Remove CNI-specific code paths from libpod

Remove CNI-specific conditional logic and update comments throughout
the libpod networking code:

- Simplified DNS configuration logic in container_internal_common.go
  to always use netavark behavior (removed backend checks)
- Removed CNI-specific iptables chain error regex pattern
- Updated all comments referencing 'CNI' to use 'netavark' or
  'network backend'
- Renamed variable 'cniNet' to 'netInfo' for clarity
- Updated field and type documentation to remove CNI references

All networking code now assumes netavark as the sole backend.

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>

libpod/container.go

@@ -218,8 +218,8 @@ type ContainerState struct {
 	// and not delegated to the OCI runtime.
 	ExtensionStageHooks map[string][]spec.Hook `json:"extensionStageHooks,omitempty"`
 
-	// NetInterfaceDescriptions describe the relationship between a CNI
-	// network and an interface names
+	// NetInterfaceDescriptions describe the relationship between a
+	// network and an interface name
 	NetInterfaceDescriptions ContainerNetworkDescriptions `json:"networkDescriptions,omitempty"`
 
 	// Service indicates that container is the service container of a
@@ -324,7 +324,7 @@ type ContainerSecret struct {
 	Target string
 }
 
-// ContainerNetworkDescriptions describes the relationship between the CNI
+// ContainerNetworkDescriptions describes the relationship between the
 // network and the ethN where N is an integer
 type ContainerNetworkDescriptions map[string]int
 

libpod/container_internal_common.go

@@ -2203,7 +2203,6 @@ func (c *Container) addResolvConf() error {
 
 	ipv6 := c.checkForIPv6(netStatus)
 
-	networkBackend := c.runtime.config.Network.NetworkBackend
 	nameservers := make([]string, 0, len(c.runtime.config.Containers.DNSServers.Get())+len(c.config.DNSServer))
 
 	// If NetworkBackend is `netavark` do not populate `/etc/resolv.conf`
@@ -2213,7 +2212,7 @@ func (c *Container) addResolvConf() error {
 
 	// Exception: Populate `/etc/resolv.conf` if container is not connected to any network
 	// with dns enabled then we do not get any nameservers back.
-	if networkBackend != string(types.Netavark) || len(networkNameServers) == 0 {
+	if len(networkNameServers) == 0 {
 		nameservers = append(nameservers, c.runtime.config.Containers.DNSServers.Get()...)
 		for _, ip := range c.config.DNSServer {
 			nameservers = append(nameservers, ip.String())
@@ -2222,9 +2221,9 @@ func (c *Container) addResolvConf() error {
 	// If the user provided dns, it trumps all; then dns masq; then resolv.conf
 	keepHostServers := false
 	if len(nameservers) == 0 {
-		// when no network name servers or not netavark use host servers
+		// when no network name servers use host servers
 		// for aardvark dns we only want our single server in there
-		if len(networkNameServers) == 0 || networkBackend != string(types.Netavark) {
+		if len(networkNameServers) == 0 {
 			keepHostServers = true
 		}
 		if len(networkNameServers) > 0 {

libpod/define/container_inspect.go

@@ -384,8 +384,8 @@ type InspectContainerHostConfig struct {
 	// NetworkMode is the configuration of the container's network
 	// namespace.
 	// Populated as follows:
-	// default - A network namespace is being created and configured via CNI
-	// none - A network namespace is being created, not configured via CNI
+	// default - A network namespace is being created and configured
+	// none - A network namespace is being created, not configured
 	// host - No network namespace created
 	// container:<id> - Using another container's network namespace
 	// ns:<path> - A path to a network namespace has been specified
@@ -703,8 +703,8 @@ type InspectBasicNetworkConfig struct {
 	// MacAddress is the MAC address for the interface in this network.
 	MacAddress string `json:"MacAddress"`
 	// AdditionalMacAddresses is a set of additional MAC Addresses beyond
-	// the first. CNI may configure more than one interface for a single
-	// network, which can cause this.
+	// the first. The network backend may configure more than one interface
+	// for a single network, which can cause this.
 	AdditionalMacAddresses []string `json:"AdditionalMACAddresses,omitempty"`
 }
 

libpod/networking_common.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"regexp"
 	"slices"
 	"sort"
 
@@ -72,7 +71,7 @@ func (c *Container) getNetworkOptions(networkOpts map[string]types.PerNetworkOpt
 	return opts
 }
 
-// setUpNetwork will set up the networks, on error it will also tear down the cni
+// setUpNetwork will set up the networks, on error it will also tear down the
 // networks. If rootless it will join/create the rootless network namespace.
 func (r *Runtime) setUpNetwork(ns string, opts types.NetworkOptions) (map[string]types.StatusBlock, error) {
 	return r.network.Setup(ns, types.SetupOptions{NetworkOptions: opts})
@@ -146,16 +145,7 @@ func (r *Runtime) reloadContainerNetwork(ctr *Container) (map[string]types.Statu
 
