Firewalld issue #5568
Comments
@mheon PTAL
I don't think this is an SELinux issue, but I am willing to be proven wrong. If you put the machine in permissive mode, does it still fail with the firewall rules up? Are there any AVC messages in the audit.log? This issue looks a lot like a firewall rules issue. From the podman info this looks like it is happening with root. BTW there should be a newer version of podman available for CentOS.
Check that it's not the same one I had a while back, confusion between iptables and firewalld: #5335
I have updated the main issue with more information and also the title; this issue is focused on firewalld. I talked yesterday with @mheon and he asked me to do some tests, and here's the output:
When I try to restart the pod and bring it back up again, I receive the following error:
The output after starting firewalld again:
I have found these links about the same issue in the same env:
@mheon that's perfect for me, could you please share this repo with me and then I'll test whether it's already fixed. Awaiting!
I don't maintain the virt-sig repo anymore. All non-fedora and non-rhel is on OBS now. 1.8.2 should be available for centos 7 via the OBS stable repo. See the Kubic project section under CentOS at https://podman.io/getting-started/installation for installation instructions
Still failing after updating to 1.8.2 and doing the same steps to reproduce as with the old version.
Hello, is there any progress on this? I am experiencing the same issue on CentOS 8 when firewalld is enabled. Basically name resolution does not work, whereas routing works fine when using IPs directly.
@mccv1r0 Any thoughts on this one?
This may be related to #5335. I am currently not using the Kubic repos but the version provided in the AppStream repos for CentOS 8: a wrong CNI configuration is created containing iptables as the backend for the firewall plugin. This is easy to reproduce using:
When removing the backend line, name resolution works fine.
This is a known issue and is fixed upstream ... both the network create code and the default CNI config.
Any chance of getting this into the releases shipped with the base/AppStream repos on RHEL?
Is it fixed in podman-1.16.4? Which should be released in the RHEL 8.2 release.
We will release podman-1.9.* in RHEL8.2.1 in the summer time.
Looking forward to seeing this and hopefully the dnsmasq plugin in the next release. Meanwhile I can work around this by myself. Thanks a lot.
Can you confirm whether there is a firewall block in the base network we ship ( |
For
Alright. So we are at least shipping a vaguely working config, here.
A friendly reminder that this issue had no activity for 30 days.
@mheon Is this still an issue with the upstream?
This should be fixed on upstream CNI configs.
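The two comments above (the CentOS 8 report of a CNI conflist that pins the firewall plugin to the iptables backend, and the question whether the shipped base network even carries a firewall block) both come down to inspecting the `plugins` array of a CNI conflist. The following is an added example, not code from the Podman project or from anyone in this thread. It parses a conflist, reports a firewall plugin that hard-codes `"backend": "iptables"` while firewalld is the active host firewall, and produces the corrected file with the backend key dropped so the plugin auto-detects the backend, which is the workaround described above. The sample conflist is constructed here for the example; the usual location of the real file under /etc/cni/net.d/ is an assumption, as is the use of `firewall-cmd --state` to detect firewalld.

```python
import json
import shutil
import subprocess

# Constructed sample CNI conflist for this example (not the file from the
# issue). It has the shape the thread describes: a "firewall" plugin pinned
# to the iptables backend. On a Podman host the real conflist is normally
# found under /etc/cni/net.d/ (path is an assumption; check your install).
SAMPLE_CONFLIST = json.dumps({
    "cniVersion": "0.4.0",
    "name": "podman",
    "plugins": [
        {"type": "bridge", "bridge": "cni-podman0", "isGateway": True,
         "ipMasq": True,
         "ipam": {"type": "host-local",
                  "routes": [{"dst": "0.0.0.0/0"}],
                  "ranges": [[{"subnet": "10.88.0.0/16",
                               "gateway": "10.88.0.1"}]]}},
        {"type": "portmap", "capabilities": {"portMappings": True}},
        {"type": "firewall", "backend": "iptables"},
    ],
})


def firewall_plugins(conflist_text):
    """Return every plugin entry of type 'firewall' in a conflist document."""
    conf = json.loads(conflist_text)
    return [p for p in conf.get("plugins", []) if p.get("type") == "firewall"]


def firewalld_running():
    """Best-effort host check: is firewalld the active firewall?

    Uses `firewall-cmd --state` when the binary exists (assumption: this is
    how the host exposes firewalld state). Returns False when the check
    cannot be made, so callers fall back to a conservative answer."""
    if shutil.which("firewall-cmd") is None:
        return False
    try:
        out = subprocess.run(["firewall-cmd", "--state"],
                             capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return out.returncode == 0 and out.stdout.strip() == "running"


def audit_conflist(conflist_text, firewalld_active):
    """Return a list of human-readable findings about the firewall plugin.

    The misconfiguration from the thread is a firewall plugin that hard-codes
    backend=iptables on a host where firewalld owns the rule set; the plugin
    then programs iptables directly and firewalld does not know about the
    container traffic. With no 'backend' key the plugin auto-detects."""
    findings = []
    plugins = firewall_plugins(conflist_text)
    if not plugins:
        findings.append("no firewall plugin in conflist")
    for p in plugins:
        backend = p.get("backend")
        if backend == "iptables" and firewalld_active:
            findings.append("firewall plugin pinned to iptables backend "
                            "while firewalld is running")
        elif backend is None:
            findings.append("firewall plugin lets the backend be auto-detected (ok)")
    return findings


def drop_backend(conflist_text):
    """Return the conflist with 'backend' removed from firewall plugins.

    This is the workaround reported in the thread: without the key the CNI
    firewall plugin picks firewalld when it is running, iptables otherwise."""
    conf = json.loads(conflist_text)
    for p in conf.get("plugins", []):
        if p.get("type") == "firewall":
            p.pop("backend", None)
    return json.dumps(conf, indent=2)


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; on a real host read the
    # conflist from /etc/cni/net.d/ instead and pass firewalld_running().
    for line in audit_conflist(SAMPLE_CONFLIST, firewalld_active=True):
        print("finding:", line)
    print(drop_backend(SAMPLE_CONFLIST))
```

Run it on a host by loading the actual conflist text instead of `SAMPLE_CONFLIST` and passing `firewalld_running()` as the second argument; the rewritten JSON from `drop_backend` is what you would write back after backing up the original.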
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Once we deploy the microservices within podman with SELinux and firewalld (both activated), services start not responding to requests properly. If you connect to the container and try to ping or dig any internal or external domain, or take any other action to verify the connection, the pod is not able to do anything. If we restart the pod with firewalld and SELinux disabled first, everything is OK and all is back to normality.
Steps to reproduce the issue:
Activate Firewalld
Deploy two containers:
podman run --name nginx01 -d -p 8080:80 nginx
podman run --name nginx02 -d -p 8081:80 nginx
Stop firewalld
Try to make an internal DNS query, or an external one such as google or something...
Describe the results you received:
root@4d01a46cd8c7:/# ping 10.88.0.3
PING 10.88.0.3 (10.88.0.3) 56(84) bytes of data.
From 10.88.0.2 icmp_seq=10 Destination Host Unreachable
From 10.88.0.2 icmp_seq=11 Destination Host Unreachable
From 10.88.0.2 icmp_seq=12 Destination Host Unreachable
From 10.88.0.2 icmp_seq=13 Destination Host Unreachable
root@8d9d9097cc6e:/app# ping subdomain.domain.com
ping: subdomain.domain.com: Temporary failure in name resolution
When the microservice tries to connect to SQL Server:
SqlExceptionHelper","message":"The connection attempt failed."
Describe the results you expected:
Additional information you deem important (e.g. issue happens only occasionally):
Output of podman version:
Output of podman info --debug:
Package info (e.g. output of rpm -q podman or apt list podman):
Additional environment details (AWS, VirtualBox, physical, etc.):