Bug 2126243
| Summary: | Podman container got global IPv6 address unexpectedly even when macvlan network is created for pure IPv4 network | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | shuai.ma <shuai.ma> | |
| Component: | netavark | Assignee: | Jindrich Novy <jnovy> | |
| Status: | CLOSED ERRATA | QA Contact: | Joy Pu <ypu> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.6 | CC: | bbaude, bhenders, dornelas, dwalsh, jligon, jnovy, lsm5, mamccoma, mheon, mrussell, pthomas, rmanes, toneata, tsweeney, umohnani, vikas.goel, ypu | |
| Target Milestone: | rc | Keywords: | Triaged, ZStream | |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
|
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | netavark-1.5.0-4.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2133390 2133391 (view as bug list) | Environment: | ||
| Last Closed: | 2023-05-16 08:21:12 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2133390, 2133391 | |||
@shuai.ma it might be end of day brain on my part, but I'm not seeing a Podman problem here. The only call I see to Podman that I see in your notes is `podman version`. All of the other calls are to Docker, no? Or have you aliased Podman to Docker? hi Tom, yes Podman aliased to Docker. BTW, i tried to set following parameters during Podman run to workaround the issue, but had no effect. Does these settings not supported in container? net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.all.autoconf=0 BR, Shuai Shuai, thanks for the update. I think this is a Podman versus a podman-container issue, so I've changed the component. @mheon could you take a look please? Please provide the full output of `podman info` so we can determine network backend in use. # podman info
host:
arch: amd64
buildahVersion: 1.26.2
cgroupControllers:
- cpuset
- cpu
- cpuacct
- blkio
- memory
- devices
- freezer
- net_cls
- perf_event
- net_prio
- hugetlb
- pids
- rdma
cgroupManager: systemd
cgroupVersion: v1
conmon:
package: conmon-2.1.2-2.module+el8.6.0+15917+093ca6f8.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.1.2, commit: 8c4f33ac0dcf558874b453d5027028b18d1502db'
cpuUtilization:
idlePercent: 99.28
systemPercent: 0.17
userPercent: 0.55
cpus: 48
distribution:
distribution: '"rhel"'
version: "8.6"
eventLogger: file
hostname: eagappflx248
idMappings:
gidmap: null
uidmap: null
kernel: 4.18.0-372.19.1.el8_6.x86_64
linkmode: dynamic
logDriver: k8s-file
memFree: 249346179072
memTotal: 269723447296
networkBackend: cni
ociRuntime:
name: runc
package: runc-1.0.3-2.module+el8.6.0+14877+f643d2d6.x86_64
path: /usr/bin/runc
version: |-
runc version 1.0.3
spec: 1.0.2-dev
go: go1.17.7
libseccomp: 2.5.2
os: linux
remoteSocket:
exists: true
path: /run/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: false
seccompEnabled: true
seccompProfilePath: /etc/opt/veritas/flex/seccomp.json
selinuxEnabled: true
serviceIsRemote: false
slirp4netns:
executable: /bin/slirp4netns
package: slirp4netns-1.2.0-2.module+el8.6.0+15917+093ca6f8.x86_64
version: |-
slirp4netns version 1.2.0
commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
libslirp: 4.4.0
SLIRP_CONFIG_VERSION_MAX: 3
libseccomp: 2.5.2
swapFree: 67076734976
swapTotal: 67108859904
uptime: 40h 14m 16.61s (Approximately 1.67 days)
plugins:
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
- filevol
- veritas
registries:
docker.io:
Blocked: true
Insecure: false
Location: docker.io
MirrorByDigestOnly: false
Mirrors: null
Prefix: docker.io
PullFromMirror: ""
flex.io:
Blocked: false
Insecure: false
Location: console:8443
MirrorByDigestOnly: false
Mirrors: null
Prefix: flex.io
PullFromMirror: ""
registry.access.redhat.com:
