Kind: No DNS resolution with Kind running in rootful Podman

/assign @aojea

I can' t reproduce it in my Fedora 32 and podman podman 2.1.1.

kind]$ sudo kubectl get pods -o wide
NAME    READY   STATUS    RESTARTS   AGE   IP           NODE                 NOMINATED NODE   READINESS GATES
nginx   1/1     Running   0          40s   10.244.0.5   kind-control-plane   <none>           <none>

usual suspects are firewalld ot iptables mode
https://kind.sigs.k8s.io/docs/user/known-issues/#fedora32-firewalld

@aojea thank you for following up!

I installed a fresh copy of Fedora Silverblue 33 in Boxes.
Downloaded _kind_ (applied a setuid for root on it) and _kubectl_.
Brought up the cluster and went through the original steps in this ticket but was unable to replicate my issue.
I haven't tweaked any system settings.

It appears to be using _nftables_ also:

$ sudo cat /etc/firewalld/firewalld.conf | grep Firewall
# FirewallBackend
FirewallBackend=nftables

OK I found the issue @aojea.

There's an interference with my _firewalld_ config.
After systemctl disable --now firewalld, things appear to be working now:

kubectl get pods -A -w
NAMESPACE            NAME                                         READY   STATUS              RESTARTS   AGE
default              nginx                                        0/1     ContainerCreating   0          1s
kube-system          coredns-f9fd979d6-54xxz                      1/1     Running             0          75s
kube-system          coredns-f9fd979d6-pw88w                      1/1     Running             0          75s
kube-system          etcd-kind-control-plane                      1/1     Running             0          79s
kube-system          kindnet-7k7kd                                1/1     Running             0          75s
kube-system          kube-apiserver-kind-control-plane            1/1     Running             0          79s
kube-system          kube-controller-manager-kind-control-plane   1/1     Running             0          78s
kube-system          kube-proxy-ltfnn                             1/1     Running             0          75s
kube-system          kube-scheduler-kind-control-plane            1/1     Running             0          78s
local-path-storage   local-path-provisioner-78776bfc44-pfwnj      1/1     Running             0          75s
default              nginx                                        1/1     Running             0          12s

I'll review my _firewalld_ configuration.

Sounds like https://kind.sigs.k8s.io/docs/user/known-issues/#fedora32-firewalld but with podman as well

/close
Thank for verifying ... _iptables and DNS... it's always iptables and DNS ..._ :rofl:

@aojea: Closing this issue.

Sounds like https://kind.sigs.k8s.io/docs/user/known-issues/#fedora32-firewalld but with podman as well

@BenTheElder

Thank for verifying ... _iptables and DNS... it's always iptables and DNS ..._

@aojea

Thank you for following up, I wasn't sure that this was a duplicate issue - sorry about that.

I switched to _iptables_ as per the _known-issues_ page. Working fine now!

We might need to update the known issues page.

I'm pretty certain I have iptables-nft working on my corp workstation, but I'm not sure if firewalld etc. are involved actually. (it's dockerd on ~debian).

hi @BobyMCbobs , I just found your blog https://blog.calebwoodbine.com/kind-on-fedora-33/ and KIND should be independent of the iptables backend, it should work for iptables-nft (nftables) and iptables-legacy,.
Previous issues were with docker, because it is incompatible with firewalld as you can see in the known issues

https://kind.sigs.k8s.io/docs/user/known-issues/#fedora32-firewalld

On Fedora 32 firewalld moved to nftables backend by default. This seems to be incompatible with Docker, leading to KIND cluster nodes not being able to reach each other.

But if you say that you are running with podman I need to go deeper to understand better the problem
/reopen
/assign

@BobyMCbobs do you still have an environment to reproduce this?
if affirmative, can you paste the iptables-legacy-save and iptables-nft-save output in an environment without DNS working?

@aojea: Reopened this issue.

@BobyMCbobs do you still have an environment to reproduce this?
if affirmative, can you paste the iptables-legacy-save and iptables-nft-save output in an environment without DNS working?

@aojea,
Thank you for following up.

