slirp4netns fails when used as networking for rootlesskit in Alpine #304

Closed
AtelierSnek opened this issue Oct 27, 2022 · 2 comments
Labels
question Further information is requested

AtelierSnek commented Oct 27, 2022

Running rootlesskit with --net=slirp4netns fails to start:

~ ❯ rootlesskit --net=slirp4netns --copy-up=/etc --copy-up=/run \
   --state-dir=/tmp/1000-runtime-dir/rootlesskit-containerd --disable-host-loopback \
  sh -c "rm -f /run/containerd; exec containerd -c config.toml"

BusyBox v1.35.0 (2022-08-01 15:14:44 UTC) multi-call binary.

Usage: ip [OPTIONS] address|route|link|tunnel|neigh|rule [ARGS]

OPTIONS := -f[amily] inet|inet6|link | -o[neline]

ip addr add|del IFADDR dev IFACE | show|flush [dev IFACE] [to PREFIX]
ip route list|flush|add|del|change|append|replace|test ROUTE
ip link set IFACE [up|down] [arp on|off] [multicast on|off]
	[promisc on|off] [mtu NUM] [name NAME] [qlen NUM] [address MAC]
	[master IFACE | nomaster] [netns PID]
ip tunnel add|change|del|show [NAME]
	[mode ipip|gre|sit] [remote ADDR] [local ADDR] [ttl TTL]
ip neigh show|flush [to PREFIX] [dev DEV] [nud STATE]
ip rule [list] | add|del SELECTOR ACTION
[rootlesskit:parent] error: failed to setup network &{logWriter:0xc00014aa00 binary:slirp4netns mtu:65520 ipnet:<nil> disableHostLoopback:true apiSocketPath: enableSandbox:false enableSeccomp:false enableIPv6:false ifname:tap0 infoMu:{w:{state:0 sema:0} writerSem:0 readerSem:0 readerCount:0 readerWait:0} info:<nil>}: setting up tap tap0: executing [[nsenter -t 28875 -n -m -U --preserve-credentials ip tuntap add name tap0 mode tap] [nsenter -t 28875 -n -m -U --preserve-credentials ip link set tap0 up]]: exit status 1
[rootlesskit:child ] error: parsing message from fd 3: EOF

By the looks of this, it seems that the ip commands being issued aren't being accepted.

Fixes tried

  • doas modprobe tun (did not help)

Troubleshooting attempted

unshare --user --map-root-user --net --mount sh -exc 'echo $$ > /tmp/pid && sleep 120' + slirp4netns --configure --mtu=65520 --disable-host-loopback --enable-sandbox --enable-seccomp $(cat /tmp/pid) tap0
Output:

~ ❯ slirp4netns --configure --mtu=65520 --disable-host-loopback --enable-sandbox --enable-seccomp $(cat /tmp/pid) tap0
WARNING: Support for seccomp is experimental
sent tapfd=5 for tap0
received tapfd=5
Starting slirp
* MTU:             65520
* Network:         10.0.2.0
* Netmask:         255.255.255.0
* Gateway:         10.0.2.2
* DNS:             10.0.2.3
* DHCP begin:      10.0.2.15
* DHCP end:        10.0.2.30
* Recommended IP:  10.0.2.100
seccomp: The following syscalls are blocked: execve lookup_dcookie pidfd_getfd ptrace process_vm_readv process_vm_writev delete_module finit_module init_module chroot fsconfig fsmount fsopen fspick mount move_mount open_tree pivot_root umount umount2 open_by_handle_at execveat pidfd_open pidfd_send_signal prctl setns unshare kexec_file_load kexec_load reboot name_to_handle_at
@AkihiroSuda
Member

Try apk add iproute2 to install the non-busybox version of the ip command

@AkihiroSuda AkihiroSuda added the question Further information is requested label Nov 9, 2022
@AtelierSnek
Author

That seems to have fixed it, thanks!
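
A preflight check for the condition resolved in this thread, as an added example that is not part of the original issue or of rootlesskit. It assumes iproute2's `ip -V` output contains the string `iproute2` and that the BusyBox applet answers an unsupported option with its usage banner, as in the output quoted in the report; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the `ip` binary that rootlesskit's slirp4netns
# driver would run through nsenter (`ip tuntap add name tap0 mode tap`).

# classify_ip_output TEXT -> prints iproute2 | busybox | unknown
classify_ip_output() {
    case $1 in
        *iproute2*) echo iproute2 ;;   # e.g. "ip utility, iproute2-..."
        *BusyBox*)  echo busybox ;;    # usage banner as quoted in the report
        *)          echo unknown ;;
    esac
}

# ip_flavor PATH -> prints iproute2 | busybox | unknown | missing
ip_flavor() {
    ip_bin=$1
    if [ -z "$ip_bin" ] || [ ! -x "$ip_bin" ]; then
        echo missing
        return 0
    fi
    # Assumption: BusyBox does not implement -V and prints its usage text
    # instead; any other answer is reported as "unknown".
    ip_out=$("$ip_bin" -V 2>&1 || true)
    classify_ip_output "$ip_out"
}

# ip_preflight PATH -> status 0 only when the iproute2 `ip` is found;
# otherwise prints a hint on stderr and returns 1.
ip_preflight() {
    ip_kind=$(ip_flavor "$1")
    case $ip_kind in
        iproute2) return 0 ;;
        busybox)
            echo "ip is the BusyBox applet; on Alpine: apk add iproute2" >&2
            return 1 ;;
        *)
            echo "ip is $ip_kind; install iproute2" >&2
            return 1 ;;
    esac
}

# Report on the ip found in PATH without aborting the calling script.
host_ip=$(command -v ip || true)
echo "host ip flavor: $(ip_flavor "$host_ip")"
```

Calling `ip_preflight "$(command -v ip)"` before starting rootlesskit with `--net=slirp4netns` turns the opaque `exit status 1` into an actionable message.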