Blocked: true
Insecure: false
Location: registry.access.redhat.com
MirrorByDigestOnly: false
Mirrors: null
Prefix: registry.access.redhat.com
PullFromMirror: ""
registry.redhat.io:
Blocked: true
Insecure: false
Location: registry.redhat.io
MirrorByDigestOnly: false
Mirrors: null
Prefix: registry.redhat.io
PullFromMirror: ""
search:
- flex.io
store:
configFile: /etc/containers/storage.conf
containerStore:
number: 1
paused: 0
running: 1
stopped: 0
graphDriverName: overlay
graphOptions:
overlay.mountopt: nodev,metacopy=on
graphRoot: /var/lib/containers/storage
graphRootAllocated: 157209591808
graphRootUsed: 5615824896
graphStatus:
Backing Filesystem: xfs
Native Overlay Diff: "false"
Supports d_type: "true"
Using metacopy: "true"
imageCopyTmpDir: /tmp
imageStore:
number: 9
runRoot: /run/containers/storage
volumePath: /var/lib/containers/storage/volumes
version:
APIVersion: 4.1.1
Built: 1657551413
BuiltTime: Mon Jul 11 14:56:53 2022
GitCommit: ""
GoVersion: go1.17.7
Os: linux
OsArch: linux/amd64
Version: 4.1.1
` networkBackend: cni` CNI plugins are in use. The Podman team recommends a migration to the Netavark network stack (as we are better able to support those when things go wrong); if that is impossible, we can reassign this issue to the CNI team for investigation. hi Matthew, is Netavark fully supported in RHEL 8.6 ? BR, Shuai update: change the network backend from cni to netavark, still the same problem.
[root@eagappflx223 ~]# podman network inspect nic0
[
{
"name": "nic0",
"id": "a43c59dd854a14e83516a321688546b85dc593f220c21af728d961414435180a",
"driver": "macvlan",
"network_interface": "nic0",
"created": "2022-09-16T06:39:30.925390932Z",
"subnets": [
{
"subnet": "10.85.40.0/21",
"gateway": "10.85.40.1"
}
],
"ipv6_enabled": false,
"internal": false,
"dns_enabled": true,
"ipam_options": {
"driver": "host-local"
}
}
]
[root@eagappflx223 ~]# podman info | grep netav
networkBackend: netavark
[root@eagappflx223 ~]# podman network inspect nic0
[
{
"name": "nic0",
"id": "a43c59dd854a14e83516a321688546b85dc593f220c21af728d961414435180a",
"driver": "macvlan",
"network_interface": "nic0",
"created": "2022-09-16T06:39:30.925390932Z",
"subnets": [
{
"subnet": "10.85.40.0/21",
"gateway": "10.85.40.1"
}
],
"ipv6_enabled": false,
"internal": false,
"dns_enabled": true,
"ipam_options": {
"driver": "host-local"
}
}
]
[root@eagappflx223 ~]# podman info | grep netav
networkBackend: netavark
[root@eagappflx223 ~]# podman run -itd --name c1 --ip=10.85.41.247 --network nic0 flex.io/uss-engine:15.0.2
d6fe18855b222abe8df478da52d8a387e03f6f6afff1817934b2db031f4beafe
[root@eagappflx223 ~]# podman exec -it c1 bash
engine : ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.85.41.247 netmask 255.255.248.0 broadcast 10.85.47.255
inet6 2001:db8:1:0:9008:aeff:fe4e:cb97 prefixlen 64 scopeid 0x0<global>
inet6 fe80::9008:aeff:fe4e:cb97 prefixlen 64 scopeid 0x20<link>
ether 92:08:ae:4e:cb:97 txqueuelen 1000 (Ethernet)
RX packets 319 bytes 21071 (20.5 KiB)
RX errors 0 dropped 39 overruns 0 frame 0
TX packets 13 bytes 1102 (1.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Paul - mind taking a look? We're probably missing one of the v6 sysctls in macvlan. hi Matthew, Paul, we see two issues in this mail. 1. as titled, in a pure ipv4 macvlan network, creating a container got ipv6 global address. This is unexpected behaviour. 