 	err := r.teardownNetwork(ctr)
 	if err != nil {
-		// teardownNetwork will error if the iptables rules do not exist and this is the case after
-		// a firewall reload. The purpose of network reload is to recreate the rules if they do
-		// not exists so we should not log this specific error as error. This would confuse users otherwise.
-		// iptables-legacy and iptables-nft will create different errors. Make sure to match both.
-		b, rerr := regexp.MatchString("Couldn't load target `CNI-[a-f0-9]{24}':No such file or directory|Chain 'CNI-[a-f0-9]{24}' does not exist", err.Error())
-		if rerr == nil && !b {
-			logrus.Error(err)
-		} else {
-			logrus.Info(err)
-		}
+		logrus.Error(err)
 	}
 
 	networkOpts, err := ctr.networks()
@@ -172,7 +162,7 @@ func (r *Runtime) reloadContainerNetwork(ctr *Container) (map[string]types.Statu
 			for _, netAddress := range netInt.Subnets {
 				perNetOpts.StaticIPs = append(perNetOpts.StaticIPs, netAddress.IPNet.IP)
 			}
-			// Normally interfaces have a length of 1, only for some special cni configs we could get more.
+			// Normally interfaces have a length of 1, only for some special network configs we could get more.
 			// For now just use the first interface to get the ips this should be good enough for most cases.
 			break
 		}
@@ -251,10 +241,10 @@ func (c *Container) getContainerNetworkInfo() (*define.InspectNetworkSettings, e
 		if len(networks) > 0 {
 			settings.Networks = make(map[string]*define.InspectAdditionalNetwork, len(networks))
 			for net, opts := range networks {
-				cniNet := new(define.InspectAdditionalNetwork)
-				cniNet.NetworkID = getNetworkID(net)
-				cniNet.Aliases = opts.Aliases
-				settings.Networks[net] = cniNet
+				netInfo := new(define.InspectAdditionalNetwork)
+				netInfo.NetworkID = getNetworkID(net)
+				netInfo.Aliases = opts.Aliases
+				settings.Networks[net] = netInfo
 			}
 		} else {
 			setDefaultNetworks()
@@ -313,8 +303,8 @@ func (c *Container) getContainerNetworkInfo() (*define.InspectNetworkSettings, e
 	return settings, nil
 }
 
-// resultToBasicNetworkConfig produces an InspectBasicNetworkConfig from a CNI
-// result
+// resultToBasicNetworkConfig produces an InspectBasicNetworkConfig from a
+// network result
 func resultToBasicNetworkConfig(result types.StatusBlock) define.InspectBasicNetworkConfig {
 	config := define.InspectBasicNetworkConfig{}
 	interfaceNames := make([]string, 0, len(result.Interfaces))
@@ -358,7 +348,7 @@ func resultToBasicNetworkConfig(result types.StatusBlock) define.InspectBasicNet
 
 // NetworkDisconnect removes a container from the network
 func (c *Container) NetworkDisconnect(nameOrID, netName string, _ bool) error {
-	// only the bridge mode supports cni networks
+	// only the bridge mode supports networks
 	if err := isBridgeNetMode(c.config.NetMode); err != nil {
 		return err
 	}
@@ -372,7 +362,7 @@ func (c *Container) NetworkDisconnect(nameOrID, netName string, _ bool) error {
 	}
 
 	// check if network exists and if the input is an ID we get the name
-	// CNI and netavark and the libpod db only uses names so it is important that we only use the name
+	// The libpod db only uses names so it is important that we only use the name
 	netName, _, err = c.runtime.normalizeNetworkName(netName)
 	if err != nil {
 		return err
@@ -495,7 +485,7 @@ func (c *Container) NetworkConnect(nameOrID, netName string, netOpts types.PerNe
 	}
 
 	// check if network exists and if the input is an ID we get the name
-	// CNI and netavark and the libpod db only uses names so it is important that we only use the name
+	// The libpod db only uses names so it is important that we only use the name
 	var nicName string
 	netName, nicName, err = c.runtime.normalizeNetworkName(netName)
 	if err != nil {

libpod/networking_linux.go

@@ -122,7 +122,7 @@ func (r *Runtime) teardownNetNS(ctr *Container) error {
 
 	// Do not check the error here, we want to always umount the netns
 	// This will ensure that the container interface will be deleted
-	// even when there is a CNI or netavark bug.
+	// even when there is a network backend bug.
 	prevErr := r.teardownNetwork(ctr)
 
 	// First unmount the namespace

pkg/specgen/namespaces.go

@@ -45,7 +45,7 @@ const (
 	// be joined.  loopback should still exist.
 	// Only used with the network namespace, invalid otherwise.
 	NoNetwork NamespaceMode = "none"
-	// Bridge indicates that the network backend (CNI/netavark)
+	// Bridge indicates that the network backend (netavark)
 	// should be used.
 	// Only used with the network namespace, invalid otherwise.
 	Bridge NamespaceMode = "bridge"

pkg/specgenutil/util.go

@@ -179,7 +179,7 @@ func parseSplitPort(hostIP, hostPort *string, ctrPort string, protocol *string)
 		if *hostIP == "" {
 			return newPort, errors.New("must provide a non-empty container host IP to publish")
 		} else if *hostIP != "0.0.0.0" {
-			// If hostIP is 0.0.0.0, leave it unset - CNI treats
+			// If hostIP is 0.0.0.0, leave it unset - netavark treats
 			// 0.0.0.0 and empty differently, Docker does not.
 			testIP := net.ParseIP(*hostIP)
 			if testIP == nil {