macvlan: dhcp proxy not reaching server running on host
I get the following error when starting a container on a macvlan network with the dhcp ipam driver:
netavark: unable to obtain lease: dhcp proxy error: status: Aborted, message: "Timeout: Timeout"
The server is running on the host and is reachable from a container using a macvlan network with the host-local driver.
Steps to reproduce
$ ip a
...
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0e:2e:2c:c6:77 brd ff:ff:ff:ff:ff:ff
...
7: mvlan@enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 56:a1:e4:16:c2:b9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.4.1/24 brd 192.168.4.255 scope global mvlan
       valid_lft forever preferred_lft forever
$ podman network create dhcp -d macvlan -o parent=enp4s0 --ipam-driver=dhcp
dhcp
$ podman network create host-local -d macvlan -o parent=enp4s0 --ipam-driver=host-local --ip-range 192.168.4.10-192.168.4.20 --subnet 192.168.4.0/24
host-local
$ podman run --network dhcp --privileged alpine:latest udhcpc
Error: netavark: unable to obtain lease: dhcp proxy error: status: Aborted, message: "Timeout: Timeout", details: [], metadata: MetadataMap { headers: {"content-type": "application/grpc", "date": "Tue, 18 Jun 2024 11:43:09 GMT", "content-length": "0"} }
$ podman run --network host-local --privileged alpine:latest udhcpc
udhcpc: started, v1.36.1
udhcpc: broadcasting discover
udhcpc: broadcasting select for 192.168.4.109, server 192.168.4.1
udhcpc: lease of 192.168.4.109 obtained from 192.168.4.1, lease time 3600
Here are packet dumps of the above run for both the macvlan and the underlying device. The request of the dhcp proxy only shows up on the underlying device.
Configuration
$ podman info
host:
  arch: amd64
  buildahVersion: 1.36.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.12-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: e8896631295ccb0bfdda4284f1751be19b483264'
  cpuUtilization:
    idlePercent: 98.73
    systemPercent: 0.39
    userPercent: 0.88
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  freeLocks: 2020
  hostname: chef
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.9.2-arch1-1
  linkmode: dynamic
  logDriver: journald
  memFree: 542154752
  memTotal: 8190984192
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: /usr/lib/podman/aardvark-dns is owned by aardvark-dns 1.11.0-1
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.11.0
    package: /usr/lib/podman/netavark is owned by netavark 1.11.0-2
    path: /usr/lib/podman/netavark
    version: netavark 1.11.0
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.15-1
    path: /usr/bin/crun
    version: |-
      crun version 1.15
      commit: e6eacaf4034e84185fd8780ac9262bbf57082278
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: /usr/bin/pasta is owned by passt 2024_06_07.8a83b53-1
    version: |
      pasta 2024_06_07.8a83b53
      Copyright Red Hat
      GNU General Public License, version 2 or later
      <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 8589144064
  swapTotal: 8589930496
  uptime: 23h 48m 41.00s (Approximately 0.96 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 0
    stopped: 3
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 493409042432
  graphRootUsed: 183902281728
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 13
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.1.1
  Built: 1717539130
  BuiltTime: Wed Jun 5 00:12:10 2024
  GitCommit: bda6eb03dcbcf12a5b7ae004c1240e38dd056d24-dirty
  GoVersion: go1.22.3
  Os: linux
  OsArch: linux/amd64
  Version: 5.1.1
systemd-networkd configuration:
mvlan.netdev
[NetDev]
Name=mvlan
Kind=macvlan
[MACVLAN]
Mode=bridge
mvlan.network
[Match]
Name=mvlan
[Network]
Address=192.168.4.1/24
DHCPServer=true
[DHCPServer]
PoolOffset=100
PoolSize=20
EmitDNS=yes
DNS=9.9.9.9
enp4s0.network
[Match]
Name=enp4s0
[Network]
MACVLAN=mvlan
DHCP=no
IPv6AcceptRA=false
LinkLocalAddressing=no
MulticastDNS=false
LLMNR=false
Ok, I think I understand the setup now. I am not sure if this can work correctly though. I guess in such a case we want enp4s0 as the parent device for the macvlan, and the dhcp proxy should use the mvlan device on the host. But I have no time to test if this would work like that.
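To make the reachability question in the comment above concrete, here is an added example (not code from the report, nor from podman or netavark) that rebuilds the shape of the setup on a throwaway dummy interface: a bridge-mode macvlan child in the host namespace carrying 192.168.4.1 (the role of mvlan@enp4s0, where the DHCP server listens), a second macvlan child in its own network namespace (the role of the container), and an address on the parent interface itself (the stack a socket bound to enp4s0 would use). It then probes which of these can reach which. The interface and namespace names (mvdemo0, mvdemo_host, mvdemo_ctr0, mvdemo_ctr) and the parent's address 192.168.4.2 are assumptions chosen for the demo; it needs root with CAP_NET_ADMIN, iproute2 and ping, and only ever creates and deletes its own dummy device, so no real interface is touched.

```shell
#!/bin/sh
# Added example: macvlan bridge-mode reachability between children and their parent.
# Names/addresses below are assumptions for the demo, mirroring the report's 192.168.4.0/24.
# Requires root with CAP_NET_ADMIN, iproute2 and ping. Nothing on real interfaces is modified.

PARENT=mvdemo0         # stands in for enp4s0; a dummy device, so frames sent "out the wire" are dropped
HOST_MV=mvdemo_host    # stands in for the host's mvlan@enp4s0 (192.168.4.1)
CTR_NS=mvdemo_ctr      # stands in for the container's network namespace
CTR_MV=mvdemo_ctr0     # the container-side macvlan child (192.168.4.109)

cleanup() {
  ip netns del "$CTR_NS" 2>/dev/null || true
  ip link del "$HOST_MV" 2>/dev/null || true
  ip link del "$PARENT" 2>/dev/null || true
}

# can_run: true only when we are root, have the tools, and may create links and namespaces.
can_run() {
  [ "$(id -u)" = 0 ] || return 1
  command -v ip >/dev/null 2>&1 || return 1
  command -v ping >/dev/null 2>&1 || return 1
  ip link add mvdemo_probe type dummy 2>/dev/null || return 1
  ip link del mvdemo_probe
  ip netns add mvdemo_probe 2>/dev/null || return 1
  ip netns del mvdemo_probe
}

setup() {
  cleanup
  ip link add "$PARENT" type dummy
  ip link set "$PARENT" up
  # Host-side child in bridge mode, like the [MACVLAN] Mode=bridge unit in the report.
  ip link add "$HOST_MV" link "$PARENT" type macvlan mode bridge
  ip addr add 192.168.4.1/24 dev "$HOST_MV"
  ip link set "$HOST_MV" up
  # Address on the parent itself, with a worse metric so the host keeps preferring the
  # macvlan route for 192.168.4.0/24 (keeps strict rp_filter happy on the host side).
  ip addr add 192.168.4.2/24 dev "$PARENT" metric 100
  # Container-side child, created on the same parent and moved into its own namespace.
  ip netns add "$CTR_NS"
  ip link add "$CTR_MV" link "$PARENT" type macvlan mode bridge
  ip link set "$CTR_MV" netns "$CTR_NS"
  ip -n "$CTR_NS" addr add 192.168.4.109/24 dev "$CTR_MV"
  ip -n "$CTR_NS" link set lo up
  ip -n "$CTR_NS" link set "$CTR_MV" up
}

# probe <netns or -> <iface> <target>: prints ok or unreachable for one ping bound to <iface>.
probe() {
  if [ "$1" = - ]; then
    ping -I "$2" -c 1 -W 1 "$3" >/dev/null 2>&1 && echo ok || echo unreachable
  else
    ip netns exec "$1" ping -I "$2" -c 1 -W 1 "$3" >/dev/null 2>&1 && echo ok || echo unreachable
  fi
}

# run_demo: prints one line summarising the three reachability checks.
run_demo() {
  trap cleanup EXIT
  setup
  sib=$(probe "$CTR_NS" "$CTR_MV" 192.168.4.1)   # child -> sibling child on the host (the DHCP server's interface)
  par=$(probe "$CTR_NS" "$CTR_MV" 192.168.4.2)   # child -> the parent interface's own address
  rev=$(probe - "$PARENT" 192.168.4.109)         # parent interface's own stack -> child
  echo "sibling=$sib parent=$par parent_to_child=$rev"
}

if [ "${1:-}" = run ]; then
  run_demo
fi
```

Run it as root with `sh macvlan_demo.sh run`; it prints `sibling=ok parent=unreachable parent_to_child=unreachable`. The two macvlan children talk to each other through the bridge-mode parent, but a frame sent from the parent interface's own stack goes to the wire (here dropped by the dummy device) and is never handed to a macvlan child, and the reverse direction behaves the same. That is the same picture as the captures in the report, where the proxy's DHCP request appears on enp4s0 only and never on mvlan, and it is why a proxy that speaks DHCP through enp4s0 cannot reach a server that listens on mvlan@enp4s0, while a container's own macvlan child can.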