Podman fails to add container to a pod [firewalld, nftables]

Can't start a podman container, nor can I add a container to a pod, on CentOS 8.

I've tried the usual actions, e.g.:

Made sure I am starting with clean state:

  • sudo podman system reset, which has deleted all images, containers, etc.
  • sudo podman run -dt --rm nginx -- the image gets pulled successfully, but podman then throws the following error:

    Error while adding pod to CNI network "podman": failed to add the address 10.88.0.122/32 to trusted zone: COMMAND_FAILED: 'python-nftables' failed:
    JSON blob:
    {"nftables": [
      {"metainfo": {"json_schema_version": 1}},
      {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES_SOURCE", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "saddr"}}, "op": "==", "right": {"prefix": {"addr": "10.88.0.122", "len": 32}}}}, {"goto": {"target": "raw_PRE_trusted"}}]}}},
      {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES_SOURCE", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "saddr"}}, "op": "==", "right": {"prefix": {"addr": "10.88.0.122", "len": 32}}}}, {"goto": {"target": "mangle_PRE_trusted"}}]}}},
      {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES_SOURCE", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "saddr"}}, "op": "==", "right": {"prefix": {"addr": "10.88.0.122", "len": 32}}}}, {"goto": {"target": "nat_PRE_trusted"}}]}}},
      {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES_SOURCE", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "10.88.0.122", "len": 32}}}}, {"goto": {"target": "nat_POST_trusted"}}]}}},
      {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES_SOURCE", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "saddr"}}, "op": "==", "right": {"prefix": {"addr": "10.88.0.122", "len": 32}}}}, {"goto": {"target": "filter_IN_trusted"}}]}}},
      {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES_SOURCE", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "saddr"}}, "op": "==", "right": {"prefix": {"addr": "10.88.0.122", "len": 32}}}}, {"goto": {"target": "filter_FWDI_trusted"}}]}}},
      {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES_SOURCE", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "10.88.0.122", "len": 32}}}}, {"goto": {"target": "filter_FWDO_trusted"}}]}}}
    ]}

What prevents podman from adding the pod to the podman network?
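
One way to narrow this down, added here as an example (it is not code from the question, nor from podman, CNI or firewalld): the error is firewalld reporting that the batch of nftables JSON commands it handed to python-nftables was rejected. Every insert in the blob names a chain to insert into and a goto target in the same table, and nft applies the batch as one transaction, so a single missing chain fails all seven inserts. The script below rebuilds the seven commands from the blob (same families, chains, match fields and targets), extracts the (family, table, chain) triples they depend on, and reports which are absent from `nft -j list ruleset` output. The sample ruleset it runs against offline is constructed for the demo (the `ip firewalld` table is deliberately missing); the file name `check_firewalld_chains.py` is an assumption.

```python
"""Check whether the chains a firewalld nftables batch relies on exist.

Offline:  python3 check_firewalld_chains.py          (constructed sample ruleset)
Live:     nft -j list ruleset | python3 check_firewalld_chains.py
"""
import json
import sys

# The address podman tried to add to the trusted zone (from the error message).
ADDR, PREFIX_LEN = "10.88.0.122", 32


def firewalld_insert(family, chain, field, target):
    """One command in the shape firewalld's nftables backend emitted."""
    return {"insert": {"rule": {
        "family": family, "table": "firewalld", "chain": chain,
        "expr": [
            {"match": {"left": {"payload": {"protocol": "ip", "field": field}},
                       "op": "==",
                       "right": {"prefix": {"addr": ADDR, "len": PREFIX_LEN}}}},
            {"goto": {"target": target}},
        ]}}}


# The seven inserts from the JSON blob in the question, rebuilt from a table of
# (family, chain, matched field, goto target) so they fit on the page.
BLOB = {"nftables": [{"metainfo": {"json_schema_version": 1}}] + [
    firewalld_insert(f, c, fld, t) for f, c, fld, t in (
        ("inet", "raw_PREROUTING_ZONES_SOURCE",     "saddr", "raw_PRE_trusted"),
        ("inet", "mangle_PREROUTING_ZONES_SOURCE",  "saddr", "mangle_PRE_trusted"),
        ("ip",   "nat_PREROUTING_ZONES_SOURCE",     "saddr", "nat_PRE_trusted"),
        ("ip",   "nat_POSTROUTING_ZONES_SOURCE",    "daddr", "nat_POST_trusted"),
        ("inet", "filter_INPUT_ZONES_SOURCE",       "saddr", "filter_IN_trusted"),
        ("inet", "filter_FORWARD_IN_ZONES_SOURCE",  "saddr", "filter_FWDI_trusted"),
        ("inet", "filter_FORWARD_OUT_ZONES_SOURCE", "daddr", "filter_FWDO_trusted"),
    )]}


def required_chains(blob):
    """(family, table, chain) triples the batch needs: each chain a rule is
    inserted into or added to, plus every goto/jump target inside those rules."""
    needed = set()
    for cmd in blob["nftables"]:
        for verb in ("insert", "add"):
            rule = cmd.get(verb, {}).get("rule")
            if rule is None:
                continue
            needed.add((rule["family"], rule["table"], rule["chain"]))
            for expr in rule.get("expr", []):
                for jump in ("goto", "jump"):
                    if jump in expr:
                        needed.add((rule["family"], rule["table"], expr[jump]["target"]))
    return needed


def existing_chains(ruleset):
    """Chains present in `nft -j list ruleset` output, as (family, table, name)."""
    found = set()
    for obj in ruleset["nftables"]:
        chain = obj.get("chain")
        if chain:
            found.add((chain["family"], chain["table"], chain["name"]))
    return found


def missing_chains(blob, ruleset):
    """Sorted list of chains the batch needs but the ruleset does not have."""
    return sorted(required_chains(blob) - existing_chains(ruleset))


# Constructed sample ruleset (not captured from any host): the `inet firewalld`
# table is complete, but the `ip firewalld` table holding the nat chains is gone
# entirely, as if another tool had deleted it.
_INET_CHAINS = [
    "raw_PREROUTING_ZONES_SOURCE", "raw_PRE_trusted",
    "mangle_PREROUTING_ZONES_SOURCE", "mangle_PRE_trusted",
    "filter_INPUT_ZONES_SOURCE", "filter_IN_trusted",
    "filter_FORWARD_IN_ZONES_SOURCE", "filter_FWDI_trusted",
    "filter_FORWARD_OUT_ZONES_SOURCE", "filter_FWDO_trusted",
]
SAMPLE_RULESET = {"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"table": {"family": "inet", "name": "firewalld", "handle": 1}},
] + [{"chain": {"family": "inet", "table": "firewalld", "name": n, "handle": i}}
     for i, n in enumerate(_INET_CHAINS, start=2)]}


def main():
    # Use a piped `nft -j list ruleset` if one is given, else the sample above.
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    ruleset = json.loads(data) if data.strip() else SAMPLE_RULESET
    missing = missing_chains(BLOB, ruleset)
    if not missing:
        print("all chains referenced by the firewalld batch exist")
        return 0
    print("chains referenced by the firewalld batch but absent from the ruleset:")
    for family, table, chain in missing:
        print("  %s %s %s" % (family, table, chain))
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

If the live run prints nothing missing, the chains are there and the rejection has another cause (for example a conflicting nftables table owned by a different CNI plugin, which is what the answer below points at); if it does list chains, firewalld's own tables are damaged and `systemctl restart firewalld` will recreate them, after which the podman run can be retried.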


Solution 1:

Are you using the nftables network plugin? Read here: https://github.com/greenpau/cni-plugins