Gentoo Forums
[solved] podman, podman-compose and iptables
Gentoo Forums Forum Index: Networking & Security
Dr.Willy
Guru
Joined: 15 Jul 2007
Posts: 547
Location: NRW, Germany

PostPosted: Mon Apr 25, 2022 4:59 pm    Post subject: [solved] podman, podman-compose and iptables

Hey guys, I'm trying to get podman to work on Gentoo, but I'm stuck on an issue.

I'm using podman-compose, which is just a Python script that runs the appropriate podman commands. Since it helpfully prints out the commands it runs, I can confirm that running those commands manually produces the same results.

Code:
~ # podman-compose up
['podman', '--version', '']
using podman version: 4.0.3
** excluding:  set()
podman volume inspect myproj_pgdata || podman volume create myproj_pgdata
['podman', 'volume', 'inspect', 'myproj_pgdata']
['podman', 'network', 'exists', 'myproj_default']
podman create --name=myproj_db_1 --label io.podman.compose.config-hash=123 --label io.podman.compose.project=myproj --label io.podman.compose.version=0.0.1 --label com.docker.compose.project=myproj --label com.docker.compose.project.working_dir=/home/w/myproj --label com.docker.compose.project.config_files=docker-compose.yml --label com.docker.compose.container-number=1 --label com.docker.compose.service=db -e POSTGRES_PASSWORD=_DUMMY_PW_ -v myproj_pgdata:/var/lib/postgresql/data:rw --net myproj_default --network-alias db -p 5432 --restart unless-stopped postgres:13
podman start -a myproj_db_1
WARN[0000] Failed to load cached network config: network myproj_default not found in CNI cache, falling back to loading network myproj_default from disk
WARN[0000] 1 error occurred:
   * plugin type="firewall" failed (delete): cni plugin firewall failed: could not initialize iptables protocol 0: exec: "iptables": executable file not found in $PATH

Error: unable to start container 38f565465c9797f93004630f61d56286c8c0f8ad8fd0817f9d10903886d8f54a: plugin type="bridge" failed (add): cni plugin bridge failed: failed to locate iptables: exec: "iptables": executable file not found in $PATH


So some package seems to be missing an iptables dependency somewhere.
After emerging it manually I end up with:

Code:
~ # podman-compose up
['podman', '--version', '']
using podman version: 4.0.3
** excluding:  set()
podman volume inspect myproj_pgdata || podman volume create myproj_pgdata
['podman', 'volume', 'inspect', 'myproj_pgdata']
['podman', 'network', 'exists', 'myproj_default']
podman create --name=myproj_db_1 --label io.podman.compose.config-hash=123 --label io.podman.compose.project=myproj --label io.podman.compose.version=0.0.1 --label com.docker.compose.project=myproj --label com.docker.compose.project.working_dir=/home/w/myproj --label com.docker.compose.project.config_files=docker-compose.yml --label com.docker.compose.container-number=1 --label com.docker.compose.service=db -e POSTGRES_PASSWORD=_DUMMY_PW_ -v myproj_pgdata:/var/lib/postgresql/data:rw --net myproj_default --network-alias db -p 5432 --restart unless-stopped postgres:13
podman start -a myproj_db_1
WARN[0000] Failed to load cached network config: network myproj_default not found in CNI cache, falling back to loading network myproj_default from disk
WARN[0000] 1 error occurred:
   * plugin type="bridge" failed (delete): cni plugin bridge failed: running [/sbin/iptables -t nat -D POSTROUTING -s 10.89.0.8 -j CNI-09e02578e23c8563453d468a -m comment --comment name: "myproj_default" id: "38f565465c9797f93004630f61d56286c8c0f8ad8fd0817f9d10903886d8f54a" --wait]: exit status 2: iptables v1.8.7 (legacy): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.


Error: unable to start container 38f565465c9797f93004630f61d56286c8c0f8ad8fd0817f9d10903886d8f54a: plugin type="bridge" failed (add): cni plugin bridge failed: running [/sbin/iptables -t nat -C CNI-09e02578e23c8563453d468a -d 10.89.0.8/24 -j ACCEPT -m comment --comment name: "myproj_default" id: "38f565465c9797f93004630f61d56286c8c0f8ad8fd0817f9d10903886d8f54a" --wait]: exit status 2: iptables v1.8.7 (legacy): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

exit code: 125


Now I've never worked with iptables so I'm at a loss what is going on here (hence: Networking & Security).
Since my google-fu has failed me, can someone explain to me why this iptables command fails?
_________________
gentoo repos: kakoune | oil | hyper-v


Last edited by Dr.Willy on Mon Apr 25, 2022 6:59 pm; edited 1 time in total
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3878

PostPosted: Mon Apr 25, 2022 5:54 pm    Post subject:

What is the output of
Code:

ls -l /sbin/iptables-legacy
ls -l /sbin/iptables

Do they point to
xtables-legacy-multi
?
_________________
:)
Dr.Willy
Guru
Joined: 15 Jul 2007
Posts: 547
Location: NRW, Germany

PostPosted: Mon Apr 25, 2022 6:06 pm    Post subject:

alamahant wrote:
What is the output of
Code:

ls -l /sbin/iptables-legacy
ls -l /sbin/iptables

Do they point to
xtables-legacy-multi
?
Yes, they do.

Also:
Code:
~ # eselect iptables list
Available iptables symlink targets:
  [1]   xtables-legacy-multi *

alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3878

PostPosted: Mon Apr 25, 2022 6:11 pm    Post subject:

Do you have
Code:

CONFIG_NETFILTER_XT_MATCH_COMMENT=m

in /usr/src/linux/.config
?
Code:

grep CONFIG_NETFILTER_XT_MATCH_COMMENT /usr/src/linux/.config

Dr.Willy
Guru
Joined: 15 Jul 2007
Posts: 547
Location: NRW, Germany

PostPosted: Mon Apr 25, 2022 6:58 pm    Post subject:

alamahant wrote:
Code:
grep CONFIG_NETFILTER_XT_MATCH_COMMENT /usr/src/linux/.config

Bingo, that was missing!
Added CONFIG_NETFILTER_XT_MATCH_COMMENT (…and CONFIG_NETFILTER_XT_MATCH_MULTIPORT) and we're up and running.

Thank you alamahant! :)
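As an added illustration (not code from the thread or from any of its posters), here is a small POSIX shell check that generalises alamahant's grep: it reads a kernel .config and reports which of a list of netfilter xtables match options are neither built in (=y) nor modular (=m), which is exactly the condition under which iptables reports "Couldn't load match" for that extension. The .config excerpt embedded below is constructed for the demo; the two option names are the ones the thread ends up enabling.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Check a kernel .config for netfilter xtables match options and list the
# ones that are neither built in (=y) nor a module (=m). The .config
# excerpt below is constructed for illustration only.

# Constructed .config excerpt: the comment match is absent entirely, the
# multiport match is explicitly disabled, conntrack is built in.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_IP_NF_NAT=m'

# The two options the thread ends up enabling.
CNI_MATCH_OPTIONS='CONFIG_NETFILTER_XT_MATCH_COMMENT CONFIG_NETFILTER_XT_MATCH_MULTIPORT'

# missing_xt_matches CONFIG_FILE OPTION...
# Prints each OPTION that is not set to y or m in CONFIG_FILE, one per line.
# Returns 0 when every option is present, 1 when at least one is missing.
missing_xt_matches() {
    cfg="$1"
    shift
    rc=0
    for opt in "$@"; do
        # Anchor on "OPTION=" so a longer option name sharing the prefix
        # cannot match, and "# OPTION is not set" lines are not matched.
        if ! grep -q "^${opt}=[ym]\$" "$cfg"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Demo against the constructed excerpt; on a Gentoo box you would pass
# /usr/src/linux/.config (or a file produced from /proc/config.gz) instead.
demo_cfg=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$demo_cfg"
# Word splitting of the option list is intended here.
if missing=$(missing_xt_matches "$demo_cfg" $CNI_MATCH_OPTIONS); then
    echo "all required xtables matches are enabled"
else
    echo "missing from kernel config (enable as =m or =y and rebuild):"
    echo "$missing"
fi
rm -f "$demo_cfg"
```

With the constructed excerpt the script lists both CONFIG_NETFILTER_XT_MATCH_COMMENT and CONFIG_NETFILTER_XT_MATCH_MULTIPORT. An option set to =m only helps once the kernel has been rebuilt and the module can actually be loaded, so after a rebuild the same check is worth repeating against the running kernel's config rather than the source tree's.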