1 files changed, 30 insertions, 19 deletions

diff --git a/libpod/networking_linux.go b/libpod/networking_linux.go
index cfed5a1f2..0e8a4f768 100644
--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -23,6 +23,7 @@ import (
 	"github.com/containers/podman/v3/libpod/events"
 	"github.com/containers/podman/v3/libpod/network"
 	"github.com/containers/podman/v3/pkg/errorhandling"
+	"github.com/containers/podman/v3/pkg/namespaces"
 	"github.com/containers/podman/v3/pkg/netns"
 	"github.com/containers/podman/v3/pkg/resolvconf"
 	"github.com/containers/podman/v3/pkg/rootless"
@@ -37,16 +38,12 @@ import (
 )
 
 const (
-	// slirp4netnsIP is the IP used by slirp4netns to configure the tap device
-	// inside the network namespace.
-	slirp4netnsIP = "10.0.2.100"
-
-	// slirp4netnsDNS is the IP for the built-in DNS server in the slirp network
-	slirp4netnsDNS = "10.0.2.3"
-
 	// slirp4netnsMTU the default MTU override
 	slirp4netnsMTU = 65520
 
+	// default slirp4ns subnet
+	defaultSlirp4netnsSubnet = "10.0.2.0/24"
+
 	// rootlessCNINSName is the file name for the rootless network namespace bind mount
 	rootlessCNINSName = "rootless-cni-ns"
 )
@@ -360,15 +357,20 @@ func (r *Runtime) GetRootlessCNINetNs(new bool) (*RootlessCNI, error) {
 				}
 
 				// build a new resolv.conf file which uses the slirp4netns dns server address
-				resolveIP := slirp4netnsDNS
+				resolveIP, err := GetSlirp4netnsDNS(nil)
+				if err != nil {
+					return nil, errors.Wrap(err, "failed to determine default slirp4netns DNS address")
+				}
+
 				if netOptions.cidr != "" {
 					_, cidr, err := net.ParseCIDR(netOptions.cidr)
 					if err != nil {
 						return nil, errors.Wrap(err, "failed to parse slirp4netns cidr")
 					}
-					// the slirp dns ip is always the third ip in the subnet
-					cidr.IP[len(cidr.IP)-1] = cidr.IP[len(cidr.IP)-1] + 3
-					resolveIP = cidr.IP.String()
+					resolveIP, err = GetSlirp4netnsDNS(cidr)
+					if err != nil {
+						return nil, errors.Wrapf(err, "failed to determine slirp4netns DNS address from cidr: %s", cidr.String())
+					}
 				}
 				conf, err := resolvconf.Get()
 				if err != nil {
@@ -377,7 +379,7 @@ func (r *Runtime) GetRootlessCNINetNs(new bool) (*RootlessCNI, error) {
 				searchDomains := resolvconf.GetSearchDomains(conf.Content)
 				dnsOptions := resolvconf.GetOptions(conf.Content)
 
-				_, err = resolvconf.Build(filepath.Join(cniDir, "resolv.conf"), []string{resolveIP}, searchDomains, dnsOptions)
+				_, err = resolvconf.Build(filepath.Join(cniDir, "resolv.conf"), []string{resolveIP.String()}, searchDomains, dnsOptions)
 				if err != nil {
 					return nil, errors.Wrap(err, "failed to create rootless cni resolv.conf")
 				}
@@ -577,7 +579,7 @@ func (r *Runtime) setupRootlessNetNS(ctr *Container) error {
 		// set up port forwarder for CNI-in-slirp4netns
 		netnsPath := ctr.state.NetNS.Path()
 		// TODO: support slirp4netns port forwarder as well
-		return r.setupRootlessPortMappingViaRLK(ctr, netnsPath, "")
+		return r.setupRootlessPortMappingViaRLK(ctr, netnsPath)
 	}
 	return nil
 }
@@ -757,6 +759,15 @@ func getContainerNetNS(ctr *Container) (string, error) {
 	return "", nil
 }
 
+// isBridgeNetMode checks if the given network mode is bridge.
+// It returns nil when it is set to bridge and an error otherwise.
+func isBridgeNetMode(n namespaces.NetworkMode) error {
+	if !n.IsBridge() {
+		return errors.Wrapf(define.ErrNetworkModeInvalid, "%q is not supported", n)
+	}
+	return nil
+}
+
 // Reload only works with containers with a configured network.
 // It will tear down, and then reconfigure, the network of the container.
 // This is mainly used when a reload of firewall rules wipes out existing
@@ -770,8 +781,8 @@ func (r *Runtime) reloadContainerNetwork(ctr *Container) ([]*cnitypes.Result, er
 	if ctr.state.NetNS == nil {
 		return nil, errors.Wrapf(define.ErrCtrStateInvalid, "container %s network is not configured, refusing to reload", ctr.ID())
 	}
-	if rootless.IsRootless() || ctr.config.NetMode.IsSlirp4netns() {
-		return nil, errors.Wrapf(define.ErrRootless, "network reload only supported for root containers")
+	if err := isBridgeNetMode(ctr.config.NetMode); err != nil {
+		return nil, err
 	}
 
 	logrus.Infof("Going to reload container %s network", ctr.ID())
@@ -1025,8 +1036,8 @@ func (w *logrusDebugWriter) Write(p []byte) (int, error) {
 // NetworkDisconnect removes a container from the network
 func (c *Container) NetworkDisconnect(nameOrID, netName string, force bool) error {
 	// only the bridge mode supports cni networks
-	if !c.config.NetMode.IsBridge() {
-		return errors.Errorf("network mode %q is not supported", c.config.NetMode)
+	if err := isBridgeNetMode(c.config.NetMode); err != nil {
+		return err
 	}
 
 	networks, err := c.networksByNameIndex()
@@ -1086,8 +1097,8 @@ func (c *Container) NetworkDisconnect(nameOrID, netName string, force bool) erro
 // ConnectNetwork connects a container to a given network
 func (c *Container) NetworkConnect(nameOrID, netName string, aliases []string) error {
 	// only the bridge mode supports cni networks
-	if !c.config.NetMode.IsBridge() {
-		return errors.Errorf("network mode %q is not supported", c.config.NetMode)
+	if err := isBridgeNetMode(c.config.NetMode); err != nil {
+		return err
 	}
 
 	networks, err := c.networksByNameIndex()