David Gibson
> I need to control nftables for rootless containers and that's not possible. It works ok in rootful with `--userns=auto` arg and oci hook containing iptables, although it's not that...
@vuori I'm a little surprised by this case. pasta *can* run as "root" (mapped UID 0) within a namespace / container - it at least attempts to only prevent running...
> pasta itself runs fine, it's just that pkg/specgen/namespaces.go:validateNetNS actively prevents `--network pasta` when podman is not running in rootless mode. In this case podman will think it runs as...
> pasta is launched from the podman context not from the container context as such the userns is entirely ignored and doesn't change anything compared to a container with --userns....
> > But now I guess we can drop the check in validateNetNS().
> > Except it doesn't work when running as real root, it only works when already inside...
Thanks for the report. Alas, ccan is pretty moribund now, so it's probably unlikely that anything will happen about this. CCing @joeyadams who I believe is the author of that...
/cc @bradh
Applied, thanks.
If you just want to skip the actual `phandle` (and `linux,phandle`) properties, we could add an option for that and use it in dtdiff - we already have the sort...
> > If you just want to skip the actual `phandle` (and `linux,phandle`) properties
> > Would you recommend handling that in the input side of things or the output?...