In current Fedora 41, installing podman pulls in criu and iptables-nft (via containers-common-extra) as dependencies. In the next podman-related package releases in Fedora 41, this dependency will be dropped [1][2]. podman will only (indirectly) depend on nftables, as that stack already migrated to nftables. This breaks criu, and thus container checkpointing (see [3]). This has already been the case in RHEL/CentOS 10 for a while [4], and will now soon affect Fedora 41 as well. So in the short term, criu should depend on iptables (which will match iptables-legacy or -nft, either are fine). Medium term, criu needs to be ported to nftables. [1] https://github.com/containers/common/pull/2099 [2] https://github.com/containers/netavark/pull/1033 [3] https://github.com/containers/podman/pull/24238#issuecomment-2417049948 ff. [4] https://issues.redhat.com/browse/RHEL-58354 Reproducible: Always Steps to Reproduce: 1. Enable podman-next COPR, and ensure podman is installed: dnf copr enable -y rhcontainerbot/podman-next dnf --repo='copr*' update -y dnf install -y podman 2. Remove iptables dependencies. This is now possible with podman-next, and will land in the distro soon: dnf remove iptables-legacy iptables-nft 3. create and checkpoint a container: podman run -dit quay.io/libpod/busybox podman container checkpoint -l This calls "crun checkpoint" which uses criu under the hood. Actual Results: CRIU checkpointing failed -52. Please check CRIU logfile /var/lib/containers/storage/overlay-containers/929beb9b9c2974da09b1802d495b39117ebb28068acff3921cb4355f5e232a81/userdata/dump.log and said log has (00.142523) net: Unlock network (00.142543) Running network-unlock scripts Error (criu/util.c:640): execvp("iptables-restore", ...) failed: No such file or directory (00.144414) Error (criu/util.c:655): exited, status=1 Error (criu/util.c:640): execvp("ip6tables-restore", ...) failed: No such file or directory (00.146211) Error (criu/util.c:655): exited, status=1 Error (criu/util.c:640): execvp("iptables-restore", ...) failed: No such file or directory (00.148778) Error (criu/util.c:655): exited, status=1 Error (criu/util.c:640): execvp("ip6tables-restore", ...) failed: No such file or directory (00.149322) Error (criu/util.c:655): exited, status=1 (00.149349) Unfreezing tasks into 1 (00.149368) Unseizing 2331 into 1 (00.149414) Error (criu/cr-dump.c:2111): Dumping FAILED. Expected Results: checkpointing works
CRIU is upstream nftables ready. For Fedora we just need to have a soft dependency on iptables.
FEDORA-2024-c6094f0351 (criu-4.0-2.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-c6094f0351
FEDORA-2024-c6094f0351 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-c6094f0351` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-c6094f0351 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-c6094f0351 (criu-4.0-2.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.