Fails to start rootless container with bypass4netns after reboot: `failed to allocate for range 0: 10.4.1.3 has been allocated to default-XXXXXXX, duplicate allocation is not allowed`

Open merrkry opened this issue 1 year ago • 1 comments

Description

I have a rootless container installed with bypass4netns.

When I reboot the machine, the container fails to restart.

The only way to get it working is to run nerdctl compose down && nerdctl compose up -d.

Steps to reproduce the issue

  1. paru -S nerdctl buildkit cni-plugins rootlesskit slirp4netns bypass4netns
  2. containerd-rootless-setuptool.sh install
  3. containerd-rootless-setuptool.sh install-bypass4netnsd
  4. nerdctl compose up -d
  5. restart containerd user service / reboot

The container isn't started as expected.

runc create failed: unable to start container process: error during container init: error running hook #0: error running hook: exit status 1, stdout: , stderr: time="" level=fatal msg="failed to call cni.Setup: plugin type=\"bridge\" failed (add): failed to allocate for range 0: 10.4.1.3 has been allocated to default-XXXXXXX, duplicate allocation is not allowed"
Failed to write to log, write /home/merrkry/.local/share/nerdctl/1935db59/containers/default/XXXXXXX/oci-hook.createRuntime.log: file already closed

In the output of nerdctl ps -a, the status is Created. All restart policies make no difference here; it either simply fails or keeps repeating the same error.

Here's the compose file:

services:
    ddns-go:
        container_name: ddns-go
        restart: unless-stopped
        ports: [ "9876:9876" ]
        volumes:
            - ./data:/root
        image: jeessy/ddns-go
        # annotations: [ "nerdctl/bypass4netns=true" ]
        labels: [ "nerdctl/bypass4netns=true" ]

Describe the results you received and expected

The container should start normally, just like without bypass4netns.

What version of nerdctl are you using?

v1.7.5. v2.0.0.beta.4.r6.33f6ae2b (edit compose file accordingly)

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

Client:
 Namespace:     default
 Debug Mode:    false

Server:
 Server Version: v1.7.15
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Log: fluentd journald json-file syslog
  Storage: btrfs native overlayfs
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
  rootless
 Kernel Version: 6.6.25-2-cachyos-lts-lto
 Operating System: Arch Linux
 OSType: linux
 Architecture: x86_64
 CPUs: 
 Total Memory:
 Name: 
 ID: 
WARNING: No cpuset support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

merrkry avatar Apr 12 '24 08:04 merrkry

Workaround: rm -f ~/.local/share/cni/networks/NETWORK/IP

AkihiroSuda avatar Apr 13 '24 01:04 AkihiroSuda
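The workaround above deletes the per-IP reservation file that the CNI host-local IPAM plugin left behind. The following script, added here as an example and not code from the nerdctl project or from the comment, lists which reservation files under a networks directory are stale, so the operator can see which IP to remove before running rm. It assumes the host-local layout: one file per reserved IP at <networks dir>/<network>/<IP>, with the owning container ID on the first line, plus the bookkeeping files lock and last_reserved_ip.N. The directory paths, container IDs and the live-ID list in the demo are constructed sample values.

```shell
#!/bin/sh
# Added example (not part of nerdctl): find host-local IPAM reservations whose
# recorded container ID is not in a list of live containers.
# Assumption: host-local writes <networks dir>/<network>/<IP> with the
# container ID on the first line (interface name on the second).

# find_stale_reservations NETWORKS_DIR LIVE_IDS_FILE
#   NETWORKS_DIR   e.g. ~/.local/share/cni/networks for rootless nerdctl
#   LIVE_IDS_FILE  one full container ID per line
# Prints "<network> <ip> <container-id>" for every stale reservation.
find_stale_reservations() {
    netdir=$1
    live=$2
    for f in "$netdir"/*/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # Skip host-local bookkeeping files; only IP-named files are reservations.
        case "$name" in
            lock|last_reserved_ip.*) continue ;;
        esac
        id=$(head -n 1 "$f")
        [ -n "$id" ] || continue
        # -x: whole-line match, -F: literal, so a truncated ID never matches by prefix.
        if ! grep -qxF "$id" "$live"; then
            printf '%s %s %s\n' "$(basename "$(dirname "$f")")" "$name" "$id"
        fi
    done
}

# make_sample_tree DIR: constructed sample state mimicking a host after reboot,
# where 10.4.1.3 is still reserved by a container that no longer runs.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/networks/bridge"
    printf 'aaaa1111\neth0\n' > "$dir/networks/bridge/10.4.1.2"   # live container
    printf 'bbbb2222\neth0\n' > "$dir/networks/bridge/10.4.1.3"   # stale (gone after reboot)
    printf '10.4.1.3' > "$dir/networks/bridge/last_reserved_ip.0" # bookkeeping, ignored
    : > "$dir/networks/bridge/lock"                               # bookkeeping, ignored
    printf 'aaaa1111\n' > "$dir/live-ids.txt"                     # constructed live-ID list
}

# Usage on a real rootless host (assumption: nerdctl is installed):
#   nerdctl ps -q --no-trunc > /tmp/live-ids.txt
#   find_stale_reservations ~/.local/share/cni/networks /tmp/live-ids.txt
# Each reported line names a file you can then remove, as in the workaround:
#   rm -f ~/.local/share/cni/networks/<network>/<ip>
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    find_stale_reservations "$tmp/networks" "$tmp/live-ids.txt"
    rm -rf "$tmp"
fi
```

The script only reports; deletion stays a deliberate step, because removing a reservation that a running container still holds would let the bridge plugin hand the same address to a second container.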

@merrkry I believe this got fixed with:

https://github.com/containerd/nerdctl/pull/3356/files#diff-e0596cfbff08dfa3c5d049b51af0bf64607ac3fcd0fd48087b17be54c6632ef6

Obviously I stumbled upon the same issue as yours and opened a duplicate here: https://github.com/containerd/nerdctl/issues/3355

apostasie avatar Aug 25 '24 18:08 apostasie