Upgrade fedora version to 41 #13

Open: wants to merge 1 commit into base: main

l0rd (Member) commented Jan 31, 2025

Update the tag of the image docker.io/library/fedora that is used as the base for the WSL image.

I am opening this as a draft to get some initial feedback on the update from Fedora 40 to 41, but I will have to locally build and test it before considering merging it. Fedora 40 EOL is 2025-05-28.

Luap99 (Member) commented Jan 31, 2025

I think we should update this right away. There is no point in keeping this behind; the coreos stream has already been on f41 for a while.

l0rd (Member, Author) commented Jan 31, 2025

> I think we should update this right away. There is no point in keeping this behind; the coreos stream has already been on f41 for a while.

Right. I am going to do a minimum of tests to ensure that nothing breaks so that we can update it.

Luap99 (Member) commented Jan 31, 2025

We switched to nftables by default in f41. Given that WSL uses its own custom kernel with (partly) broken networking, you may want to test that. Running a rootful container should be enough to verify netavark is working.

Also once that is done there is containers/podman#25153
I am not sure how this works on WSL kernel, I guess the modules there should already be loaded and we don't have to do it?

l0rd (Member, Author) commented Jan 31, 2025

Rootful mode does indeed have a problem:

> podman machine init --image docker://quay.io/mloriedo/machine-os-wsl:5.5-next
> podman machine set --rootful
> podman machine start
> podman run hello
Resolved "hello" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull quay.io/podman/hello:latest...
Getting image source signatures
Copying blob sha256:81df7ff16254ed9756e27c8de9ceb02a9568228fccadbf080f41cc5eb5118a44
Copying config sha256:5dd467fce50b56951185da365b5feee75409968cbab5767b9b59e325fb2ecbc0
Writing manifest to image destination
Error: preparing container 4e3cc973903529635f782f57521e928fbcd0c48e16cea9d1b1a3171ddab39652 for attach: netavark (exit code 1): nftables error: nft did not return successfully while applying ruleset

Luap99 (Member) commented Jan 31, 2025

Can you run the command from within the machine? I think nft prints some error to stderr which would not get forwarded to the remote side.

Also can you check that the nftables module is loaded in the kernel (lsmod | grep nf_tables)?

If nftables doesn't work we must ship a containers.conf file to set it back to iptables.

Luap99 (Member) commented Jan 31, 2025

Looks like WSL has issues: microsoft/WSL#6044
That said, we do not use sets in our rules currently, so if that is only about nftables sets, that should not cause us issues.

l0rd (Member, Author) commented Jan 31, 2025

> podman run hello
WARN[0000] Using cgroups-v1 which is deprecated in favor of cgroups-v2 with Podman v5 and will be removed in a future version. Set environment variable `PODMAN_IGNORE_CGROUPSV1_WARNING` to hide this warning.
internal:0:0-0: Error: Could not process rule: No such file or directory

internal:0:0-0: Error: Could not process rule: No such file or directory

Error: netavark: nftables error: nft did not return successfully while applying ruleset
>  lsmod | grep nf_tables
>

The nf_tables module doesn't seem to be loaded.
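
The check and fallback discussed in the comments above, as an added example that is not part of the PR or the project's code: it looks for nf_tables both as a loaded module and as a kernel built-in (which `lsmod` does not list), then writes a containers.conf drop-in selecting the netavark firewall driver. The function names and the drop-in file name `50-firewall-driver.conf` are assumptions; a present module does not by itself prove that `nft` can apply a ruleset.

```shell
#!/bin/sh
# Added example; function names and the drop-in file name are hypothetical.

# nf_tables_available [MODULES_FILE] [BUILTIN_FILE]
# Returns 0 if nf_tables is loaded as a module or compiled into the kernel.
# lsmod reads /proc/modules, which only lists loadable modules, so a
# built-in nf_tables would not appear there; modules.builtin covers that.
nf_tables_available() {
    modules_file=${1:-/proc/modules}
    builtin_file=${2:-/lib/modules/$(uname -r)/modules.builtin}
    if [ -r "$modules_file" ] && grep -q '^nf_tables ' "$modules_file"; then
        return 0
    fi
    if [ -r "$builtin_file" ] && grep -q '/nf_tables\.ko' "$builtin_file"; then
        return 0
    fi
    return 1
}

# pick_firewall_driver [MODULES_FILE] [BUILTIN_FILE]
# Prints the driver name to put in containers.conf.
pick_firewall_driver() {
    if nf_tables_available "$@"; then
        echo nftables
    else
        echo iptables
    fi
}

# write_dropin DRIVER TARGET_DIR
# Writes a drop-in such as /etc/containers/containers.conf.d/<file> that
# pins the firewall driver used by netavark.
write_dropin() {
    mkdir -p "$2"
    printf '[network]\nfirewall_driver = "%s"\n' "$1" \
        > "$2/50-firewall-driver.conf"
}
```

Inside the machine this would be called as `write_dropin "$(pick_firewall_driver)" /etc/containers/containers.conf.d`, followed by a rootful `podman run` to confirm netavark applies its rules.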

Use docker.io/library/fedora:41 as WSL image base

Signed-off-by: Mario Loriedo <[email protected]>

l0rd reopened this Feb 6, 2025

l0rd (Member, Author) commented Feb 6, 2025

Tested that the fedora 41 based image doesn't break c/podman e2e tests.
Also tested that containers/podman#25153 works (but that was expected as WSL still uses iptables)
Switching the PR to ready.

l0rd marked this pull request as ready for review February 6, 2025 15:22

Luap99 (Member) left a comment

LGTM
