```
# cat pod-config.json
{
  "metadata": {
    "name": "alpine-sandbox",
    "namespace": "default",
    "attempt": 1,
    "uid": "hdishd83djaidwnduwk28bcsb"
  },
  "log_directory": "/tmp",
  "linux": {
  }
}
# cat container-pod.json
{
  "metadata": {
    "name": "alpine"
  },
  "image": {
    "image": "alpine"
  },
  "command": [
    "sleep", "3600"
  ],
  "log_path": "alpine.0.log",
  "linux": {
    "security_context": {
      "capabilities": {
        "add_capabilities": [
          "net_raw"
        ]
      }
    }
  }
}
# crictl runp --runtime=kata pod-config.json
a38230720451583ade7c0b84fa7d08663e3417b52ad2ffadca9b553fb36d82d3
# crictl create a38230720451583ade7c0b84fa7d08663e3417b52ad2ffadca9b553fb36d82d3 container-pod.json pod-config.json
30e947cd0a85eab9634cef2975acd18d3e98367eeac1826506cea9d6d0bb78
# crictl start 30e947cd0a85eab9634cef2975acd18d3e98367eeac1826506cea9d6d0bb78
# crictl stop 30e947cd0a85eab9634cef2975acd18d3e98367eeac1826506cea9d6d0bb78
# crictl rm 30e947cd0a85eab9634cef2975acd18d3e98367eeac1826506cea9d6d0bb78
# crictl stopp a382307204515
FATA[0000] stopping the pod sandbox "a382307204515": rpc error: code = Unknown desc = failed to destroy network for pod sandbox k8s_ubi8-sandbox_default_hdishd83djaidwnduwk28bcsb_1(a38230720451583ade7c0b84fa7d08663e3417b52ad2ffadca9b553fb36d82d3): running [/usr/sbin/ip6tables -t nat -D POSTROUTING -s 1100:200::5/24 -j CNI-7860ea922d1a46225b9c13c1 -m comment --comment name: "crio" id: "a38230720451583ade7c0b84fa7d08663e3417b52ad2ffadca9b553fb36d82d3" --wait]: exit status 1: iptables: Bad rule (does a matching rule exist in that chain?).
```

cri-o-1.20.0-0.rhaos4.7.git845747f.el8.40.x86_64
cri-tools-1.20.0-1.el8.x86_64
This could be reproduced using vanilla containers as well.
What are the contents of the files in `/etc/cni/net.d`?
This should be fixed upstream in https://github.com/containernetworking/plugins/pull/563, though there isn't a corresponding release yet. I would build your plugins off of the main branch (or just the bridge plugin, really).
(In reply to Peter Hunt from comment #2)
> what are the contents of the files in `/etc/cni/net.d`

Just the standard CNI file from cri-o-1.20.0-0.rhaos4.7.git845747f.el8.40.x86_64.

```
# cat /etc/cni/net.d/100-crio-bridge.conf
{
  "cniVersion": "0.3.1",
  "name": "crio",
  "type": "bridge",
  "bridge": "cni0",
  "isGateway": true,
  "ipMasq": true,
  "hairpinMode": true,
  "ipam": {
    "type": "host-local",
    "routes": [
      { "dst": "0.0.0.0/0" },
      { "dst": "1100:200::1/24" }
    ],
    "ranges": [
      [{ "subnet": "10.85.0.0/16" }],
      [{ "subnet": "1100:200::/24" }]
    ]
  }
}
```
*** Bug 1915950 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069