From 4c9a9dae821446235380d2581416c14128df7901 Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Mon, 7 Feb 2022 15:04:04 +0100
Subject: [PATCH] move rootless netns slirp4netns process to systemd user.slice

When running podman inside systemd user units, it is possible that systemd kills the rootless netns slirp4netns process because it was started in the default unit cgroup. When the unit is stopped all processes in that cgroup are killed. Since the slirp4netns process is run once for all containers it should not be killed. To make sure systemd will not kill the process we move it to the user.slice.

Fixes #13153

Signed-off-by: Paul Holzinger
---
 libpod/networking_linux.go | 7 +++++++
 test/system/250-systemd.bats | 26 ++++++++++++++++++++++++++
 utils/utils.go | 22 ++++++++++++++++++----
 3 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index f490ac626eb1..e55e9d1143d0 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -28,6 +28,7 @@ import (
 "github.com/containers/podman/v4/pkg/resolvconf"
 "github.com/containers/podman/v4/pkg/rootless"
 "github.com/containers/podman/v4/pkg/util"
+ "github.com/containers/podman/v4/utils"
 "github.com/containers/storage/pkg/lockfile"
 "github.com/opencontainers/selinux/go-selinux/label"
 "github.com/pkg/errors"
@@ -495,6 +496,12 @@ func (r *Runtime) GetRootlessNetNs(new bool) (*RootlessNetNS, error) {
 return nil, err
 }
 
+ // move to systemd scope to prevent systemd from killing it
+ err = utils.MoveRootlessNetnsSlirpProcessToUserSlice(cmd.Process.Pid)
+ if err != nil {
+ logrus.Errorf("failed to move the rootless netns slirp4netns process to the systemd user.slice: %v", err)
+ }
+
 // build a new resolv.conf file which uses the slirp4netns dns server address
 resolveIP, err := GetSlirp4netnsDNS(nil)
 if err != nil {
diff --git a/test/system/250-systemd.bats b/test/system/250-systemd.bats
index c476799045e4..008ee38aeae7 100644
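Review bot: On hosts where podman is not running under systemd, the added `utils.MoveRootlessNetnsSlirpProcessToUserSlice(cmd.Process.Pid)` call will presumably fail inside `RunUnderSystemdScope` (no systemd user session to talk to) and the `logrus.Errorf` on the next line will then fire on every rootless netns creation although nothing is wrong. Since the move is best-effort, gate it on the helper that already exists in utils.go, `if utils.RunsOnSystemd() {`, and consider `logrus.Warnf` for the failure message so it reads as a degraded state rather than a hard error. A why-comment would help the next reader, e.g. `// slirp4netns is shared by all containers; move it out of the caller's unit cgroup so stopping that unit does not kill it`. GetRootlessNetNs starts and ends outside this hunk.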
--- a/test/system/250-systemd.bats
+++ b/test/system/250-systemd.bats
@@ -281,4 +281,30 @@ LISTEN_FDNAMES=listen_fdnames" | sort)
 is "$output" "" "output should be empty"
 }
 
+# https://github.com/containers/podman/issues/13153
+@test "podman rootless-netns slirp4netns process should be in different cgroup" {
+ cname=$(random_string)
+ local netname=testnet-$(random_string 10)
+
+ # create network and container with network
+ run_podman network create $netname
+ run_podman create --name $cname --network $netname $IMAGE top
+
+ # run container in systemd unit
+ service_setup
+
+ # run second container with network
+ cname2=$(random_string)
+ run_podman run -d --name $cname2 --network $netname $IMAGE top
+
+ # stop systemd container
+ service_cleanup
+
+ # now check that the rootless netns slirp4netns process is still alive and working
+ run_podman exec $cname2 ping -c1 8.8.8.8
+
+ run_podman rm -f -t0 $cname2
+ run_podman network rm -f $netname
+}
+
 # vim: filetype=sh
diff --git a/utils/utils.go b/utils/utils.go
index 52586b937b0a..22f0cb12f3a7 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -174,7 +174,7 @@ func RunsOnSystemd() bool {
 return runsOnSystemd
 }
 
-func moveProcessToScope(pidPath, slice, scope string) error {
+func moveProcessPIDFileToScope(pidPath, slice, scope string) error {
 data, err := ioutil.ReadFile(pidPath)
 if err != nil {
 // do not raise an error if the file doesn't exist
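Review bot: The new test's only assertion is `run_podman exec $cname2 ping -c1 8.8.8.8`, which makes a regression test for a cgroup/kill problem depend on outbound ICMP to an external host from the CI runner; it will fail or flake for reasons unrelated to the fix (no Internet, ICMP filtered) and a successful ping cannot tell a surviving slirp4netns process from one that was restarted. Assert the property the test name promises instead: record the slirp4netns PID before `service_cleanup`, then check after it that the same PID is still alive (and, if practical, that its `/proc/<pid>/cgroup` entry is not under the service's unit), keeping the network check as a secondary step at most. Minor: `cname` and `cname2` are not declared `local` while `netname` is; make the three consistent.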
@@ -187,18 +187,32 @@ func moveProcessToScope(pidPath, slice, scope string) error {
 if err != nil {
 return errors.Wrapf(err, "cannot parse pid file %s", pidPath)
 }
 
- err = RunUnderSystemdScope(int(pid), slice, scope)
+ return moveProcessToScope(int(pid), slice, scope)
+}
+
+func moveProcessToScope(pid int, slice, scope string) error {
+ err := RunUnderSystemdScope(int(pid), slice, scope)
 // If the PID is not valid anymore, do not return an error.
 if dbusErr, ok := err.(dbus.Error); ok {
 if dbusErr.Name == "org.freedesktop.DBus.Error.UnixProcessIdUnknown" {
 return nil
 }
 }
-
 return err
 }
 
+// MoveRootlessNetnsSlirpProcessToUserSlice moves the slirp4netns process for the rootless netns
+// into a different scope so that systemd does not kill it with a container.
+func MoveRootlessNetnsSlirpProcessToUserSlice(pid int) error {
+ randBytes := make([]byte, 4)
+ _, err := rand.Read(randBytes)
+ if err != nil {
+ return err
+ }
+ return moveProcessToScope(pid, "user.slice", fmt.Sprintf("rootless-netns-%x.scope", randBytes))
+}
+
 // MovePauseProcessToScope moves the pause process used for rootless mode to keep the namespaces alive to
 // a separate scope.
 func MovePauseProcessToScope(pausePidPath string) {
@@ -211,7 +225,7 @@ func MovePauseProcessToScope(pausePidPath string) {
 logrus.Errorf("failed to read random bytes: %v", err)
 continue
 }
- err = moveProcessToScope(pausePidPath, "user.slice", fmt.Sprintf("podman-pause-%x.scope", randBytes))
+ err = moveProcessPIDFileToScope(pausePidPath, "user.slice", fmt.Sprintf("podman-pause-%x.scope", randBytes))
 if err == nil {
 return
 }
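Review bot: In the extracted `moveProcessToScope(pid int, ...)` the `int(pid)` in `err := RunUnderSystemdScope(int(pid), slice, scope)` is now a no-op conversion carried over from the PID-file version; write `err := RunUnderSystemdScope(pid, slice, scope)`. `MoveRootlessNetnsSlirpProcessToUserSlice` returns the bare `rand.Read` error, which loses the context the rest of this file adds with pkg/errors; use `return errors.Wrap(err, "reading random bytes for scope name")`. The new helper silently turns a dead PID into success but has no comment saying so; suggest `// moveProcessToScope moves pid into a systemd scope under slice; an UnixProcessIdUnknown D-Bus error is treated as success because the process is already gone.` Because that check is a direct `err.(dbus.Error)` type assertion, it only works while `RunUnderSystemdScope` returns the D-Bus error unwrapped, which is worth stating in the same comment so a future `errors.Wrap` there does not break it.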