2. to workaround the #1 issue, i tried following parameters but all/any of them has no effect. net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.all.autoconf=0 net.ipv6.conf.default.autoconf=0 Are you planning to fix this or do you have any workaournd for any of the above 2 issues? our product is blocked by this issue. BR, Shuai Ma 2) You cannot set sysctls because we setup the namespace before the oci runtime applies any sysctls. I think what you can try is running with a custom user namespace, e.g. --userns auto, in this case we have to setup the namespace after the oci runtime creates the namespace. I think we have to fix it so netavark sets automatically the sysctls. i tried like this, but no effect. # docker run -itd --name c1 --ip=10.85.41.247 --network nic0 --sysctl net.ipv6.conf.all.autoconf=0 flex.io/uss-engine:17.0 tried set net.ipv6.conf.all.forwarding=1, it has effect. Does net.ipv6.conf.all.forwarding and net.ipv6.conf.all.autoconf applied at differnet phase? BTW, when would we expect a fix for this? Thanks a lot! please be noticed that any 'docker' command here is actually 'podman' as we aliased Podman to Docker. I'm hoping to clear up some of the confusion between teams. The sysctl must be set before you run Podman or it will not effect things. Can you confirm whether you have set the sysctl before running Podman with netavark? If not, please try and report back. The good news is one of our engineers has been able to reproduce the bug you observe. One of us will update this bugzilla with results. Update: disregard the suggestion for a work-around. We have verified it does not work. As mentioned before you have to create a custom userns, only then the sysctl will be applied before netavark is called. This works for me `podman run --uidmap=0:0:4294967295 --sysctl net.ipv6.conf.default.autoconf=0 ...`, the important bit is --uidmap=0:0:4294967295 but any other userns (e.g. --userns auto) should also work. upstream fix -> https://github.com/containers/netavark/pull/434 i see the fix is in netavark, do you plan to add that fix in cni as well? repeat my question - does netavak fully support RHEL8.6? BR, Shuai @mrussell can you answer https://bugzilla.redhat.com/show_bug.cgi?id=2126243#c24 please? @shuai.ma Netavark was Tech Preview in 8.6 but we are changing that to fully supported in the documentation soon. You can consider it supported in 8.6 now. hi, our product is now using CNI backend instead of Netavark, can you provide fix to Cni as well? BR, Shuai @shuai.ma That should be raised in a new bug, however, we are not planning to make this fix in CNI. We understand that workaround is being tested with a plan to converge on Netavark in the future. Thank you and regards. Test with netavark-1.5.0-4.module+el8.8.0+18060+3f21f2cc.x86_64. The auto_conf_ipv6 already disabled inside container. And checked inside container only a linked-local ipv6 addr set. So move it to verified. More details:
[root@kvm-04-guest09 ~]# podman network create -d macvlan --subnet=10.85.40.0/21 --gateway=10.85.40.1 -o parent=ens3 ens3
ens3
[root@kvm-04-guest09 ~]# podman network inspect ens3
[
{
"name": "ens3",
"id": "0c738066b2f06e0cb663a6fa5a2d05d776e41e4f2d6841f64207c4692fee3e4e",
"driver": "macvlan",
"network_interface": "ens3",
"created": "2023-02-13T04:31:17.569829276-05:00",
"subnets": [
{
"subnet": "10.85.40.0/21",
"gateway": "10.85.40.1"
}
],
"ipv6_enabled": false,
"internal": false,
"dns_enabled": false,
"ipam_options": {
"driver": "host-local"
}
}
]
[root@kvm-04-guest09 ~]# podman --log-level debug run -itd --name c1 --ip=10.85.41.247 --network ens3 quay.io/libpod/busybox
INFO[0000] podman filtering at log level debug
DEBU[0000] Called run.PersistentPreRunE(podman --log-level debug run -itd --name c1 --ip=10.85.41.247 --network ens3 quay.io/libpod/busybox)
DEBU[0000] Using conmon: "/usr/bin/conmon"
DEBU[0000] Initializing boltdb state at /var/lib/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /var/lib/containers/storage
