Bug 1026045 - enable container networking (temporary solution for dm branch)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: docker-io
Version: rawhide
Assigned To: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-11-02 20:56 EDT by Lokesh Mandvekar
Modified: 2014-07-01 18:59 EDT
Doc Type: Bug Fix
Last Closed: 2013-11-23 19:40:00 EST
Type: Bug

Attachments: None
Description Lokesh Mandvekar 2013-11-02 20:56:50 EDT
Description of problem: container networking doesn't work by default 


Version-Release number of selected component (if applicable): docker-io 0.7.dm


How reproducible: iiuc, this occurs in the presence of a firewall (Matt, correct me if I'm wrong)


Steps to Reproduce:
1. install docker-io, and enter a container
2. try any command which requires network connections (ping, yum, ssh)
3. feel the pain


Josh has a pull request against the master branch here: https://github.com/dotcloud/docker/pull/2527 which is a little painful to apply against dm, so I used the ACCEPT rules in his patch in the docker.service file, so the current file looks like: 

------------docker.service-------------------
[Unit]
Description=Docker container management daemon

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStartPre=iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ExecStartPre=iptables -I FORWARD -i docker0 ! -o docker0 -j ACCEPT
ExecStart=/usr/bin/docker -d
Restart=on-failure

[Install]
WantedBy=multi-user.target
------------docker.service-------------------

this seems to solve the problem for now, and if I'm not mistaken, isn't harmful. 

Comments?
Comment 1 Lokesh Mandvekar 2013-11-02 23:43:13 EDT
I think I spoke too soon. This unit file doesn't work as expected. I'll get back soon with an update hopefully. Sorry about that.
Comment 2 Lokesh Mandvekar 2013-11-03 00:25:43 EDT
This should work:

[Unit]
Description=Docker container management daemon

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
ExecStartPost=/usr/sbin/iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ExecStartPost=/usr/sbin/iptables -I FORWARD -i docker0 ! -o docker0 -j ACCEPT
Restart=on-failure

[Install]
WantedBy=multi-user.target
Comment 3 Peter 2013-11-03 02:12:03 EST
Lokesh, but what will disable these iptables rules on stop?

Also, you've referenced a patch and, as I see it, it adds similar functionality into docker. Why are these rules required in the unit file?
Comment 4 Lokesh Mandvekar 2013-11-03 12:43:51 EST
(In reply to Peter from comment #3)
> Lokesh, but what will disable this iptables rules on stop?

Perhaps the disable rules could be added to ExecStopPost in the unit file.
And since it only concerns the docker0 interface, it probably won't mess with anything else.

> 
> Also you've referenced patch and as I see it adds similar functionality into
> docker. Why these rules are required in unit file?

So Josh's patch was for the master branch (which doesn't have devicemapper), but we're using the dm branch. Once Josh's patch makes it into some branch with devicemapper, I'll get rid of those rules in the unit file.
Comment 5 Lokesh Mandvekar 2013-11-03 14:00:39 EST
(In reply to Lokesh Mandvekar from comment #4)
> (In reply to Peter from comment #3)
> > Lokesh, but what will disable this iptables rules on stop?
> 
> Perhaps the disable rules could be added to ExecStopPost in the unit file.
> And since it only concerns the docker0 interface, it probably won't mess
> with anything else.

s/ExecStopPost/ExecStopPre
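A version of the unit that also removes the two FORWARD rules when the daemon stops, as asked for in comments 3 to 5; this is an added example, not a file from the bug. systemd has no ExecStopPre= directive, so ExecStopPost= is used, which also runs after an unclean exit, and the leading "-" on a command keeps a delete that finds no matching rule from marking the unit failed. The /usr/sbin paths are the ones used in comment 2.

```ini
[Unit]
Description=Docker container management daemon

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
# docker0 only exists once the daemon is up, so the rules are inserted post-start.
ExecStartPost=/usr/sbin/iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ExecStartPost=/usr/sbin/iptables -I FORWARD -i docker0 ! -o docker0 -j ACCEPT
# Delete exactly the rules added above (same match, -D instead of -I) when the
# daemon stops or dies, so a stopped docker leaves no ACCEPT rules behind.
# "-" = ignore a non-zero exit (e.g. the rule was already removed by hand).
ExecStopPost=-/usr/sbin/iptables -D FORWARD -i docker0 ! -o docker0 -j ACCEPT
ExecStopPost=-/usr/sbin/iptables -D FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

After a stop, `iptables -S FORWARD | grep docker0` should print nothing; if it still lists rules, a restart inserted duplicates and each -D only removes one copy.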
