Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#997976: podman suggests iptables, but "podman run" does not appear to work without it
679 views
Skip to first unread message
Ian Wienand
Oct 28, 2021, 1:40:04 AM10/28/21
to
Package: podman
Version: 3.4.1+ds1-2
Severity: normal
X-Debbugs-Cc: ia...@debian.org
Dear Maintainer,
Somewhere between the bullseye version and current unstable, "iptables" became
a suggets, instead of a reccommends. Looking at the changelogs I wasn't
exactly
clear why, but this appears to make "podman run" not work by default [1]:
---
2021-10-28 03:35:56.042 | ++ podman run -d dib-work-image /bin/sh
2021-10-28 03:35:56.241 | time="2021-10-28T03:35:56Z" level=error msg="error
loading cached network config: network \"podman\" not found in CNI cache"
2021-10-28 03:35:56.241 | time="2021-10-28T03:35:56Z" level=warning
msg="falling back to loading from existing plugins on disk"
2021-10-28 03:35:56.249 | time="2021-10-28T03:35:56Z" level=error msg="Error
tearing down partially created network namespace for container
a7a992e5399d8a8537d945684ac5193b762b2dbf18f29cd3aa724c389158fb65: error
removing pod cool_almeida_cool_almeida from CNI network \"podman\": could not
initialize iptables protocol 0: exec: \"iptables\": executable file not found
in $PATH"
2021-10-28 03:35:56.262 | Error: error configuring network namespace for
container a7a992e5399d8a8537d945684ac5193b762b2dbf18f29cd3aa724c389158fb65:
error adding pod cool_almeida_cool_almeida to CNI network "podman": failed to
locate iptables: exec: "iptables": executable file not found in $PATH
---
I have pulled in the unstable version to workaround bug #994451 which is how I
noticed.
We use --install-recommends in our CI
I had a poke through the changelog but it wasn't clear why this was changed. I
am not
doing anything fancy with the networking, but I will admit it's a bit
convoluted. Basically
we are building an image inside a container; so we use
"cgroup_manager=cgroupfs" [2].
I can just add iptables [3] but it would be helpful to know what is going on
Thanks,
-i
[1]
https://f480170607f99217bcc4-4f7bc0337492030d99b06b8cb4e22e06.ssl.cf5.rackcdn.com/815574/6/check/dib-
nodepool-functional-openstack-fedora-35-containerfile-
src/144981a/nodepool/builds/test-image-0000000001.log
[2] https://opendev.org/zuul/nodepool/src/branch/master/Dockerfile#L102
[3] https://review.opendev.org/c/zuul/nodepool/+/815766
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64
Kernel: Linux 5.14.0-2-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages podman depends on:
pn conmon <none>
ii containerd.io [runc] 1.4.11-1
pn containernetworking-plugins <none>
pn golang-github-containers-common <none>
ii init-system-helpers 1.60
ii libc6 2.32-4
ii libdevmapper1.02.1 2:1.02.175-2.1
ii libgpgme11 1.16.0-1.1
ii libseccomp2 2.5.2-2
Versions of packages podman recommends:
pn buildah <none>
pn catatonit | tini | dumb-init <none>
pn fuse-overlayfs <none>
pn golang-github-containernetworking-plugin-dnsname <none>
ii slirp4netns 1.0.1-2
pn uidmap <none>
Versions of packages podman suggests:
pn containers-storage <none>
pn docker-compose <none>
ii iptables 1.8.7-1
Version: 3.4.1+ds1-2
Severity: normal
X-Debbugs-Cc: ia...@debian.org
Dear Maintainer,
Somewhere between the bullseye version and current unstable, "iptables" became
a suggets, instead of a reccommends. Looking at the changelogs I wasn't
exactly
clear why, but this appears to make "podman run" not work by default [1]:
---
2021-10-28 03:35:56.042 | ++ podman run -d dib-work-image /bin/sh
2021-10-28 03:35:56.241 | time="2021-10-28T03:35:56Z" level=error msg="error
loading cached network config: network \"podman\" not found in CNI cache"
2021-10-28 03:35:56.241 | time="2021-10-28T03:35:56Z" level=warning
msg="falling back to loading from existing plugins on disk"
2021-10-28 03:35:56.249 | time="2021-10-28T03:35:56Z" level=error msg="Error
tearing down partially created network namespace for container
a7a992e5399d8a8537d945684ac5193b762b2dbf18f29cd3aa724c389158fb65: error
removing pod cool_almeida_cool_almeida from CNI network \"podman\": could not
initialize iptables protocol 0: exec: \"iptables\": executable file not found
in $PATH"
2021-10-28 03:35:56.262 | Error: error configuring network namespace for
container a7a992e5399d8a8537d945684ac5193b762b2dbf18f29cd3aa724c389158fb65:
error adding pod cool_almeida_cool_almeida to CNI network "podman": failed to
locate iptables: exec: "iptables": executable file not found in $PATH
---
I have pulled in the unstable version to workaround bug #994451 which is how I
noticed.
