Bug 1279015
| Summary: | Docker 1.8.2 fails to set iptables rules | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Daniel Walsh <dwalsh> |
| Component: | docker | Assignee: | smahajan <smahajan> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.1 | CC: | adimania, admiller, dwalsh, extras-qa, ichavero, jcajka, jchaloup, lsm5, lsu, miminar, smahajan, vbatts, vsimonianpress |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| URL: | https://github.com/docker/docker/pull/16038 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1279002 | Environment: | |
| Last Closed: | 2016-03-31 23:22:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1279002 | ||
| Bug Blocks: | |||
|
Comment 2
Daniel Walsh
2015-11-07 06:27:55 UTC
Fixed in docker-1.9 Hi,
I still get the firewalld's noisy in docker-1.9.1-23.el7.x86_64, just install and start the docker.service,
any suggestion to debug with it?
Other packages:
firewalld-0.3.9-14.el7.noarch
iptables-1.4.21-16.el7.x86_64
2016-03-18 03:18:59 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.
Mar 18 03:18:59 timesu.com firewalld[32368]: 2016-03-18 03:18:59 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 18 03:18:59 timesu.com firewalld[32368]: 2016-03-18 03:18:59 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 18 03:18:59 timesu.com firewalld[32368]: 2016-03-18 03:18:59 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 18 03:18:59 timesu.com firewalld[32368]: 2016-03-18 03:18:59 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Mar 18 03:18:59 timesu.com firewalld[32368]: 2016-03-18 03:18:59 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
Mar 18 03:18:59 timesu.com firewalld[32368]: 2016-03-18 03:18:59 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
There is nothing to debug here. This is just the way docker works. Docker sends a message to firewalld to remove all records for DOCKER, and then adds rules for it. Since DOCKER does not exist when it runs, firewalld reports no rules exist. Sadly their is no rm -f foobar, where we could tell firewalld remove this rules if they exist and don't complain if they do not. Okay, thus then i'd like to move this to verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0536.html |