Kind fails creating cluster with Podman using XMARK in ip6 table

[metal3d]

What happened: I only use Podman. I start a simple cluster with kind create cluster.

An error appears:

enabling experimental podman provider
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.31.0) 🖼
 ✗ Preparing nodes 📦
Deleted nodes: ["kind-control-plane"]
ERROR: failed to create cluster: command "podman run --name kind-control-plane --hostname kind-control-plane --label io.x-k8s.kind.role=control-plane --privileged --tmpfs /tmp --tmpfs /run --volume 167b013be7b74a504e45d7ad025350067d03e299806121e21af4e072b5d1f51c:/var:suid,exec,dev --volume /lib/modules:/lib/modules:ro -e KIND_EXPERIMENTAL_CONTAINERD_SNAPSHOTTER --detach --tty --net kind --label io.x-k8s.kind.cluster=kind -e container=podman --cgroupns=private --volume /dev/mapper:/dev/mapper --device /dev/fuse --publish=127.0.0.1:33667:6443/tcp -e KUBECONFIG=/etc/kubernetes/admin.conf docker.io/kindest/node@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865" failed with error: exit status 126
Command Output: Error: netavark: unable to append rule '-j MARK  --set-xmark 0x2000/0x2000' to table 'nat': code: 2, msg: Warning: Extension MARK revision 0 not supported, missing kernel module?
ip6tables v1.8.10 (nf_tables): unknown option "--set-xmark"
Try `ip6tables -h' or 'ip6tables --help' for more information.

What you expected to happen:

The cluster should be up without any error 😄

How to reproduce it (as minimally and precisely as possible):

Using Fedora 40, podman 5.2.3, the error is present.

Anything else we need to know?:

Yes, there is workaround: create the "kind" network myself:

kind delete cluster
# drop the network created by "kind"
podman network rm kind

# create the network
podman network create kind

# and start the cluster
kind create cluster

And then, the cluster starts without any error, and without any problem.

Environment:

• kind version: (use kind version): kind v0.24.0 go1.22.6 linux/amd64
• Runtime info: (use docker info, podman info or nerdctl info):

  host:
  arch: amd64
  buildahVersion: 1.37.3
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
  package: conmon-2.1.12-2.fc40.x86_64
  path: /usr/bin/conmon
  version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
  idlePercent: 92.39
  systemPercent: 3.62
  userPercent: 3.99
  cpus: 12
  databaseBackend: boltdb
  distribution:
  distribution: fedora
  variant: workstation
  version: "40"
  eventLogger: journald
  freeLocks: 1955
  hostname: patrice-laptop-home
  idMappings:
  gidmap:
  - container_id: 0
    host_id: 1000
    size: 1
  - container_id: 1
    host_id: 100000
    size: 65536
  uidmap:
  - container_id: 0
    host_id: 1000
    size: 1
  - container_id: 1
    host_id: 100000
    size: 65536
  kernel: 6.11.4-201.fc40.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 13850968064
  memTotal: 29261127680
  networkBackend: netavark
  networkBackendInfo:
  backend: netavark
  dns:
    package: aardvark-dns-1.12.2-2.fc40.x86_64
    path: /usr/libexec/podman/aardvark-dns
    version: aardvark-dns 1.12.2
  package: netavark-1.12.2-1.fc40.x86_64
  path: /usr/libexec/podman/netavark
  version: netavark 1.12.2
  ociRuntime:
  name: crun
  package: crun-1.17-1.fc40.x86_64
  path: /usr/bin/crun
  version: |-
    crun version 1.17
    commit: 000fa0d4eeed8938301f3bcf8206405315bc1017
    rundir: /run/user/1000/crun
    spec: 1.0.0
    +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
  executable: /usr/bin/pasta
  package: passt-0^20240906.g6b38f07-1.fc40.x86_64
  version: |
    pasta 0^20240906.g6b38f07-1.fc40.x86_64
    Copyright Red Hat
    GNU General Public License, version 2 or later
      <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
  exists: true
  path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
  apparmorEnabled: false
  capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
  rootless: true
  seccompEnabled: true
  seccompProfilePath: /usr/share/containers/seccomp.json
  selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
  executable: ""
  package: ""
  version: ""
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 0h 6m 16.00s
  variant: ""
  plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
  registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  store:
  configFile: /home/metal3d/.config/containers/storage.conf
  containerStore:
  number: 0
  paused: 0
  running: 0
  stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/metal3d/.local/share/containers/storage
  graphRootAllocated: 510405902336
  graphRootUsed: 430875996160
  graphStatus:
  Backing Filesystem: btrfs
  Native Overlay Diff: "true"
  Supports d_type: "true"
  Supports shifting: "false"
  Supports volatile: "true"
  Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
  number: 228
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/metal3d/.local/share/containers/storage/volumes
  version:
  APIVersion: 5.2.3
  Built: 1727136000
  BuiltTime: Tue Sep 24 02:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.7
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.3

• OS (e.g. from /etc/os-release): Fedora Linux 40 Workstation Edition
• Kubernetes version: (use kubectl version): v1.30.6
• Any proxies or other special environment settings?: no

[aojea]

Error: netavark: unable to append rule '-j MARK --set-xmark 0x2000/0x2000' to table 'nat': code: 2, msg: Warning: Extension MARK revision 0 not supported, missing kernel module? ip6tables v1.8.10 (nf_tables): unknown option "--set-xmark"

you need that kernel module loaded to avoid this problem ... is a problem of the podman implementation of networks and your particular OS configuration, nothing kind can do I'm afraid

Try to load the corresponding module

sudo modprobe xt_mark

[metal3d]

Yes, but this module is not present in Fedora, however, recent kernel and generally Fedora is up to date...

