cockpit-project / cockpit-podman

Cockpit UI for podman containers
GNU Lesser General Public License v2.1
432 stars, 88 forks

failed to add the address 10.88.0.6/32 to trusted zone #1154

Open funkytaco opened 1 year ago

funkytaco commented 1 year ago

cockpit 264.2
cockpit-podman 49.1
Podman version: 4.1.1
OS: Red Hat Enterprise Linux release 8.6 (Ootpa)

Steps to reproduce

  1. Add gitlab/gitlab-ce (or any other image)
  2. Go to cockpit-podman UI and try to create a container.
  3. Container failed to be started.

Error message:

```
Internal Server Error: plugin type="firewall" failed (add): cni plugin firewall failed: failed to add the address 10.88.0.6/32 to trusted zone: COMMAND_FAILED: 'python-nftables' failed:
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob:
{"nftables": [
  {"metainfo": {"json_schema_version": 1}},
  {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES_SOURCE", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "saddr"}}, "op": "==", "right": {"prefix": {"addr": "10.88.0.6", "len": 32}}}}, {"goto": {"target": "filter_IN_trusted"}}]}}},
  {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES_SOURCE", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "10.88.0.6", "len": 32}}}}, {"goto": {"target": "filter_FWDO_trusted"}}]}}},
  {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES_SOURCE", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "10.88.0.6", "len": 32}}}}, {"goto": {"target": "nat_POST_trusted"}}]}}},
  {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES_SOURCE", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "saddr"}}, "op": "==", "right": {"prefix": {"addr": "10.88.0.6", "len": 32}}}}, {"goto": {"target": "filter_FWDI_trusted"}}]}}},
  {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES_SOURCE", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "saddr"}}, "op": "==", "right": {"prefix": {"addr": "10.88.0.6", "len": 32}}}}, {"goto": {"target": "nat_PRE_trusted"}}]}}},
  {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES_SOURCE", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "saddr"}}, "op": "==", "right": {"prefix": {"addr": "10.88.0.6", "len": 32}}}}, {"goto": {"target": "mangle_PRE_trusted"}}]}}}
]}
```

We are using firewalld with a custom public zone.
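The useful part of that error is the JSON blob: it lists exactly which firewalld tables and chains the CNI firewall plugin asked python-nftables to insert rules into, and nft answers "No such file or directory" (ENOENT) when a rule refers to a table or chain that does not exist. Six rules were sent and six were rejected, so it is the firewalld objects themselves that are missing, not one bad rule. The script below is an added example (not cockpit-podman or podman code) that decodes such a message into the `nft list table`/`nft list chain` commands to run on the affected host; the error string and blob inside it are a constructed copy of the one quoted in this issue, and nothing here talks to a live firewalld or nft.

```python
"""Decode a firewalld/python-nftables COMMAND_FAILED message of the kind the
CNI firewall plugin reports and turn it into nft commands to run on the host.
Added example, not cockpit-podman or podman code."""
import json


def _insert(family, table, chain, field, target):
    # One "insert rule" object as firewalld hands it to python-nftables:
    # match ip saddr/daddr against the container's /32, then goto the zone chain.
    return {"insert": {"rule": {
        "family": family, "table": table, "chain": chain,
        "expr": [
            {"match": {"left": {"payload": {"protocol": "ip", "field": field}},
                       "op": "==",
                       "right": {"prefix": {"addr": "10.88.0.6", "len": 32}}}},
            {"goto": {"target": target}},
        ]}}}


# Constructed copy of the JSON blob from the issue (same six rules, same order).
BLOB = {"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    _insert("inet", "firewalld", "filter_INPUT_ZONES_SOURCE", "saddr", "filter_IN_trusted"),
    _insert("inet", "firewalld", "filter_FORWARD_OUT_ZONES_SOURCE", "daddr", "filter_FWDO_trusted"),
    _insert("ip", "firewalld", "nat_POSTROUTING_ZONES_SOURCE", "daddr", "nat_POST_trusted"),
    _insert("inet", "firewalld", "filter_FORWARD_IN_ZONES_SOURCE", "saddr", "filter_FWDI_trusted"),
    _insert("ip", "firewalld", "nat_PREROUTING_ZONES_SOURCE", "saddr", "nat_PRE_trusted"),
    _insert("inet", "firewalld", "mangle_PREROUTING_ZONES_SOURCE", "saddr", "mangle_PRE_trusted"),
]}

# Constructed copy of the whole error string as podman surfaced it in the issue.
ERROR_TEXT = (
    'Internal Server Error: plugin type="firewall" failed (add): cni plugin firewall '
    "failed: failed to add the address 10.88.0.6/32 to trusted zone: COMMAND_FAILED: "
    "'python-nftables' failed: "
    + "internal:0:0-0: Error: Could not process rule: No such file or directory " * 6
    + "JSON blob: " + json.dumps(BLOB)
)


def parse_blob(msg):
    """Return the parsed nftables JSON firewalld appends after 'JSON blob: '."""
    marker = "JSON blob: "
    pos = msg.rfind(marker)
    if pos < 0:
        raise ValueError("no 'JSON blob:' section in message")
    return json.loads(msg[pos + len(marker):])


def count_rule_errors(msg):
    """One 'Could not process rule' per rule nft rejected. ENOENT here means a
    referenced table or chain does not exist, not that the rule is malformed."""
    return msg.count("Could not process rule: No such file or directory")


def rules(blob):
    """Yield the rule objects from insert/add commands, skipping metainfo."""
    for cmd in blob["nftables"]:
        for verb in ("insert", "add"):
            rule = cmd.get(verb, {}).get("rule")
            if rule:
                yield rule


def addresses(blob):
    """Set of 'addr/len' prefixes the rules match (the container addresses)."""
    out = set()
    for rule in rules(blob):
        for expr in rule["expr"]:
            prefix = expr.get("match", {}).get("right", {}).get("prefix")
            if prefix:
                out.add(f"{prefix['addr']}/{prefix['len']}")
    return out


def nft_check_commands(blob):
    """nft commands listing every table and chain the blob depends on: tables
    first, then each rule's chain followed by its goto/jump target. Whichever
    command fails with 'No such file or directory' names the missing object."""
    cmds = []
    for rule in rules(blob):
        cmd = f"nft list table {rule['family']} {rule['table']}"
        if cmd not in cmds:
            cmds.append(cmd)
    for rule in rules(blob):
        targets = [e[v]["target"] for e in rule["expr"] for v in ("goto", "jump") if v in e]
        for chain in [rule["chain"]] + targets:
            cmd = f"nft list chain {rule['family']} {rule['table']} {chain}"
            if cmd not in cmds:
                cmds.append(cmd)
    return cmds


def diagnose(msg):
    """Summarise an error message: how many rules were sent, how many failed,
    which addresses they concern, and what to check on the host."""
    blob = parse_blob(msg)
    n_rules = sum(1 for _ in rules(blob))
    n_errors = count_rule_errors(msg)
    return {"rules": n_rules, "errors": n_errors,
            "all_failed": n_rules > 0 and n_errors == n_rules,
            "addresses": addresses(blob), "commands": nft_check_commands(blob)}


if __name__ == "__main__":
    d = diagnose(ERROR_TEXT)
    print(f"{d['errors']} of {d['rules']} rules rejected for {sorted(d['addresses'])}")
    if d["all_failed"]:
        print("every rule failed: check that the firewalld tables and trusted-zone chains exist")
    print("\n".join(d["commands"]))
```

Run the printed `nft list ...` commands as root on the host that produced the error; the first one that fails tells you whether the whole `firewalld` table is absent (firewalld not running, or not using its nftables backend) or only the `*_trusted` zone chains are.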

marusak commented 1 year ago

This does not seem like anything cockpit-podman related. Do you just click on 'Run container' or do you edit anything? Do you need any exposed options that you would use on command line?

funkytaco commented 1 year ago

Hmm, good point. I was clicking Create and Run. If I click create, it creates the image. But if I try to run it from cockpit-podman UI, it gives the above error.

Is cockpit-podman not using the same as CLI? CLI launched this simple test container:

```
$ podman run -dt -p 8080:80/tcp docker.io/library/httpd
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob 0a22f1af035b done
Copying blob 94efcc2978ca done
Copying blob f06194b937dc done
Copying blob 025c56f98b67 skipped: already exists
Copying blob e8f73658d652 done
Copying config 157dcdf23d done
Writing manifest to image destination
Storing signatures
b22c4bd2d3942c3cb0ef9e89c74e9ad8d509230573b74f9bdad0c03e9fd0b9f5
```

```
$ podman ps
CONTAINER ID  IMAGE                              COMMAND               CREATED             STATUS                       PORTS                 NAMES
b596223cef95  docker.io/gitlab/gitlab-ce:latest  /assets/wrapper       5 minutes ago       Up 5 minutes ago (starting)                        gitlab-test
e2bc8c1fb1d9  docker.io/library/nginx:latest     nginx -g daemon o...  About a minute ago  Up About a minute ago        0.0.0.0:8181->80/tcp  mynginx
b22c4bd2d394  docker.io/library/httpd:latest     httpd-foreground      4 seconds ago       Up 3 seconds ago             0.0.0.0:8080->80/tcp  objective_buck
$ curl localhost:8080
```

It works!

But the images from cockpit-podman aren't even seen on CLI, so I'm lost. I thought cockpit-podman would mirror podman from CLI.

The server is using firewalld.

jelly commented 1 year ago

Cockpit shows user and system images/containers. So as what user do you start the container, and as what user are you logged in to cockpit?