podman fails setting forward rules #5335
Comments
The same setup works using Fedora 30.
The box was installed by this kickstart: https://github.com/RedHatNordicsSA/iot-hack/blob/master/rhel-device/ks.cfg and further configured by this playbook: https://github.com/RedHatNordicsSA/iot-hack/blob/master/setup-rhel-host.yml, and not much hand tweaking, except for removing the firewall part from the podman network config.
Important note I forgot to write here! This happens only with root containers. The non-root containers do work. So it's related to the bridge.
I got some extra info out of this by accident. I had some containers running, set up with the firewalld firewall setting. I changed the network config in /etc/cni back to the firewall being iptables. I forgot to remove the containers before that. I cleaned them away (podman rm -f) only after changing the podman config back to iptables, and it spat out an error listing all the missing rules that it would have created with iptables :) So here is what is missed by the firewalld setup, hopefully it helps to find the place for the missing rule creation:
It seems ping works, so it's TCP that gets bypassed by NAT mangling.
It's the same with iptables btw, I just didn't notice earlier. But more details: it seems non-TCP works, here's
and here's the same with TCP
The NAT doesn't happen on TCP.
Now trying it out with the iptables firewall setting, the rules look normal. However, TCP bypasses the masquerade rule:
I believe it should happen on the very last rule.
Is this the iptables backend with firewalld still running? I don't think we want to support that. We should focus on iptables with firewalld off, and firewalld with firewalld on.
The system had some firewalld commands given to open ports. The only thing on RHEL using iptables was the podman network config, until I removed that piece from the config. I also put it back, as I thought podman works with iptables, but it didn't work. So it was the update of the system that broke the podman root containers' external networking altogether. If I now again remove the iptables stanza from the podman config, there is no one commanding iptables in the system; it's purely on firewalld.
Tadaa, success! So if I have the firewall defined to firewalld, it all starts to work!
If I leave the firewall definition part out, root containers don't get to the internet. Myth busted. Probably this should be tested again before removing that part from RHEL 8.2? Or perhaps some other changes fix it for 8.2, but on RHEL 8.1 it needs to be this way. Thanks for the help.
Uh-oh. @baude Eeeeeeek.
A friendly reminder that this issue had no activity for 30 days.
This also happens on a current RHEL 8; also tested on CentOS 8 Stream, same result.
There is a kbase article already but no BZ or link to this issue: https://access.redhat.com/solutions/4859291
#5348: is this the fix for this issue?
Yes. This should be closed, as such.
/kind bug
Description
I lost all connectivity to network from a pod after switching to firewalld on RHEL8.1.
Steps to reproduce the issue:
Describe the results you received:
It will not be able to fetch anything from the internet. Not even DNS works. One can see from tcpdump that outgoing packets are not mangled to have the host IP as src address. The host sends stuff to the internet using the internal 10.88/16 src address.
The non-root pods do work. They also attach to the bridge differently than the root pods.
Describe the results you expected:
get the internet page
Additional information you deem important (e.g. issue happens only occasionally):
It works if iptables is in use. If changed to firewalld, the CNI_FORWARD rules don't get created. Repeatedly happens on RHEL 8.1. Actually, it never works on RHEL.
While you debug this, monitor firewall rules for CNI_FORWARD:
@mccv1r0 already did put some effort debugging this, please ask him for more details.
Output of podman version:
Output of podman info --debug:
Package info (e.g. output of rpm -q podman or apt list podman):
Additional environment details (AWS, VirtualBox, physical, etc.):
physical hw
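A defender's check for the state the reporter describes (CNI_FORWARD rules absent, container source addresses never masqueraded), as an added example that is not part of this issue or of podman: it audits an iptables-save dump for the filter-table CNI_FORWARD hook and for a nat path from POSTROUTING to a MASQUERADE rule covering 10.88/16 sources, run here over two constructed dumps, one working and one resembling the firewalld-only state. Chain and rule names follow this issue's text and are assumptions about the plugin versions involved; on a live host, call audit_cni_rules with the output of iptables-save.

```shell
# Audits an iptables-save dump for what a root podman bridge network needs: the filter-table
# CNI_FORWARD chain (named as in this issue) hooked from FORWARD, and a nat path from
# POSTROUTING to MASQUERADE for 10.88/16 sources. Constructed example, both dumps hand-written.
audit_cni_rules() {
  dump="$1"; prefix="${2:-10.88.}"; rc=0
  # 1. filter table: chain declared and reachable from FORWARD
  printf '%s\n' "$dump" | grep -q '^:CNI_FORWARD ' \
    || { echo "missing: filter chain CNI_FORWARD"; rc=1; }
  printf '%s\n' "$dump" | grep -q '^-A FORWARD .*-j CNI_FORWARD' \
    || { echo "missing: FORWARD -> CNI_FORWARD jump"; rc=1; }
  # 2. nat table: which chain does POSTROUTING send container-sourced traffic to?
  target=$(printf '%s\n' "$dump" \
    | sed -n "s|^-A POSTROUTING -s $prefix[0-9./]* .*-j \([^ ]*\).*|\1|p" | head -n1)
  if [ -z "$target" ]; then
    echo "missing: POSTROUTING rule for sources $prefix*"; rc=1
  elif [ "$target" != MASQUERADE ] \
      && ! printf '%s\n' "$dump" | grep -q "^-A $target .*-j MASQUERADE"; then
    echo "missing: MASQUERADE in nat chain $target (container src never rewritten)"; rc=1
  fi
  return $rc
}
# Constructed dump resembling a working iptables-backend host.
GOOD_DUMP=$(cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
:CNI_FORWARD - [0:0]
-A FORWARD -m comment --comment "CNI firewall plugin rules" -j CNI_FORWARD
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
:CNI-0123abcd - [0:0]
-A POSTROUTING -s 10.88.0.2/32 -m comment --comment "name: \"podman\"" -j CNI-0123abcd
-A CNI-0123abcd ! -d 224.0.0.0/4 -j MASQUERADE
COMMIT
EOF
)
# Constructed dump resembling the reporter's broken state: only firewalld's own chains.
BAD_DUMP=$(cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j FORWARD_direct
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j POSTROUTING_direct
COMMIT
EOF
)
audit_cni_rules "$GOOD_DUMP" && echo "good dump: CNI rules present"
audit_cni_rules "$BAD_DUMP" || echo "bad dump: root containers would lose NAT"
```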