`istio-cni` failing with Docker Desktop on Macbook M1

[harsh4870]

trafficstars

Is this the right place to submit this?

• [X] This is not a security vulnerability or a crashing bug
• [X] This is not a question about how to use Istio

Bug Description

Ambient Mode Ztunnel failing Docker Desktop Macbook M1

Provisioning with Istio-ctl 1.21.0-beta

Command

istioctl install --set profile=ambient --set "components.ingressGateways[0].enabled=true" --set "components.ingressGateways[0].name=istio-ingressgateway" --skip-confirmation

kubectl -n istio-system get pods                  
NAME                                    READY   STATUS              RESTARTS   AGE
istio-cni-node-8njst                    1/1     Running             0          116s
istio-ingressgateway-689f9d6fb4-4qssc   1/1     Running             0          20m
istiod-556d7d4cf5-ndg7m                 1/1     Running             0          20m
ztunnel-78ldc                           0/1     Terminating         0          20m
ztunnel-zx8m7                           0/1     ContainerCreating   0          54s

Events:
  Type     Reason                  Age                   From               Message
  ----     ------                  ----                  ----               -------
  Normal   Scheduled               6m28s                 default-scheduler  Successfully assigned istio-system/ztunnel-zx8m7 to docker-desktop
  Warning  FailedCreatePodSandBox  6m27s                 kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = [failed to set up sandbox container "c88ecf6787ad644d31272bff249c3a6320a86cb5734dc975fd08169f25fb6442" network for pod "ztunnel-zx8m7": networkPlugin cni failed to set up pod "ztunnel-zx8m7_istio-system" network: plugin type="loopback" failed (add): missing network name:, failed to clean up sandbox container "c88ecf6787ad644d31272bff249c3a6320a86cb5734dc975fd08169f25fb6442" network for pod "ztunnel-zx8m7": networkPlugin cni failed to teardown pod "ztunnel-zx8m7_istio-system" network: plugin type="loopback" failed (delete): missing network name]

Version

harsh@Harshs-MacBook-Air istio-1.21.0-beta.1 % istioctl version
client version: 1.21.0-beta.1
control plane version: 1.21.0-beta.1
data plane version: 1.21.0-beta.1 (1 proxies)

Additional Information

Target cluster context: docker-desktop

Running with the following config:

istio-namespace: istio-system full-secrets: false timeout (mins): 30 include: { } exclude: { Namespaces: kube-node-lease,kube-public,kube-system,local-path-storage } end-time: 2024-02-05 21:20:15.426043 +0530 IST

Cluster endpoint: https://kubernetes.docker.internal:6443 CLI version: version.BuildInfo{Version:"1.21.0-beta.1", GitRevision:"1aff7e1afea87c635e00ccdf661b146d357a3a6e", GolangVersion:"go1.21.6", BuildStatus:"Clean", GitTag:"1.21.0-beta.1"}

The following Istio control plane revisions/versions were found in the cluster: Revision default: &version.MeshInfo{ { Component: "pilot", Revision: "default", Info: version.BuildInfo{Version:"1.21.0-beta.1", GitRevision:"1aff7e1afea87c635e00ccdf661b146d357a3a6e", GolangVersion:"", BuildStatus:"Clean", GitTag:"1.21.0-beta.1"}, }, }

The following proxy revisions/versions were found in the cluster: Revision default: Versions {1.21.0-beta.1}

Fetching logs for the following containers:

istio-system/istio-cni-node/istio-cni-node-8njst/install-cni istio-system/istio-ingressgateway/istio-ingressgateway-689f9d6fb4-4qssc/istio-proxy istio-system/istiod/istiod-556d7d4cf5-ndg7m/discovery istio-system/ztunnel/ztunnel-78ldc/istio-proxy istio-system/ztunnel/ztunnel-zx8m7/istio-proxy

Fetching Istio control plane information from cluster.

Fetching CNI logs from cluster.

Running Istio analyze on all namespaces and report as below: Analysis Report: Info [IST0102] (Namespace default) The namespace is not enabled for Istio injection. Run 'kubectl label namespace default istio-injection=enabled' to enable it, or 'kubectl label namespace default istio-injection=disabled' to explicitly mark it as not needing injection. Creating an archive at /Users/harsh/Downloads/istio-opa-cloud-custodian/istio-1.21.0-beta.1/bug-report.tar.gz. Time used for creating the tar file is 86.404208ms. Cleaning up temporary files in /var/folders/lj/371df1hn6j76fmnw44s2bkk80000gn/T/bug-report. Done.

[dhawton]

Version of Docker Desktop and OSX? I feel like I've read recently the latest update broke a few things. I don't personally use Mac, but that would be helpful to research with.

[harsh4870]

Sure, Many Thanks

Kubernetes version : v1.27.2 Mac Version : 13.4 Docker Engine : v24.0.6 Docker Desktop : 4.24.0

Will try to debug & share more details.

Please do let me know if you need any other information.

[harsh4870]

@bleggett it's working like charm with K8s v1.29.1, Docker Desktop 4.27.1

i just updated my Docker Destop to check

[harsh4870]

Closing the issue i guess there might be issue with specific Docker Desktop version, updating to latest will solve the issue.

[harsh4870]

@bleggett Apologies ztunnel & istio got installed properly however application PODs are still failing with error

Warning FailedCreatePodSandBox 85s kubelet Failed to create pod sandbox: rpc error: code = Unknown desc = [failed to set up sandbox container "f34766e124134ed9261e5bb78dd1bc6793027f4e452df90b1eee22488d0d5603" network for pod "details-v1-698d88b-79m8s": networkPlugin cni failed to set up pod "details-v1-698d88b-79m8s_default" network: plugin type="loopback" failed (add): missing network name:, failed to clean up sandbox container "f34766e124134ed9261e5bb78dd1bc6793027f4e452df90b1eee22488d0d5603" network for pod "details-v1-698d88b-79m8s": networkPlugin cni failed to teardown pod "details-v1-698d88b-79m8s_default" network: plugin type="loopback" failed (delete): missing network name]

[bleggett]

Yes, this is the same problem as: https://github.com/istio/istio/issues/47436#issuecomment-1769526105

plugin type="loopback" failed (delete): missing network name

this seems to be a problem with docker desktop's cluster setup specifically, they are shipping an outdated CNI stack/plugin (loopback) that doesn't correctly declare CNI version support, I suspect.

I'll look at what we can do in terms of working around that, but using kind or minikube is strongly recommended over docker desktop generally, because of things like this.

[MorrisLaw]

Yes, this is the same problem as: #47436 (comment)

plugin type="loopback" failed (delete): missing network name

this seems to be a problem with docker desktop's cluster setup specifically, they are shipping an outdated CNI stack/plugin (loopback) that doesn't correctly declare CNI version support, I suspect.

I'll look at what we can do in terms of working around that, but using kind or minikube is strongly recommended over docker desktop generally, because of things like this.

@bleggett is this something that should be added to the docs (kind or minikube is strongly recommended over docker desktop generally, because of things like...)?

[bleggett]

@MorrisLaw probably yes. I can't test this as there's no Docker Desktop build for my arch/platform.

It's not ambient-specific however, as plugin type="loopback" failed (delete): missing network name would manifest when using istio-cni for sidecars too (e.g. for repair).

(and to be clear, the loopback plugin is not one of the plugins we ship, it is one of docker desktop's)

[istio-policy-bot]

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2024-05-06. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.