nestybox / sysbox

An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
Apache License 2.0
2.83k stars 159 forks

Impossible to run container with macvlan network due to invalid dnsSwitch config #834

Closed domysh closed 2 months ago

domysh commented 2 months ago

I'm using sysbox to simulate some VMs, but I can't start this container with sysbox using this configuration (this is only a small part of the configuration, to test the bug):

services:
    team0:
        build: .
        runtime: sysbox-runc
        networks:
            vm-team0:
                ipv4_address: 10.60.0.1
networks:
    vm-team0:
        internal: true
        driver: macvlan
        ipam:
            driver: default
            config:
                - subnet: 10.60.0.0/24
                  gateway: 10.60.0.254

and this Dockerfile

FROM cruizba/ubuntu-dind:latest

RUN apt-get update

RUN apt-get install -y \
    iproute2 vim nano tcpdump iputils-ping \
    python3-pip python3-venv screen netcat-openbsd btop htop neovim \
    nano curl git wget unzip zip traceroute net-tools

# SSH
RUN apt-get install -y openssh-server
RUN mkdir /var/run/sshd
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
EXPOSE 22

CMD ["/usr/bin/tail", "-f", "/dev/null"]

I'm running sysbox on arm; when I try to start the container I get this error:

Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: container_linux.go:439: starting container process caused: process_linux.go:608: container init caused: process_linux.go:579: handleReqOp caused: rootfs_init_linux.go:427: Docker DNS switch from 127.0.0.11 to  caused: failed to start [/usr/sbin/iptables-restore --wait 30 --wait-interval 100000]: exit status 2: unknown

Reading the source code and this error, I think the problem is that sysbox receives an empty newDns, so a wrong iptables configuration is generated and that is why iptables-restore crashes.
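
An added illustration of the failure mode described above, written here for this thread and not taken from sysbox's own code: a hypothetical `dnsSwitchRules` builds the iptables-restore input that redirects queries from the Docker DNS (127.0.0.11) to the network's real DNS server, and rejects an empty or malformed `newDNS` up front instead of emitting a rule iptables-restore cannot parse. The rule layout and the sample address 10.60.0.254 are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// dockerDNS is the embedded Docker DNS address seen in the error message.
const dockerDNS = "127.0.0.11"

// dnsSwitchRules returns iptables-restore input that DNATs DNS traffic aimed
// at oldDNS to newDNS. It is a stand-in for the "Docker DNS switch" step, not
// sysbox's implementation. With an empty newDNS (as on an internal macvlan
// network without a DNS server) the rule would read "--to-destination :53",
// which iptables-restore rejects; validating first turns that into a clear error.
func dnsSwitchRules(oldDNS, newDNS string) (string, error) {
	if strings.TrimSpace(newDNS) == "" {
		return "", errors.New("dns switch: new DNS address is empty (network may provide no DNS server)")
	}
	if ip := net.ParseIP(newDNS); ip == nil || ip.To4() == nil {
		return "", fmt.Errorf("dns switch: %q is not a valid IPv4 address", newDNS)
	}
	if net.ParseIP(oldDNS) == nil {
		return "", fmt.Errorf("dns switch: %q is not a valid IP address", oldDNS)
	}
	var b strings.Builder
	b.WriteString("*nat\n")
	for _, proto := range []string{"udp", "tcp"} {
		fmt.Fprintf(&b, "-A OUTPUT -d %s/32 -p %s --dport 53 -j DNAT --to-destination %s:53\n",
			oldDNS, proto, newDNS)
	}
	b.WriteString("COMMIT\n")
	return b.String(), nil
}

func main() {
	// Empty newDNS, as in the reported error: rejected before iptables-restore runs.
	if _, err := dnsSwitchRules(dockerDNS, ""); err != nil {
		fmt.Println("rejected:", err)
	}
	// Constructed valid case: a DNS server reachable on the macvlan subnet.
	rules, _ := dnsSwitchRules(dockerDNS, "10.60.0.254")
	fmt.Print(rules)
}
```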

domysh commented 2 months ago

I found a fix, see my pull request on https://github.com/nestybox/sysbox-runc/pull/99

rodnymolina commented 2 months ago

@domysh, your fix looks good. Thanks!

rodnymolina commented 2 months ago

Fixed as part of nestybox/sysbox-runc. Closing issue now.