Bug · Resolution: Unresolved · Major · rhel-10.0.beta · sst_container_tools · RUN 252, RUN 253 · Requested
What were you trying to do that didn't work?
Running a container on RHEL-10.0-20240318.5 fails, as apparently it's not possible to create a necessary firewall rule:
# podman run -it registry.access.redhat.com/ubi9/ubi:latest
Error: netavark: unable to append rule '! -d 224.0.0.0/4 -j MASQUERADE' to table 'nat': code: 4, msg: Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain NETAVARK-1D8721804F16F
Please provide the package NVR for which the bug is seen:
podman-5.0.0~rc1-3.el10.x86_64
netavark-1.10.3-1.el10.x86_64
How reproducible:
Always.
Steps to reproduce
- Install podman and pull some container image.
- Run a container using the image, e.g. podman run -it registry.access.redhat.com/ubi9/ubi:latest
Expected results
Podman runs the container, firewall configuration is successful.
Actual results
The container can't be run because the firewall rule insertion fails.
Additional notes
I was able to solve the issue in two ways:
1. install the kernel-modules-extra package and modprobe the nft_compat module;
2. define the nftables firewall driver in /etc/containers/containers.conf:
[network]
firewall_driver="nftables"
I can't judge what should be the proper default solution, but I think there could be either some autodetection mechanism (to account for situations where the system is configured with firewalld, or with just nftables), or some sane default with appropriate documentation covering non-standard firewall configurations.
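A small triage script, added here and not part of the bug report, that checks a host for the two conditions the workarounds above change: whether nft_compat (the module that provides the MASQUERADE extension iptables-nft needs) is loaded or at least available, and which firewall_driver, if any, the [network] section of containers.conf sets. The function names and the constructed sample config are my own.

```shell
#!/bin/sh
# Triage helper for the netavark "Extension MASQUERADE revision 0 not
# supported" failure: report whether nft_compat is usable and which
# firewall driver containers.conf selects.

# Print the value of `firewall_driver` from the [network] section of a
# containers.conf-style file (nothing if unset or file unreadable).
# Section-aware, so a same-named key under another table is ignored;
# strips surrounding quotes and trailing comments.
get_firewall_driver() {
    [ -r "$1" ] || return 0
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { in_net = ($0 ~ /^[[:space:]]*\[network\]/); next }
        in_net && $0 ~ /^[[:space:]]*firewall_driver[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]*#.*$/, "")
            gsub(/^["'\'']|["'\'']$/, "")
            print; exit
        }
    ' "$1"
}

# Print loaded / available / missing for the nft_compat kernel module.
nft_compat_status() {
    if grep -q '^nft_compat ' /proc/modules 2>/dev/null; then
        echo loaded
    elif modinfo -n nft_compat >/dev/null 2>&1; then
        echo available
    else
        echo missing
    fi
}

# Exit 0 when at least one workaround is in place (nftables driver set,
# or nft_compat loadable); otherwise the MASQUERADE rule will fail.
triage() {
    conf="${1:-/etc/containers/containers.conf}"
    driver=$(get_firewall_driver "$conf")
    status=$(nft_compat_status)
    case "$driver" in
        nftables) echo "firewall_driver=nftables in $conf: nft_compat not required" ;;
        "")       echo "firewall_driver unset in $conf; nft_compat is $status" ;;
        *)        echo "firewall_driver=$driver in $conf; nft_compat is $status" ;;
    esac
    [ "$driver" = nftables ] || [ "$status" != missing ]
}
```

Run `triage` (or `triage /path/to/containers.conf`) on the affected host; a non-zero exit means neither workaround is active.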