Creating network with CNI DHCP only outputs 'No route to host" #14352

Closed
peterlobster opened this issue May 25, 2022 · 33 comments

peterlobster commented May 25, 2022

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

I've been following the steps on here to create a macvlan setup, but they don't work.

After creating the container with $ sudo podman run -dt --name webserver --network webnetwork quay.io/libpod/banner and verifying the IP with sudo podman exec webserver ip address show eth0, I get curl: (7) Failed to connect to 192.168.8.119 port 80 after 3068 ms: No route to host

Describe the results you received:

$  sudo podman network inspect home
[
     {
          "name": "webnetwork",
          "id": "4ea140588150773ce3aace786aeef7f4049ce100fa649c94fbbddb960f1da942",
          "driver": "macvlan",
          "network_interface": "eno1",
          "created": "2022-05-24T18:31:27.889228163-07:00",
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": false,
          "ipam_options": {
               "driver": "dhcp"
          }
     }
]

$  sudo podman run -dt --name webserver --network webnetwork quay.io/libpod/banner
Trying to pull quay.io/libpod/banner:latest...
Getting image source signatures
Copying blob e3ecd43a8bc5 done  
Copying blob a0d0a0d46f8b done  
Copying blob c6f282ad3b41 done  
Copying blob db9deeff4a88 done  
Copying config 4d50a7b41a done  
Writing manifest to image destination
Storing signatures
5b488c0d3cf0593ec2181f3c924aa8a88f5f7508afd225a1b4cecf2568e4d86e
$  sudo podman exec webserver ip address show eth0
3: eth0@sit0: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether 5e:b3:d8:4f:74:48 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.114/24 brd 192.168.8.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5cb3:d8ff:fe4f:7448/64 scope link 
       valid_lft forever preferred_lft forever
$  curl 192.168.8.114
curl: (7) Failed to connect to 192.168.8.114 port 80 after 3068 ms: No route to host

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

podman version 4.0.3

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.24.3
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: app-containers/conmon-2.0.30
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.30, commit: v2.0.30'
  cpus: 12
  distribution:
    distribution: gentoo
    version: unknown
  eventLogger: journald
  hostname: n7
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 100
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.15.41-gentoo
  linkmode: dynamic
  logDriver: journald
  memFree: 22269218816
  memTotal: 33540599808
  networkBackend: cni
  ociRuntime:
    name: crun
    package: app-containers/crun-1.4.4
    path: /usr/bin/crun
    version: |-
      crun version 1.4.4
      commit: 6521fcc5806f20f6187eb933f9f45130c86da230
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: app-containers/slirp4netns-1.2.0
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 66035118080
  swapTotal: 66035118080
  uptime: 3h 22m 25.86s (Approximately 0.12 days)
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  localhost:5000:
    Blocked: false
    Insecure: true
    Location: localhost:5000
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: localhost:5000
  search:
  - docker.io
  - quay.io
  - registry.fedoraproject.org
store:
  configFile: /home/peter/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/peter/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: f2fs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  volumePath: /home/peter/.local/share/containers/storage/volumes
version:
  APIVersion: 4.0.3
  Built: 1653175366
  BuiltTime: Sat May 21 16:22:46 2022
  GitCommit: 62534053086fdeba7b93117e7c4dc6e797835a3e
  GoVersion: go1.18.2
  OsArch: linux/amd64
  Version: 4.0.3

Package info (e.g. output of rpm -q podman or apt list podman):


These are the packages that would be merged, in order:

Calculating dependencies  ... done!
[ebuild   R    ] app-containers/podman-4.0.3::gentoo  USE="btrfs fuse init rootless -apparmor -cgroup-hybrid (-selinux)" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

No

peterlobster (Author):

Also, FWIW I have no firewall active.

Luap99 (Member) commented May 25, 2022

Please provide the output of ip addr and ip route on the host.

peterlobster (Author):

@Luap99 Sure. Here it is...

$  ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 94:c6:91:30:b3:92 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 192.168.8.8/24 brd 192.168.8.255 scope global dynamic noprefixroute eno1
       valid_lft 604499sec preferred_lft 604499sec
    inet6 fe80::ea0e:edd6:cd3a:250a/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether ac:bc:32:be:c4:2d brd ff:ff:ff:ff:ff:ff
$  ip route
default via 192.168.8.1 dev eno1 proto dhcp metric 100 
192.168.8.0/24 dev eno1 proto kernel scope link src 192.168.8.8 metric 100 

Luap99 (Member) commented May 25, 2022

Weird. Have you tried a different image, or checked whether you can connect from the container to the outside?

mheon (Member) commented May 25, 2022

Did you start the CNI DHCP forwarder daemon? sudo /usr/libexec/cni/dhcp daemon?

peterlobster (Author) commented May 25, 2022

@Luap99 I have, and I cannot.

@mheon I have. (I have the .socket activated that calls the .service)

$  sudo systemctl status cni-dhcp.service 
● cni-dhcp.service - CNI DHCP service
     Loaded: loaded (/lib/systemd/system/cni-dhcp.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-05-24 17:19:16 PDT; 13h ago
TriggeredBy: ● cni-dhcp.socket
       Docs: https://github.com/containernetworking/plugins/tree/master/plugins/ipam/dhcp
   Main PID: 38658 (dhcp)
      Tasks: 8 (limit: 38356)
     Memory: 2.8M
        CPU: 22ms
     CGroup: /system.slice/cni-dhcp.service
             └─38658 /opt/cni/bin/dhcp daemon

May 24 18:04:44 n7 dhcp[38658]: 2022/05/24 18:04:44 Link "eth0" down. Attempting to set up
May 24 18:04:44 n7 dhcp[38658]: 2022/05/24 18:04:44 network is down
May 24 18:04:44 n7 dhcp[38658]: 2022/05/24 18:04:44 retrying in 1.313039 seconds
May 24 18:04:49 n7 dhcp[38658]: 2022/05/24 18:04:49 c2c35edcf7f9d91f09475d930d7af5f8aab828cffb164fb39c71539c9cdec762/home/eth>
May 24 18:11:08 n7 dhcp[38658]: 2022/05/24 18:11:08 c2c35edcf7f9d91f09475d930d7af5f8aab828cffb164fb39c71539c9cdec762/home/eth>
May 24 18:33:12 n7 dhcp[38658]: 2022/05/24 18:33:12 5b488c0d3cf0593ec2181f3c924aa8a88f5f7508afd225a1b4cecf2568e4d86e/home/eth>
May 24 18:33:12 n7 dhcp[38658]: 2022/05/24 18:33:12 Link "eth0" down. Attempting to set up
May 24 18:33:12 n7 dhcp[38658]: 2022/05/24 18:33:12 network is down
May 24 18:33:12 n7 dhcp[38658]: 2022/05/24 18:33:12 retrying in 1.193939 seconds
May 24 18:33:16 n7 dhcp[38658]: 2022/05/24 18:33:16 5b488c0d3cf0593ec2181f3c924aa8a88f5f7508afd225a1b4cecf2568e4d86e/home/eth>

FWIW I noticed that the Gentoo packages didn't deploy the systemd files (for the cni-plugins). It also doesn't deploy the default 87-podman-bridge.conflist in /etc/cni/net.d/; however, the default podman network (via bridge) does still get created, but there's not much you can do about modifying it or anything the way it's described in the documentation. I don't know if all of this is related.

That said, not a lot of people (that I know of) use containers on Gentoo, so perhaps the Gentoo ebuild is borked? I dunno. I was working with @ran-dall, who seems to be doing a lot of the work on the app-container packages. He's the one that updated the Gentoo packages with the systemd files, and also updated the cni-plugins that were still at 0.9.1 to 1.1.1.

Luap99 (Member) commented May 25, 2022

One thing which looks odd is the sit0 interface. What is that?
It looks like the container interface is connected to that (eth0@sit0), but your network config correctly says eno1.

peterlobster (Author) commented May 25, 2022

@Luap99 Good question. I needed clarification as well.

sit stands for simple internet transition. sit0 is the Linux name for 6to4. 6to4 is a tunneling protocol for using IPv6 over an existing IPv4 connection.

FMU, from the Gentoo folks, it automatically gets created and added when you enable IPv6 in the kernel. I'm told I shouldn't worry about it; as it really shouldn't affect anything.

peterlobster (Author):

@Luap99 Maybe should I try $ sudo podman network create -d macvlan -o parent=sit0 webnetwork instead of $ sudo podman network create -d macvlan -o parent=eno1 webnetwork?

Luap99 (Member) commented May 25, 2022

I have no idea, sit is definitely new to me. As far as I can tell ipv6 works just fine without that, not sure why someone would want to tunnel ipv6 traffic via ipv4. I think eno1 is correct since you would want the external interface.

Could you try to delete the sit interface (ip link del sit) and restart the podman container?

peterlobster (Author) commented May 25, 2022

@Luap99 It doesn't want to delete... (I can't delete it because it's a built-in module. Also, I've been told I could disable it in the kernel or make it a module, but removing it will require disabling IPv6 entirely, not just the sit interface.)

$  sudo ip link del sit0
 
$  ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 94:c6:91:30:b3:92 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 192.168.8.8/24 brd 192.168.8.255 scope global dynamic noprefixroute eno1
       valid_lft 602478sec preferred_lft 602478sec
    inet6 fe80::ea0e:edd6:cd3a:250a/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
6: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether ac:bc:32:be:c4:2d brd ff:ff:ff:ff:ff:ff

Also, FWIW, $ sudo podman network create -d macvlan -o parent=sit0 webnetwork doesn't work...

$  sudo podman network create -d macvlan -o parent=sit0 webnetwork
webnetwork
 
 $  sudo podman run -dt --name webserver --network webnetwork quay.io/libpod/banner
Trying to pull quay.io/libpod/banner:latest...
Getting image source signatures
Copying blob c6f282ad3b41 done  
Copying blob a0d0a0d46f8b done  
Copying blob db9deeff4a88 done  
Copying blob e3ecd43a8bc5 done  
Copying config 4d50a7b41a done  
Writing manifest to image destination
Storing signatures
WARN[0002] Failed to load cached network config: network webnetwork not found in CNI cache, falling back to loading network webnetwork from disk 
Error: plugin type="macvlan" failed (add): cni plugin macvlan failed: failed to create macvlan: invalid argument

Luap99 (Member) commented May 25, 2022

Looks like the kernel cannot create macvlan devices with sit0; since this is not an actual device, I think this is expected.

Could you try to set promisc mode on your eno1 interface?
ip link set eno1 promisc on

peterlobster (Author):

@Luap99 Yup.

$  sudo ip link set eno1 promisc on

$  ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 94:c6:91:30:b3:92 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 192.168.8.8/24 brd 192.168.8.255 scope global dynamic noprefixroute eno1
       valid_lft 600772sec preferred_lft 600772sec
    inet6 fe80::ea0e:edd6:cd3a:250a/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
6: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether ac:bc:32:be:c4:2d brd ff:ff:ff:ff:ff:ff

$  sudo podman container restart webserver 
b094bb9c101a5926c4e81bc6100245b40478b4b88f12c644f20f07bfb41376c1

$  sudo podman exec webserver ip address show eth0
3: eth0@sit0: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether 66:9e:ae:f2:10:3e brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.114/24 brd 192.168.8.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::649e:aeff:fef2:103e/64 scope link 
       valid_lft forever preferred_lft forever
 
$  curl http://192.168.8.114
curl: (7) Failed to connect to 192.168.8.114 port 80 after 3100 ms: No route to host

ran-dall:

@peterlobster You can safely turn sit into a module on this system. It should get rid of it for you guys if it's truly not needed (which I think it isn't). IPV6_SIT=m

peterlobster (Author) commented May 25, 2022

@ran-dall Yup.

$  ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 94:c6:91:30:b3:92 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 192.168.8.8/24 brd 192.168.8.255 scope global dynamic noprefixroute eno1
       valid_lft 603689sec preferred_lft 603689sec
    inet6 fe80::ea0e:edd6:cd3a:250a/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether ac:bc:32:be:c4:2d brd ff:ff:ff:ff:ff:ff

@Luap99 Trying again, from the top (still with promisc on).

$  sudo podman network create -d macvlan -o parent=eno1 webnetwork
webnetwork

$  sudo podman run -dt --name webserver --network webnetwork quay.io/libpod/banner
Trying to pull quay.io/libpod/banner:latest...
Getting image source signatures
Copying blob a0d0a0d46f8b done  
Copying blob e3ecd43a8bc5 done  
Copying blob db9deeff4a88 done  
Copying blob c6f282ad3b41 done  
Copying config 4d50a7b41a done  
Writing manifest to image destination
Storing signatures
d93d29cf1dc249a969cedac27d6208a031ed4460dc5aaf05322d20bf4f283a52

$  sudo podman exec webserver ip address show eth0
2: eth0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 86:40:24:72:e2:50 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.115/24 brd 192.168.8.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::8440:24ff:fe72:e250/64 scope link 
       valid_lft forever preferred_lft forever

$  curl http://192.168.8.115
curl: (7) Failed to connect to 192.168.8.115 port 80 after 3109 ms: No route to host
$ ip route 
default via 192.168.8.1 dev eno1 proto dhcp metric 100 
192.168.8.0/24 dev eno1 proto kernel scope link src 192.168.8.8 metric 100 

Also, I don't know if this matters, but I am using NetworkManager and dnsmasq.

rhatdan (Member) commented Jun 27, 2022

@Luap99 @ran-dall @peterlobster What is happening with this one?

ran-dall:

@rhatdan I dunno, it still doesn't work on my side.

rhatdan (Member) commented Jul 29, 2022

@baude @Luap99 @flouthoc @mheon Is the plan to implement this in Netavark/Aardvark?

rhatdan (Member) commented Aug 29, 2022

@baude @Luap99 @flouthoc @mheon Is the plan to implement this in Netavark/Aardvark?

rhatdan (Member) commented Sep 30, 2022

I believe @baude is implementing this in netavark-dhcp.

daiaji commented Dec 13, 2022

The reproduction stage --ipam-driver=dhcp is really important.

steven-ellis commented May 14, 2023

I'm seeing similar issues on RHEL8 and RHEL9 based podman environments if they're running as KVM virtual machines using the macvtap driver.

The KVM hypervisor doesn't have a bridge device, so I'm using the macvtap-net virtio driver to connect the VM to the network.

Containers started in host network mode work correctly, and I know some broadcast packets are working because I'm running minidlna in a container. This required me to run the following in the hypervisor

ip link set dev macvtap0 allmulticast on

or set the following in the virtual machine definition

    <interface type='network' trustGuestRxFilters='yes'>

Podman details for the RHEL9 environment

podman info
host:
  arch: amd64
  buildahVersion: 1.29.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-1.el9_2.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: 606c693de21bcbab87e31002e46663c5f2dc8a9b'
  cpuUtilization:
    idlePercent: 92.09
    systemPercent: 3.54
    userPercent: 4.37
  cpus: 1
  distribution:
    distribution: '"rhel"'
    version: "9.2"
  eventLogger: journald
  hostname: rhel9svr.home.stevencherie.net
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.14.0-284.11.1.el9_2.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 83025920
  memTotal: 1864519680
  networkBackend: cni
  ociRuntime:
    name: crun
    package: crun-1.8.4-1.el9_2.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.4
      commit: 5a8fa99a5e41facba2eda4af12fa26313918805b
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-3.el9.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 2192039936
  swapTotal: 3206537216
  uptime: 0h 18m 14.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 4
    paused: 0
    running: 2
    stopped: 2
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 10362028032
  graphRootUsed: 4164415488
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.4.1
  Built: 1682527828
  BuiltTime: Thu Apr 27 04:50:28 2023
  GitCommit: ""
  GoVersion: go1.19.6
  Os: linux
  OsArch: linux/amd64
  Version: 4.4.1

steven-ellis:

Container host network

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:36:a8:d9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.50/24 brd 192.168.0.255 scope global noprefixroute enp1s0
       valid_lft forever preferred_lft forever
3: cni-podman1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e2:50:23:6b:3a:96 brd ff:ff:ff:ff:ff:ff
    inet 10.89.0.1/24 brd 10.89.0.255 scope global cni-podman1
       valid_lft forever preferred_lft forever
    inet6 fe80::e050:23ff:fe6b:3a96/64 scope link 
       valid_lft forever preferred_lft forever
4: veth47206d8d@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-podman1 state UP group default 
    link/ether 12:46:0d:b9:ee:f9 brd ff:ff:ff:ff:ff:ff link-netns netns-94ebc032-49a3-0f2d-3a93-6aecc771addd
    inet6 fe80::1046:dff:feb9:eef9/64 scope link 
       valid_lft forever preferred_lft forever

steven-ellis:

Podman network was created via

podman network create -d macvlan -o parent=enp1s0 website

Details

podman network inspect website
[
     {
          "name": "website",
          "id": "747a8f398395dde8e524d9f983784bd8441c5cfe4307b5a079be5412ee65c314",
          "driver": "macvlan",
          "network_interface": "enp1s0",
          "created": "2023-05-14T20:32:56.133639008+12:00",
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": false,
          "ipam_options": {
               "driver": "dhcp"
          }
     }
]

steven-ellis commented May 14, 2023

Trying a similar test with

podman run -dt --name website --network website quay.io/libpod/banner

WARN[0198] Failed to load cached network config: network website not found in CNI cache, falling back to loading network website from disk 
Error: plugin type="macvlan" failed (add): cni plugin macvlan failed: error calling DHCP.Allocate: no more tries

Output of /usr/libexec/cni/dhcp daemon

2023/05/15 10:14:18 0faea7e4f03a865fea3087d7995cfbbe4ebe53af9e634257ded31809a04a769b/website/eth0: acquiring lease
2023/05/15 10:14:18 Link "eth0" down. Attempting to set up
2023/05/15 10:14:18 network is down
2023/05/15 10:14:18 retrying in 2.881018 seconds
2023/05/15 10:14:31 no DHCP packet received within 10s
2023/05/15 10:14:31 retrying in 2.329120 seconds
2023/05/15 10:14:43 no DHCP packet received within 10s
2023/05/15 10:14:43 retrying in 1.875428 seconds
2023/05/15 10:14:55 no DHCP packet received within 10s
2023/05/15 10:14:55 retrying in 1.849275 seconds
2023/05/15 10:15:07 no DHCP packet received within 10s
2023/05/15 10:15:07 retrying in 8.373646 seconds
2023/05/15 10:15:26 no DHCP packet received within 10s
2023/05/15 10:15:26 retrying in 15.131274 seconds
2023/05/15 10:15:51 no DHCP packet received within 10s
2023/05/15 10:15:51 retrying in 31.313039 seconds
2023/05/15 10:16:32 no DHCP packet received within 10s
2023/05/15 10:16:32 retrying in 63.601824 seconds
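The daemon output above is the whole story of this failure mode, and it is worth reading mechanically. As an added example (not code from the thread or from the CNI dhcp plugin), the helper below reads the daemon log on stdin and reports, per container, how many 10 s DHCP timeouts followed the lease request. Repeated timeouts with the link up mean the DHCPDISCOVER left the container but no offer ever came back, which is the signature of MAC-based filtering upstream (a macvtap parent, a VM without trustGuestRxFilters, switch port security). A single 'Link "eth0" down' with no timeouts is the normal race while the macvlan comes up. The sample log is constructed: the first block reproduces the lines quoted in this comment, the second is a container (ID and network name taken from the first report in this issue) whose link came up and which then got a lease.

```shell
#!/bin/sh
# Added example, not code from the thread or from the CNI dhcp plugin.
# Reads the "dhcp daemon" log on stdin and prints one verdict per container.

# Constructed sample log: the first block is the VM case quoted above, the
# second a container whose link was briefly down and then got a lease.
sample_dhcp_log() {
cat <<'EOF'
2023/05/15 10:14:18 0faea7e4f03a865fea3087d7995cfbbe4ebe53af9e634257ded31809a04a769b/website/eth0: acquiring lease
2023/05/15 10:14:18 Link "eth0" down. Attempting to set up
2023/05/15 10:14:18 network is down
2023/05/15 10:14:18 retrying in 2.881018 seconds
2023/05/15 10:14:31 no DHCP packet received within 10s
2023/05/15 10:14:31 retrying in 2.329120 seconds
2023/05/15 10:14:43 no DHCP packet received within 10s
2023/05/15 10:14:43 retrying in 1.875428 seconds
2023/05/15 10:14:55 no DHCP packet received within 10s
2023/05/15 10:14:55 retrying in 1.849275 seconds
2023/05/15 10:15:07 no DHCP packet received within 10s
2023/05/15 10:15:07 retrying in 8.373646 seconds
2023/05/15 10:15:26 no DHCP packet received within 10s
2023/05/15 10:15:26 retrying in 15.131274 seconds
2023/05/15 10:15:51 no DHCP packet received within 10s
2023/05/15 10:15:51 retrying in 31.313039 seconds
2023/05/15 10:16:32 no DHCP packet received within 10s
2023/05/15 10:16:32 retrying in 63.601824 seconds
2022/05/24 18:33:12 5b488c0d3cf0593ec2181f3c924aa8a88f5f7508afd225a1b4cecf2568e4d86e/home/eth0: acquiring lease
2022/05/24 18:33:12 Link "eth0" down. Attempting to set up
2022/05/24 18:33:12 network is down
2022/05/24 18:33:12 retrying in 1.193939 seconds
EOF
}

dhcp_lease_triage() {
    awk '
    # "<container-id>/<network>/<iface>: acquiring lease" opens a new attempt;
    # the lines that follow do not repeat the key, so remember the current one.
    /: acquiring lease$/ {
        key = $3; sub(/:$/, "", key)
        split(key, p, "/")
        id[key] = substr(p[1], 1, 12); net[key] = p[2]; ifc[key] = p[3]
        timeouts[key] += 0; linkdown[key] += 0
        cur = key; next
    }
    /no DHCP packet received/ { if (cur != "") timeouts[cur]++; next }
    /Link "[^"]*" down/       { if (cur != "") linkdown[cur]++; next }
    END {
        for (k in id) {
            if (timeouts[k] >= 3) {
                v = "no-dhcp-reply"          # discover sent, no offer: MAC filtering upstream?
            } else if (timeouts[k] == 0 && linkdown[k] > 0) {
                v = "transient-link-down"    # normal race while the macvlan comes up
            } else {
                v = "no-failure-logged"
            }
            printf "%s %s %s timeouts=%d linkdown=%d verdict=%s\n",
                   id[k], net[k], ifc[k], timeouts[k], linkdown[k], v
        }
    }'
}

# Run on the built-in sample with: DHCP_TRIAGE_DEMO=1 sh triage.sh
if [ "${DHCP_TRIAGE_DEMO:-0}" = "1" ]; then
    sample_dhcp_log | dhcp_lease_triage
fi
```

Feed the real log with journalctl -u cni-dhcp.service -o cat | dhcp_lease_triage, or set DHCP_TRIAGE_DEMO=1 to run it on the sample. The threshold of three timeouts is a heuristic chosen here, not something the plugin defines; what matters is that a container stuck in this state never gets past DHCP.Allocate, so the "no more tries" error quoted above follows.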

steven-ellis:

Re-test on a physical environment with no macvtap in the way and the dhcp lease works.

steven-ellis:

Retested on a vanilla RHEL 8.7 virtual host running on a bridge hypervisor network - no issues

podman network create -d macvlan -o parent=ens3 website

/usr/libexec/cni/dhcp daemon


podman run -dt --name website --network website quay.io/libpod/banner

steven-ellis:

Confirmed switching the RHEL8.7 vm to macvtap now breaks DHCP requests, even if I run the following on the hypervisor hosts

ip link set dev macvtap0 allmulticast on

Luap99 (Member) commented May 15, 2023

@steven-ellis This looks off topic here. Macvlan or macvtap will always match packets on the parent based on the MAC address, so when your VM already uses a macvtap device it cannot forward packets for other MAC addresses. Therefore the DHCP lease fails.

Reading back the original issue, I think the problem is that the connection is only tested from the container host, but it will only work from another host on the network. Macvlan does not allow communication between the parent and child interface. This is a kernel limitation. I found some workaround mentioned here with docker; I assume the same works with CNI or netavark.
Probably something we need to make clear in the man page.
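The kernel behaviour described in the comment above has a standard workaround, written out here as an added example (this is not code from the thread, from podman or from the CNI plugins): create a second macvlan child on the same parent for the host itself, in bridge mode, give it an address, and route the container addresses through it. Sibling macvlans in bridge mode exchange frames inside the kernel, so the host reaches the containers even though parent-to-child traffic is dropped. The interface name macvlan-shim and the host address 192.168.8.250/32 are assumptions for illustration; the parent eno1 and the container address 192.168.8.114 are taken from the first report in this issue.

```shell
#!/bin/sh
# Added example, not code from the thread or from the podman project.
# Gives the container host a path to its own macvlan containers. The kernel
# never forwards frames between a macvlan child and its parent, so the host
# talks to the containers through a second macvlan child ("shim") on the same
# parent. Interface and address names are assumptions for illustration.
#
#   macvlan_shim_up <parent> <shim-ip/32> <container-ip>...
#   DRY_RUN=1 prints the ip(8) commands instead of running them (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Dotted-quad IPv4, optionally with a /prefix. Rejects anything else so a
# typo cannot end up as a route to an unintended destination.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

macvlan_shim_up() {
    if [ $# -lt 3 ]; then
        echo "usage: macvlan_shim_up <parent> <shim-ip/32> <container-ip>..." >&2
        return 2
    fi
    parent=$1; shim_addr=$2; shift 2
    shim=${SHIM_NAME:-macvlan-shim}
    valid_ipv4 "$shim_addr" || { echo "bad shim address: $shim_addr" >&2; return 2; }
    for cip in "$@"; do
        valid_ipv4 "$cip" || { echo "bad container address: $cip" >&2; return 2; }
    done

    # Bridge mode lets sibling macvlans on the same parent exchange frames
    # directly in the kernel; the LAN switch never sees a hairpin.
    run ip link add "$shim" link "$parent" type macvlan mode bridge
    # A /32 keeps the shim out of the LAN's connected route: only the explicit
    # host routes below use it, everything else still leaves via the parent.
    run ip addr add "$shim_addr" dev "$shim"
    run ip link set "$shim" up
    for cip in "$@"; do
        run ip route add "${cip%%/*}/32" dev "$shim"
    done
}

macvlan_shim_down() {
    run ip link del "${SHIM_NAME:-macvlan-shim}"   # also drops the host routes
}

# Apply for real only when invoked as:
#   sh shim.sh --apply eno1 192.168.8.250/32 192.168.8.114
if [ "${1:-}" = "--apply" ]; then
    shift
    macvlan_shim_up "$@"
fi
```

Run it as root with --apply, or with DRY_RUN=1 to review the commands first. Reserve the shim address outside the DHCP pool, since the containers get theirs from the same server, and make the setup persistent: the reporter runs NetworkManager, which will not recreate the shim after a reboot on its own. Keep in mind that macvlan containers are Layer 2 peers on the LAN with their own MAC address, so host firewall rules attached to eno1 never see their traffic; filter inside the container or at the network edge.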

Luap99 closed this as completed May 15, 2023
github-actions bot locked as resolved and limited conversation to collaborators Aug 24, 2023