Image quay.io/podman/upstream fails on "podman build" when run as root (inside the container) on a RHEL 8.5: msg: modprobe: FATAL: Module ip_tables not found

[Romain-Geissler-1A]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

We are in a company environment, so unfortunately we are stuck with RHEL 8, and don't have access to Fedora. In order to report upstream podman bugs, we want to try with podman upstream first to check if the bug is still present. It used to work, however now with podman 4.0.0 it seems to be broken when podman is run as root inside the container

Steps to reproduce the issue:

1. From a RHEL 8.5 machine, where podman (the official one from RHEL) is installed, run this. It fails with a modprobe error:

rgeissler@NCEOBERHEL80009.rnd.amadeus.net[dev]:~$ podman run --privileged -i --rm quay.io/podman/upstream podman build -f - . <<END_OF_FILE
FROM fedora
RUN true
END_OF_FILE
STEP 1/2: FROM fedora
Resolved "fedora" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob sha256:c6183d119aa8953fe2cb6351e8fb4aeeb770f86c1aef3d534f7e02f5e2861321
Copying blob sha256:c6183d119aa8953fe2cb6351e8fb4aeeb770f86c1aef3d534f7e02f5e2861321
Copying config sha256:e417cd49a84e1749071c516c4f0013ea62113cb5adc98a8504a63a04bfd43479
Writing manifest to image destination
Storing signatures
STEP 2/2: RUN true
error running container: did not get container start message from parent: EOF
Error: error building at STEP "RUN true": netavark: code: 3, msg: modprobe: FATAL: Module ip_tables not found in directory /lib/modules/4.18.0-348.12.2.el8_5.x86_64
iptables v1.8.7 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Describe the results you received:

Any "podman build" run as root inside the quay.io/podman/upstream image involving a RUN Dockerfile directive will fail when run on a RHEL 8 host.

Describe the results you expected:

I would expect the image quay.io/podman/upstream to work out of the box on a RHEL 8 host. Most likely some new config wrt the network backend shall be added in https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/containers.conf so that this works by default.

Note: it would be really cool if Red Hat provided some "upstream" stream for the "container-tools" module to always be able to install on RHEL machines some unstable but latest podman versions ;)

[Luap99]

You have to load the kernel modules as root on the host. podman build now uses a private netns by default like podman run, so you either load the modules on the host or run with --network=host.

Looking at the containers.conf file in container the default netns value should already be set to host.
@rhatdan I thought you fixed this in buildah but it doesn't look like it uses the value from containers.conf.

[Romain-Geissler-1A]

In our case our development machines are shared among all the developers of the company, who don't have any root rights. These machines are being administrated by a small group of "sysadmins", so technically I could ask them to change the global config, but somehow I would expect this scenario to work without changing the host config (as the non root scenario works).

[github-actions]

A friendly reminder that this issue had no activity for 30 days.