Description of problem: container networking doesn't work by default

Version-Release number of selected component (if applicable): docker-io 0.7.dm

How reproducible: iiuc, this occurs in the presence of a firewall (Matt, correct me if I'm wrong)

Steps to Reproduce:
1. install docker-io, and enter a container
2. try any command which requires network connections (ping, yum, ssh)
3. feel the pain

Josh has a pull request against the master branch here: https://github.com/dotcloud/docker/pull/2527 which is a little painful to apply against dm, so I used the ACCEPT rules in his patch in the docker.service file, so the current file looks like:

------------docker.service-------------------
[Unit]
Description=Docker container management daemon

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStartPre=iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ExecStartPre=iptables -l FORWARD -i docker0 ! -o docker0 -j ACCEPT
ExecStart=/usr/bin/docker -d
Restart=on-failure

[Install]
WantedBy=multi-user.target
------------docker.service-------------------

This seems to solve the problem for now, and if I'm not mistaken, isn't harmful. Comments?
I think I spoke too soon. This unit file doesn't work as expected. I'll get back soon with an update hopefully. Sorry about that.
This should work:

[Unit]
Description=Docker container management daemon

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
ExecStartPost=/usr/sbin/iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ExecStartPost=/usr/sbin/iptables -I FORWARD -i docker0 ! -o docker0 -j ACCEPT
Restart=on-failure

[Install]
WantedBy=multi-user.target
Lokesh, but what will disable these iptables rules on stop? Also, you've referenced a patch and, as I see it, it adds similar functionality into docker. Why are these rules required in the unit file?
(In reply to Peter from comment #3)
> Lokesh, but what will disable these iptables rules on stop?

Perhaps the disable rules could be added to ExecStopPost in the unit file. And since it only concerns the docker0 interface, it probably won't mess with anything else.

> Also, you've referenced a patch and, as I see it, it adds similar functionality into
> docker. Why are these rules required in the unit file?

So Josh's patch was for the master branch (which doesn't have devicemapper), but we're using the dm branch. Once Josh's patch makes it into some branch with devicemapper, I'll get rid of those rules in the unit file.
(In reply to Lokesh Mandvekar from comment #4)
> (In reply to Peter from comment #3)
> > Lokesh, but what will disable these iptables rules on stop?
>
> Perhaps the disable rules could be added to ExecStopPost in the unit file.
> And since it only concerns the docker0 interface, it probably won't mess
> with anything else.

s/ExecStopPost/ExecStopPre
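For reference, here is one way to write the unit so that the two docker0 FORWARD rules are both inserted on start and removed again on stop, as an added example rather than a unit file from this thread or from the docker-io package. It uses `iptables -C` so a restart does not stack duplicate copies of each rule, and puts the deletes in ExecStopPost (the stop-side hooks systemd provides are ExecStop and ExecStopPost) with a leading "-" so an already-missing rule does not mark the stop as failed.

```ini
# docker.service (added example, not the unit file posted in this bug)
[Unit]
Description=Docker container management daemon
After=network.target

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d

# Only add each rule if "-C" reports it is not already present, so repeated
# starts and restarts leave exactly one copy of each rule in FORWARD.
ExecStartPost=/bin/sh -c '/usr/sbin/iptables -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || /usr/sbin/iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
ExecStartPost=/bin/sh -c '/usr/sbin/iptables -C FORWARD -i docker0 ! -o docker0 -j ACCEPT || /usr/sbin/iptables -I FORWARD -i docker0 ! -o docker0 -j ACCEPT'

# ExecStopPost runs whether the daemon exited cleanly or crashed; the leading
# "-" tells systemd to ignore a non-zero exit if the rule is already gone.
# Both rules are scoped to docker0, so nothing else in FORWARD is touched.
ExecStopPost=-/usr/sbin/iptables -D FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ExecStopPost=-/usr/sbin/iptables -D FORWARD -i docker0 ! -o docker0 -j ACCEPT

Restart=on-failure

[Install]
WantedBy=multi-user.target
```

After `systemctl stop docker`, `iptables -L FORWARD -n -v` should show no docker0 rules left behind, which is the check to run when verifying the unit.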