Bug 1129622
| Summary: | Docker daemon parameter --iptable=true leave mess in iptables after daemon finish | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jiri Zupka <jzupka> |
| Component: | docker | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.2 | CC: | dwalsh, jzupka, mjenner |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-09-24 19:11:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1113141 | ||
Not sure if cleaning up here is a good idea either. Does docker know if it added the rules, so that it can remove them? I would hate to have docker make firewall rules less strict when it exits When docker will make containers standalone then it shouldn't be problem any more, moreover it will be needed behavior.
Standalone docker container -> when system kill docker daemon all docker
containers stay alive
|
Description of problem: rhel with disabled firewalld.service. Docker daemon with started with paramter --iptable=true --icc=false. Leaves in iptables some rules. 0 0 DROP all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 When docker is started again with with --iptables=false then it could makes hidden problems with containers which are not able communicate. + really minor think and minor problem in implementation in networkdriver/bridge/driver.go L:178 in got master branch with last commit 4398108433121ce2ac9942e607da20fa1680871a Docker daemon iptables rules are different order after iptables -F docker -d --iptables=true --icc=true ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 docker -d --iptables=true --icc=false DROP all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 docker -d --iptables=true --icc=true ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Version-Release number of selected component (if applicable): docker-1.1.2-9.el7 How reproducible: always Steps to Reproduce: 1. systemctl stop firewalld.service 2. iptables -F (for sure) 3. systemctl stop docker.socket 4. systemctl stop docker.service 5. docker -d --iptables=true --icc=false 6. iptable -L show some docker rules 7. terminate correctly docker daemon (ctrl-c) 8. iptables -L show iptables rules which left there after docker daemon finish Actual results: Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination DROP all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination Expected results: Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Additional info: