greenpau / cni-plugins

CNI Plugins compatible with nftables
Apache License 2.0
48 stars, 13 forks

Support for RHEL 8.7? #21

Closed 7underlines closed 1 year ago

7underlines commented 1 year ago

I'm unable to get this working in RHEL 8.7. Is it even possible? I followed the instructions from https://github.com/greenpau/cni-plugins#getting-started (instead of go get I had to run go install). I cannot see that the cni-plugin gets loaded. The directory /usr/local/lib/cni/ didn't exist for me, so I created it as root.

podman network inspect podman
WARN[0000] Failed to unmount check directory /home/4conf/.local/share/containers/storage/overlay/opaque-bug-check19536174/merged: device or resource busy 
WARN[0000] Failed to remove check directory /home/4conf/.local/share/containers/storage/overlay/opaque-bug-check19536174: unlinkat /home/4conf/.local/share/containers/storage/overlay/opaque-bug-check19536174: directory not empty 
[
     {
          "name": "podman",
          "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9",
          "driver": "bridge",
          "network_interface": "cni-podman0",
          "created": "2023-02-20T09:19:22.809445058Z",
          "subnets": [
               {
                    "subnet": "10.88.0.0/16",
                    "gateway": "10.88.0.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": false,
          "ipam_options": {
               "driver": "host-local"
          }
     }
]

podman network ls
NETWORK ID    NAME        DRIVER
2f259bab93aa  podman      bridge

Containers with network always fail to start with this error:

WARN[0000] Failed to load cached network config: network 4conform-enterprise-deployment-tools_4conform-frontend not found in CNI cache, falling back to loading network 4conform-enterprise-deployment-tools_4conform-frontend from disk 
Error: unable to start container 54e78abb4cb4e6e0f877caf13635b01bc4b27b61c16b4ff35ca6a0e86e986fb6: plugin type="firewall" failed (add): cni plugin firewall failed: failed to list iptables chains: running [/sbin/iptables -t filter -S --wait]: exit status 1: iptables v1.8.4 (nf_tables): table `filter' is incompatible, use 'nft' tool.

Related: https://github.com/containers/podman/issues/5569

greenpau commented 1 year ago

Error: unable to start container 54e78abb4cb4e6e0f877caf13635b01bc4b27b61c16b4ff35ca6a0e86e986fb6: plugin type="firewall"

@thomaspeissl, I don't think you are using this plugin.

ctrlaltdel121 commented 1 year ago

I'm having a similar issue in a slightly different context. On an EL 8.7 machine, iptables -L runs successfully, until this plugin is used once. Subsequent calls to iptables -L return iptables v1.8.4 (nf_tables): table 'filter' is incompatible, use 'nft' tool. So I assume these plugins are altering the default tables such that you can't read them with the legacy iptables command anymore.

This unfortunately interferes with the CNI bridge plugin with ipmasq: true which reads/alters the nat table using legacy iptables command.

I found this issue: https://github.com/containernetworking/plugins/issues/461 which led to the creation of these nftables plugins for firewall and portmap. Did you ever solve the issue with the bridge plugin needing legacy iptables, or did you work around it somehow?
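Added illustration, not from any participant in this thread or from the project's documentation: a Podman-style CNI conflist in which the pieces the comment above identifies as driven by legacy iptables (the stock firewall and portmap plugins, and the bridge plugin's masquerade rules) are taken out, so that nothing in the chain calls the iptables binary against a table the nftables plugins have already written to. The subnet and bridge name come from the podman network inspect output earlier in this issue; the plugin type names cni-nftables-portmap and cni-nftables-firewall are assumed from this repository's naming and must be checked against the binaries actually present in your CNI plugin directory.

```json
{
  "cniVersion": "0.4.0",
  "name": "podman",
  "plugins": [
    {
      "type": "bridge",
      "bridge": "cni-podman0",
      "isGateway": true,
      "ipMasq": false,
      "hairpinMode": true,
      "ipam": {
        "type": "host-local",
        "ranges": [[{ "subnet": "10.88.0.0/16", "gateway": "10.88.0.1" }]],
        "routes": [{ "dst": "0.0.0.0/0" }]
      }
    },
    {
      "type": "cni-nftables-portmap",
      "capabilities": { "portMappings": true }
    },
    {
      "type": "cni-nftables-firewall"
    }
  ]
}
```

With ipMasq set to false the bridge plugin installs no source NAT for 10.88.0.0/16, so outbound container traffic only works if masquerading for that range is provided by something else on the host, and the change is worth verifying with nft list ruleset rather than the iptables command that the error message says can no longer read the table.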

7underlines commented 1 year ago

@ctrlaltdel121 Unfortunately, my only workaround that worked was switching to Docker.