We use --install-recommends in our CI
I had a poke through the changelog but it wasn't clear why this was changed. I
am not
doing anything fancy with the networking, but I will admit it's a bit
convoluted. Basically
we are building an image inside a container; so we use
"cgroup_manager=cgroupfs" [2].
I can just add iptables [3] but it would be helpful to know what is going on
Thanks,
-i
[1]
https://f480170607f99217bcc4-4f7bc0337492030d99b06b8cb4e22e06.ssl.cf5.rackcdn.com/815574/6/check/dib-
nodepool-functional-openstack-fedora-35-containerfile-
src/144981a/nodepool/builds/test-image-0000000001.log
[2] https://opendev.org/zuul/nodepool/src/branch/master/Dockerfile#L102
[3] https://review.opendev.org/c/zuul/nodepool/+/815766
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64
Kernel: Linux 5.14.0-2-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages podman depends on:
pn conmon <none>
ii containerd.io [runc] 1.4.11-1
pn containernetworking-plugins <none>
pn golang-github-containers-common <none>
ii init-system-helpers 1.60
ii libc6 2.32-4
ii libdevmapper1.02.1 2:1.02.175-2.1
ii libgpgme11 1.16.0-1.1
ii libseccomp2 2.5.2-2
Versions of packages podman recommends:
pn buildah <none>
pn catatonit | tini | dumb-init <none>
pn fuse-overlayfs <none>
pn golang-github-containernetworking-plugin-dnsname <none>
ii slirp4netns 1.0.1-2
pn uidmap <none>
Versions of packages podman suggests:
pn containers-storage <none>
pn docker-compose <none>
ii iptables 1.8.7-1
Reinhard Tartler
Oct 28, 2021, 11:40:04 AM10/28/21
to
Hi Ian,
Thank you for reaching out.
On Thu, Oct 28, 2021 at 1:39 AM Ian Wienand <ia...@debian.org> wrote:
---
2021-10-28 03:35:56.042 | ++ podman run -d dib-work-image /bin/sh
2021-10-28 03:35:56.241 | time="2021-10-28T03:35:56Z" level=error msg="error
loading cached network config: network \"podman\" not found in CNI cache"
2021-10-28 03:35:56.241 | time="2021-10-28T03:35:56Z" level=warning
msg="falling back to loading from existing plugins on disk"
2021-10-28 03:35:56.249 | time="2021-10-28T03:35:56Z" level=error msg="Error
tearing down partially created network namespace for container
a7a992e5399d8a8537d945684ac5193b762b2dbf18f29cd3aa724c389158fb65: error
removing pod cool_almeida_cool_almeida from CNI network \"podman\": could not
initialize iptables protocol 0: exec: \"iptables\": executable file not found
in $PATH"
2021-10-28 03:35:56.262 | Error: error configuring network namespace for
container a7a992e5399d8a8537d945684ac5193b762b2dbf18f29cd3aa724c389158fb65:
error adding pod cool_almeida_cool_almeida to CNI network "podman": failed to
locate iptables: exec: "iptables": executable file not found in $PATH
---
podman itself does not invoke iptables or nft directly, but uses
so-call CNI Plugins for setting up the networking. The code for this
I'm not super familiar with those CNI plugins and how podman interacts with them
in detail. May I ask you to create a new issue upstream https://github.com/containers/podman/issues/new and
mention me with @siretart in the message? -- I'd like to hear upstream's opinion on this.
Cheers!
-rt
Cheers!
-rt
Reinhard Tartler
Oct 29, 2021, 3:10:02 PM10/29/21
to
Control: forwarded -1 https://github.com/containers/podman/issues/12134
Control: reassign -1 containernetworking-plugins
On Thu, Oct 28, 2021 at 11:26 AM Reinhard Tartler <sire...@gmail.com> wrote:
I'd like to hear upstream's opinion on this.
Thanks for reaching out to upstream. I agree with Paul's assessment, and am re-assigning this accordingly.
regards,
Reinhard
Reinhard
0 new messages