Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"rootless containers and pods cannot be assigned static IP addresses" (podman-run, rootless, CNI) #7842

Closed
eriksjolund opened this issue Sep 30, 2020 · 9 comments · Fixed by #8585
Closed

"rootless containers and pods cannot be assigned static IP addresses" (podman-run, rootless, CNI) #7842

eriksjolund opened this issue Sep 30, 2020 · 9 comments · Fixed by #8585
Assignees
@mheon
Labels
CNI Bug with CNI networking for root containers kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. rootless

Comments

@eriksjolund
Copy link
Contributor

eriksjolund commented Sep 30, 2020
edited
Loading

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Assignment of a static IP address to rootless CNI when running podman run fails.
If the failure is expected it should be documented in the documentation for the
--ip command-line option in the manual page for podman run
https://github.com/containers/podman/blob/master/docs/source/markdown/podman-run.1.md

Steps to reproduce the issue:

[erik@laptop ~]$ podman network create test
/home/erik/.config/cni/net.d/test.conflist
[erik@laptop ~]$ podman network inspect test
[
  {
    "cniVersion": "0.4.0",
    "name": "test",
    "plugins": [
      {
        "bridge": "cni-podman5",
        "hairpinMode": true,
        "ipMasq": true,
        "ipam": {
          "ranges": [
            [
              {
                "gateway": "10.88.7.1",
                "subnet": "10.88.7.0/24"
              }
            ]
          ],
          "routes": [
            {
              "dst": "0.0.0.0/0"
            }
          ],
          "type": "host-local"
        },
        "isGateway": true,
        "type": "bridge"
      },
      {
        "capabilities": {
          "portMappings": true
        },
        "type": "portmap"
      },
      {
        "backend": "",
        "type": "firewall"
      },
      {
        "domainName": "dns.podman",
        "type": "dnsname"
      }
    ]
  }
]
[erik@laptop ~]$ podman run --rm -ti --network test --ip=10.88.7.5 docker.io/library/alpine 
Error: invalid config provided: rootless containers and pods cannot be assigned static IP addresses
[erik@laptop ~]$

Describe the results you received:

Describe the results you expected:

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

podman version 2.1.1

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.16.1
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.21-1.el8.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.21, commit: 3460cd1ad859a79bd27df1714f39c76926ac1b39-dirty'
  cpus: 16
  distribution:
    distribution: '"centos"'
    version: "8"
  eventLogger: journald
  hostname: laptop.example.com (manualleditted to mask information)
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1008
      size: 1
    - container_id: 1
      host_id: 427680
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1008
      size: 1
    - container_id: 1
      host_id: 427680
      size: 65536
  kernel: 4.18.0-193.19.1.el8_2.x86_64
  linkmode: dynamic
  memFree: 63281815552
  memTotal: 67206131712
  ociRuntime:
    name: runc
    package: runc-1.0.0-145.rc91.git24a3cf8.el8.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.2-dev'
  os: linux
  remoteSocket:
    path: /run/user/1008/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.4-2.el8.x86_64
    version: |-
      slirp4netns version 1.1.4
      commit: b66ffa8e262507e37fca689822d23430f3357fe8
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
  swapFree: 33810280448
  swapTotal: 33810280448
  uptime: 41h 17m 7.7s (Approximately 1.71 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/erik/.config/containers/storage.conf
  containerStore:
    number: 44
    paused: 0
    running: 5
    stopped: 39
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.1.2-1.el8.x86_64
      Version: |-
        fusermount3 version: 3.2.1
        fuse-overlayfs: version 1.1.0
        FUSE library version 3.2.1
        using FUSE kernel interface version 7.26
  graphRoot: /home/erik/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 143
  runRoot: /run/user/1008/containers
  volumePath: /home/erik/.local/share/containers/storage/volumes
version:
  APIVersion: 2.0.0
  Built: 1601258926
  BuiltTime: Mon Sep 28 04:08:46 2020
  GitCommit: ""
  GoVersion: go1.13.15
  OsArch: linux/amd64
  Version: 2.1.1

Package info (e.g. output of rpm -q podman or apt list podman):

podman-2.1.1-4.el8.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Sep 30, 2020
@AkihiroSuda AkihiroSuda added rootless enhancement CNI Bug with CNI networking for root containers labels Sep 30, 2020
@rhatdan rhatdan added kind/feature Categorizes issue or PR as related to a new feature. and removed enhancement labels Oct 1, 2020
@usury
Copy link

usury commented Oct 30, 2020
edited
Loading

These are the exact steps to confirm the OP's observation that rootless containers cannot be assigned a static IP on a user-defined rootless cni network

