move rootless netns slirp4netns process to systemd user.slice

When running podman inside systemd user units, it is possible that
systemd kills the rootless netns slirp4netns process because it was
started in the default unit cgroup. When the unit is stopped all
processes in that cgroup are killed. Since the slirp4netns process is
run once for all containers it should not be killed. To make sure
systemd will not kill the process we move it to the user.slice.

Fixes #13153

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

1 files changed, 7 insertions, 0 deletions

diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index f490ac626..e55e9d114 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -28,6 +28,7 @@ import (
 	"github.com/containers/podman/v4/pkg/resolvconf"
 	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/containers/podman/v4/pkg/util"
+	"github.com/containers/podman/v4/utils"
 	"github.com/containers/storage/pkg/lockfile"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/pkg/errors"
@@ -495,6 +496,12 @@ func (r *Runtime) GetRootlessNetNs(new bool) (*RootlessNetNS, error) {
 			return nil, err
 		}
 
+		// move to systemd scope to prevent systemd from killing it
+		err = utils.MoveRootlessNetnsSlirpProcessToUserSlice(cmd.Process.Pid)
+		if err != nil {
+			logrus.Errorf("failed to move the rootless netns slirp4netns process to the systemd user.slice: %v", err)
+		}
+
 		// build a new resolv.conf file which uses the slirp4netns dns server address
 		resolveIP, err := GetSlirp4netnsDNS(nil)
 		if err != nil {