Did you make sure your unit is started after firewalld? On start, firewalld also flushes all rules, so the container unit must be started after that.
I've added After=firewalld.service to my systemd file, and then rebooted the machine. Same issue.
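For reference, a minimal sketch of what that ordering change looks like as a systemd drop-in, assuming the unit is named mycontainer.service (the name is a placeholder):
mkdir -p /etc/systemd/system/mycontainer.service.d
cat > /etc/systemd/system/mycontainer.service.d/10-firewalld.conf <<'EOF'
[Unit]
# Start only once firewalld is up, and pull it in if it is not queued
After=firewalld.service
Wants=firewalld.service
EOF
systemctl daemon-reload
Note that After= alone only orders the two units when both are scheduled to start; adding Wants= makes systemd pull firewalld in as well.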
Did you actually make sure no other service is flushing the iptables rules afterwards? Podman does not delete anything on its own. You have to figure out what is clearing your iptables rules and then start the podman units after that. In any case, this is not a podman bug, so I am closing this, but feel free to continue the discussion.
@Luap99 The servers where I installed podman only run podman and mysql, so I don't think anything would reload the firewalld/iptables rules.
I've pushed the analysis a bit further. The two servers actually don't show the same behavior (sorry, I wasn't precise enough).
Server 1: single podman container only, no other software installed (RHEL 9 minimal setup)
On reboot, the firewalld zone and iptables rules aren't created until I launch podman network reload --all.
Added After=firewalld.service to the unit file of the podman container. Nothing changes.
I have yet to discover if/when the firewalld/iptables rules get flushed.
Any idea how to proceed?
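One rough way to narrow it down, assuming the rules are created at some point and flushed later rather than never created at all (paths and timing are arbitrary):
# snapshot the ruleset and the trusted zone right after boot
iptables -S > /tmp/rules-boot.txt
firewall-cmd --zone=trusted --list-sources
# check whether firewalld logged a reload since boot
journalctl -u firewalld -b --no-pager
# ...some time later, compare
iptables -S > /tmp/rules-later.txt
diff -u /tmp/rules-boot.txt /tmp/rules-later.txt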
Server 2: 17 podman containers, all running the same software, each with its own systemd unit file; all of these containers talk to a mysql server installed directly on the same host. On reboot, the firewalld zone and iptables rules exist and look good.
Server 2's special hell case:
Surprisingly, of the 17 instances, only some cannot be reached. Each instance uses a local port (8001-8017) which is forwarded to port 8080 inside the container (e.g. -p 8002:8080).
When I curl localhost:8001 up to 8017, some containers don't respond until I launch podman network reload --all.
Again, I have no clue where to search. I've looked at the bridge slaves; they are all up.
I can also ping each container IP without a problem.
I just cannot reach random containers on their forwarded local port.
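For what it's worth, a quick sweep over the whole mapped range makes the broken instances easy to list (port range taken from the description above):
for port in $(seq 8001 8017); do
  # 200 means the instance answered, 000 means no response within 4s
  printf '%s: ' "$port"
  curl -s -m 4 -o /dev/null -w '%{http_code}\n' "localhost:$port"
done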
EDIT: The containers that cannot be reached aren't random; they're always the same ones. As said, they run the same software as the others and are configured the same way, except for the local port, which changes. I compared the systemd unit files; the only differences are the names and the mapped ports.
Checked SELinux logs, nothing. Checked dmesg, only got the generic podman0 port x(vethy) entered forwarding state messages.
Container logs show that the application inside the container is running. If I happen to podman exec -it <container> bash and then execute curl localhost:8080, the application responds properly. Interestingly, from inside the container, I can also see the sql server using curl host.containers.internal:3306.
Of course, using an HTTP client against an SQL server produces an error (I don't have other tools in the container), but at least I know the SQL server is reachable.
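As an aside, when the image ships nothing but curl, bash's built-in /dev/tcp pseudo-device can test raw TCP reachability without the protocol mismatch (container name is a placeholder, and this assumes coreutils' timeout exists in the image):
podman exec -it mycontainer bash -c \
  'timeout 2 bash -c "echo > /dev/tcp/host.containers.internal/3306" && echo open || echo closed'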
Using ss -lataupen, I see the ports that don't work listening. E.g., one container that doesn't work has app port 8080 mapped to local port 8006, and of course I see that local port 8006 listens on the host server:
tcp LISTEN 26 4096 0.0.0.0:8006 0.0.0.0:* users:(("conmon",pid=1671,fd=6)) ino:26454 sk:b cgroup:/system.slice/demo.service <->
tcp ESTAB 199 0 192.168.161.1:8006 192.168.201.4:38412 ino:0 sk:1003 cgroup:/system.slice/example.service <->
tcp CLOSE-WAIT 79 0 127.0.0.1:8006 127.0.0.1:37688 ino:0 sk:25 cgroup:/system.slice/example.service -->
tcp CLOSE-WAIT 79 0 127.0.0.1:8006 127.0.0.1:40564 ino:0 sk:29 cgroup:/system.slice/example.service -->
So each container's app works and can reach the host's sql server, but some cannot be reached from the host, with no apparent explanation.
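One more cross-check that might be worth capturing, assuming the container behind port 8006 above is named demo: podman can print the port mappings it believes are live, which should line up with what ss reports.
podman port demo
# expected output along the lines of:
# 8080/tcp -> 0.0.0.0:8006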
I must admit I'm all out of things to check. Any ideas, perhaps? I'm pretty lost, as I've done all the server-fu that I know.
I've even tried to see whether firewall rules change:
# reboot machine
# good container
curl localhost:8001 -m 4
<!doctype html>[...]
# bad container
curl localhost:8003 -m 4
curl: (28) Operation timed out after 4001 milliseconds with 0 bytes received
ip a > before_ipa
ss -lataupn > before_ss
firewall-cmd --list-all-zones > before_fw
iptables -L -n > before_iptables
# Now restart network
podman network reload --all
# good container
curl localhost:8001 -m 4
<!doctype html>[...]
# bad container now works too
curl localhost:8003 -m 4
<!doctype html>[...]
ip a > after_ipa
ss -lataupn > after_ss
firewall-cmd --list-all-zones > after_fw
iptables -L -n > after_iptables
Running a diff on the iptables and firewall files shows nothing changed. The other comparisons didn't show anything shocking to me either.
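(For completeness, a sketch of those comparisons using the files captured above:
diff -u before_fw after_fw
diff -u before_iptables after_iptables
diff -u before_ss after_ss
diff -u before_ipa after_ipa
)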
Another thing: after a couple more test reboots, I can confirm that the containers that won't respond are indeed random after all (contrary to my earlier edit). Containers that didn't work after one reboot now work, and others stopped working until I reload the networks with podman.
Really needing advice here.
Ahem... any ideas, perhaps?
Okay, it looks like the latest update batch, containing the following, resolved my issue:
firewalld-1.2.1-1.el9.noarch to firewalld-1.2.5-2.el9_3.noarch
firewalld-filesystem-1.2.1-1.el9.noarch to firewalld-filesystem-1.2.5-2.el9_3.noarch
netavark-1.7.0-1.el9.x86_64 to netavark-1.7.0-2.el9_3.x86_64
podman-4.6.1-5.el9.x86_64 to podman-4.6.1-7.el9_3.x86_64
python3-firewall-1.2.1-1.el9.noarch to python3-firewall-1.2.5-2.el9_3.noarch
No idea whether it was a podman or a firewalld issue, but it works now ^^
Issue Description
I'm running a rootless podman container on a RHEL 9 machine. I've created a systemd unit file for the container using
podman generate systemd mycontainer > /etc/systemd/system/mycontainer.service
On every system reboot, my container isn't reachable from the host: I have to run
podman network reload mycontainer
for the container to become reachable. Searching around, I noticed that firewalld doesn't have the container network in the trusted zone, and iptables doesn't have any forwarding rules until I've reloaded the networks using podman:
Before podman network reload mycontainer
After podman network reload mycontainer
So my wild guess is that the podman generated systemd file doesn't provide the necessary steps at boot time.
Steps to reproduce the issue
podman generate systemd mycontainer > /etc/systemd/system/mycontainer.service
systemctl enable --now mycontainer
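For context, a unit produced by podman generate systemd in the 4.x series looks roughly like the sketch below (container ID, PIDFile and ExecStopPost lines elided); notably, it only orders against network-online.target, not firewalld.service:
[Unit]
Description=Podman container-mycontainer.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman start mycontainer
ExecStop=/usr/bin/podman stop -t 10 mycontainer
Type=forking

[Install]
WantedBy=default.target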
Describe the results you received
As described, missing iptables and firewalld rules.
Describe the results you expected
Automatic iptables and firewalld rules creation on service start.
I do understand that running
firewall-cmd --reload
will reset the firewalld rules, but these seem to be missing on startup already.
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
Here's my systemd service file generated via podman
Additional information
I have two servers set up like this, one with RHEL 9.2 and the other with AlmaLinux 9.2, both running podman 4.4.1. Both servers show almost exactly the same behavior.