Bug 1932399

Summary: IPv6 errors after exiting crictl
Product: Red Hat Enterprise Linux 8
Reporter: Peter Hunt <pehunt>
Component: podman
Assignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA
QA Contact: Sunil Choudhary <schoudha>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.5
CC: ajia, aos-bugs, atomic-bugs, bbaude, dornelas, dwalsh, gscrivan, jligon, jnovy, lmiksik, lsm5, mheon, pthomas, schoudha, tsweeney, umohnani, ypu
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: podman-3.3.0-0.4.el8 or newer
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1918417
: 1937847 1942665 1942753
Environment:
Last Closed: 2021-11-09 17:37:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1915950, 1918417
Bug Blocks: 1937847, 1942665, 1942753

Description Peter Hunt 2021-02-24 15:07:30 UTC
+++ This bug was initially created as a clone of Bug #1918417 +++

# cat pod-config.json
{
    "metadata": {
        "name": "alpine-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "log_directory": "/tmp",
    "linux": {
    }
}

# cat container-pod.json
{
  "metadata": {
      "name": "alpine"
  },
  "image":{
      "image": "alpine"
  },
  "command": [
      "sleep", "3600"
  ],
  "log_path":"alpine.0.log",
  "linux": {
	"security_context": {
		"capabilities": {
			"add_capabilities": [
				"net_raw"
			]
		}
	}
  }
}

# crictl runp --runtime=kata pod-config.json 
a38230720451583ade7c0b84fa7d08663e3417b52ad2ffadca9b553fb36d82d3

# crictl create a38230720451583ade7c0b84fa7d08663e3417b52ad2ffadca9b553fb36d82d3 container-pod.json pod-config.json 
30e947cd0a85eab9634cef2975acd18d3e98367eeac1826506cea9d6d0bb78

# crictl start 30e947cd0a85eab9634cef2975acd18d3e98367eeac1826506cea9d6d0bb78

# crictl stop 30e947cd0a85eab9634cef2975acd18d3e98367eeac1826506cea9d6d0bb78

# crictl rm 30e947cd0a85eab9634cef2975acd18d3e98367eeac1826506cea9d6d0bb78

# crictl stopp a382307204515
FATA[0000] stopping the pod sandbox "a382307204515": rpc error: code = Unknown desc = failed to destroy network for pod sandbox k8s_ubi8-sandbox_default_hdishd83djaidwnduwk28bcsb_1(a38230720451583ade7c0b84fa7d08663e3417b52ad2ffadca9b553fb36d82d3): running [/usr/sbin/ip6tables -t nat -D POSTROUTING -s 1100:200::5/24 -j CNI-7860ea922d1a46225b9c13c1 -m comment --comment name: "crio" id: "a38230720451583ade7c0b84fa7d08663e3417b52ad2ffadca9b553fb36d82d3" --wait]: exit status 1: iptables: Bad rule (does a matching rule exist in that chain?).

cri-o-1.20.0-0.rhaos4.7.git845747f.el8.40.x86_64
cri-tools-1.20.0-1.el8.x86_64

--- Additional comment from Qian Cai on 2021-01-20 16:43:14 UTC ---

This could be reproduced using vanilla containers as well.

--- Additional comment from Peter Hunt on 2021-01-21 15:51:01 UTC ---

What are the contents of the files in `/etc/cni/net.d`?

--- Additional comment from Peter Hunt on 2021-01-21 15:53:29 UTC ---

This should be fixed upstream in https://github.com/containernetworking/plugins/pull/563, though there isn't a corresponding release yet. I would build your plugins off of the main branch (or just the bridge plugin, really)

--- Additional comment from Qian Cai on 2021-01-21 16:08:47 UTC ---

(In reply to Peter Hunt from comment #2)
> What are the contents of the files in `/etc/cni/net.d`?

Just the standard CNI file from cri-o-1.20.0-0.rhaos4.7.git845747f.el8.40.x86_64.

--- Additional comment from Qian Cai on 2021-01-21 16:14:22 UTC ---

# cat /etc/cni/net.d/100-crio-bridge.conf
{
    "cniVersion": "0.3.1",
    "name": "crio",
    "type": "bridge",
    "bridge": "cni0",
    "isGateway": true,
    "ipMasq": true,
    "hairpinMode": true,
    "ipam": {
        "type": "host-local",
        "routes": [
            { "dst": "0.0.0.0/0" },
            { "dst": "1100:200::1/24" }
        ],
        "ranges": [
            [{ "subnet": "10.85.0.0/16" }],
            [{ "subnet": "1100:200::/24" }]
        ]
    }
}
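
The teardown quoted in the description fails on `ip6tables -t nat -D POSTROUTING -s 1100:200::5/24 ...`, and a netfilter delete only succeeds when its match fields equal those of the stored rule, so the add and the delete must use the same source specification. The page does not state which source the matching add used, so the following is an added Go example (not the bridge plugin's or podman's code) of the defensive pattern: canonicalize the `-s` spec the way iptables stores it, and generate both the add and the delete rule from one function so they cannot drift apart. The chain name and comment are taken from the quoted error; `canonicalSource`, `sameSource` and `masqRuleArgs` are names chosen here.

```go
package main

import (
	"fmt"
	"net"
)

// canonicalSource normalizes an iptables "-s" specification to the form the
// rule is stored in: a bare address becomes a full-length prefix (/32 or /128)
// and any host bits beyond the prefix length are cleared.
func canonicalSource(spec string) (string, error) {
	if ip := net.ParseIP(spec); ip != nil {
		bits := 128
		if ip.To4() != nil {
			bits = 32
		}
		return fmt.Sprintf("%s/%d", ip, bits), nil
	}
	_, ipn, err := net.ParseCIDR(spec) // ParseCIDR masks the host bits
	if err != nil {
		return "", err
	}
	return ipn.String(), nil
}

// sameSource reports whether a "-D" issued with delSpec would match the source
// field of a rule that was added with addSpec.
func sameSource(addSpec, delSpec string) (bool, error) {
	a, err := canonicalSource(addSpec)
	if err != nil {
		return false, err
	}
	d, err := canonicalSource(delSpec)
	if err != nil {
		return false, err
	}
	return a == d, nil
}

// masqRuleArgs builds the POSTROUTING rule for one pod address in the shape
// quoted in the bug. action is "-A" for setup and "-D" for teardown; because
// both go through this function, the source can never differ between them.
func masqRuleArgs(action string, podIP net.IP, chain, comment string) []string {
	src, _ := canonicalSource(podIP.String()) // a parsed IP always canonicalizes
	return []string{"-t", "nat", action, "POSTROUTING", "-s", src, "-j", chain,
		"-m", "comment", "--comment", comment, "--wait"}
}

func main() {
	pod := net.ParseIP("1100:200::5") // address from the quoted error
	ok, _ := sameSource("1100:200::5", "1100:200::5/24")
	fmt.Println("delete with /24 matches bare-address add:", ok)
	fmt.Println(masqRuleArgs("-D", pod, "CNI-7860ea922d1a46225b9c13c1", `name: "crio"`))
}
```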

Comment 1 Peter Hunt 2021-02-24 15:09:07 UTC
We'll need containernetworking-plugins version 0.9.1 in RHEL 8.4 to have this pulled into OpenShift.

Comment 15 Daniel Walsh 2021-03-11 19:51:15 UTC
I don't think this fixes anything as far as the CVE since the update will be in the plugins package. The updated vendor will be in 8.4.0.2 release, so I closed it for the 8.4.0 release.

Comment 27 Daniel Walsh 2021-06-11 14:11:21 UTC
Should this Bug be closed?

Comment 32 Alex Jia 2021-08-25 04:21:39 UTC
This bug has been verified on podman-3.3.0-8.module+el8.5.0+12332+af0a4708.

[root@kvm-06-guest20 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.5 Beta (Ootpa)

[root@kvm-06-guest20 ~]# rpm -q podman runc kernel
podman-3.3.0-8.module+el8.5.0+12332+af0a4708.x86_64
runc-1.0.1-5.module+el8.5.0+12234+e4609207.x86_64
kernel-4.18.0-335.el8.x86_64

In terminal 1
[root@kvm-06-guest20 ~]# podman run --pod=new:alpine-sandbox --name alpine --cap-add NET_RAW alpine sleep 3600

In terminal 2
[root@kvm-06-guest20 ~]# podman pod ps
POD ID        NAME            STATUS      CREATED        INFRA ID    # OF CONTAINERS
acf34585a576  alpine-sandbox  Created     3 seconds ago              0
[root@kvm-06-guest20 ~]# podman pod stop alpine-sandbox
acf34585a5761a44c6b7f6c60597d8cd12bc1099bde55cc764852405d6e36748
[root@kvm-06-guest20 ~]# podman pod ps
POD ID        NAME            STATUS      CREATED         INFRA ID      # OF CONTAINERS
acf34585a576  alpine-sandbox  Exited      28 seconds ago  5e6d89752933  2
[root@kvm-06-guest20 ~]# podman pod rm alpine-sandbox
acf34585a5761a44c6b7f6c60597d8cd12bc1099bde55cc764852405d6e36748
[root@kvm-06-guest20 ~]# podman pod ps
POD ID      NAME        STATUS      CREATED     INFRA ID    # OF CONTAINERS

Comment 34 errata-xmlrpc 2021-11-09 17:37:05 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4154