Istio CNI image fails due to glibc mismatch
Summary
The Ironbank Istio CNI FIPS image fails to start because the bundled iptables binary is linked against GLIBC_2.38, but the container base image only provides an older version of glibc. This causes the container to crash when configuring iptables. The upstream distroless image works correctly.
Steps to reproduce
CNI Config values:
cni:
  image: docker.io/istio/install-cni:1.27.1-distroless
  cniBinDir: /var/lib/rancher/k3s/data/cni
  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
  profile: ambient
  seLinuxOptions:
    type: spc_t
What is the current bug behavior?
The container fails to configure iptables due to a glibc mismatch:
Error: failed to create ambient nodeagent service: error initializing mesh dataplane:
error configuring iptables: failed to execute iptables-save: exit status 1
iptables-save: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.38' not found
(required by /lib/libxtables.so.12)
What is the expected correct behavior?
The Ironbank Istio CNI image should contain a consistent set of binaries and libraries:
- iptables-save should execute successfully.
- No glibc dependency mismatch should occur.
- Behavior should match the upstream distroless image.
Relevant logs and/or screenshots
Error: failed to create ambient nodeagent service: error initializing mesh dataplane:
error configuring iptables: failed to execute iptables-save: exit status 1
iptables-save: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.38' not found
(required by /lib/libxtables.so.12)
Possible fixes
- Ship a statically linked iptables binary so the image no longer depends on the base image's glibc version at runtime.
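Whichever fix is chosen, the mismatch can be caught before the image ships rather than at container start. The following script is an added example, not code from the issue or from Iron Bank; it assumes grep, sed, sort -V and tail are available inside the image and compares the highest GLIBC_x.y symbol version a binary requires with the highest one the image's libc.so.6 provides, the same check the dynamic loader performs when it prints "version `GLIBC_2.38' not found".

```shell
#!/bin/sh
# Added example, not from the issue or the Iron Bank project: flag ELF files in
# an image that require a GLIBC_x.y symbol version newer than the one the
# image's libc.so.6 provides. Assumes grep, sed, sort -V and tail are present.
# Intended to run inside the image, e.g. from an ephemeral shell container.

# Highest GLIBC_x.y version string found in a file. Symbol-version names are
# stored as plain strings in the ELF .dynstr section, so grep -a is enough:
# for a binary they are the versions it requires, for libc.so.6 the versions
# it provides. Prints nothing if the file references no GLIBC_ version.
max_glibc_version() {
    grep -ao 'GLIBC_[0-9][0-9.]*' "$1" | sed 's/\.$//' | sort -uV | tail -n 1
}

# version_le A B: succeed when version string A sorts at or below B
# (e.g. GLIBC_2.2.5 <= GLIBC_2.34 <= GLIBC_2.38).
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_glibc_compat BINARY LIBC: print a verdict and return 0 if every
# GLIBC_ version BINARY needs is provided by LIBC, 1 if it needs a newer one.
# This reproduces the loader's "version `GLIBC_x.y' not found" check ahead
# of time instead of discovering it when the container crashes.
check_glibc_compat() {
    needed=$(max_glibc_version "$1")
    provided=$(max_glibc_version "$2")
    if [ -z "$needed" ]; then
        echo "OK   $1 has no glibc symbol-version requirements"
        return 0
    fi
    if version_le "$needed" "$provided"; then
        echo "OK   $1 needs $needed, $2 provides $provided"
        return 0
    fi
    echo "FAIL $1 needs $needed, $2 only provides $provided"
    return 1
}

# Usage: sh glibc-check.sh /lib/libxtables.so.12 /lib/x86_64-linux-gnu/libc.so.6
# (the pair named in the error above). With no arguments only the functions
# are defined, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    check_glibc_compat "$1" "$2"
fi
```

Looping check_glibc_compat over every ELF in the image's bin and lib directories turns this into a build-time gate for the whole image.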
Tasks
- Bug has been identified and corrected within the container