DEBU[0000] Using run root /run/containers/storage
DEBU[0000] Using static dir /var/lib/containers/storage/libpod
DEBU[0000] Using tmp dir /run/libpod
DEBU[0000] Using volume path /var/lib/containers/storage/volumes
DEBU[0000] Using transient store: false
DEBU[0000] Set libpod namespace to ""
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that metacopy is being used
DEBU[0000] Cached value indicated that native-diff is not being used
INFO[0000] Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=true
DEBU[0000] Initializing event backend file
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument
DEBU[0000] Using OCI runtime "/usr/bin/runc"
INFO[0000] Setting parallel job count to 4
DEBU[0000] Successfully loaded network dual: &{dual 165ffe44b63c23701966a3cf82e649be209e75d52e1881bd6a5c270a3c718f7c bridge podman3 2023-02-13 02:36:33.980492564 -0500 EST [{{{10.89.2.0 ffffff00}} 10.89.2.1 <nil>} {{{fdeb:da7c:92fd:8eef:: ffffffffffffffff0000000000000000}} fdeb:da7c:92fd:8eef::1 <nil>}] true false true [] map[] map[] map[driver:host-local]}
DEBU[0000] Successfully loaded network ens3: &{ens3 0c738066b2f06e0cb663a6fa5a2d05d776e41e4f2d6841f64207c4692fee3e4e macvlan ens3 2023-02-13 04:31:17.569829276 -0500 EST [{{{10.85.40.0 fffff800}} 10.85.40.1 <nil>}] false false false [] map[] map[] map[driver:host-local]}
DEBU[0000] Successfully loaded network test100: &{test100 c4971f987fb3ca7ac37ead96182f72a9e2410e074ad564f9316c36b11e52ac33 bridge podman1 2023-02-13 02:20:21.659441618 -0500 EST [{{{10.89.0.0 ffffff00}} 10.89.0.1 <nil>}] false false true [] map[] map[metric:100] map[driver:host-local]}
DEBU[0000] Successfully loaded network test200: &{test200 e54facbdb6598ccca45bc5482791b04600f4393e864eb9c8d419ddca9a549340 bridge podman2 2023-02-13 02:20:35.520580531 -0500 EST [{{{10.89.1.0 ffffff00}} 10.89.1.1 <nil>}] false false true [] map[] map[metric:200] map[driver:host-local]}
DEBU[0000] Successfully loaded 5 networks
DEBU[0000] Pulling image quay.io/libpod/busybox (policy: missing)
DEBU[0000] Looking up image "quay.io/libpod/busybox" in local containers storage
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux [] }
DEBU[0000] Trying "quay.io/libpod/busybox:latest" ...
DEBU[0000] parsed reference into "[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f"
DEBU[0000] Found image "quay.io/libpod/busybox" as "quay.io/libpod/busybox:latest" in local containers storage
DEBU[0000] Found image "quay.io/libpod/busybox" as "quay.io/libpod/busybox:latest" in local containers storage ([overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f)
DEBU[0000] exporting opaque data as blob "sha256:f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f"
DEBU[0000] Looking up image "quay.io/libpod/busybox:latest" in local containers storage
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux [] }
DEBU[0000] Trying "quay.io/libpod/busybox:latest" ...
DEBU[0000] parsed reference into "[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f"
DEBU[0000] Found image "quay.io/libpod/busybox:latest" as "quay.io/libpod/busybox:latest" in local containers storage
DEBU[0000] Found image "quay.io/libpod/busybox:latest" as "quay.io/libpod/busybox:latest" in local containers storage ([overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f)
DEBU[0000] exporting opaque data as blob "sha256:f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f"
DEBU[0000] Looking up image "quay.io/libpod/busybox" in local containers storage
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux [] }
DEBU[0000] Trying "quay.io/libpod/busybox:latest" ...
DEBU[0000] parsed reference into "[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f"
DEBU[0000] Found image "quay.io/libpod/busybox" as "quay.io/libpod/busybox:latest" in local containers storage
DEBU[0000] Found image "quay.io/libpod/busybox" as "quay.io/libpod/busybox:latest" in local containers storage ([overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f)
DEBU[0000] exporting opaque data as blob "sha256:f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f"
DEBU[0000] Inspecting image f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f
DEBU[0000] exporting opaque data as blob "sha256:f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f"
DEBU[0000] exporting opaque data as blob "sha256:f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f"
DEBU[0000] Inspecting image f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f
DEBU[0000] Inspecting image f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f
DEBU[0000] Inspecting image f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f
DEBU[0000] Inspecting image f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f
DEBU[0000] using systemd mode: false
DEBU[0000] setting container name c1
DEBU[0000] No hostname set; container's hostname will default to runtime default
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json"
DEBU[0000] Allocated lock 8 for container 1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c
DEBU[0000] parsed reference into "[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f"
DEBU[0000] exporting opaque data as blob "sha256:f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f"
DEBU[0000] Cached value indicated that idmapped mounts for overlay are not supported
DEBU[0000] Check for idmapped mounts support
DEBU[0000] Created container "1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c"
DEBU[0000] Container "1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c" has work directory "/var/lib/containers/storage/overlay-containers/1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c/userdata"
DEBU[0000] Container "1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c" has run directory "/run/containers/storage/overlay-containers/1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c/userdata"
DEBU[0000] overlay: mount_data=lowerdir=/var/lib/containers/storage/overlay/l/WNEF277CUMEDPUVLH7KHH4V3UK,upperdir=/var/lib/containers/storage/overlay/fed4a754c7533300311548b8b3d4de58138c94c422819dcea9b1eb5076211fbf/diff,workdir=/var/lib/containers/storage/overlay/fed4a754c7533300311548b8b3d4de58138c94c422819dcea9b1eb5076211fbf/work,nodev,metacopy=on,context="system_u:object_r:container_file_t:s0:c366,c453"
DEBU[0000] Mounted container "1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c" at "/var/lib/containers/storage/overlay/fed4a754c7533300311548b8b3d4de58138c94c422819dcea9b1eb5076211fbf/merged"
DEBU[0000] Created root filesystem for container 1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c at /var/lib/containers/storage/overlay/fed4a754c7533300311548b8b3d4de58138c94c422819dcea9b1eb5076211fbf/merged
DEBU[0000] Made network namespace at /run/netns/netns-58ad2df5-dfd5-6fcc-ae38-979a21d26571 for container 1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c
[DEBUG netavark::network::validation] "Validating network namespace..."
[DEBUG netavark::commands::setup] "Setting up..."
[INFO netavark::firewall] Using iptables firewall driver
[DEBUG netavark::network::vlan] Setup network ens3
[DEBUG netavark::network::vlan] Container interface name: eth0 with IP addresses [10.85.41.247/21]
[DEBUG netavark::network::core_utils] Setting sysctl value for /proc/sys/net/ipv6/conf/eth0/autoconf to 0
[INFO netavark::network::netlink] Adding route (dest: 0.0.0.0/0 ,gw: 10.85.40.1, metric 100)
[INFO netavark::commands::setup] dns disabled because aardvark-dns path does not exists
[DEBUG netavark::commands::setup] {
"ens3": StatusBlock {
dns_search_domains: Some(
[],
),
dns_server_ips: Some(
[],
),
interfaces: Some(
{
"eth0": NetInterface {
mac_address: "2a:ed:b7:d3:8b:a1",
subnets: Some(
[
NetAddress {
gateway: Some(
10.85.40.1,
),
ipnet: 10.85.41.247/21,
},
],
),
},
},
),
},
}
[DEBUG netavark::commands::setup] "Setup complete"
DEBU[0000] Adding nameserver(s) from network status of '[]'
DEBU[0000] Adding search domain(s) from network status of '[]'
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode subscription
DEBU[0000] Setting Cgroups for container 1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c to machine.slice:libpod:1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d
DEBU[0000] Workdir "/" resolved to host path "/var/lib/containers/storage/overlay/fed4a754c7533300311548b8b3d4de58138c94c422819dcea9b1eb5076211fbf/merged"
