Bug 1036217

Summary: docker-io doesn't work without firewalld
Product: [Fedora] Fedora
Reporter: Michael Young <m.a.young>
Component: docker-io
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: golang-updates, jkeck, lnie, lsm5, mattdm, mgoldman, rocketraman, vbatts
Hardware: Unspecified
OS: Unspecified
Fixed In Version: docker-io-0.7.0-14.fc20
Doc Type: Bug Fix
Last Closed: 2013-12-14 02:47:10 UTC
Type: Bug

Description Michael Young 2013-11-29 19:29:03 UTC
The recent changes to the docker.service systemd file won't work if firewalld isn't installed, and they start firewalld if it isn't running. This means a docker user is forced to use a particular firewall solution and can't choose to use alternate options. If this is really what is intended then the docker-io package should require the firewalld package. Otherwise I suggest you remove the
Requires=firewalld.service
line in the docker.service file or replace it with the weaker
Wants=firewalld.service
which will still try to start firewalld but doesn't block docker if it fails to start (e.g. if it isn't installed).

Comment 1 Lokesh Mandvekar 2013-12-01 01:18:40 UTC
Michael, can you check if the unit file here works for you? https://bugzilla.redhat.com/show_bug.cgi?id=1033606#c36

Comment 2 Michael Young 2013-12-01 15:27:11 UTC
(In reply to Lokesh Mandvekar from comment #1)
> Michael, can you check if the unit file here works for you?
> https://bugzilla.redhat.com/show_bug.cgi?id=1033606#c36

That doesn't work, but the modified version below does work (systemd wants full paths for commands, and adding - at the start of the command tells systemd not to treat failure of that command as a failure of the whole unit).

[Unit]
Description=Docker container management daemon
Wants=firewalld.service
After=firewalld.service

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
ExecStartPost=-/usr/bin/firewall-cmd --add-masquerade
Restart=on-failure

[Install]
WantedBy=multi-user.target
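
The checks discussed in this bug, as an added example that is not part of the original report or the docker-io package: a small Python lint that flags a hard Requires= on firewalld.service and non-absolute Exec commands (the rule comment 2 describes), plus a model of whether docker.service starts for each firewalld state. The BEFORE unit and all function names are constructed for illustration; AFTER is taken from the unit in comment 2.

```python
# Added example. BEFORE is a constructed unit; AFTER is taken from comment 2.
BEFORE = """\
[Unit]
Requires=firewalld.service
After=firewalld.service
[Service]
ExecStart=/usr/bin/docker -d
ExecStartPost=firewall-cmd --add-masquerade
"""
AFTER = """\
[Unit]
Wants=firewalld.service
After=firewalld.service
[Service]
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
ExecStartPost=-/usr/bin/firewall-cmd --add-masquerade
"""

def directives(text):  # yields (section, key, value); keys may repeat
    section = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            yield section, key.strip(), value.strip()

def lint(text, dep="firewalld.service"):
    findings = []
    for section, key, value in directives(text):
        if section == "Unit" and key == "Requires" and dep in value.split():
            findings.append(f"hard dependency on {dep}")
        if section == "Service" and key.startswith("ExecStart") and value:
            cmd = value.lstrip("-@:+!")  # drop systemd's executable prefixes
            if not cmd.startswith("/"):
                findings.append(f"{key}: {cmd.split()[0]} is not an absolute path")
    return findings

def tolerated(text):  # Exec keys whose command failure is ignored (leading '-')
    return [k for s, k, v in directives(text) if s == "Service" and v.startswith("-")]

def docker_starts(dep_kind, firewalld_state):
    """States: absent, masked, disabled, enabled. Assumes firewalld itself starts cleanly."""
    return dep_kind == "Wants" or firewalld_state in ("disabled", "enabled")

def firewalld_pulled_in(firewalld_state):
    # 'disabled' only removes boot-time links; a Wants=/Requires= still starts it.
    return firewalld_state in ("disabled", "enabled")
```

Running `firewalld_pulled_in("disabled")` returns True, which is the situation a host with another firewall and a disabled but installed firewalld ends up in.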

Comment 3 Fedora Update System 2013-12-01 19:32:53 UTC
docker-io-0.7.0-12.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/docker-io-0.7.0-12.fc20

Comment 4 lnie 2013-12-02 06:08:33 UTC
0.7.0-12 works fine

Comment 5 Marek Goldmann 2013-12-02 09:30:39 UTC
+1 for "Wants". I was testing things and by accident showed Lokesh the wrong commit in which "Requires" was used.

Comment 6 Fedora Update System 2013-12-02 15:59:46 UTC
docker-io-0.7.0-14.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/docker-io-0.7.0-14.fc20

Comment 7 Fedora Update System 2013-12-02 23:54:22 UTC
Package docker-io-0.7.0-14.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing docker-io-0.7.0-14.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22580/docker-io-0.7.0-14.fc20
then log in and leave karma (feedback).

Comment 8 Raman Gupta 2013-12-11 22:55:39 UTC
The fix does not appear to be in Fedora 19?

# rpm -q --info docker-io  | head -2
Name        : docker-io
Version     : 0.7.0

# cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker container management daemon
Wants=firewalld.service
After=firewalld.service

I use shorewall and ran into this issue on F19.

Comment 9 Marek Goldmann 2013-12-12 08:48:18 UTC
(In reply to Raman Gupta from comment #8)
> The fix does not appear to be in Fedora 19?
> 
> # rpm -q --info docker-io  | head -2
> Name        : docker-io
> Version     : 0.7.0
> 
> # cat /usr/lib/systemd/system/docker.service
> [Unit]
> Description=Docker container management daemon
> Wants=firewalld.service
> After=firewalld.service
> 
> I use shorewall and ran into this issue on F19.

The fix is available in all Fedora (and EPEL) versions. The bug is about having "Requires=firewalld.service", which was changed to "Wants=firewalld.service" which is the expected instruction, and you see this in your service file.

What issue do you see? If you have firewalld installed - it will be started. If you use shorewall, uninstall firewalld.

Comment 10 Raman Gupta 2013-12-12 15:42:21 UTC
(In reply to Marek Goldmann from comment #9)
> (In reply to Raman Gupta from comment #8)
> > I use shorewall and ran into this issue on F19.
> 
> The fix is available in all Fedora (and EPEL) versions. The bug is about
> having "Requires=firewalld.service", which was changed to
> "Wants=firewalld.service" which is the expected instruction, and you see
> this in your service file.
> 
> What issue do you see? If you have firewalld installed - it will be started.
> If you use shorewall, uninstall firewalld.

Thanks, you are exactly right: firewalld was installed but disabled, which was causing the issue. I have now uninstalled it. Thanks.

Comment 11 Matthew Miller 2013-12-12 16:36:43 UTC
You should also be able to disable firewalld completely with systemd mask firewalld service -- unfortunately, "disabled" does not actually mean what it seems like it might in systemd.

Comment 12 Fedora Update System 2013-12-14 02:47:10 UTC
docker-io-0.7.0-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.