I am using Podman in Fedora 40, which uses pasta by default for rootless
container networking.
Fedora 40's base version of passt is `passt-0^20240326.g4988e2b-1.fc40`,
but recently two newer versions were released,
`passt-0^20240726.g57a21d2-1.fc40` and `0^20240806.gee36266-1.fc40`.
After upgrading, one pod kept going offline after a few minutes. The
containers remained running, but could not make outbound connections.
Journalctl revealed that the pasta process for the pod had crashed with:
Aug 08 23:07:55 dev pasta[95859]: ASSERTION FAILED in flow_hash
(flow.c:566): pif != PIF_NONE && !inany_is_unspecified(&side->eaddr)
&& side->eport != 0 && side->fport != 0
Aug 08 23:07:55 dev audit[95859]: SECCOMP auid=1000 uid=1000
gid=1000 ses=1
subj=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023
pid=95859 comm="pasta.avx2" exe="/usr/bin/pasta.avx2" sig=31
arch=c000003e syscall=186 compat=0 ip=0x7f8f8c23b64f code=0x80000000
Aug 08 23:07:55 dev audit[95859]: ANOM_ABEND auid=1000 uid=1000
gid=1000 ses=1
subj=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023
pid=95859 comm="pasta.avx2" exe="/usr/bin/pasta.avx2" sig=31 res=1
After much debugging, I isolated the trigger to a particular container
making a peer-to-peer TCP connection to a remote address with port 0.
Reverting passt to version 20240326 works as expected, and the container
stays online. It's been a long time since I wrote any C, but the code
seems clear and checks that the endpoint and forwarding ports do not
equal 0. I assume that a port 0 connection is not realistic or useful,
and that actual attempt to connect over this port indicate a bug in the
client code. Is this correct?
I've reported the behavior to the container authors, but am checking
here too in case I'm off base.