Bug 1378920

Summary: Docker doesn't start in Fedora Atomic 25
Product: [Fedora] Fedora Reporter: Spyros Trigazis <strigazi>
Component: docker Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 25 CC: adimania, admiller, amurdaca, dwalsh, ichavero, jcajka, jchaloup, lsm5, marianne, miabbott, miminar, nalin, riek, strigazi, vbatts
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-05 09:15:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Spyros Trigazis 2016-09-23 14:01:36 UTC
Description of problem:
Docker doesn't start in Fedora Atomic 25 because the iptables binary is missing.

NOTE: in Fedora 25 docker starts


Version-Release number of selected component (if applicable):


How reproducible: 100% reproducible


Steps to Reproduce:
1. create an ostree compose from the f25 branch of fedora-atomic [1] on hostA (a fedora 25 host)
2. create hostB using the upstream fedora atomic 24 image [2]
3. do a rpm-ostree rebase from the compose built in hostA
4. try to start docker in hostB

[1] https://pagure.io/fedora-atomic/branch/f25
[2] https://download.fedoraproject.org/pub/alt/atomic/stable/Fedora-Atomic-24-20160921.0/CloudImages/x86_64/images/Fedora-Atomic-24-20160921.0.x86_64.qcow2

Actual results:
Sep 22 09:22:11 strigazi-fedora-atomic-24-upstream-01.cern.ch docker[1279]: time="2016-09-22T09:22:11.449860884Z" level=fatal msg="Error starting daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain: Iptables not found"

It is clear that iptables are missing and the binary actually is not there.

In fedora atomic 23 (probably 24 as well) there are the following iptables packages:
 iptables-1.4.21-15.fc23.x86_64
 iptables-services-1.4.21-15.fc23.x86_64
But in fedora atomic 25:
 iptables-libs-1.6.0-2.fc25.x86_64
 iptables-services-1.6.0-2.fc25.x86_64

How to solve:
Option A:
do rpm-ostree pkg-add iptables and then start docker

Option B:
in fedora-atomic/fedora-atomic-docker-host.json [3] add iptables, compose the rpm-ostree and rebase with this one.
You will get these packages:
 iptables-1.6.0-2.fc25.x86_64
 iptables-libs-1.6.0-2.fc25.x86_64
 iptables-services-1.6.0-2.fc25.x86_64

If you replace iptables-services with iptables you will get:
 iptables-1.6.0-2.fc25.x86_64
 iptables-libs-1.6.0-2.fc25.x86_64

I haven't tested if it works only by replacing iptables-services with iptables.

[3] https://pagure.io/fedora-atomic/blob/master/f/fedora-atomic-docker-host.json#_48

Comment 2 Lokesh Mandvekar 2016-09-30 16:15:25 UTC
Micah, just curious, does iptables need to be mentioned separately in the manifest as in Comment 1, even if the docker rpm requires it at runtime?

Comment 3 Micah Abbott 2016-09-30 18:10:57 UTC
Hmm...I see the 'Requires: iptables' in the spec file:

http://pkgs.fedoraproject.org/cgit/rpms/docker.git/tree/docker.spec?h=f25#n158

...so you would think that would pull in the right package.

However, if I compose an f25 ostree using what is in pagure now, I see the same log messages from comment #0.

If I add in the 'iptables' requirement in the manifest and re-compose, docker starts without trouble.  (See end of comment)

I wonder if something could be changed in the 'iptables' spec file to solve this?


# rpm -qa | grep iptables
iptables-services-1.6.0-2.fc25.x86_64
iptables-libs-1.6.0-2.fc25.x86_64
iptables-1.6.0-2.fc25.x86_64

# journalctl -b -u docker --no-pager
-- Logs begin at Fri 2016-09-30 15:37:56 UTC, end at Fri 2016-09-30 18:09:42 UTC. --
Sep 30 18:09:19 rhel-atomic-7.2-test systemd[1]: Starting Docker Application Container Engine...
Sep 30 18:09:20 rhel-atomic-7.2-test docker[1065]: time="2016-09-30T18:09:20.089859622Z" level=info msg="Graph migration to content-addressability took 0.00 seconds"
Sep 30 18:09:20 rhel-atomic-7.2-test docker[1065]: time="2016-09-30T18:09:20.090746026Z" level=info msg="Loading containers: start."
Sep 30 18:09:20 rhel-atomic-7.2-test docker[1065]: time="2016-09-30T18:09:20.123458091Z" level=info msg="Firewalld running: false"
Sep 30 18:09:20 rhel-atomic-7.2-test docker[1065]: time="2016-09-30T18:09:20.272544500Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Sep 30 18:09:20 rhel-atomic-7.2-test docker[1065]: time="2016-09-30T18:09:20.334704349Z" level=info msg="Loading containers: done."
Sep 30 18:09:20 rhel-atomic-7.2-test docker[1065]: time="2016-09-30T18:09:20.335668653Z" level=info msg="Daemon has completed initialization"
Sep 30 18:09:20 rhel-atomic-7.2-test docker[1065]: time="2016-09-30T18:09:20.335721296Z" level=info msg="Docker daemon" commit="9a3752d/1.12.1" graphdriver=devicemapper version=1.12.1
Sep 30 18:09:20 rhel-atomic-7.2-test docker[1065]: time="2016-09-30T18:09:20.343753619Z" level=info msg="API listen on /var/run/docker.sock"
Sep 30 18:09:20 rhel-atomic-7.2-test systemd[1]: Started Docker Application Container Engine.
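
Added example, not part of the bug thread or of any commenter's post: a post-compose check for the condition discussed above. `grep iptables` also matches iptables-libs and iptables-services, so the check compares exact package names parsed from `rpm -qa` style lines. The helper names (rpm_name, has_package, diagnose) are hypothetical, and the sample inputs are constructed from the package lists and the log message quoted in this report.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, sample data is constructed.

# Strip "-version-release.arch" from an rpm NVRA string to get the package name.
rpm_name() {
    nvra=$1
    nvra=${nvra%-*}               # drop "-release.arch"
    printf '%s\n' "${nvra%-*}"    # drop "-version"
}

# Succeeds only if a package with exactly this name is in the list on stdin
# (one NVRA per line, as printed by `rpm -qa`).
has_package() {
    want=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        [ "$(rpm_name "$line")" = "$want" ] && return 0
    done
    return 1
}

# Classify a host from its package list and its docker journal text.
diagnose() {
    pkgs=$1
    journal=$2
    if printf '%s\n' "$pkgs" | has_package iptables; then
        echo "ok"
    elif printf '%s\n' "$journal" | grep -q 'Iptables not found'; then
        echo "missing-iptables-daemon-failed"
    else
        echo "missing-iptables"
    fi
}

# Constructed inputs mirroring the package sets and the fatal message in this report.
BROKEN_PKGS='iptables-libs-1.6.0-2.fc25.x86_64
iptables-services-1.6.0-2.fc25.x86_64'
FIXED_PKGS='iptables-services-1.6.0-2.fc25.x86_64
iptables-libs-1.6.0-2.fc25.x86_64
iptables-1.6.0-2.fc25.x86_64'
BROKEN_LOG='level=fatal msg="Error starting daemon: Error initializing network controller: error obtaining controller instance: failed to create NAT chain: Iptables not found"'

diagnose "$BROKEN_PKGS" "$BROKEN_LOG"
diagnose "$FIXED_PKGS" ""
```

On a live host the same functions can be fed `"$(rpm -qa)"` and `"$(journalctl -b -u docker --no-pager)"` in place of the constructed strings.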

Comment 4 Spyros Trigazis 2016-10-05 09:12:25 UTC
I tested it today and it works fine, thanks miabbott!

Closing this.

Comment 5 Spyros Trigazis 2016-10-05 09:15:14 UTC
I don't know what is the appropriate status.

Please close this bug, it's fixed.