Bug 1817022

This is known. See this Change:
   https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables

It must be fixed on the docker/moby side. What needs to be done is outlined in the Change.
See this fesco ticket or the decision:
   https://pagure.io/fesco/issue/2231#comment-601798

Alternatively, move over to using podman as it does the right thing.

I'm reassigning this to moby-engine.

Alternatively, users may revert to using the iptables backend. However, the firewalld maintainers do not recommend this as a long term solution.

In /etc/firewalld/firewalld.conf:

  # FirewallBackend
  # Selects the firewall backend implementation.
  # Choices are:
  #       - nftables (default)
  #       - iptables (iptables, ip6tables, ebtables and ipset)
  FirewallBackend=iptables

Then restart firewalld:

  # systemctl restart firewalld

At this point, podman isn't able to replace docker completely. And Fedora Workstation is supposed to be a... workstation. Spending a whole work day fighting it isn't fun. 😕

There's no docs on this also. Users should be clearly warned that docker will stop working after the upgrade IMHO.

Upstream issues:

- https://github.com/moby/moby/issues/26824
- https://github.com/docker/for-linux/issues/955

To make it work immediately, apply workaround from first comment, but also do the fiewall-cmd command without --permanent to be applied immediately. Basically:

firewall-cmd --zone=trusted --add-interface=docker0
firewall-cmd --zone=trusted --add-interface=docker0 --permanent

Oops sorry that doesn't work.

The workaround to be used is the one explained in comment 2.

(In reply to Yajo from comment #3)
> At this point, podman isn't able to replace docker completely.

Can you clarify here? I was under the impression that podman is fully capable of replacing docker.

It can replace tools tht used docker CLI, but not those that used docker API. One of those, docker compose, is essential in my company's devel workflow.
I hope with podman 2 I'm really able to dump Docker.

*** Bug 1830188 has been marked as a duplicate of this bug. ***

- It is indeed possible to add docker0 to the trusted zone (firewall-cmd --zone=trusted --add-interface=docker0) and it fixes the issue IF the docker bridge name is docker0.

@Yajo, why do you say "Oops sorry that doesn't work"?

- However, I also tried to use iptables-nft, but I'm a little bit lost... iptables-nft should work as a CLI-compatible iptables and communicates with nftables (https://www.redhat.com/en/blog/using-iptables-nft-hybrid-linux-firewall).

1) On a fresh installation where resolution fails:

  $ sudo docker run --rm fedora curl http://google.com
  curl: (6) Could not resolve host: google.com

2) I select iptables-nft as the iptables alternative:

  $ iptables -V
  iptables v1.8.4 (legacy)

  $ sudo alternatives --config iptables

  There are 2 programs which provide 'iptables'.

    Selection    Command
  -----------------------------------------------
  *+ 1           /usr/sbin/iptables-legacy
     2           /usr/sbin/iptables-nft

  Enter to keep the current selection[+], or type selection number: 2

  $ iptables -V
  iptables v1.8.4 (nf_tables)

3) Then I flush nft. This action is performed by "systemctl restart nftables" but I don't really understand why I have to do it here... as I'm unsure why service "nftables" is disabled.

  sudo nft flush ruleset

4) Then, after restarting Docker engine:

  sudo systemctl restart docker

5) Containers have network access:

  $ sudo docker run --rm fedora curl -s http://google.com
  <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
  <TITLE>301 Moved</TITLE></HEAD><BODY>
  <H1>301 Moved</H1>
  The document has moved
  <A HREF="http://www.google.com/">here</A>.
  </BODY></HTML>

@Eric Garver: could it be a solution?

(In reply to Olivier Lemasle from comment #8)
> @Eric Garver: could it be a solution?

No. "nft flush ruleset" above flushed all the firewalld rules. That's why it works. :)

FEDORA-2020-a658d9abde has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-a658d9abde

FEDORA-2020-a658d9abde has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-a658d9abde`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-a658d9abde

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

(In reply to Olivier Lemasle from comment #8)
> @Yajo, why do you say "Oops sorry that doesn't work"?

According to my tests, a simple container command like that above works, but Docker was still unable to create networks and use them properly.

FEDORA-2020-a658d9abde has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

The fix seems to break libvirt and cause interfaces to stop being added to any zones if you implemented the workaround so it's probably a good idea to remove the workaround once you update to the new package.

https://bugzilla.redhat.com/show_bug.cgi?id=1829090#c3

I can see that the latest version of the moby-engine package pushed to Fedora 32 repo (19.03.8-2.ce.gitafacb8b.fc32) now provides its own docker zone out of the box that docker0 is assigned to:

$ firewall-cmd --get-active-zones
FedoraWorkstation
  interfaces: wlp2s0
docker
  interfaces: docker0
libvirt
  interfaces: virbr0

However this still wasn't enough to allow didn't get my web container to communicate with my db container specified in my docker-compose. I still had to additionally run:

$ firewall-cmd --zone=FedoraWorkstation --add-masquerade

Found a reference to this workaround here: https://github.com/docker/for-linux/issues/955#issuecomment-628407032. Is there anything the moby-engine package could do differently so that containers defined in a docker-compose can communicate with each other out of the box?