This issue was moved to a discussion.

Podman not using Pasta in certain cases #24285

Closed
jjhidalgar opened this issue Oct 15, 2024 · 0 comments

Comments


jjhidalgar commented Oct 15, 2024

Issue Description

Podman not using Pasta in certain cases. This makes it NOT work when going rootless.

These cases are

Steps to reproduce the issue

This works:

podman run -d -p 8000:8000/udp ubuntu:latest sleep infinity

This doesn't work:

podman network create infra
podman run --network=infra -d -p 8000:8000/udp ubuntu:latest sleep infinity
Error: netavark: iptables: No such file or directory (os error 2)

Describe the results you received

Error: netavark: iptables: No such file or directory (os error 2)

You can see how the container that works fine (without --network, or without docker compose) has pasta in the NetworkMode, while the other doesn't.

[rocky@aws-infra-vm:~/Logstash]$ podman inspect 743411ef0e78 | grep Net
          "NetworkSettings": {
               "Networks": {
                         "NetworkID": "infra",
               "NetworkMode": "bridge",
[rocky@aws-infra-vm:~/Logstash]$ podman inspect 4a065dcdba50 | grep Net
          "NetworkSettings": {
               "NetworkMode": "pasta",

Describe the results you expected

No errors

podman info output

podman info
host:
  arch: amd64
  buildahVersion: 1.37.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.20240313132120223048.main.19.gaffab49.el9.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 97.43
    systemPercent: 0.58
    userPercent: 1.98
  cpus: 2
  databaseBackend: sqlite
  distribution:
    distribution: rocky
    version: "9.4"
  eventLogger: journald
  freeLocks: 2045
  hostname: aws-infra-vm.aws.cccis.com
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.14.0-427.16.1.el9_4.x86_64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 2688086016
  memTotal: 4022386688
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.1-1.20241015153705227287.main.42.g25bf0c8.el9.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.0-dev
    package: netavark-1.10.3-1.el9.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: crun-1.17-1.20241014095439306722.main.20.g53cd1c1.el9.x86_64
    path: /usr/bin/crun
    version: |-
      crun version UNKNOWN
      commit: 34286c495ef155194388d1b953dfbf9a586d6e71
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20231204.gb86afe3-1.el9.x86_64
    version: |
      pasta 0^20231204.gb86afe3-1.el9.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 1h 15m 25.00s (Approximately 0.04 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /home/rocky/.config/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 1
    stopped: 2
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.13-1.el9.x86_64
      Version: |-
        fusermount3 version: 3.10.2
        fuse-overlayfs: version 1.13-dev
        FUSE library version 3.10.2
        using FUSE kernel interface version 7.31
  graphRoot: /home/rocky/.local/share/containers/storage
  graphRootAllocated: 10587451392
  graphRootUsed: 1761443840
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/rocky/.local/share/containers/storage/volumes
version:
  APIVersion: 5.3.0-dev-29eb8ce09
  Built: 1725235200
  BuiltTime: Mon Sep  2 00:00:00 2024
  GitCommit: ""
  GoVersion: go1.21.11 (Red Hat 1.21.11-1.el9_4)
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.0-dev-29eb8ce09

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

AWS instance

Additional information

I can fix the issue if I configure this in the system:

dnf install netavark # this would also install dependencies: iptables-libs, iptables-legacy and iptables-legacy-libs
modprobe ip_tables

Then it works, but I'm not sure if it's using Pasta when doing so.

podman inspect 28c2d0e259f2acc96287552db59d7bd788b140fcfb818fe9b17a81cf30c2a9c4 | grep Net
          "NetworkSettings": {
               "Networks": {
                         "NetworkID": "infra",
               "NetworkMode": "bridge",

If we compare to the above case (when not specifying --network, and not using compose), we see the containers with this:

"NetworkMode": "pasta",

@jjhidalgar jjhidalgar added the kind/bug Categorizes issue or PR as related to a bug. label Oct 15, 2024
@Luap99 Luap99 removed the kind/bug Categorizes issue or PR as related to a bug. label Oct 16, 2024
@containers containers locked and limited conversation to collaborators Oct 16, 2024
@Luap99 Luap99 converted this issue into discussion #24290 Oct 16, 2024
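The two behaviours reported above differ in which networking path rootless Podman takes: a container started without --network gets NetworkMode "pasta" and pasta handles port publishing itself, while a container on a user-defined network gets NetworkMode "bridge", and netavark (with the iptables firewall driver in the version shown in podman info) has to program firewall rules, which is the step that fails when iptables is absent. The following preflight script is an added example, not code from the issue or from the Podman project; the function names, the output labels and the /proc/modules sample in the test are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): preflight check for rootless Podman hosts
# that explains why a container on a user-defined network needs iptables while
# the default (pasta) network mode does not.

# Classify a NetworkMode value as read from
#   podman inspect --format '{{.HostConfig.NetworkMode}}' <container>
# pasta/slirp4netns publish ports themselves; bridge goes through netavark,
# which needs a firewall backend in the rootless network namespace.
classify_network_mode() {
  case "$1" in
    pasta|slirp4netns) echo "no-firewall-backend" ;;
    bridge)            echo "needs-iptables" ;;
    *)                 echo "unknown"; return 1 ;;
  esac
}

# Verify the prerequisites for the bridge path. Inputs are passed explicitly so
# the check can run against captured data as well as the live host.
#   $1: path of the iptables binary ("" when not found)
#   $2: a file in /proc/modules format
bridge_prereqs_ok() {
  [ -n "$1" ] || { echo "missing iptables binary (dnf install netavark pulls it in)"; return 1; }
  grep -q '^ip_tables ' "$2" || { echo "ip_tables module not loaded (modprobe ip_tables)"; return 1; }
  echo "ok"
}

# Live wrapper (hypothetical helper): diagnose one container by id or name.
run_live() {
  mode=$(podman inspect --format '{{.HostConfig.NetworkMode}}' "$1") || return 1
  case $(classify_network_mode "$mode") in
    needs-iptables) bridge_prereqs_ok "$(command -v iptables)" /proc/modules ;;
    *) echo "ok ($mode)" ;;
  esac
}
```

Run `run_live <container>` on the host to get the same diagnosis the issue arrived at by hand: a "needs-iptables" container fails until both the binary and the ip_tables module are present.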