[metal3d]

Ho... wait... actually the "modprobe" completion doesn't show it, but I can load it... let me make some tests

[metal3d]

No, doesn't work:

$ lsmod | grep xt_mark
xt_mark                12288  0

$ kind delete cluster
enabling experimental podman provider
Deleting cluster "kind" ...

$ podman network rm kind
kind

$ kind create cluster
enabling experimental podman provider
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.31.0) 🖼
 ✗ Preparing nodes 📦
Deleted nodes: ["kind-control-plane"]
ERROR: failed to create cluster: command "podman run --name kind-control-plane --hostname kind-control-plane --label io.x-k8s.kind.role=control-plane --privileged --tmpfs /tmp --tmpfs /run --volume b8218fbeb32376fcea0e90df379c12b53260ead2bd182fad649e122d57b967f3:/var:suid,exec,dev --volume /lib/modules:/lib/modules:ro -e KIND_EXPERIMENTAL_CONTAINERD_SNAPSHOTTER --detach --tty --net kind --label io.x-k8s.kind.cluster=kind -e container=podman --cgroupns=private --volume /dev/mapper:/dev/mapper --device /dev/fuse --publish=127.0.0.1:39289:6443/tcp -e KUBECONFIG=/etc/kubernetes/admin.conf docker.io/kindest/node@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865" failed with error: exit status 126
Command Output: Error: netavark: unable to append rule '-j MARK  --set-xmark 0x2000/0x2000' to table 'nat': code: 2, msg: Warning: Extension MARK revision 0 not supported, missing kernel module?
ip6tables v1.8.10 (nf_tables): unknown option "--set-xmark"
Try `ip6tables -h' or 'ip6tables --help' for more information.

[metal3d]

Jus in case of, here is the network created by "kind" command:

[
     {
          "name": "kind",
          "id": "0a5e5508fc0854972d8389af663c33ec25a8eb891c52152b33a8f733be298440",
          "driver": "bridge",
          "network_interface": "podman5",
          "created": "2024-10-25T10:30:31.43505612+02:00",
          "subnets": [
               {
                    "subnet": "fc00:f853:ccd:e793::/64",
                    "gateway": "fc00:f853:ccd:e793::1"
               },
               {
                    "subnet": "10.89.4.0/24",
                    "gateway": "10.89.4.1"
               }
          ],
          "ipv6_enabled": true,
          "internal": false,
          "dns_enabled": true,
          "ipam_options": {
               "driver": "host-local"
          },
          "containers": {}
     }
]

And the one created manyally:

[
     {
          "name": "kind",
          "id": "a7f61d4f9239270fcd5e59e15911333fd77f8b0a8b1f17e1499dc6c0f6708aaa",
          "driver": "bridge",
          "network_interface": "podman5",
          "created": "2024-10-25T10:35:29.751360901+02:00",
          "subnets": [
               {
                    "subnet": "10.89.4.0/24",
                    "gateway": "10.89.4.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": true,
          "ipam_options": {
               "driver": "host-local"
          },
          "containers": {}
     }
]

It means that the problem resides with ipv6 only I guess.

[metal3d]

OK, if I create the network with --ipv6, kind fails to start the cluster.

So, the problem is the MARK option on ip6tables.

[aojea]

OK, if I create the network with --ipv6, kind fails to start the cluster.

So, the problem is the MARK option on ip6tables.

can you report this to podman maintainers?

it seems they have this dependency on netavark, that is IIRC how podman implements the containers networks

Command Output: Error: netavark: unable to append rule '-j MARK --set-xmark 0x2000/0x2000' to table 'nat': code: 2, msg: Warning: Extension MARK revision 0 not supported, missing kernel module? ip6tables v1.8.10 (nf_tables): unknown option "--set-xmark"

[metal3d]

Actually it seems that Fedora has no "xt_CONNMARK" module (this is where the --set-xmark option is managed, looking inside the source here: https://www.netfilter.org/pub/iptables/iptables-1.4.1-rc2/extensions/libxt_CONNMARK.c).

I will check if it's not to Fedora project I need to report this. For now, creating the network without ipv6 is the workaround that make it working.

[aojea]

Thanks for the investigation and explanation

[metal3d]

Issue filled in Fedora BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2321716

Thanks for your help on investigation :)

[metal3d]

That was reported a few times before actually: https://bugzilla.redhat.com/show_bug.cgi?id=2321325

Bug will be resolved in a while

[grooverdan]

https://bugzilla.redhat.com/show_bug.cgi?id=2321325#c12 this work around worked for me on f40.