+++ This bug was initially created as a clone of Bug #1918417 +++
# cat pod-config.json
{
    "metadata": {
        "name": "alpine-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "log_directory": "/tmp",
    "linux": {
    }
}
# cat container-pod.json
{
    "metadata": {
        "name": "alpine"
    },
    "image": {
        "image": "alpine"
    },
    "command": [
        "sleep", "3600"
    ],
    "log_path": "alpine.0.log",
    "linux": {
        "security_context": {
            "capabilities": {
                "add_capabilities": [
                    "net_raw"
                ]
            }
        }
    }
}
# crictl runp --runtime=kata pod-config.json
a38230720451583ade7c0b84fa7d08663e3417b52ad2ffadca9b553fb36d82d3
# crictl create a38230720451583ade7c0b84fa7d08663e3417b52ad2ffadca9b553fb36d82d3 container-pod.json pod-config.json
30e947cd0a85eab9634cef2975acd18d3e98367eeac1826506cea9d6d0bb78
# crictl start 30e947cd0a85eab9634cef2975acd18d3e98367eeac1826506cea9d6d0bb78
# crictl stop 30e947cd0a85eab9634cef2975acd18d3e98367eeac1826506cea9d6d0bb78
# crictl rm 30e947cd0a85eab9634cef2975acd18d3e98367eeac1826506cea9d6d0bb78
# crictl stopp a382307204515
FATA[0000] stopping the pod sandbox "a382307204515": rpc error: code = Unknown desc = failed to destroy network for pod sandbox k8s_ubi8-sandbox_default_hdishd83djaidwnduwk28bcsb_1(a38230720451583ade7c0b84fa7d08663e3417b52ad2ffadca9b553fb36d82d3): running [/usr/sbin/ip6tables -t nat -D POSTROUTING -s 1100:200::5/24 -j CNI-7860ea922d1a46225b9c13c1 -m comment --comment name: "crio" id: "a38230720451583ade7c0b84fa7d08663e3417b52ad2ffadca9b553fb36d82d3" --wait]: exit status 1: iptables: Bad rule (does a matching rule exist in that chain?).
cri-o-1.20.0-0.rhaos4.7.git845747f.el8.40.x86_64
cri-tools-1.20.0-1.el8.x86_64
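As an added example (not code from the bug report, cri-o or the CNI plugins): the failure above is the bridge plugin's ipMasq teardown stopping at an `ip6tables -D` that returns "Bad rule", so steps that would normally follow (such as flushing the per-sandbox CNI-* chain) may not run and NAT state can be left on the host. The Python below parses an `ip6tables-save -t nat` dump, groups CNI-* chains by the sandbox id the plugin writes into each rule's `--comment`, and lists chains whose sandbox is no longer live, which is the audit an operator would run against `crictl pods -q` after such an error. The dump is constructed to mirror the rule shape quoted in the error (chain CNI-7860ea922d1a46225b9c13c1, comment `name: "crio" id: "<sandbox id>"`); the second sandbox id, the chain name CNI-ffffffffffffffffffffffff, the function names and the injected `run` callable are assumptions. The `delete_if_present` helper shows the generic check-before-delete pattern (`-C`, then `-D`) that keeps an already-absent rule from aborting a teardown; it is not the upstream fix from PR 563.

```python
"""Audit ip6tables NAT state left behind by a failed CNI bridge teardown.

Added example, not code from the bug report, cri-o or the CNI plugins.
"""
import re
import shlex
import subprocess
from dataclasses import dataclass
from typing import Optional

SANDBOX_ID = "a38230720451583ade7c0b84fa7d08663e3417b52ad2ffadca9b553fb36d82d3"
OTHER_ID = "0" * 64  # constructed id of a second, still-running sandbox

# Constructed `ip6tables-save -t nat` output (not captured from the reporter's host).
SAMPLE_SAVE = f'''*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:CNI-7860ea922d1a46225b9c13c1 - [0:0]
:CNI-ffffffffffffffffffffffff - [0:0]
-A POSTROUTING -s 1100:200::5/24 -m comment --comment "name: \\"crio\\" id: \\"{SANDBOX_ID}\\"" -j CNI-7860ea922d1a46225b9c13c1
-A POSTROUTING -s 1100:200::6/24 -m comment --comment "name: \\"crio\\" id: \\"{OTHER_ID}\\"" -j CNI-ffffffffffffffffffffffff
-A CNI-7860ea922d1a46225b9c13c1 -d 1100:200::/24 -m comment --comment "name: \\"crio\\" id: \\"{SANDBOX_ID}\\"" -j ACCEPT
-A CNI-7860ea922d1a46225b9c13c1 ! -d ff00::/8 -m comment --comment "name: \\"crio\\" id: \\"{SANDBOX_ID}\\"" -j MASQUERADE
-A CNI-ffffffffffffffffffffffff -d 1100:200::/24 -m comment --comment "name: \\"crio\\" id: \\"{OTHER_ID}\\"" -j ACCEPT
-A CNI-ffffffffffffffffffffffff ! -d ff00::/8 -m comment --comment "name: \\"crio\\" id: \\"{OTHER_ID}\\"" -j MASQUERADE
COMMIT
'''

ID_RE = re.compile(r'id: "([0-9a-f]+)"')  # the id field inside the plugin's comment


@dataclass
class NatRule:
    chain: str               # chain the rule is appended to
    target: str              # -j target, "" if none
    sandbox_id: Optional[str]  # id parsed from --comment, None if absent
    raw: str


def parse_nat_rules(save_text):
    """Return (declared chain names, rules) from the *nat table of an iptables-save dump."""
    chains, rules, in_nat = set(), [], False
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_nat = line == "*nat"
        elif not in_nat or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chains.add(line[1:].split()[0])
        elif line.startswith("-A "):
            toks = shlex.split(line)  # honours the escaped quotes inside --comment
            target = toks[toks.index("-j") + 1] if "-j" in toks else ""
            comment = toks[toks.index("--comment") + 1] if "--comment" in toks else ""
            m = ID_RE.search(comment)
            rules.append(NatRule(toks[1], target, m.group(1) if m else None, line))
    return chains, rules


def cni_chains_by_sandbox(save_text):
    """Map each sandbox id to the CNI-* chains its rules live in or jump to."""
    chains, rules = parse_nat_rules(save_text)
    by_id = {}
    for r in rules:
        if r.sandbox_id is None:
            continue
        for name in (r.chain, r.target):
            if name.startswith("CNI-") and name in chains:
                by_id.setdefault(r.sandbox_id, set()).add(name)
    return by_id


def orphaned_cni_chains(save_text, live_sandbox_ids):
    """CNI-* chains whose sandbox id is not in the live set (e.g. after a failed teardown)."""
    live = set(live_sandbox_ids)
    return {sid: sorted(names) for sid, names in cni_chains_by_sandbox(save_text).items()
            if sid not in live}


def system_runner(argv):
    """Real runner for delete_if_present: execute argv and return its exit status."""
    return subprocess.call(argv)


def delete_if_present(run, chain, rule_spec, table="nat", binary="ip6tables"):
    """Check (-C) before delete (-D) so an already-absent rule is not an error.

    `run` takes an argv list and returns the exit status; returns "deleted",
    "absent" or "failed". Uses --wait, as the failing command in the bug did.
    """
    base = [binary, "--wait", "-t", table]
    if run(base + ["-C", chain] + rule_spec) != 0:
        return "absent"
    return "deleted" if run(base + ["-D", chain] + rule_spec) == 0 else "failed"


if __name__ == "__main__":
    # Pretend only OTHER_ID is still reported by `crictl pods -q`.
    for sid, names in orphaned_cni_chains(SAMPLE_SAVE, {OTHER_ID}).items():
        print(f"orphaned sandbox {sid[:12]}: {', '.join(names)}")
    # Dry run of the check-before-delete pattern with a runner that says "no such rule".
    spec = ["-s", "1100:200::5/24", "-j", "CNI-7860ea922d1a46225b9c13c1"]
    print(delete_if_present(lambda argv: 1, "POSTROUTING", spec))
```

On a real host, feed the function the output of `ip6tables-save -t nat` and the set from `crictl pods -q`; any chain it reports for a sandbox that no longer exists is a candidate for manual cleanup once you have confirmed no container is still using that source range.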
--- Additional comment from Qian Cai on 2021-01-20 16:43:14 UTC ---
This could be reproduced using vanilla containers as well.
--- Additional comment from Peter Hunt on 2021-01-21 15:51:01 UTC ---
What are the contents of the files in `/etc/cni/net.d`?
--- Additional comment from Peter Hunt on 2021-01-21 15:53:29 UTC ---
This should be fixed upstream in https://github.com/containernetworking/plugins/pull/563, though there isn't a corresponding release yet. I would build your plugins off of the main branch (or just the bridge plugin, really)
--- Additional comment from Qian Cai on 2021-01-21 16:08:47 UTC ---
(In reply to Peter Hunt from comment #2)
> what are the contents of the files in `/etc/cni/net.d`
Just the standard CNI file from cri-o-1.20.0-0.rhaos4.7.git845747f.el8.40.x86_64.
--- Additional comment from Qian Cai on 2021-01-21 16:14:22 UTC ---
# cat /etc/cni/net.d/100-crio-bridge.conf
{
    "cniVersion": "0.3.1",
    "name": "crio",
    "type": "bridge",
    "bridge": "cni0",
    "isGateway": true,
    "ipMasq": true,
    "hairpinMode": true,
    "ipam": {
        "type": "host-local",
        "routes": [
            { "dst": "0.0.0.0/0" },
            { "dst": "1100:200::1/24" }
        ],
        "ranges": [
            [{ "subnet": "10.85.0.0/16" }],
            [{ "subnet": "1100:200::/24" }]
        ]
    }
}
I don't think this fixes anything as far as the CVE, since the update will be in the plugins package. The updated vendor will be in the 8.4.0.2 release, so I closed it for the 8.4.0 release.
This bug has been verified on podman-3.3.0-8.module+el8.5.0+12332+af0a4708.
[root@kvm-06-guest20 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.5 Beta (Ootpa)
[root@kvm-06-guest20 ~]# rpm -q podman runc kernel
podman-3.3.0-8.module+el8.5.0+12332+af0a4708.x86_64
runc-1.0.1-5.module+el8.5.0+12234+e4609207.x86_64
kernel-4.18.0-335.el8.x86_64
In terminal 1
[root@kvm-06-guest20 ~]# podman run --pod=new:alpine-sandbox --name alpine --cap-add NET_RAW alpine sleep 3600
In terminal 2
[root@kvm-06-guest20 ~]# podman pod ps
POD ID NAME STATUS CREATED INFRA ID # OF CONTAINERS
acf34585a576 alpine-sandbox Created 3 seconds ago 0
[root@kvm-06-guest20 ~]# podman pod stop alpine-sandbox
acf34585a5761a44c6b7f6c60597d8cd12bc1099bde55cc764852405d6e36748
[root@kvm-06-guest20 ~]# podman pod ps
POD ID NAME STATUS CREATED INFRA ID # OF CONTAINERS
acf34585a576 alpine-sandbox Exited 28 seconds ago 5e6d89752933 2
[root@kvm-06-guest20 ~]# podman pod rm alpine-sandbox
acf34585a5761a44c6b7f6c60597d8cd12bc1099bde55cc764852405d6e36748
[root@kvm-06-guest20 ~]# podman pod ps
POD ID NAME STATUS CREATED INFRA ID # OF CONTAINERS
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:4154