Hi,
Thanks for your insights! I've tried taking a look at the arguments with
which pasta is being invoked before. Right now, with my additional
dns-host argument,
this is what it looks like:
/usr/bin/pasta --dns-host=192.168.x.y --stderr --ns-ifname=tap0 --mtu=65520
--config-net --address=10.0.2.100 --netmask=24 --gateway=10.0.2.2
--dns-forward=10.0.2.3 --no-map-gw --ipv4-only --tcp-ports=auto
--udp-ports=auto 1722
and rootlesskit is invoked in the following way:
rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=pasta
--mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto
--disable-host-loopback --port-driver=implicit --copy-up=/etc
--copy-up=/run --propagation=rslave --pasta-binary /home/username/pst
/usr/bin/dockerd-rootless.sh
I've tried getting rid of the --disable-host-loopback option from
rootlesskit and the --no-map-gw option from pasta, but it hasn't helped.
On Wed, Nov 26, 2025 at 12:28 AM David Gibson wrote:
> On Mon, Nov 24, 2025 at 08:10:35PM -0330, Ayon T wrote:
> > Hi, sorry it has been a while, I haven't been able to find the time to work on this problem.
> > However, I think I've managed to narrow down what the problem is, so I'm writing to you again!
> > I essentially ended up using a wrapper for pasta to try out a few different arguments with it, even though I went down a different route. I used "DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS" with `rootlesskit` to pass on a new location to a script wrapping the pasta binary.
> > I passed on the explicit local network IP of the DNS server that runs on my home network, and everything started working fine.
> > I'll explain: my server PC runs rootless containers – one of them runs a DNS server. On that PC itself, I redirect local DNS queries to 127.0.0.1 (the first nameserver in /etc/resolv.conf). pasta picks up the first entry in /etc/resolv.conf and forwards DNS queries to it. But it seems like it cannot access localhost (probably by design?)
>
> With its own default options, pasta will generally allow access from loopback, but docker may (by design) add parameters that override that behaviour. Using 'ps' (or your wrapper) to find out the exact arguments that docker is invoking pasta with would help.
>
> > Once I add the local network IP (192.168.x.y) explicitly as the DNS server to forward queries to, things work, but I find this inefficient as it feels like queries shouldn't have to go through the local network for resolution, since the DNS server runs on that very device.
>
> So, yes, it arguably should be possible to access the server via 127.0.0.1. That said, I don't think there's any real inefficiency here: the kernel will already direct traffic to a public-but-local address over 'lo', so it won't actually hit the external network.
>
> > Please advise me on what can be done about this and if I'm on the wrong track.
> >
> > Regards, Ayon
> >
> > On Tue, Jun 3, 2025 at 8:16 AM Stefano Brivio wrote:
> > > On Fri, 23 May 2025 00:51:25 -0230 Ayon T wrote:
> > > > I know you have been asking me to run pasta with arguments with docker, but I'm not sure how to do this (pardon my inexperience). I use an override.conf file to set the default network and port driver of docker, and that's how I use pasta with docker. I have tried looking up how to do it in a different way that gives me more control over the arguments that go in, but I haven't been able to find it. Could you guide me regarding this or point me to a resource?
> > >
> > > Apologies for the delay. It looks like you need to rebuild rootlesskit with any option you want to add, here:
> > > https://github.com/rootless-containers/rootlesskit/blob/e83d7635183e1125798b...
> > > because there's currently no convenient command-line mechanism like the one implemented by Podman, here:
> > > https://github.com/containers/common/blob/5a4ca2d5d35571556f6e7d1d5f024c19dc...
> > > I guess it would be nice to implement something similar, but I'm not really familiar with rootlesskit otherwise. An alternative could be to use a trivial wrapper at /usr/local/bin/pasta, a simple script doing:
> > > --
> > > #!/bin/sh
> > > /usr/bin/pasta "$@" --whatever-additional-option-here
> > > --
> > >
> > > --
> > > Stefano
> >
> > _______________________________________________
> > user mailing list -- passt-user@passt.top
> > To unsubscribe send an email to passt-user-leave@passt.top
>
> --
> David Gibson (he or they)      | I'll have my music baroque, and my code
> david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
>                                | around.
> http://www.ozlabs.org/~dgibson
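Added example (not part of the thread, and not code from the passt or rootlesskit projects): a fuller version of the wrapper Stefano sketches, which also does what David asks for, recording the exact argument list rootlesskit hands to pasta. It inserts the extra options before the positional argument (the PID, 1722 in the invocation above) instead of after it, so they cannot be taken for part of a command. The names REAL_PASTA, PASTA_EXTRA_OPTS and PASTA_WRAPPER_LOG are hypothetical, the default extra option reuses the placeholder address from this thread, and option detection assumes the --option=value form that rootlesskit uses in the invocation shown; a separate "--option value" pair would have its value mistaken for the first positional argument.

```shell
#!/bin/sh
# Added example wrapper, meant to be installed as /usr/local/bin/pasta and
# pointed at by rootlesskit's --pasta-binary. Not from passt or rootlesskit.
#
# Assumptions (hypothetical names, adjust as needed):
#   REAL_PASTA        path of the real binary, default /usr/bin/pasta
#   PASTA_EXTRA_OPTS  options to add; the default is the thread's placeholder
#   PASTA_WRAPPER_LOG where every invocation is recorded
# Option detection assumes the --option=value form seen in the thread; a
# separate "--option value" pair would have its value treated as positional.

REAL_PASTA=${REAL_PASTA:-/usr/bin/pasta}
EXTRA_OPTS=${PASTA_EXTRA_OPTS:-"--dns-host=192.168.x.y"}    # placeholder, edit
LOG=${PASTA_WRAPPER_LOG:-${XDG_RUNTIME_DIR:-/tmp}/pasta-wrapper.log}

# log_invocation: one bracketed line per argument, so empty arguments and
# embedded spaces stay visible (a 'ps' listing loses that distinction).
log_invocation() {
    {
        printf '%s pid=%s invoked with %d argument(s):\n' \
            "$(date '+%Y-%m-%dT%H:%M:%S')" "$$" "$#"
        for a in "$@"; do printf '  [%s]\n' "$a"; done
    } >>"$LOG" 2>/dev/null || :
}

# rebuild_argv ACTION EXTRA ARG...: rebuild ARG... with the words of EXTRA
# inserted before the first positional argument (or before "--"), then call
# ACTION with the result. POSIX sh has no arrays, so the list is rebuilt in
# the positional parameters: each original argument is shifted off the front
# and appended at the back; after $# rounds "$@" holds the new list.
rebuild_argv() {
    action=$1; extra=$2; shift 2
    n=$#; i=0; inserted=0
    while [ "$i" -lt "$n" ]; do
        a=$1; shift; i=$((i + 1))
        case $a in
            --)   positional=1 ;;     # end of options: extras must precede it
            -?*)  positional=0 ;;     # an option: keep it in place
            *)    positional=1 ;;     # PID, command, "-" or empty string
        esac
        if [ "$positional" -eq 1 ] && [ "$inserted" -eq 0 ]; then
            for e in $extra; do set -- "$@" "$e"; done   # word-split on purpose
            inserted=1
        fi
        set -- "$@" "$a"
    done
    if [ "$inserted" -eq 0 ]; then                          # no positional at all
        for e in $extra; do set -- "$@" "$e"; done
    fi
    "$action" "$@"
}

print_argv() { printf '%s\n' "$*"; }           # for inspection and tests
exec_real_pasta() { exec "$REAL_PASTA" "$@"; }

main() {
    log_invocation "$@"
    rebuild_argv exec_real_pasta "$EXTRA_OPTS" "$@"
}

# Take over only when running under the name "pasta" (as /usr/local/bin/pasta);
# sourcing or running the file under another name just defines the functions.
case ${0##*/} in pasta) main "$@" ;; esac
```

Once installed and referenced from DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS as in the thread, the log shows every option rootlesskit adds on top of pasta's defaults (for instance --no-map-gw and --dns-forward above), which is the information needed to tell whether loopback access is being switched off by the caller rather than by pasta itself.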