I switched back to nftables for this output and made sure the same errors occurred (including the same image pull cause of DNS).

iptables-legacy-save output:

# Generated by iptables-save v1.8.5 on Wed Dec  2 21:39:32 2020
*nat
:PREROUTING ACCEPT [174:24468]
:INPUT ACCEPT [6:1262]
:OUTPUT ACCEPT [254:16284]
:POSTROUTING ACCEPT [254:16284]
:CNI-DN-dc6a4d127af830bf71995 - [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
:CNI-HOSTPORT-MASQ - [0:0]
:CNI-HOSTPORT-SETMARK - [0:0]
:CNI-dc6a4d127af830bf71995c2e - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A OUTPUT -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A POSTROUTING -m comment --comment "CNI portfwd requiring masquerade" -j CNI-HOSTPORT-MASQ
-A POSTROUTING -s 10.88.0.21/32 -m comment --comment "name: \"podman\" id: \"8e2af17f9660b35f50e4c07ca1ab897b1e2844b7d1007578be466c73dc2c217d\"" -j CNI-dc6a4d127af830bf71995c2e
-A CNI-DN-dc6a4d127af830bf71995 -s 10.88.0.0/16 -d 127.0.0.1/32 -p tcp -m tcp --dport 40603 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-dc6a4d127af830bf71995 -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 40603 -j CNI-HOSTPORT-SETMARK
-A CNI-DN-dc6a4d127af830bf71995 -d 127.0.0.1/32 -p tcp -m tcp --dport 40603 -j DNAT --to-destination 10.88.0.21:6443
-A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"podman\" id: \"8e2af17f9660b35f50e4c07ca1ab897b1e2844b7d1007578be466c73dc2c217d\"" -m multiport --dports 40603 -j CNI-DN-dc6a4d127af830bf71995
-A CNI-HOSTPORT-MASQ -m mark --mark 0x2000/0x2000 -j MASQUERADE
-A CNI-HOSTPORT-SETMARK -m comment --comment "CNI portfwd masquerade mark" -j MARK --set-xmark 0x2000/0x2000
-A CNI-dc6a4d127af830bf71995c2e -d 10.88.0.0/16 -m comment --comment "name: \"podman\" id: \"8e2af17f9660b35f50e4c07ca1ab897b1e2844b7d1007578be466c73dc2c217d\"" -j ACCEPT
-A CNI-dc6a4d127af830bf71995c2e ! -d 224.0.0.0/4 -m comment --comment "name: \"podman\" id: \"8e2af17f9660b35f50e4c07ca1ab897b1e2844b7d1007578be466c73dc2c217d\"" -j MASQUERADE
COMMIT
# Completed on Wed Dec  2 21:39:32 2020
# Generated by iptables-save v1.8.5 on Wed Dec  2 21:39:32 2020
*mangle
:PREROUTING ACCEPT [1026:291610]
:INPUT ACCEPT [858:268404]
:FORWARD ACCEPT [131:7001]
:OUTPUT ACCEPT [1014:125876]
:POSTROUTING ACCEPT [1086:132101]
COMMIT
# Completed on Wed Dec  2 21:39:32 2020
# Generated by iptables-save v1.8.5 on Wed Dec  2 21:39:32 2020
*raw
:PREROUTING ACCEPT [1026:291610]
:OUTPUT ACCEPT [1014:125876]
COMMIT
# Completed on Wed Dec  2 21:39:32 2020
# Generated by iptables-save v1.8.5 on Wed Dec  2 21:39:32 2020
*security
:INPUT ACCEPT [838:267436]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1014:125876]
COMMIT
# Completed on Wed Dec  2 21:39:32 2020
# Generated by iptables-save v1.8.5 on Wed Dec  2 21:39:32 2020
*filter
:INPUT ACCEPT [794:259911]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [944:118347]
:CNI-ADMIN - [0:0]
:CNI-FORWARD - [0:0]
-A FORWARD -m comment --comment "CNI firewall plugin rules" -j CNI-FORWARD
-A CNI-FORWARD -m comment --comment "CNI firewall plugin admin overrides" -j CNI-ADMIN
-A CNI-FORWARD -d 10.88.0.21/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A CNI-FORWARD -s 10.88.0.21/32 -j ACCEPT
COMMIT
# Completed on Wed Dec  2 21:39:32 2020

Finally iptables-nft-save output outputs:

Unknown arguments found on commandline

A fresh Fedora Silverblue 33 ISO will render the same results to my testing. Set up is same instructions as my post and the steps in this issue.

