Container networks: netavark is missing some kernel iptables modules
To reproduce:
run add container image busybox:stable
set container network net-4-6 prefix 192.0.2.0/24
set container network net-4-6 prefix 2001:db8::/64
set container name dual-stack-1 image docker.io/library/busybox:stable
set container name dual-stack-1 network net-4-6 address 192.0.2.2
set container name dual-stack-1 network net-4-6 address 2001:db8::2
commit
commit:
vyos@r14# commit
[ container ]
Traceback (most recent call last):
  File "/usr/libexec/vyos/services/vyos-configd", line 136, in run_script
    script.apply(c)
  File "/usr/libexec/vyos//conf_mode/container.py", line 494, in apply
    cmd(f'systemctl restart vyos-container-{name}.service')
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 155, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: systemctl restart vyos-container-dual-stack-1.service
returned:
exit code: 1

[[container]] failed
Commit failed
[edit]
Logs:
Oct 25 12:16:23 r14 podman[3874]: Error: netavark: unable to append rule '-j MARK --set-xmark 0x2000/0x2000' to table 'nat': code: 2, msg: Warning: Extension MARK revision 0 not supported, missing kernel module?
Oct 25 12:16:23 r14 podman[3874]: ip6tables v1.8.9 (nf_tables): unknown option "--set-xmark"
Oct 25 12:16:23 r14 podman[3874]: Try `ip6tables -h' or 'ip6tables --help' for more information.
Oct 25 12:16:23 r14 systemd[1]: vyos-container-dual-stack-1.service: Control process exited, code=exited, status=126/n/a
Oct 25 12:16:24 r14 podman[3929]: 9ab5ebe5d93876e999ecc142ea98be2f9256b677c668eaf9992300f69694c285
Oct 25 12:16:24 r14 systemd[1]: vyos-container-dual-stack-1.service: Failed with result 'exit-code'.
Oct 25 12:16:24 r14 systemd[1]: Failed to start vyos-container-dual-stack-1.service - VyOS Container dual-stack-1.
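The journal above shows the failure mode but not how to confirm the cause on a given host. The following script is an added example, not part of the report or of VyOS/netavark: it recognises the two tell-tale log lines (the netavark "Extension MARK revision 0 not supported" error and the ip6tables "unknown option --set-xmark" line) and, with --live, probes the kernel directly. It assumes the module in question is xt_mark (kernel option CONFIG_NETFILTER_XT_MARK, which backs the MARK target that iptables-nft resolves through nft_compat); the report itself only says "missing kernel module?", so that mapping is the example's assumption. The sample log lines are constructed from the ones in the report, shortened to fit.

```shell
#!/bin/sh
# Added example (not from the bug report or from VyOS/netavark).
# Assumption: the missing module is xt_mark (CONFIG_NETFILTER_XT_MARK).

# Return 0 if a single journal line is the netavark/ip6tables MARK failure.
is_mark_ext_failure() {
    case "$1" in
        *"Extension MARK revision"*"not supported"*) return 0 ;;
        *'unknown option "--set-xmark"'*)            return 0 ;;
        *)                                           return 1 ;;
    esac
}

# Read journal text on stdin, print the lines that point at xt_mark.
# Exit status 0 when at least one such line was found.
triage_log() {
    hits=0
    while IFS= read -r line; do
        if is_mark_ext_failure "$line"; then
            hits=$((hits + 1))
            printf 'MARK extension failure: %s\n' "$line"
        fi
    done
    [ "$hits" -gt 0 ]
}

# Live host check (needs root and a Linux host): is xt_mark shipped for the
# running kernel, and does 'MARK --set-xmark' work in the ip6tables nat table?
# A throwaway chain is used so no rule is left behind.
check_xt_mark() {
    if ! modprobe -n -q xt_mark 2>/dev/null; then
        echo "xt_mark not available for kernel $(uname -r)" >&2
        return 1
    fi
    modprobe xt_mark 2>/dev/null || true
    chain="probe_xt_mark_$$"
    if ip6tables -t nat -N "$chain" 2>/dev/null \
       && ip6tables -t nat -A "$chain" -j MARK --set-xmark 0x2000/0x2000 2>/dev/null; then
        ip6tables -t nat -F "$chain"
        ip6tables -t nat -X "$chain"
        echo "MARK --set-xmark works in the ip6tables nat table"
        return 0
    fi
    ip6tables -t nat -X "$chain" 2>/dev/null
    echo "MARK --set-xmark rejected; xt_mark missing or not loadable" >&2
    return 1
}

# Constructed sample, shortened from the report's journal output.
SAMPLE_LOG='Oct 25 12:16:23 r14 podman[3874]: Error: netavark: unable to append rule to table nat: code: 2, msg: Warning: Extension MARK revision 0 not supported, missing kernel module?
Oct 25 12:16:23 r14 podman[3874]: ip6tables v1.8.9 (nf_tables): unknown option "--set-xmark"
Oct 25 12:16:23 r14 systemd[1]: vyos-container-dual-stack-1.service: Control process exited, code=exited, status=126/n/a
Oct 25 12:16:24 r14 podman[3929]: 9ab5ebe5d93876e999ecc142ea98be2f9256b677c668eaf9992300f69694c285'

case "${1:-}" in
    --live) check_xt_mark ;;
    *)      printf '%s\n' "$SAMPLE_LOG" | triage_log ;;
esac
```

Run it with no arguments to see the triage over the embedded sample (it flags the first two lines and ignores the systemd and container-ID lines); on the affected router, `journalctl -u vyos-container-dual-stack-1.service | sh check-xt-mark.sh` applies the same triage to the real journal, and `sudo sh check-xt-mark.sh --live` tells you whether the running kernel can actually install the rule netavark needs.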