Closed hakong closed 6 months ago
AFAIK @dgibson is working on some udp fixes in pasta right now. cc @sbrivio-rh
0^20230818.g0af928e
Note that this version is quite old considering that pasta is under active development so I suggest you try with the latest version first and see if it works better.
Graph of failure count (left axis) and ratio (right axis) for slirp4netns vs pasta. Given enough time and/or network traffic the failure ratio has reached >60% for me.
I had an issue with a TCP/UDP mixed high-traffic container using pasta last month that caused it to completely lock up the virtual machine it was running on (this happened a few times before I switched back to slirp4netns) and then flooded the hypervisor host with >3Gbps of traffic. Since it only had a 1Gbit physical interface it self-DDoSed and I was unable to debug (even the shared IPMI interface timed out). At one point I was able to connect to the container VM and saw a pasta process using 100% CPU. Might possibly be related.
AFAIK @dgibson is working on some udp fixes in pasta right now. cc @sbrivio-rh
0^20230818.g0af928e
Note that this version is quite old considering that pasta is under active development so I suggest you try with the latest version first and see if it works better.
I'm using the latest stable version included in rhel-9-for-x86_64-appstream-rpms. Is there a repo/rpm package I can install an updated version from?
you could try using the static rpm from here: https://passt.top/builds/latest/x86_64/
Are they selinux compatible?
```
[root@container-2 ~]# rpm -Uvh https://passt.top/builds/latest/x86_64/passt-g3b9098a-1.x86_64.rpm
Retrieving https://passt.top/builds/latest/x86_64/passt-g3b9098a-1.x86_64.rpm
error: Failed dependencies:
        passt = 0^20230818.g0af928e-4.el9 is needed by (installed) passt-selinux-0^20230818.g0af928e-4.el9.noarch
```
So, remove existing passt and passt-selinux, then install latest static rpm?
Sorry, I do not know how they are built and have never used it; I will refer to @sbrivio-rh in this case.
Seems to work:
```
dnf remove passt passt-selinux
rpm -Uvh https://passt.top/builds/latest/x86_64/passt-g3b9098a-1.x86_64.rpm
```
I'm using the latest stable version included in rhel-9-for-x86_64-appstream-rpms. Is there a repo/rpm package I can install an updated version from?
EPEL 9 and CentOS Stream 9 packages (they should all be compatible with SELinux's base policy) are available from: https://copr.fedorainfracloud.org/coprs/sbrivio/passt/. If the static RPM build works for you, at least for testing purposes, you can use them too.
CentOS Stream already has a rebased package (see https://gitlab.com/redhat/centos-stream/rpms/passt) which includes several fixes for issues similar to what you're observing.
I strongly suspect this is upstream bug 57. The 2023_08_18 release doesn't have the fix for it and it caused very much the same issue as here: gradually increasing failure rates for UDP traffic the longer the container stayed around.
It was fixed with this commit, which is included in the 2023_11_07 and later releases.
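A check for the release cutoff named above, as an added example that is not part of the original thread or the passt project: it classifies a passt RPM version string against the 2023_11_07 release. It assumes the `0^YYYYMMDD.gHASH` form seen in this thread carries the upstream snapshot date and that the package has no backported fix; the function names are hypothetical.

```shell
#!/bin/sh
# First upstream release stated in this thread to include the fix (2023_11_07).
FIXED_DATE=20231107

# Print the 8-digit snapshot date from a version such as "0^20230818.g0af928e"
# (a trailing "-4.el9" release is tolerated); print nothing if there is none.
passt_snapshot_date() {
    v=${1#0^}                          # drop the "0^" snapshot prefix
    [ "$v" != "$1" ] || return 0       # prefix absent: no date to extract
    d=${v%%.*}                         # text before the first dot
    case $d in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s\n' "$d" ;;
    esac
}

# Print "affected", "fixed" or "unknown" for one version string.
passt_udp_fix_status() {
    snap=$(passt_snapshot_date "$1")
    if [ -z "$snap" ]; then
        echo unknown
    elif [ "$snap" -lt "$FIXED_DATE" ]; then
        echo affected
    else
        echo fixed
    fi
}

# Versions quoted in the thread; "g3b9098a" is the static build, which has no date.
for ver in '0^20230818.g0af928e' '0^20231204.gb86afe3' '0^20240220.g1e6f92b' 'g3b9098a'; do
    printf '%-24s %s\n' "$ver" "$(passt_udp_fix_status "$ver")"
done

# On a host with rpm, classify the installed package as well.
if command -v rpm >/dev/null 2>&1 && ver=$(rpm -q --qf '%{VERSION}' passt 2>/dev/null); then
    printf 'installed %s: %s\n' "$ver" "$(passt_udp_fix_status "$ver")"
fi
```

An "unknown" result means the version string has no date to compare, so the build has to be checked against the upstream history by its commit hash instead.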
I'm surprised to see such a broken package in RHEL's repos. I suggested to my colleagues at work that we switch our production container hosts to pasta, given its benefits. Good thing I tested this at home first.
Will the RHEL package be updated soon?
EPEL 9 and CentOS Stream 9 packages (they should all be compatible with SELinux's base policy) are available from: https://copr.fedorainfracloud.org/coprs/sbrivio/passt/. If the static RPM build works for you, at least for testing purposes, you can use them too.
CentOS Stream already has a rebased package (see https://gitlab.co
It installed but with some selinux warnings.
```
Dependencies resolved.
==============================================================================================================
 Package          Architecture   Version                     Repository                                     Size
==============================================================================================================
Installing:
 passt            x86_64         0^20240220.g1e6f92b-1.el9   copr:copr.fedorainfracloud.org:sbrivio:passt   185 k
Installing dependencies:
 passt-selinux    noarch         0^20240220.g1e6f92b-1.el9   copr:copr.fedorainfracloud.org:sbrivio:passt    32 k

Transaction Summary
==============================================================================================================
Install  2 Packages

Total download size: 217 k
Installed size: 960 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): passt-selinux-0^20240220.g1e6f92b-1.el9.noarch.rpm        63 kB/s |  32 kB     00:00
(2/2): passt-0^20240220.g1e6f92b-1.el9.x86_64.rpm               296 kB/s | 185 kB     00:00
--------------------------------------------------------------------------------------------------------------
Total                                                           344 kB/s | 217 kB     00:00
Copr repo for passt owned by sbrivio                            4.3 kB/s | 1.0 kB     00:00
Importing GPG key 0xF021CB9A:
 Userid     : "sbrivio_passt (None) <sbrivio#passt@copr.fedorahosted.org>"
 Fingerprint: E351 69FA D8EE 08F6 C0EF F84A F404 8A96 F021 CB9A
 From       : https://download.copr.fedorainfracloud.org/results/sbrivio/passt/pubkey.gpg
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                      1/1
  Installing       : passt-0^20240220.g1e6f92b-1.el9.x86_64               1/2
  Running scriptlet: passt-selinux-0^20240220.g1e6f92b-1.el9.noarch       2/2
  Installing       : passt-selinux-0^20240220.g1e6f92b-1.el9.noarch       2/2
  Running scriptlet: passt-selinux-0^20240220.g1e6f92b-1.el9.noarch       2/2
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/passt/cil:103
Failed to resolve AST
/usr/sbin/semodule: Failed!
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/pasta/cil:104
Failed to resolve AST
/usr/sbin/semodule: Failed!

  Verifying        : passt-0^20240220.g1e6f92b-1.el9.x86_64               1/2
  Verifying        : passt-selinux-0^20240220.g1e6f92b-1.el9.noarch       2/2
Installed products updated.

Installed:
  passt-0^20240220.g1e6f92b-1.el9.x86_64      passt-selinux-0^20240220.g1e6f92b-1.el9.noarch

Complete!
```
I'm surprised to see such a broken package in RHEL's repos. I suggested to my colleagues at work that we switch our production container hosts to pasta, given its benefits. Good thing I tested this at home first.
It's not broken for the supported, typical use case in RHEL at that point, that is, virtual machines (and passt(1)). However, if that's a priority for you, please file an issue.
Will the RHEL package be updated soon?
Yes, it's already updated and pending release as I mentioned: passt-0^20231204.gb86afe3-1.el9.
Details about the SELinux scriptlet failure you're seeing at: https://bugzilla.redhat.com/show_bug.cgi?id=2237996 -- the base policy installed on your system is too old to support new SELinux rules we added meanwhile. The Fedora 37 package had a patch for that: https://src.fedoraproject.org/rpms/passt/blob/f37/f/0001-selinux-Drop-user_namespace-class-rules-for-Fedora-3.patch.
Issue Description
DNS resolution fails intermittently when using pasta. This could be just DNS or UDP in general, I have not thoroughly tested other UDP services. Failure rate increases either with time or amount of network traffic.
Steps to reproduce the issue
data/test.sh and data-pasta/test.sh:
Alternative method of testing:
Note that in this test only 4% of requests failed, but for a container running for 20h with some amount of network traffic the failure rate increases to 50-70%.
Describe the results you received
Side by side tmux screenshot:
Describe the results you expected
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
Additional information
Issue replicated with RHEL ubi containers and Debian-based containers as well.
Example from docker.io/louislam/uptime-kuma:
18 hours of network traffic and everything that uses DNS lookups is failing. All 'green' services are using an IP address and not a hostname. Combination of SSH connectivity tests, TCP syn/ack tests, and HTTPS GET requests.
Immediately after restarting the pasta container, all service checks succeed and return to green status:
podman-inspect-ubi9.txt podman-inspect-ubi9-pasta.txt