a complete network connectivity issue, not just DNS.

  4. By installing and using slirp4netns instead of passt the issue is resolved

@empire-penguin empire-penguin added the kind/bug Categorizes issue or PR as related to a bug. label Sep 10, 2024
@sbrivio-rh sbrivio-rh added the network Networking related issue or feature label Sep 11, 2024
@rhatdan
Member

rhatdan commented Sep 11, 2024

This must be a local issue, this works everywhere. If it did not, we would see thousands of these issues.

Try with --network=host and see if this works, it could be a bad version of Pasta.

@edsantiago
Member

  rootlessNetworkCmd: slirp4netns
  ...
  slirp4netns:
    executable: /usr/local/bin/slirp4netns
    package: Unknown
    version: slirp4netns-like wrapper for pasta

@eriksjolund
Contributor

Maybe related to this?

version: slirp4netns-like wrapper for pasta

https://github.com/search?q=%22slirp4netns-like+wrapper+for+pasta%22&type=code

@Luap99
Member

Luap99 commented Sep 17, 2024

We support pasta directly so you should not use the wrapper and slirp4netns.

@Luap99 Luap99 closed this as not planned (won't fix, can't repro, duplicate, stale) Sep 17, 2024
@stale-locking-app stale-locking-app bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Dec 17, 2024
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Dec 17, 2024
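
The condition the maintainers point at in this thread (rootlessNetworkCmd set to slirp4netns while the slirp4netns executable is a wrapper around pasta) can be checked from `podman info` output. The script below is an added example, not part of the original issue or of Podman's code; the function and sample names are hypothetical, and the parsing assumes the two-space YAML indentation shown in the podman info output above.

```shell
#!/bin/sh
# Added example (not from the issue): flag the setup diagnosed in this thread.

# Trimmed excerpt of the reporter's `podman info` output.
sample_bad() {
cat <<'EOF'
host:
  pasta:
    executable: /usr/local/bin/pasta
  rootlessNetworkCmd: slirp4netns
  slirp4netns:
    executable: /usr/local/bin/slirp4netns
    package: Unknown
    version: slirp4netns-like wrapper for pasta
  swapFree: 0
EOF
}

# Constructed sample: pasta selected directly.
sample_good() {
cat <<'EOF'
host:
  pasta:
    executable: /usr/local/bin/pasta
  rootlessNetworkCmd: pasta
EOF
}

# Reads `podman info` YAML on stdin. Returns 1 when rootlessNetworkCmd is
# slirp4netns and the slirp4netns block describes itself as a pasta wrapper.
check_rootless_net() {
    awk '
        /^  rootlessNetworkCmd:/ { cmd = $2 }
        /^  slirp4netns:/ { in_slirp = 1; next }
        /^[^ ]/ || /^  [^ ]/ { in_slirp = 0 }
        in_slirp && /^    executable:/ { exe = $2 }
        in_slirp && /wrapper for pasta/ { sub(/^ +(version: *)?/, ""); ver = $0 }
        END {
            if (cmd == "slirp4netns" && ver != "") {
                printf "MISCONFIGURED: rootlessNetworkCmd=%s but %s is \"%s\"\n", cmd, exe, ver
                exit 1
            }
            printf "OK: rootlessNetworkCmd=%s\n", cmd
        }'
}

# Real use: podman info | check_rootless_net
sample_bad | check_rootless_net || true
```
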