@dcbw @squeed it seems that the cni plugins are using the legacy iptables instead of the nft version, that is the same one used by firewalld, causing the environment to fail ^^^
Do the CNI plugins check the iptables version to use? how can we sync it with firewalld?

Hmm. CNI binaries just use whatever /bin/iptables they find - how are you packaging them?

does firewalld use iptables-nft? or just nft directly?

kind is doing ~the same update-alternatives trick from kube-proxy, counting
the rules in iptables and iptables-nft and selecting the one with the most
rules.

docker injects rules inside the container using the host iptables.
podman I have no idea, but I'm guessing it doesn't do that, so we don't
have anything to go on and default to legacy.

On Wed, Dec 2, 2020 at 1:51 AM Casey Callendrello notifications@github.com
wrote:

Hmm. CNI binaries just use whatever /bin/iptables they find - how are you
packaging them?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/kubernetes-sigs/kind/issues/1939#issuecomment-737119459,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAHADK3PEUJQWPHXPY5B2HLSSYE3HANCNFSM4T5OXRJA
.

Hmm. CNI binaries just use whatever /bin/iptables they find - how are you packaging them?

They CNI plugin package come from fedora repos, podman just use them for the network iirc

does firewalld use iptables-nft? or just nft directly?

@BenTheElder, here's the _FirewallBackend_ section from my _/etc/firewalld/firewalld.conf_ file

# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
#   - nftables (default)
#   - iptables (iptables, ip6tables, ebtables and ipset)
# FirewallBackend=nftables
FirewallBackend=iptables

However, there isn't an _nftables_ program installed - so I believe it's using _iptables-nft_ since it's installed

Discussed more with Antonio -- There's two potential issues here:

• We need everything on the host to line up and use iptables-legacy or iptables-nft (this is hopefully "just" a configuration issue on your machine)
• Once the host is lined up, the node tries to detect which to use, but podman isn't writing any rules (reasonably) so we don't currently detect what the host is using and default to legacy. It's not obvious how we'd best solve that one even once the first one is correct

I'd been referring to the latter mostly, but I think you all are discussing the former 😅

This is, sadly, a common battle in this world, since there is no kernel-level flag that indicates which mode of iptables is in use. The "official" API is: where does /sbin/iptables symlink.

When we need to run iptables in a container, we generally bind-mount / to /host and then chroot. We then patch things up in the dockerfile with a simple script.

For example, see https://github.com/openshift/sdn/blob/master/images/iptables-scripts/iptables

Interesting approach, thanks. I'm not sure how comfortable I'd be having kind always bind mount / into the container ... 🤔 (versus kube-proxy which is actually supposed to manage host network anyhow).

The kubernetes approach (which we currently use) is pretty nice, but requires some existing rules of some sort in the namespace unfortunately 😞

I just realized this is all moot - we're talking about CNI plugins executed by podman on the real node to bring up the kind "node" containers. Not the CNI executed by containerd / cri-o inside the kind nodes.

Scanning the issue, I suspect it's because we have some bits inside the CNI plugins that tweak iptables, and the node in question has firewalld with raw nftables. We support iptables-nft, but not nft itself.

Scanning the issue, I suspect it's because we have some bits inside the CNI plugins that tweak iptables, and the node in question has firewalld with raw nftables. We support iptables-nft, but not nft itself.

Fedora seems to be pushing for firewalld / nft to be the default going forward, is there any hope for fixing this?

As is we point users to:
https://kind.sigs.k8s.io/docs/user/known-issues/#fedora32-firewalld
(should probably be renamed "firewalld nft" ...)

Fedora seems to be pushing for firewalld / nft to be the default going forward, is there any hope for fixing this?

Definitely! We probably just need to teak the "default" CNI configuration used by podman.