Bug#997976: podman suggests iptables, but "podman run" does not appear to work without it

2021-10-29 Thread Reinhard Tartler
Control: forwarded -1 https://github.com/containers/podman/issues/12134
Control: reassign -1 containernetworking-plugins

On Thu, Oct 28, 2021 at 11:26 AM Reinhard Tartler wrote:

> I'd like to hear upstream's opinion on this.
>

Thanks for reaching out to upstream. I agree with Paul's assessment, and am
re-assigning this accordingly.

-- 
regards,
Reinhard


Bug#997976: podman suggests iptables, but "podman run" does not appear to work without it

2021-10-28 Thread Reinhard Tartler
Hi Ian,

Thank you for reaching out.

On Thu, Oct 28, 2021 at 1:39 AM Ian Wienand wrote:

>
> ---
> 2021-10-28 03:35:56.042 | ++ podman run -d dib-work-image /bin/sh
> 2021-10-28 03:35:56.241 | time="2021-10-28T03:35:56Z" level=error msg="error
> loading cached network config: network \"podman\" not found in CNI cache"
> 2021-10-28 03:35:56.241 | time="2021-10-28T03:35:56Z" level=warning
> msg="falling back to loading from existing plugins on disk"
> 2021-10-28 03:35:56.249 | time="2021-10-28T03:35:56Z" level=error msg="Error
> tearing down partially created network namespace for container
> a7a992e5399d8a8537d945684ac5193b762b2dbf18f29cd3aa724c389158fb65: error
> removing pod cool_almeida_cool_almeida from CNI network \"podman\": could not
> initialize iptables protocol 0: exec: \"iptables\": executable file not found
> in $PATH"
> 2021-10-28 03:35:56.262 | Error: error configuring network namespace for
> container a7a992e5399d8a8537d945684ac5193b762b2dbf18f29cd3aa724c389158fb65:
> error adding pod cool_almeida_cool_almeida to CNI network "podman": failed to
> locate iptables: exec: "iptables": executable file not found in $PATH
> ---
>

podman itself does not invoke iptables or nft directly, but uses
so-called CNI plugins for setting up the networking. The code for this
can be seen at
https://github.com/containers/podman/blob/main/libpod/networking_linux.go

I'm not super familiar with those CNI plugins and how podman interacts with
them in detail. May I ask you to create a new issue upstream at
https://github.com/containers/podman/issues/new and
mention me with @siretart in the message? I'd like to hear
upstream's opinion on this.

Cheers!
-rt
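
Added example, not part of the thread and not podman or CNI code: a shell helper that pulls the missing executable out of CNI errors like the ones quoted in the report, even when the log is line-wrapped and the quotes are escaped, plus a PATH check usable as a CI preflight before `podman run`. The function names are hypothetical; the sample log is the two error records from the report, wrapped as in the e-mail.

```shell
#!/bin/sh
# Added example: find helper binaries that podman/CNI errors report as missing.

# Sample input: the two error records from the bug report, wrapped as mailed.
sample_log() {
cat <<'EOF'
2021-10-28 03:35:56.249 | time="2021-10-28T03:35:56Z" level=error msg="Error
tearing down partially created network namespace for container
a7a992e5399d8a8537d945684ac5193b762b2dbf18f29cd3aa724c389158fb65: error
removing pod cool_almeida_cool_almeida from CNI network \"podman\": could not
initialize iptables protocol 0: exec: \"iptables\": executable file not found
in $PATH"
2021-10-28 03:35:56.262 | Error: error configuring network namespace for
container a7a992e5399d8a8537d945684ac5193b762b2dbf18f29cd3aa724c389158fb65:
error adding pod cool_almeida_cool_almeida to CNI network "podman": failed to
locate iptables: exec: "iptables": executable file not found in $PATH
EOF
}

# Read a log on stdin and print each executable that a Go exec lookup
# reported as missing, once. Wrapped records are joined first, and the
# backslashes that escape quotes inside msg="..." are dropped.
missing_execs() {
    tr '\n' ' ' | tr -s ' ' | tr -d '\\' |
        grep -oE 'exec: "[^"]+": executable file not found in \$PATH' |
        sed -E 's/^exec: "([^"]+)".*/\1/' |
        sort -u
}

# Print those of the given command names that are not on the current PATH.
# Intended as a preflight in an image build that skips optional packages.
not_on_path() {
    for cmd in "$@"; do
        command -v "$cmd" >/dev/null 2>&1 || printf '%s\n' "$cmd"
    done
}

# Stand-alone run: report what the sample log says is missing.
sample_log | missing_execs
```
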


Bug#997976: podman suggests iptables, but "podman run" does not appear to work without it

2021-10-27 Thread Ian Wienand
Package: podman
Version: 3.4.1+ds1-2
Severity: normal
X-Debbugs-Cc: i...@debian.org

Dear Maintainer,

Somewhere between the bullseye version and current unstable, "iptables" became
a suggests, instead of a recommends.  Looking at the changelogs I wasn't
exactly clear why, but this appears to make "podman run" not work by
default [1]:

---
2021-10-28 03:35:56.042 | ++ podman run -d dib-work-image /bin/sh
2021-10-28 03:35:56.241 | time="2021-10-28T03:35:56Z" level=error msg="error
loading cached network config: network \"podman\" not found in CNI cache"
2021-10-28 03:35:56.241 | time="2021-10-28T03:35:56Z" level=warning
msg="falling back to loading from existing plugins on disk"
2021-10-28 03:35:56.249 | time="2021-10-28T03:35:56Z" level=error msg="Error
tearing down partially created network namespace for container
a7a992e5399d8a8537d945684ac5193b762b2dbf18f29cd3aa724c389158fb65: error
removing pod cool_almeida_cool_almeida from CNI network \"podman\": could not
initialize iptables protocol 0: exec: \"iptables\": executable file not found
in $PATH"
2021-10-28 03:35:56.262 | Error: error configuring network namespace for
container a7a992e5399d8a8537d945684ac5193b762b2dbf18f29cd3aa724c389158fb65:
error adding pod cool_almeida_cool_almeida to CNI network "podman": failed to
locate iptables: exec: "iptables": executable file not found in $PATH
---

I have pulled in the unstable version to work around bug #994451, which is how
I noticed.  We use --install-recommends in our CI.

I had a poke through the changelog but it wasn't clear why this was changed.
I am not doing anything fancy with the networking, but I will admit it's a bit
convoluted.  Basically we are building an image inside a container; so we use
"cgroup_manager=cgroupfs" [2].

I can just add iptables [3] but it would be helpful to know what is going on.

Thanks,

-i

[1] https://f480170607f99217bcc4-4f7bc0337492030d99b06b8cb4e22e06.ssl.cf5.rackcdn.com/815574/6/check/dib-nodepool-functional-openstack-fedora-35-containerfile-src/144981a/nodepool/builds/test-image-01.log
[2] https://opendev.org/zuul/nodepool/src/branch/master/Dockerfile#L102
[3] https://review.opendev.org/c/zuul/nodepool/+/815766


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 5.14.0-2-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages podman depends on:
pn  conmon
ii  containerd.io [runc]             1.4.11-1
pn  containernetworking-plugins
pn  golang-github-containers-common
ii  init-system-helpers              1.60
ii  libc6                            2.32-4
ii  libdevmapper1.02.1               2:1.02.175-2.1
ii  libgpgme11                       1.16.0-1.1
ii  libseccomp2                      2.5.2-2

Versions of packages podman recommends:
pn  buildah
pn  catatonit | tini | dumb-init
pn  fuse-overlayfs
pn  golang-github-containernetworking-plugin-dnsname
ii  slirp4netns                      1.0.1-2
pn  uidmap

Versions of packages podman suggests:
pn  containers-storage
pn  docker-compose
ii  iptables                         1.8.7-1