nerdctl run - failed to add the address (failed to add the address 10.4.0.17/32 to trusted zone: Not Authorized(uid): org.fedoraproject.FirewallD1.config)

[AkihiroSuda]

Discussed in #2090

^{Originally posted by nealef March 10, 2023}
When running nerdctl run in rootless mode I fail with:

FATA[0000] failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running hook #0: error running hook: exit status 1, stdout: , stderr: time="2023-03-09T21:29:12-05:00" level=fatal msg="failed to call cni.Setup: plugin type=\"firewall\" failed (add): failed to add the address 10.4.0.17/32 to trusted zone: Not Authorized(uid): org.fedoraproject.FirewallD1.config"

Have I missed a configuration step?

This seems to happen when firewalld is running.
A workaround is to disable firewalld (sudo systemctl stop firewalld) and use another firewall.

Confirmed on Ubuntu 23.10, Rocky Linux 9.3, etc. with nerdctl v2.0.0-beta.0, CNI firewall plugin v1.4.0.
Rootful mode is not affected.

[AkihiroSuda]

This seems to fix the issue

--- /home/suda.linux/.config/cni/net.d/nerdctl-bridge.conflist.bak	2024-02-14 17:27:37.281279702 +0900
+++ /home/suda.linux/.config/cni/net.d/nerdctl-bridge.conflist	2024-02-14 17:30:16.410469639 +0900
@@ -37,7 +37,8 @@
     },
     {
       "type": "firewall",
-      "ingressPolicy": "same-bridge"
+      "ingressPolicy": "same-bridge",
+      "backend": "iptables"
     },
     {
       "type": "tuning"

[fahedouch]

iptables

@AkihiroSuda could you please explain why it works with iptables backend ?

[AkihiroSuda]

Because it doesn't talk to firewalld, and iptables still work inside the netns