Bug 1026045

Summary: enable container networking (temporary solution for dm branch)
Product: [Fedora] Fedora
Reporter: Lokesh Mandvekar <lsm5>
Component: docker-io
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rawhide
CC: dkl, golang-updates, jkeck, jpoimboe, kraman, lsm5, mattdm, mgoldman, pva, vbatts
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-24 00:40:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Lokesh Mandvekar 2013-11-03 00:56:50 UTC
Description of problem: container networking doesn't work by default 


Version-Release number of selected component (if applicable): docker-io 0.7.dm


How reproducible: iiuc, this occurs in the presence of a firewall (Matt, correct me if I'm wrong)


Steps to Reproduce:
1. install docker-io, and enter a container
2. try any command which requires network connections (ping, yum, ssh)
3. feel the pain


Josh has a pull request against the master branch here: https://github.com/dotcloud/docker/pull/2527, which is a little painful to apply against dm, so I used the ACCEPT rules from his patch in the docker.service file. The current file looks like:

------------docker.service-------------------
[Unit]
Description=Docker container management daemon

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStartPre=iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ExecStartPre=iptables -l FORWARD -i docker0 ! -o docker0 -j ACCEPT
ExecStart=/usr/bin/docker -d
Restart=on-failure

[Install]
WantedBy=multi-user.target
------------docker.service-------------------

This seems to solve the problem for now and, if I'm not mistaken, isn't harmful.

Comments?

Comment 1 Lokesh Mandvekar 2013-11-03 03:43:13 UTC
I think I spoke too soon. This unit file doesn't work as expected. I'll get back soon with an update hopefully. Sorry about that.

Comment 2 Lokesh Mandvekar 2013-11-03 04:25:43 UTC
This should work:

[Unit]
Description=Docker container management daemon

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
ExecStartPost=/usr/sbin/iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ExecStartPost=/usr/sbin/iptables -I FORWARD -i docker0 ! -o docker0 -j ACCEPT
Restart=on-failure

[Install]
WantedBy=multi-user.target

Comment 3 Peter 2013-11-03 07:12:03 UTC
Lokesh, but what will disable these iptables rules on stop?

Also, you've referenced a patch and, as I see it, it adds similar functionality into docker. Why are these rules required in the unit file?

Comment 4 Lokesh Mandvekar 2013-11-03 17:43:51 UTC
(In reply to Peter from comment #3)
> Lokesh, but what will disable these iptables rules on stop?

Perhaps the disable rules could be added to ExecStopPost in the unit file.
And since it only concerns the docker0 interface, it probably won't mess with anything else.

> 
> Also, you've referenced a patch and, as I see it, it adds similar functionality into
> docker. Why are these rules required in the unit file?

So Josh's patch was for the master branch (which doesn't have devicemapper), but we're using the dm branch. Once Josh's patch makes it into some branch with devicemapper, I'll get rid of those rules in the unit file.

Comment 5 Lokesh Mandvekar 2013-11-03 19:00:39 UTC
(In reply to Lokesh Mandvekar from comment #4)
> (In reply to Peter from comment #3)
> > Lokesh, but what will disable these iptables rules on stop?
> 
> Perhaps the disable rules could be added to ExecStopPost in the unit file.
> And since it only concerns the docker0 interface, it probably won't mess
> with anything else.

s/ExecStopPost/ExecStopPre
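As an added example, not code from this bug or from docker-io: a small helper script that does what comments 2 through 5 talk about, inserting the two FORWARD rules for docker0 once on start and removing them again on stop. Compared with calling iptables straight from the unit file it adds two things a defender wants: an `iptables -C` check so a service restart does not stack duplicate copies of the rules, and a delete loop that removes every copy, including ones left behind if the daemon died without the stop hooks running. The script name `docker-fw.sh`, the `/usr/sbin/iptables` path (taken from comment 2), the `IPTABLES`/`BRIDGE` environment overrides and the `-C` option (present in iptables 1.4.11 and later) are assumptions of this example.

```shell
#!/bin/sh
# docker-fw.sh (hypothetical helper, not part of docker-io): add or remove the
# two FORWARD rules from the unit file in this bug, so they can be inserted once
# on start and cleaned up on stop. Assumes an iptables that supports -C (check).
set -eu

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"   # assumed path, as in comment 2
BRIDGE="${BRIDGE:-docker0}"

# Rule specifications, written as the argument list that follows "FORWARD".
rule_established() {
    echo "-o $BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}
rule_outbound() {
    echo "-i $BRIDGE ! -o $BRIDGE -j ACCEPT"
}

# Insert a rule at the top of FORWARD only if no identical rule is present,
# so restarting the service does not pile up duplicate copies.
# $1 is deliberately left unquoted: it is a list of iptables arguments.
fw_add_rule() {
    if $IPTABLES -C FORWARD $1 2>/dev/null; then
        return 0
    fi
    $IPTABLES -I FORWARD $1
}

# Delete every copy of a rule. -D removes one matching rule per call, so loop
# until -C no longer finds it (covers copies left behind by an earlier crash).
fw_del_rule() {
    while $IPTABLES -C FORWARD $1 2>/dev/null; do
        $IPTABLES -D FORWARD $1
    done
}

# Intended for ExecStartPost: containers may open outbound connections and
# receive the replies.
fw_up() {
    fw_add_rule "$(rule_established)"
    fw_add_rule "$(rule_outbound)"
}

# Intended for ExecStopPost: leave the FORWARD chain as we found it.
fw_down() {
    fw_del_rule "$(rule_outbound)"
    fw_del_rule "$(rule_established)"
}

case "${1:-}" in
    up)   fw_up ;;
    down) fw_down ;;
    "")   ;;                                   # no argument: only define the functions
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

With the script installed at an assumed path such as `/usr/local/sbin/docker-fw.sh`, the unit would carry `ExecStartPost=/usr/local/sbin/docker-fw.sh up` and `ExecStopPost=/usr/local/sbin/docker-fw.sh down`. ExecStopPost is the hook to use for the teardown: systemd runs it after the service stops, including after an unclean exit, and systemd has no ExecStopPre directive. Because `-I` places these ACCEPT rules ahead of whatever the host firewall already has in FORWARD, removing them whenever the daemon is not running keeps the host's own policy in force the rest of the time.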