DEBU[0000] Created OCI spec for container 1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c at /var/lib/containers/storage/overlay-containers/1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c/userdata/config.json
DEBU[0000] /usr/bin/conmon messages will be logged to syslog
DEBU[0000] running conmon: /usr/bin/conmon args="[--api-version 1 -c 1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c -u 1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c -r /usr/bin/runc -b /var/lib/containers/storage/overlay-containers/1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c/userdata -p /run/containers/storage/overlay-containers/1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c/userdata/pidfile -n c1 --exit-dir /run/libpod/exits --full-attach -s -l k8s-file:/var/lib/containers/storage/overlay-containers/1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c/userdata/ctr.log --log-level debug --syslog -t --conmon-pidfile /run/containers/storage/overlay-containers/1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /var/lib/containers/storage --exit-command-arg --runroot --exit-command-arg /run/containers/storage --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/libpod --exit-command-arg --network-config-dir --exit-command-arg --exit-command-arg --network-backend --exit-command-arg netavark --exit-command-arg --volumepath --exit-command-arg /var/lib/containers/storage/volumes --exit-command-arg --transient-store=false --exit-command-arg --runtime --exit-command-arg runc --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --storage-opt --exit-command-arg overlay.mountopt=nodev,metacopy=on --exit-command-arg --events-backend --exit-command-arg file --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg 1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c]"
INFO[0000] Running conmon under slice machine.slice and unitName libpod-conmon-1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c.scope
DEBU[0000] Received: 42456
INFO[0000] Got Conmon PID as 42448
DEBU[0000] Created container 1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c in OCI runtime
DEBU[0000] Starting container 1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c with command [sh]
DEBU[0000] Started container 1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c
DEBU[0000] Notify sent successfully
1c403e41d9847cf99fd020a5b31d91e9ada4806bafc3eb80571ac5a40a88954c
DEBU[0000] Called run.PersistentPostRunE(podman --log-level debug run -itd --name c1 --ip=10.85.41.247 --network ens3 quay.io/libpod/busybox)
DEBU[0000] Shutting down engines
[root@kvm-04-guest09 ~]# podman exec -ti c1 ifconfig
eth0 Link encap:Ethernet HWaddr 2A:ED:B7:D3:8B:A1
inet addr:10.85.41.247 Bcast:10.85.47.255 Mask:255.255.248.0
inet6 addr: fe80::28ed:b7ff:fed3:8ba1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:65 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3902 (3.8 KiB) TX bytes:516 (516.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:2758 |
Description of problem: macvlan network is created for pure IPv4 network, but Podman container got global IPv6 address unexpectedly Version-Release number of selected component (if applicable): [root@eagappflx248 ~]# cat /etc/redhat-release Red Hat Enterprise Linux release 8.6 (Ootpa) [root@eagappflx248 ~]# podman version Client: Podman Engine Version: 4.1.1 API Version: 4.1.1 Go Version: go1.17.7 Built: Mon Jul 11 14:56:53 2022 OS/Arch: linux/amd64 How reproducible: Steps to Reproduce: 1. Create macvlan network with pure ipv4 network docker network create -d macvlan --subnet=10.85.40.0/21 --gateway=10.85.40.1 -o parent=nic0 nic0 2. docker run -itd --name c1 --ip=10.85.41.247 --network nic0 flex.io/uss-engine:17.0 3. check container ip, and find there are a global ipv6 address and a local-link ipv6 address there. [root@eagappflx223 ~]# docker exec -ti c1 bash engine : ifconfig eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.85.42.1 netmask 255.255.248.0 broadcast 10.85.47.255 inet6 2001:db8:1:0:1023:21ff:fef5:974d prefixlen 64 scopeid 0x0<global> inet6 fe80::1023:21ff:fef5:974d prefixlen 64 scopeid 0x20<link> ether 12:23:21:f5:97:4d txqueuelen 0 (Ethernet) RX packets 363 bytes 23318 (22.7 KiB) RX errors 0 dropped 41 overruns 0 frame 0 TX packets 12 bytes 980 (980.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 Actual results: there are ipv6 addresses auto-configured for container which is in pure ipv4 address. Expected results: there should be no ipv6 addresses auto-configured for container which is in pure ipv4 address. Additional info: our lab environment has DHCP server configured, and our DNS server can resolve a hostname to both ipv4 and ipv6 address. for example [root@eagappflx128 hostadmin]# nslookup eagappflx128p1 Server: 172.16.8.12 Address: 172.16.8.12#53 Name: eagappflx128p1.engba.veritas.com Address: 10.85.41.137 Name: eagappflx128p1.engba.veritas.com Address: 2620:128:f021:9014::1b