containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Container Virtual Networks Flapping Up and Down #9694

Closed quantum77 closed 3 years ago

quantum77 commented 3 years ago

Trying to convert Docker's mailu/postfix to a podman pod. Setting up for rootless, I put the mailu dir in /home/{user}/. The first thing I noticed is that the needed subdirs were not automatically created, so I had to:

```
# mkdir -p /home/{user}/redis certs overrides/nginx admin dkim overrides/dovecot overrides/postfix spam-virus overrides/rspamd radicale
# chown -R {user}:{user} *
# chmod -R 750 *
# chmod 640 docker-compose.yml
# chmod 640 mailu.env
```
docker-compose.yml:

```yaml
# This file is auto-generated by the Mailu configuration wizard.
# Please read the documentation before attempting any change.
# Generated for compose flavor

version: '2.2'

services:

  # External dependencies
  redis:
    image: redis:alpine
    restart: always
    volumes:
      - "/home/bill/mailu/redis:/data"

  # Core services
  front:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}nginx:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    logging:
      driver: json-file
    ports:
      - "127.0.0.1:2080:80"
      - "127.0.0.1:20443:443"
      - "127.0.0.1:20587:587"
      - "127.0.0.1:20993:993"
    volumes:
      - "/home/{user}/mailu/certs:/certs"
      - "/home/{user}/mailu/overrides/nginx:/overrides"

  resolver:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-1.7}
    env_file: mailu.env
    restart: always
    networks:
      default:
        ipv4_address: 127.0.0.1

  admin:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    volumes:
      - "/home/{user}/mailu/admin:/data"
      - "/home/{user}/mailu/dkim:/dkim"
    depends_on:
      - redis

  imap:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    volumes:
      - "/home/{user}/mail:/mail"
      - "/home/{user}/mailu/overrides/dovecot:/overrides"
    depends_on:
      - front

  smtp:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    volumes:
      - "/home/{user}/mailu/overrides/postfix:/overrides"
    depends_on:
      - front
      - resolver
    dns:
      - 127.0.0.1

  antispam:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    volumes:
      - "/home/{user}/mailu/spam-virus:/var/lib/rspamd"
      - "/home/{user}/mailu/dkim:/dkim"
      - "/home/{user}/mailu/overrides/rspamd:/etc/rspamd/override.d"
    depends_on:
      - front
      - resolver
    dns:
      - 127.0.0.1

  # Optional services
  antivirus:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}clamav:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    volumes:
      - "/home/{user}/mailu/spam-virus:/data"
    depends_on:
      - resolver
    dns:
      - 127.0.0.1

  webdav:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}radicale:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    volumes:
      - "/home/{user}/mailu/radicale:/data"

  fetchmail:
    image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}fetchmail:${MAILU_VERSION:-1.7}
    restart: always
    env_file: mailu.env
    depends_on:
      - resolver
    dns:
      - 127.0.0.1

  # Webmail

networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.2.21.0/24
```
mailu.env:

```
# Mailu main configuration file
#
# This file is autogenerated by the configuration management wizard for compose flavor.
# For a detailed list of configuration variables, see the documentation at
# https://mailu.io

###################################
# Common configuration variables
###################################

# Set to a 32 byte string
# $ pwgen 32 1
SECRET_KEY=??????????????????????????????????

# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
SUBNET=10.2.20.0/24

# Main mail domain
DOMAIN=mail.quantum-equities.com

# Hostnames for this server, separated with comas
HOSTNAMES=mail.quantum-equities.com,mail.quantum-sci.com,mail.unofficial-tesla-tech.com

# Postmaster local part (will append the main mail domain)
POSTMASTER=postmaster

# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
TLS_FLAVOR=letsencrypt

# Authentication rate limit (per source IP address)
AUTH_RATELIMIT=10/minute;1000/hour 

# Opt-out of statistics, replace with "True" to opt out
DISABLE_STATISTICS=True

###################################
# Optional features
###################################

# Expose the admin interface (value: true, false)
ADMIN=true

# Choose which webmail to run if any (values: roundcube, rainloop, none)
WEBMAIL=none

# Dav server implementation (value: radicale, none)
WEBDAV=radicale

# Antivirus solution (value: clamav, none)
ANTIVIRUS=clamav

###################################
# Mail settings
###################################

# Message size limit in bytes
# Default: accept messages up to 50MB
# Max attachment size will be 33% smaller
MESSAGE_SIZE_LIMIT=100000000

# Networks granted relay permissions
# Use this with care, all hosts in this networks will be able to send mail without authentication!
RELAYNETS=

# Will relay all outgoing mails if configured
RELAYHOST=

# Fetchmail delay
FETCHMAIL_DELAY=600

# Recipient delimiter, character used to delimiter localpart from custom address part
RECIPIENT_DELIMITER=+

# DMARC rua and ruf email
DMARC_RUA=admin
DMARC_RUF=admin

# Welcome email, enable and set a topic and body if you wish to send welcome
# emails to all users.
WELCOME=false
WELCOME_SUBJECT=Welcome to your new email account
WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly!

# Maildir Compression
# choose compression-method, default: none (value: bz2, gz)
COMPRESSION=
# change compression-level, default: 6 (value: 1-9)
COMPRESSION_LEVEL=

###################################
# Web settings
###################################

# Path to redirect / to
WEBROOT_REDIRECT=

# Path to the admin interface if enabled
WEB_ADMIN=/admin

# Path to the webmail if enabled
WEB_WEBMAIL=

# Website name
SITENAME=quantum

# Linked Website URL
WEBSITE=https://mail.quantum-equities.com

###################################
# Advanced settings
###################################

# Log driver for front service. Possible values:
# json-file (default)
# journald (On systemd platforms, useful for Fail2Ban integration)
# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
# LOG_DRIVER=json-file

# Docker-compose project name, this will prepended to containers names.
COMPOSE_PROJECT_NAME=mailu

# Default password scheme used for newly created accounts and changed passwords
# (value: BLF-CRYPT, SHA512-CRYPT, SHA256-CRYPT, MD5-CRYPT, CRYPT)
PASSWORD_SCHEME=BLF-CRYPT

# Header to take the real ip from
REAL_IP_HEADER=

# IPs for nginx set_real_ip_from (CIDR list separated by commas)
REAL_IP_FROM=

# choose wether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no)
REJECT_UNLISTED_RECIPIENT=no

# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
LOG_LEVEL=WARNING

###################################
# Database settings
###################################
DB_FLAVOR=sqlite
```
What happens:

```
# systemctl stop nft
# dmesg -c
# docker-compose up

antivirus_1  | Thu Mar 11 14:48:58 2021 -> ClamAV update process started at Thu Mar 11 14:48:58 2021
antivirus_1  | Thu Mar 11 14:49:03 2021 -> ^dn_expand failed
antivirus_1  | Thu Mar 11 14:49:03 2021 -> ^Invalid DNS reply. Falling back to HTTP mode.
antivirus_1  | Thu Mar 11 14:49:08 2021 -> ^Can't get information about database.clamav.net: Try again
antivirus_1  | Thu Mar 11 14:49:08 2021 -> ^Can't download main.cvd from database.clamav.net
antivirus_1  | Thu Mar 11 14:49:08 2021 -> Trying again in 5 secs...
antivirus_1  | Thu Mar 11 14:49:18 2021 -> ^dn_expand failed
antivirus_1  | Thu Mar 11 14:49:18 2021 -> ^Invalid DNS reply. Falling back to HTTP mode.
antivirus_1  | Thu Mar 11 14:49:23 2021 -> ^Can't get information about database.clamav.net: Try again
antivirus_1  | Thu Mar 11 14:49:23 2021 -> ^Can't download main.cvd from database.clamav.net
antivirus_1  | Thu Mar 11 14:49:23 2021 -> Trying again in 5 secs...
antivirus_1  | Thu Mar 11 14:49:33 2021 -> ^dn_expand failed
antivirus_1  | Thu Mar 11 14:49:33 2021 -> ^Invalid DNS reply. Falling back to HTTP mode.
antivirus_1  | Thu Mar 11 14:49:38 2021 -> !Can't get information about database.clamav.net: Try again
antivirus_1  | Thu Mar 11 14:49:38 2021 -> !Can't download main.cvd from database.clamav.net
antivirus_1  | Thu Mar 11 14:49:38 2021 -> Giving up on database.clamav.net...
antivirus_1  | Thu Mar 11 14:49:38 2021 -> Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check https://www.clamav.net/documents/official-mirror-faq for possible reasons.
antivirus_1  | WARNING: Ignoring deprecated option DetectBrokenExecutables at /etc/clamav/clamd.conf:30
antivirus_1  | LibClamAV Error: cli_loaddbdir(): No supported database files found in /data
antivirus_1  | Thu Mar 11 14:49:38 2021 -> !Can't open file or directory
mailu_antivirus_1 exited with code 0

-------------------------------------------------------------------------------------
# dmesg
[Thu Mar 11 06:48:54 2021] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[Thu Mar 11 06:48:54 2021] cni-podman1: port 1(veth66db90c3) entered blocking state
[Thu Mar 11 06:48:54 2021] cni-podman1: port 1(veth66db90c3) entered disabled state
[Thu Mar 11 06:48:54 2021] device veth66db90c3 entered promiscuous mode
[Thu Mar 11 06:48:54 2021] cni-podman1: port 1(veth66db90c3) entered blocking state
[Thu Mar 11 06:48:54 2021] cni-podman1: port 1(veth66db90c3) entered forwarding state
[Thu Mar 11 06:48:54 2021] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[Thu Mar 11 06:48:54 2021] cni-podman1: port 2(vethd5820398) entered blocking state
[Thu Mar 11 06:48:54 2021] cni-podman1: port 2(vethd5820398) entered disabled state
[Thu Mar 11 06:48:54 2021] device vethd5820398 entered promiscuous mode
[Thu Mar 11 06:48:54 2021] cni-podman1: port 2(vethd5820398) entered blocking state
[Thu Mar 11 06:48:54 2021] cni-podman1: port 2(vethd5820398) entered forwarding state
[Thu Mar 11 06:48:54 2021] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[Thu Mar 11 06:48:54 2021] cni-podman1: port 3(veth1235a6b2) entered blocking state
[Thu Mar 11 06:48:54 2021] cni-podman1: port 3(veth1235a6b2) entered disabled state
[Thu Mar 11 06:48:54 2021] device veth1235a6b2 entered promiscuous mode
[Thu Mar 11 06:48:54 2021] cni-podman1: port 3(veth1235a6b2) entered blocking state
[Thu Mar 11 06:48:54 2021] cni-podman1: port 3(veth1235a6b2) entered forwarding state
[Thu Mar 11 06:48:55 2021] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[Thu Mar 11 06:48:55 2021] cni-podman1: port 4(veth221d22bb) entered blocking state
[Thu Mar 11 06:48:55 2021] cni-podman1: port 4(veth221d22bb) entered disabled state
[Thu Mar 11 06:48:55 2021] device veth221d22bb entered promiscuous mode
[Thu Mar 11 06:48:55 2021] cni-podman1: port 4(veth221d22bb) entered blocking state
[Thu Mar 11 06:48:55 2021] cni-podman1: port 4(veth221d22bb) entered forwarding state
[Thu Mar 11 06:48:55 2021] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[Thu Mar 11 06:48:55 2021] cni-podman1: port 5(veth3883d7b5) entered blocking state
[Thu Mar 11 06:48:55 2021] cni-podman1: port 5(veth3883d7b5) entered disabled state
[Thu Mar 11 06:48:55 2021] device veth3883d7b5 entered promiscuous mode
[Thu Mar 11 06:48:55 2021] cni-podman1: port 5(veth3883d7b5) entered blocking state
[Thu Mar 11 06:48:55 2021] cni-podman1: port 5(veth3883d7b5) entered forwarding state
[Thu Mar 11 06:48:55 2021] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[Thu Mar 11 06:48:55 2021] cni-podman1: port 6(vethf105b98d) entered blocking state
[Thu Mar 11 06:48:55 2021] cni-podman1: port 6(vethf105b98d) entered disabled state
[Thu Mar 11 06:48:55 2021] device vethf105b98d entered promiscuous mode
[Thu Mar 11 06:48:55 2021] cni-podman1: port 6(vethf105b98d) entered blocking state
[Thu Mar 11 06:48:55 2021] cni-podman1: port 6(vethf105b98d) entered forwarding state
[Thu Mar 11 06:48:56 2021] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[Thu Mar 11 06:48:56 2021] cni-podman1: port 7(veth21d679e9) entered blocking state
[Thu Mar 11 06:48:56 2021] cni-podman1: port 7(veth21d679e9) entered disabled state
[Thu Mar 11 06:48:56 2021] device veth21d679e9 entered promiscuous mode
[Thu Mar 11 06:48:56 2021] cni-podman1: port 7(veth21d679e9) entered blocking state
[Thu Mar 11 06:48:56 2021] cni-podman1: port 7(veth21d679e9) entered forwarding state
[Thu Mar 11 06:48:56 2021] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[Thu Mar 11 06:48:56 2021] cni-podman1: port 8(vethfcc045bf) entered blocking state
[Thu Mar 11 06:48:56 2021] cni-podman1: port 8(vethfcc045bf) entered disabled state
[Thu Mar 11 06:48:56 2021] device vethfcc045bf entered promiscuous mode
[Thu Mar 11 06:48:56 2021] cni-podman1: port 8(vethfcc045bf) entered blocking state
[Thu Mar 11 06:48:56 2021] cni-podman1: port 8(vethfcc045bf) entered forwarding state
[Thu Mar 11 06:48:56 2021] cni-podman1: port 9(veth6faa2b99) entered blocking state
[Thu Mar 11 06:48:56 2021] cni-podman1: port 9(veth6faa2b99) entered disabled state
[Thu Mar 11 06:48:56 2021] device veth6faa2b99 entered promiscuous mode
[Thu Mar 11 06:48:56 2021] cni-podman1: port 9(veth6faa2b99) entered blocking state
[Thu Mar 11 06:48:56 2021] cni-podman1: port 9(veth6faa2b99) entered forwarding state
[Thu Mar 11 06:48:56 2021] cni-podman1: port 10(veth05858c2b) entered blocking state
[Thu Mar 11 06:48:56 2021] cni-podman1: port 10(veth05858c2b) entered disabled state
[Thu Mar 11 06:48:56 2021] device veth05858c2b entered promiscuous mode
[Thu Mar 11 06:48:56 2021] cni-podman1: port 10(veth05858c2b) entered blocking state
[Thu Mar 11 06:48:56 2021] cni-podman1: port 10(veth05858c2b) entered forwarding state
[Thu Mar 11 06:48:56 2021] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[Thu Mar 11 06:48:56 2021] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[Thu Mar 11 06:49:41 2021] cni-podman1: port 2(vethd5820398) entered disabled state
[Thu Mar 11 06:49:41 2021] device vethd5820398 left promiscuous mode
[Thu Mar 11 06:49:41 2021] cni-podman1: port 2(vethd5820398) entered disabled state
[Thu Mar 11 06:49:51 2021] cni-podman1: port 7(veth21d679e9) entered disabled state
[Thu Mar 11 06:49:51 2021] device veth21d679e9 left promiscuous mode
[Thu Mar 11 06:49:51 2021] cni-podman1: port 7(veth21d679e9) entered disabled state
[Thu Mar 11 06:49:51 2021] cni-podman1: port 5(veth3883d7b5) entered disabled state
[Thu Mar 11 06:49:51 2021] device veth3883d7b5 left promiscuous mode
[Thu Mar 11 06:49:51 2021] cni-podman1: port 5(veth3883d7b5) entered disabled state
[Thu Mar 11 06:49:51 2021] cni-podman1: port 6(vethf105b98d) entered disabled state
[Thu Mar 11 06:49:51 2021] device vethf105b98d left promiscuous mode
[Thu Mar 11 06:49:51 2021] cni-podman1: port 6(vethf105b98d) entered disabled state
[Thu Mar 11 06:49:51 2021] cni-podman1: port 10(veth05858c2b) entered disabled state
[Thu Mar 11 06:49:51 2021] device veth05858c2b left promiscuous mode
[Thu Mar 11 06:49:51 2021] cni-podman1: port 10(veth05858c2b) entered disabled state
[Thu Mar 11 06:49:52 2021] cni-podman1: port 4(veth221d22bb) entered disabled state
[Thu Mar 11 06:49:52 2021] device veth221d22bb left promiscuous mode
[Thu Mar 11 06:49:52 2021] cni-podman1: port 4(veth221d22bb) entered disabled state
[Thu Mar 11 06:50:01 2021] cni-podman1: port 9(veth6faa2b99) entered disabled state
[Thu Mar 11 06:50:01 2021] device veth6faa2b99 left promiscuous mode
[Thu Mar 11 06:50:01 2021] cni-podman1: port 9(veth6faa2b99) entered disabled state
[Thu Mar 11 06:50:02 2021] cni-podman1: port 8(vethfcc045bf) entered disabled state
[Thu Mar 11 06:50:02 2021] device vethfcc045bf left promiscuous mode
[Thu Mar 11 06:50:02 2021] cni-podman1: port 8(vethfcc045bf) entered disabled state
[Thu Mar 11 06:50:02 2021] cni-podman1: port 1(veth66db90c3) entered disabled state
[Thu Mar 11 06:50:02 2021] device veth66db90c3 left promiscuous mode
[Thu Mar 11 06:50:02 2021] cni-podman1: port 1(veth66db90c3) entered disabled state
[Thu Mar 11 06:50:12 2021] cni-podman1: port 3(veth1235a6b2) entered disabled state
[Thu Mar 11 06:50:12 2021] device veth1235a6b2 left promiscuous mode
[Thu Mar 11 06:50:12 2021] cni-podman1: port 3(veth1235a6b2) entered disabled state
# 

-------------------------------------------------------------------------------------
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:c5:7c:ab brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.2.10.20/24 brd 10.2.10.255 scope global noprefixroute ens3
       valid_lft forever preferred_lft forever
3: cni-podman1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 4a:09:13:76:c3:d2 brd ff:ff:ff:ff:ff:ff
    inet 10.2.21.1/24 brd 10.2.21.255 scope global cni-podman1
       valid_lft forever preferred_lft forever
94: veth66db90c3@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default 
    link/ether 96:9c:67:7d:32:17 brd ff:ff:ff:ff:ff:ff link-netns cni-ef3fde35-0b6c-a2fa-f0c6-28b037440c8b
95: vethd5820398@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default 
    link/ether a2:c6:e8:08:b0:be brd ff:ff:ff:ff:ff:ff link-netns cni-8a82c438-4ec0-b915-8468-fb7dc6701827
96: veth1235a6b2@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default 
    link/ether ce:e2:2c:2d:33:3c brd ff:ff:ff:ff:ff:ff link-netns cni-fa284e3a-847b-a6f1-4660-2da130ef074e
97: veth221d22bb@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default 
    link/ether a2:42:14:bd:cb:a3 brd ff:ff:ff:ff:ff:ff link-netns cni-68f83313-659c-80fd-395e-b2638ba6b424
98: veth3883d7b5@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default 
    link/ether 16:d3:6c:db:de:b9 brd ff:ff:ff:ff:ff:ff link-netns cni-96220dbe-b24a-b86f-0d3c-fde5a245ee35
99: vethf105b98d@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default 
    link/ether 72:44:cb:43:6d:16 brd ff:ff:ff:ff:ff:ff link-netns cni-c851a24a-fcd3-71ba-7caf-f287220a599a
100: veth21d679e9@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default 
    link/ether 3e:27:79:1a:d4:3c brd ff:ff:ff:ff:ff:ff link-netns cni-c0659123-8711-06fb-a810-4a6e60365c63
101: vethfcc045bf@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default 
    link/ether 12:2a:1d:43:ca:2f brd ff:ff:ff:ff:ff:ff link-netns cni-9f519b13-d996-ce8f-11e8-78f8ebf83730
102: veth6faa2b99@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default 
    link/ether ce:67:46:da:41:f3 brd ff:ff:ff:ff:ff:ff link-netns cni-fffa0899-a82a-c5e8-f8bc-2c80760bf0ce
103: veth05858c2b@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default 
    link/ether 8a:ef:7b:a0:5c:7e brd ff:ff:ff:ff:ff:ff link-netns cni-62b8cb8c-28e7-7c85-8e5d-103206a463ed
# 
```
The firewall:

```
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
CNI-FORWARD  all  --  anywhere             anywhere             /* CNI firewall plugin rules */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain CNI-ADMIN (1 references)
target     prot opt source               destination         

Chain CNI-FORWARD (1 references)
target     prot opt source               destination         
CNI-ADMIN  all  --  anywhere             anywhere             /* CNI firewall plugin admin overrides */
ACCEPT     all  --  anywhere             10.2.21.133          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             10.2.21.134          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.2.21.134          anywhere            
ACCEPT     all  --  10.2.21.133          anywhere            
ACCEPT     all  --  anywhere             10.2.21.135          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.2.21.135          anywhere            
ACCEPT     all  --  anywhere             10.2.21.132          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.2.21.132          anywhere            
ACCEPT     all  --  anywhere             10.2.21.136          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.2.21.136          anywhere            
ACCEPT     all  --  anywhere             10.2.21.137          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.2.21.137          anywhere            
ACCEPT     all  --  anywhere             10.2.21.138          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.2.21.138          anywhere            
ACCEPT     all  --  anywhere             10.2.21.139          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.2.21.139          anywhere            
ACCEPT     all  --  anywhere             10.2.21.140          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             10.2.21.141          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.2.21.140          anywhere            
ACCEPT     all  --  10.2.21.141          anywhere
```

So the system nftables firewall is ACCEPT ALL and the iptables firewall made by CNI is open.

Yet clamd cannot reach the network through DNS or HTTP. The only oddity I see is those CNI virtual NICs flapping up and down.

/kind bug
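An added consistency check over the networking fields of the two files in the report (example code, not from the issue, Podman or Mailu). mailu.env documents SUBNET as the subnet of the compose network, so the script compares it with the compose `subnet`, checks that any static `ipv4_address` lies inside that subnet, and flags `dns:` entries that point at a loopback address, which inside a container's own network namespace is the container itself rather than the resolver service. The two excerpts are constructed from the posted files and trimmed to the fields the check reads; the thread does not establish whether these findings explain the ClamAV failures.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed excerpts of the docker-compose.yml and mailu.env posted above,
# trimmed to the networking fields this check looks at.
COMPOSE = """\
services:
  resolver:
    image: mailu/unbound:1.7
    networks:
      default:
        ipv4_address: 127.0.0.1
  smtp:
    image: mailu/postfix:1.7
    dns:
      - 127.0.0.1
  antivirus:
    image: mailu/clamav:1.7
    dns:
      - 127.0.0.1
networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 10.2.21.0/24
"""
MAILU_ENV = "# Subnet of the docker network.\nSUBNET=10.2.20.0/24\nDOMAIN=mail.example.invalid\n"


def compose_network_facts(text: str) -> Tuple[List[str], Dict[str, str], Dict[str, List[str]]]:
    """Minimal line scanner (no PyYAML needed): subnets, ipv4_address per section, dns per service."""
    subnets: List[str] = []
    static: Dict[str, str] = {}
    dns: Dict[str, List[str]] = {}
    section = None  # the 2-space-indented key we are under (service or network name)
    in_dns = False
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        s = line.strip()
        item = s[2:].strip() if s.startswith("- ") else None  # list entry, if any
        if indent == 2 and s.endswith(":"):
            section, in_dns = s[:-1], False
        elif item is not None and item.startswith("subnet:"):
            subnets.append(item.split(":", 1)[1].strip())
        elif s.startswith("ipv4_address:"):
            static[section] = s.split(":", 1)[1].strip()
        elif s == "dns:":
            in_dns = True
        elif in_dns and item is not None:
            dns.setdefault(section, []).append(item)
        else:
            in_dns = False
    return subnets, static, dns


def check_network_config(compose_text: str, env_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the two files agree."""
    subnet_strs, static, dns = compose_network_facts(compose_text)
    env: Dict[str, str] = {}
    for line in env_text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    subnets = [ipaddress.ip_network(s) for s in subnet_strs]
    problems: List[str] = []
    if "SUBNET" in env and ipaddress.ip_network(env["SUBNET"]) not in subnets:
        problems.append(f"SUBNET={env['SUBNET']} in mailu.env does not match the compose subnet(s) {subnet_strs}")
    for svc, addr in static.items():
        if not any(ipaddress.ip_address(addr) in n for n in subnets):
            problems.append(f"{svc}: ipv4_address {addr} is outside the compose subnet(s) {subnet_strs}")
    for svc, servers in dns.items():
        for server in servers:
            # A loopback nameserver is looked up inside the container's own
            # network namespace, so the container queries itself, not the resolver.
            if ipaddress.ip_address(server).is_loopback:
                problems.append(f"{svc}: dns {server} is a loopback address, not the resolver service")
    return problems
```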

mheon commented 3 years ago

@baude Could this be Compose doing a repeated network connect / network disconnect? Do those make events that we can monitor with podman events?

mheon commented 3 years ago

@quantum77 Can you check podman events while the flapping is going on, for any events happening? Would help us know if this is Podman or the CNI network stack.
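While podman events is being requested above, the dmesg excerpt in the report already carries enough to measure the flapping. As an added example (not from the issue or the Podman project), this script parses the bridge-port state lines, ignores the normal blocking/disabled/blocking/forwarding sequence of a port being created, and reports each veth that was disabled within a threshold of entering forwarding state; the sample log is constructed from a subset of the lines in the report.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample modelled on the dmesg excerpt in the report: two veths
# come up and are torn down again within about a minute, one stays up.
SAMPLE_DMESG = """\
[Thu Mar 11 06:48:54 2021] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[Thu Mar 11 06:48:54 2021] cni-podman1: port 1(veth66db90c3) entered blocking state
[Thu Mar 11 06:48:54 2021] cni-podman1: port 1(veth66db90c3) entered disabled state
[Thu Mar 11 06:48:54 2021] device veth66db90c3 entered promiscuous mode
[Thu Mar 11 06:48:54 2021] cni-podman1: port 1(veth66db90c3) entered blocking state
[Thu Mar 11 06:48:54 2021] cni-podman1: port 1(veth66db90c3) entered forwarding state
[Thu Mar 11 06:48:54 2021] cni-podman1: port 2(vethd5820398) entered forwarding state
[Thu Mar 11 06:48:56 2021] cni-podman1: port 3(veth1235a6b2) entered forwarding state
[Thu Mar 11 06:49:41 2021] cni-podman1: port 2(vethd5820398) entered disabled state
[Thu Mar 11 06:49:41 2021] device vethd5820398 left promiscuous mode
[Thu Mar 11 06:50:02 2021] cni-podman1: port 1(veth66db90c3) entered disabled state
[Thu Mar 11 06:50:02 2021] device veth66db90c3 left promiscuous mode
"""

# Matches only the bridge-port state transitions, e.g.
# "[Thu Mar 11 06:48:54 2021] cni-podman1: port 1(veth66db90c3) entered forwarding state"
PORT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<bridge>[\w-]+): port \d+\((?P<veth>veth\w+)\) "
    r"entered (?P<state>\w+) state$"
)


def parse_port_events(text: str) -> List[Tuple[datetime, str, str, str]]:
    """(timestamp, bridge, veth, state) for every bridge-port state line, in log order."""
    events = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue  # IPv6 and promiscuous-mode lines carry no port state
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m["bridge"], m["veth"], m["state"]))
    return events


def analyse_bridge_ports(text: str, max_uptime_s: float = 120.0) -> Dict[str, object]:
    """Veths that went down within max_uptime_s of forwarding (with their uptime), and those still up."""
    up_since: Dict[str, datetime] = {}
    uptimes: Dict[str, List[float]] = {}
    for ts, _bridge, veth, state in parse_port_events(text):
        if state == "forwarding":
            up_since[veth] = ts
        elif state == "disabled" and veth in up_since:
            # A 'disabled' before the first 'forwarding' is normal port setup
            # (blocking -> disabled -> blocking -> forwarding); only a 'disabled'
            # after 'forwarding' means the container's link really went down.
            uptimes.setdefault(veth, []).append((ts - up_since.pop(veth)).total_seconds())
    flapping = {v: min(u) for v, u in uptimes.items() if min(u) <= max_uptime_s}
    return {"flapping": flapping, "still_up": sorted(up_since)}


if __name__ == "__main__":
    report = analyse_bridge_ports(SAMPLE_DMESG)
    for veth, secs in sorted(report["flapping"].items(), key=lambda kv: kv[1]):
        print(f"{veth}: disabled {secs:.0f}s after entering forwarding state")
    print("still up:", ", ".join(report["still_up"]))
```

Run it against `dmesg -T` output from the affected host to see whether the containers' links are being torn down on a schedule that matches the compose restarts.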

quantum77 commented 3 years ago

Would that I could. Any podman command just hangs.

```
~/mailu# docker-compose up -d
Starting mailu_front_1     ... done
Starting mailu_webdav_1    ... done
Starting mailu_redis_1     ... done
Starting mailu_resolver_1  ... done
Starting mailu_antivirus_1 ... done
Starting mailu_fetchmail_1 ... done
Starting mailu_admin_1     ... done
Starting mailu_smtp_1      ... done
Starting mailu_antispam_1  ... done
Starting mailu_imap_1      ... done
~/mailu# podman pod ls

```

vrothberg commented 3 years ago

Closing as requested in another issue.