Bug 2319310

Summary: needs porting to nftables and/or missing iptables dependency
Product: [Fedora] Fedora
Component: criu
Version: 41
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Keywords: Regression
Reporter: Martin Pitt <mpitt>
Assignee: Adrian Reber <adrian>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: adrian, rstoyano
Target Milestone: ---
Target Release: ---
URL: https://artifacts.dev.testing-farm.io/cae003c8-50ff-4261-821e-0e8d7ddfff8b/
Whiteboard: CockpitTest
Fixed In Version: criu-4.0-2.fc41
Last Closed: 2024-10-26 02:58:33 UTC

Description Martin Pitt 2024-10-17 05:24:53 UTC
In current Fedora 41, installing podman pulls in criu and iptables-nft (via containers-common-extra) as dependencies.
In the next podman-related package releases in Fedora 41, this dependency will be dropped [1][2]. podman will only (indirectly) depend on nftables, as that stack already migrated to nftables.

This breaks criu, and thus container checkpointing (see [3]).

This has already been the case in RHEL/CentOS 10 for a while [4], and will now soon affect Fedora 41 as well.

So in the short term, criu should depend on iptables (which will match iptables-legacy or -nft, either is fine). Medium term, criu needs to be ported to nftables.

[1] https://github.com/containers/common/pull/2099
[2] https://github.com/containers/netavark/pull/1033
[3] https://github.com/containers/podman/pull/24238#issuecomment-2417049948 ff.
[4] https://issues.redhat.com/browse/RHEL-58354

Reproducible: Always

Steps to Reproduce:
1. Enable podman-next COPR, and ensure podman is installed:

dnf copr enable -y rhcontainerbot/podman-next
dnf --repo='copr*' update  -y
dnf install -y podman

2. Remove iptables dependencies. This is now possible with podman-next, and will land in the distro soon:

dnf remove iptables-legacy iptables-nft

3. Create and checkpoint a container:

podman run -dit quay.io/libpod/busybox
podman container checkpoint -l

This calls "crun checkpoint" which uses criu under the hood.

Actual Results:
CRIU checkpointing failed -52.  Please check CRIU logfile /var/lib/containers/storage/overlay-containers/929beb9b9c2974da09b1802d495b39117ebb28068acff3921cb4355f5e232a81/userdata/dump.log

and said log has

(00.142523) net: Unlock network
(00.142543) Running network-unlock scripts
Error (criu/util.c:640): execvp("iptables-restore", ...) failed: No such file or directory
(00.144414) Error (criu/util.c:655): exited, status=1
Error (criu/util.c:640): execvp("ip6tables-restore", ...) failed: No such file or directory
(00.146211) Error (criu/util.c:655): exited, status=1
Error (criu/util.c:640): execvp("iptables-restore", ...) failed: No such file or directory
(00.148778) Error (criu/util.c:655): exited, status=1
Error (criu/util.c:640): execvp("ip6tables-restore", ...) failed: No such file or directory
(00.149322) Error (criu/util.c:655): exited, status=1
(00.149349) Unfreezing tasks into 1
(00.149368) 	Unseizing 2331 into 1
(00.149414) Error (criu/cr-dump.c:2111): Dumping FAILED.


Expected Results:  
checkpointing works
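
A triage helper for the failure shown in the dump.log excerpt above, as an added example that is not part of the bug report or of CRIU: it extracts the helper binaries named in the execvp errors and checks whether each one resolves in a search path. The function names and the optional search-path argument are assumptions; the sample log lines are copied from the excerpt in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or CRIU); function names are assumptions.

# Print each binary named in an execvp "No such file or directory" error,
# once, in first-seen order. $1 = path to a CRIU dump.log
missing_helpers() {
    sed -n 's/.*execvp("\([^"]*\)", \.\.\.) failed: No such file or directory.*/\1/p' "$1" |
        awk '!seen[$0]++'
}

# Succeed if an executable file $1 exists in one of the colon-separated dirs in $2.
in_search_path() (
    IFS=:
    for dir in $2; do
        [ -f "${dir:-.}/$1" ] && [ -x "${dir:-.}/$1" ] && exit 0
    done
    exit 1
)

# Report every helper from the log as present or MISSING.
# $1 = dump.log, $2 = search path (assumption: defaults to the caller's PATH).
# Returns non-zero if any helper is still missing.
check_helpers() {
    missing_helpers "$1" | (
        rc=0
        while IFS= read -r bin; do
            if in_search_path "$bin" "${2:-$PATH}"; then
                echo "$bin: present"
            else
                echo "$bin: MISSING"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Sample input: lines copied from the dump.log excerpt in the report.
write_sample_log() {
    cat >"$1" <<'EOF'
Error (criu/util.c:640): execvp("iptables-restore", ...) failed: No such file or directory
(00.144414) Error (criu/util.c:655): exited, status=1
Error (criu/util.c:640): execvp("ip6tables-restore", ...) failed: No such file or directory
Error (criu/util.c:640): execvp("iptables-restore", ...) failed: No such file or directory
EOF
}

# Usage: sh this-script /path/to/dump.log
if [ -n "${1:-}" ]; then check_helpers "$1"; fi
```

Run it against the dump.log path printed by podman before and after installing the update to confirm the helpers CRIU tried to exec are now present.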

Comment 1 Adrian Reber 2024-10-17 06:14:47 UTC
CRIU is upstream nftables ready. For Fedora we just need to have a soft dependency on iptables.

Comment 2 Fedora Update System 2024-10-17 12:56:35 UTC
FEDORA-2024-c6094f0351 (criu-4.0-2.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-c6094f0351

Comment 3 Fedora Update System 2024-10-18 01:47:32 UTC
FEDORA-2024-c6094f0351 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-c6094f0351`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-c6094f0351

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2024-10-26 02:58:33 UTC
FEDORA-2024-c6094f0351 (criu-4.0-2.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.