Containers NOT in pod

    normaluser@containerhost $> podman rm -fa       # fresh set of examples
    normaluser@containerhost $> podman network create myCNI
    normaluser@containerhost $> podman network inspect myCNI | grep -i subnet
                "subnet": "10.89.0.0/24"
    normaluser@containerhost $> podman run --name myNginx2 --network myCNI --ip 10.89.0.2 -d nginx:alpine
Error: invalid config provided: rootless containers and pods cannot be assigned static IP addresses

Container WITHIN a pod

    normaluser@containerhost $> podman rm -fa       # fresh set of examples
    normaluser@containerhost $> podman network create myCNI
    normaluser@containerhost $> podman network inspect myCNI | grep -i subnet
                "subnet": "10.89.0.0/24"
    normaluser@containerhost $> podman pod create --name myPod
    normaluser@containerhost $> podman run --name myNginx2 --network myCNI --ip 10.89.0.2 --pod myPod -d nginx:alpine
Error: invalid config provided: rootless containers and pods cannot be assigned static IP addresses

However, containers created in the same way do have proper IP addresses assigned to them automatically when they join "myCNI" which suggests manual assignment of ip address for such containers ought to be possible (from a user perspective at least).

    normaluser@containerhost $> podman rm -fa       # fresh set of examples
    normaluser@containerhost $> podman network create myCNI
    normaluser@containerhost $> podman run --name myNginx2 --network myCNI -d nginx:alpine
    normaluser@containerhost $> podman run --name myNginx3 --network myCNI -d nginx:alpine

    normaluser@containerhost $>  podman inspect myNginx2 | grep -i ipaddress
                    "IPAddress": "10.89.0.2",
    normaluser@containerhost $>  podman inspect myNginx3 | grep -i ipaddress
                    "IPAddress": "10.89.0.3",

    normaluser@containerhost $> podman exec myNginx2 ping -c1 myNginx3
        PING myNginx3 (10.89.0.3): 56 data bytes
        64 bytes from 10.89.0.3: seq=0 ttl=64 time=0.156 ms

    normaluser@containerhost $>  podman exec myNginx3 ping -c1 myNginx2
        PING myNginx2 (10.89.0.2): 56 data bytes
        64 bytes from 10.89.0.2: seq=0 ttl=64 time=0.267 ms

For similar containers added to a pod (and assigned IP addresses automatically), DNS based on container names fails.
I will post a separate bug report and edit this post to point at it. Issue #8194

@mheon mheon removed the kind/feature Categorizes issue or PR as related to a new feature. label Oct 30, 2020
@mheon
Copy link
Member

mheon commented Oct 30, 2020

OK, this completely slipped through the cracks until now; sorry. @AkihiroSuda This ought to work fine on the CNI side, right? I suspect this is a check Podman is doing before we even call out to CNI, so I expect it should be an easy fix.

@mheon mheon self-assigned this Oct 30, 2020
@AkihiroSuda
Copy link
Collaborator

Yes, this should be really easy to fix

mheon added a commit to mheon/libpod that referenced this issue Oct 30, 2020
@mheon
Static IP and MAC addresses are allowed in rootless CNI
c265403 
Loosen some restrictions within specgen around rootless
containers - they can now set static IP and MAC addresses as long
as they are in a CNI network.

Fixes containers#7842

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
@mheon mheon mentioned this issue Oct 30, 2020
Closed
@mheon
Copy link
Member

mheon commented Oct 30, 2020

#8198 to fix

rhatdan pushed a commit to rhatdan/podman that referenced this issue Nov 24, 2020
@mheon @rhatdan
Static IP and MAC addresses are allowed in rootless CNI
3bbb42a 
Loosen some restrictions within specgen around rootless
containers - they can now set static IP and MAC addresses as long
as they are in a CNI network.

Fixes containers#7842

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@zhangguanzhang zhangguanzhang mentioned this issue Nov 30, 2020
Closed
@rhatdan
Copy link
Member

rhatdan commented Nov 30, 2020

Good to see progress on this one.

@github-actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Copy link
Member

rhatdan commented Jan 4, 2021

This is hung up on #8469 now.
@Luap99 any update?

@Luap99 Luap99 mentioned this issue Jan 9, 2021
Closed
@Luap99
Copy link
Member

Luap99 commented Jan 9, 2021

A fix for this is also in the new imageless rootless-cni-infra PR #8910

@Luap99 Luap99 mentioned this issue Jan 27, 2021
Merged
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@mheon mheon

Labels
CNI Bug with CNI networking for root containers kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. rootless
Projects
None yet
Milestone
No milestone
7 participants
@eriksjolund @rhatdan @mheon @AkihiroSuda @usury @openshift-ci-robot @Luap99