I am using Podman in Fedora 40, which uses pasta by default for rootless container networking.
Fedora 40's base version of passt is `passt-0^20240326.g4988e2b-1.fc40`, but recently two newer versions were released, `passt-0^20240726.g57a21d2-1.fc40` and `0^20240806.gee36266-1.fc40`.
After upgrading, one pod kept going offline after a few minutes. The containers remained running, but could not make outbound connections. Journalctl revealed that the pasta process for the pod had crashed with:
```
Aug 08 23:07:55 dev pasta[95859]: ASSERTION FAILED in flow_hash (flow.c:566): pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) && side->eport != 0 && side->fport != 0
Aug 08 23:07:55 dev audit[95859]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 subj=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 pid=95859 comm="pasta.avx2" exe="/usr/bin/pasta.avx2" sig=31 arch=c000003e syscall=186 compat=0 ip=0x7f8f8c23b64f code=0x80000000
Aug 08 23:07:55 dev audit[95859]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=1 subj=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 pid=95859 comm="pasta.avx2" exe="/usr/bin/pasta.avx2" sig=31 res=1
```
After much debugging, I isolated the trigger to a particular container making a peer-to-peer TCP connection to a remote address with port 0.
Reverting passt to version 20240326 works as expected, and the container stays online. It's been a long time since I wrote any C, but the code seems clear and checks that the endpoint and forwarding ports do not equal 0. I assume that a port 0 connection is not realistic or useful, and that an actual attempt to connect over this port indicates a bug in the client code. Is this correct?
I've reported the behavior to the container authors, but am checking here too in case I'm off base.
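As an added example (not from the post above and not part of the passt project), a small Python check that pulls pasta assertion failures out of journalctl output and confirms each one against the audit ANOM_ABEND record for the same PID, so a monitoring job can tell a real pasta crash from a stray log line. The journal lines embedded below are constructed, modelled on the ones quoted in the post.

```python
import re

# Constructed sample journal excerpt, modelled on the lines quoted in the post.
SAMPLE_JOURNAL = """\
Aug 08 23:07:55 dev pasta[95859]: ASSERTION FAILED in flow_hash (flow.c:566): pif != PIF_NONE && !inany_is_unspecified(&side->eaddr) && side->eport != 0 && side->fport != 0
Aug 08 23:07:55 dev audit[95859]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 pid=95859 comm="pasta.avx2" exe="/usr/bin/pasta.avx2" sig=31 arch=c000003e syscall=186 compat=0 code=0x80000000
Aug 08 23:07:55 dev audit[95859]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=1 pid=95859 comm="pasta.avx2" exe="/usr/bin/pasta.avx2" sig=31 res=1
Aug 08 23:09:12 dev pasta[95900]: ASSERTION FAILED in flow_hash (flow.c:566): pif != PIF_NONE
Aug 08 23:10:00 dev sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
"""

TS = r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})"
ASSERT_RE = re.compile(TS + r" \S+ pasta\[(?P<pid>\d+)\]: ASSERTION FAILED in (?P<func>\w+) \((?P<loc>[^)]+)\): (?P<cond>.*)$")
ABEND_RE = re.compile(TS + r" \S+ audit\[(?P<pid>\d+)\]: ANOM_ABEND .*?comm=\"(?P<comm>[^\"]+)\".*? sig=(?P<sig>\d+)")
PORT_ZERO_CHECK = "eport != 0"   # the flow_hash condition on endpoint port from the post


def find_pasta_crashes(journal: str) -> list[dict]:
    """Return one record per pasta PID that logged an assertion failure.

    A record is 'confirmed' when the audit subsystem also reported ANOM_ABEND
    for the same PID, i.e. the process really died rather than only logging.
    """
    crashes: dict[int, dict] = {}
    for line in journal.splitlines():
        m = ASSERT_RE.match(line)
        if m:
            pid = int(m["pid"])
            crashes[pid] = {
                "pid": pid, "ts": m["ts"], "function": m["func"], "location": m["loc"],
                # flag assertions that involve the port-0 endpoint check discussed in the post
                "port_zero_related": PORT_ZERO_CHECK in m["cond"],
                "confirmed": False, "signal": None,
            }
            continue
        m = ABEND_RE.match(line)
        if m and int(m["pid"]) in crashes and m["comm"].startswith("pasta"):
            rec = crashes[int(m["pid"])]
            rec["confirmed"] = True
            rec["signal"] = int(m["sig"])   # 31 is SIGSYS on x86_64: killed by the seccomp filter
    return sorted(crashes.values(), key=lambda r: r["pid"])


if __name__ == "__main__":
    for rec in find_pasta_crashes(SAMPLE_JOURNAL):
        state = "confirmed" if rec["confirmed"] else "unconfirmed"
        print(f"pid {rec['pid']} {rec['function']} {rec['location']} {state} sig={rec['signal']}")
```

Feed it `journalctl --user -o short` output (or `journalctl -o short` plus the audit unit) to get the same records for a live host.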