Date: Wed, 18 Sep 2024 10:58:44 +1000
From: David Gibson
To: "Castelli, Anton"
CC: passt-user@passt.top
Subject: Re: Rootless Podman with VRRP
References: <172649928722.151934.9874324737582181440@maja>
List-Id: "For passt users: support, questions and answers"
On Tue, Sep 17, 2024 at 03:22:04PM +0000, Castelli, Anton wrote:
> David,
>
> Thank you very much for the quick reply!
>
> I tried querying the DNS with TCP and it worked correctly, using the
> VRRP address in the reply packet. Unfortunately, UDP is the default
> for DNS queries.

Right.

> Thanks for the advice about the options and the workaround. I had
> just copied them from the Podman docs and modified them slightly. I
> tried the '--publish 10.1.1.1:53:53/udp --publish
> 10.1.1.2:53:53/udp' options, and it worked great on the primary
> server that had the active VRRP address. I was able to query both
> the regular and VRRP addresses and get a response. Unfortunately,
> when I tried the same on the secondary server that doesn't have the
> VRRP address, it refused to bind to the non-existent '10.1.1.2'
> address.

Ah, right, of course. I was just thinking about the primary, and
didn't consider how the secondaries would also need to listen on that
address at some future time.

> I tried with both the publish options and got an error (10.1.1.3 is
> the regular IP of the secondary server).
>
> --publish 10.1.1.3:53:53/udp --publish 10.1.1.2:53:53/udp
>
> Error: unable to start container "XXXX": pasta failed with exit code 1:
> Altering mapping of already mapped port number: 10.1.1.2/53-53:53-53

This looks like a different bug - although one that I think will be
fixed by some work that's pretty close to the top of my queue. It's
not all that relevant for your case right now, because..

> Failed to bind port 53 (Cannot assign requested address) for option
> '-u 10.1.1.2/53-53:53-53', exiting

..this one is more fundamental. Usually, you can't bind an address
you don't currently own.

> I also tried to publish just the VRRP address that isn't currently
> assigned to the secondary server and got a different error.
>
> --publish 10.1.1.2:53:53/udp
>
> Error: unable to start container "XXXX": pasta failed with exit code 1:
> Failed to bind port 53 (Cannot assign requested address) for option '-u 131.230.254.138/53-53:53-53', exiting

This one looks like the same error... except the IP is very strange.
Or was this just a mistake in anonymizing the addresses?

> Since the goal of this VRRP setup is to have an active/standby
> failover pair, I have to have the service started and running on the
> secondary server. If the primary server fails, the VRRP address will
> move to the secondary server and DNS should then respond to
> requests.
>
> Unless you can think of another work-around for the secondary
> server, I might just have to use a rootful container and host
> networking for now.

I think I do have another workaround, although it will require
changing a setting as root. If you set:

    sysctl net.ipv4.ip_nonlocal_bind=1

on the host (and the ipv6 version as well, if you need it), then pasta
should be able to bind the VRRP address even if it isn't (yet)
configured on the machine.

There's also a per-socket version of this (IP_FREEBIND) which wouldn't
require the root setup. We've talked about supporting this in pasta
somehow, but we don't have any specific plans for it (it's not very
clear how you'd configure it, for example).

Note that with the ip_nonlocal_bind setting you might still run into
trouble binding both the VRRP and regular addresses due to the other
bug I mentioned in passing above. As I said that one should be
addressed by some stuff that's pretty near the front of the queue.
Let me know if that's still an issue for you and I'll consider it a
priority bump to that work.

> I will be happy to submit a bug report. Unfortunately, I'm having
> trouble getting signed up. I've tried to send the new account email
> to both my work email address and a personal Gmail address. I have
> not received the email in either case (I've checked the spam folders
> too).

I see you and Stefano sorted that out. Thanks for filing the bug.
Looks like in the confusion over signup, 4 almost duplicates were
filed, I've consolidated those now.

That will keep this on the radar, but I can't promise we'll be able to
fix this particularly soon. There's a heap of other work that will
probably take priority. I hope the workarounds above can tide you
over for now.

> I very much appreciate your work and the Pasta project. Thank you
> for taking the time to respond and helping me out!

-- 
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
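The two workarounds discussed above, the host-wide net.ipv4.ip_nonlocal_bind sysctl and the per-socket IP_FREEBIND option, side by side in a small C program. This is an added example, not code from the thread, from pasta or from Podman. It assumes a Linux host on which 10.1.1.2 (the VRRP address from the thread) is not configured, reads the sysctl from /proc, and binds to port 0 so that no privileges are needed; the IP_FREEBIND fallback value 15 is the Linux constant, defined here only in case the header does not provide it.

```c
/* Added example: compare a plain bind() of a not-yet-owned (VRRP) address
 * with the same bind() after setting IP_FREEBIND on the socket, and show
 * the current value of the net.ipv4.ip_nonlocal_bind sysctl. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_FREEBIND
#define IP_FREEBIND 15 /* Linux value; assumed when the header lacks it */
#endif

/* Read the host-wide sysctl. Returns 0 or 1, or -1 if it cannot be read
 * (non-Linux host, or /proc not mounted). */
int read_nonlocal_bind(void)
{
    FILE *f = fopen("/proc/sys/net/ipv4/ip_nonlocal_bind", "r");
    int v = -1;

    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Try to bind a UDP socket to addr:port, optionally with IP_FREEBIND.
 * Returns 0 on success, otherwise the errno of the failing call.
 * Port 0 lets the kernel pick an unprivileged port, so no root is needed. */
int try_bind_udp(const char *addr, unsigned short port, int freebind)
{
    struct sockaddr_in sa;
    int s, one = 1, err = 0;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1)
        return EINVAL;

    s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return errno;

    /* Per-socket equivalent of ip_nonlocal_bind=1: allowed without root. */
    if (freebind &&
        setsockopt(s, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0) {
        err = errno;
        close(s);
        return err;
    }

    if (bind(s, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        err = errno; /* EADDRNOTAVAIL: "Cannot assign requested address" */
    close(s);
    return err;
}

int main(void)
{
    /* VRRP address from the thread; assumed not configured on this host. */
    const char *vrrp = "10.1.1.2";
    int r;

    printf("net.ipv4.ip_nonlocal_bind = %d\n", read_nonlocal_bind());

    r = try_bind_udp(vrrp, 0, 0);
    printf("plain bind %s: %s\n", vrrp, r ? strerror(r) : "ok");

    r = try_bind_udp(vrrp, 0, 1);
    printf("IP_FREEBIND bind %s: %s\n", vrrp, r ? strerror(r) : "ok");
    return 0;
}
```

With the sysctl at its default of 0, the plain bind fails with "Cannot assign requested address", which is the error pasta reported on the standby server, while the IP_FREEBIND bind succeeds; with the sysctl set to 1 both succeed. For IPv6 the per-socket counterpart is IPV6_FREEBIND at the IPPROTO_IPV6 level, and the host-wide knob is net.ipv6.ip_nonlocal_bind.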