Bug 1036217 - docker-io doesn't work without firewalld
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: docker-io
Version: 19
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-11-29 19:29 UTC by Michael Young
Modified: 2014-07-01 22:59 UTC

Fixed In Version: docker-io-0.7.0-14.fc20
Last Closed: 2013-12-14 02:47:10 UTC
Type: Bug

Description Michael Young 2013-11-29 19:29:03 UTC
The recent changes to the docker.service systemd file won't work if firewalld isn't installed, and starts firewalld if it isn't running. This means a docker user is forced to use a particular firewall solution and can't choose to use alternate options. If this is really what is intended then the docker-io package should require the firewalld package. Otherwise I suggest you remove the
Requires=firewalld.service
line in the docker.service file or replace it with the weaker
Wants=firewalld.service
which will still try to start firewalld but doesn't block docker if it fails to start (eg. if it isn't installed).

Comment 1 Lokesh Mandvekar 2013-12-01 01:18:40 UTC
Michael, can you check if the unit file here works for you? https://bugzilla.redhat.com/show_bug.cgi?id=1033606#c36

Comment 2 Michael Young 2013-12-01 15:27:11 UTC
(In reply to Lokesh Mandvekar from comment #1)
> Michael, can you check if the unit file here works for you?
> https://bugzilla.redhat.com/show_bug.cgi?id=1033606#c36

That doesn't work, but the modified version below does work (systemd wants full paths for commands, and adding - at the start of the command tells systemd not to treat failure of that command as a failure of the whole unit).

[Unit]
Description=Docker container management daemon
Wants=firewalld.service
After=firewalld.service

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
ExecStartPost=-/usr/bin/firewall-cmd --add-masquerade
Restart=on-failure

[Install]
WantedBy=multi-user.target
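
A small lint for the points raised in the comment above, as an added example (not part of the bug report or the docker-io package): it flags a hard Requires=/BindsTo= dependency on a firewall unit, Exec commands without a full path, and commands whose failure is ignored through the - prefix. The names lint_unit and BROKEN_UNIT and the finding codes are constructed for illustration; FIXED_UNIT reproduces the dependency and Exec lines of the unit file posted above.

```python
import re
EXEC_PREFIXES = "-@+!:"  # systemd Exec* prefixes; "-" means "ignore failure"

def lint_unit(text, optional_units=("firewalld.service",)):
    """Return (line_no, code, detail) findings for one systemd unit file."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = m.group(1)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "Unit" and key in ("Requires", "BindsTo"):
            # Hard dependency: this unit fails when the named unit cannot start.
            for unit in value.split():
                if unit in optional_units:
                    findings.append((no, "hard-dependency", f"{key}={unit}"))
        elif section == "Service" and key.startswith("Exec") and value:
            command = value.lstrip(EXEC_PREFIXES)
            prefixes = value[: len(value) - len(command)]
            exe = (command.split() or [""])[0]
            if not exe.startswith("/"):
                findings.append((no, "relative-path", exe))
            if "-" in prefixes:
                findings.append((no, "failure-ignored", exe))
    return findings

# Constructed sample showing the two problems discussed in this bug.
BROKEN_UNIT = """\
[Unit]
Requires=firewalld.service
[Service]
ExecStart=/usr/bin/docker -d
ExecStartPost=firewall-cmd --add-masquerade
"""
# Dependency and Exec lines of the unit file from comment 2.
FIXED_UNIT = """\
[Unit]
Wants=firewalld.service
After=firewalld.service
[Service]
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
ExecStartPost=-/usr/bin/firewall-cmd --add-masquerade
"""
for name, unit in (("broken", BROKEN_UNIT), ("fixed", FIXED_UNIT)):
    print(name, lint_unit(unit))
```

A failure-ignored finding is informational: it marks a step, here the masquerade rule, that can fail without systemd treating the unit as failed.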

Comment 3 Fedora Update System 2013-12-01 19:32:53 UTC
docker-io-0.7.0-12.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/docker-io-0.7.0-12.fc20

Comment 4 lnie 2013-12-02 06:08:33 UTC
0.7.0-12 works fine

Comment 5 Marek Goldmann 2013-12-02 09:30:39 UTC
+1 for "Wants". I was testing things and by accident showed Lokesh the wrong commit in which "Requires" was used.

Comment 6 Fedora Update System 2013-12-02 15:59:46 UTC
docker-io-0.7.0-14.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/docker-io-0.7.0-14.fc20

Comment 7 Fedora Update System 2013-12-02 23:54:22 UTC
Package docker-io-0.7.0-14.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing docker-io-0.7.0-14.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22580/docker-io-0.7.0-14.fc20
then log in and leave karma (feedback).

Comment 8 Raman Gupta 2013-12-11 22:55:39 UTC
The fix does not appear to be in Fedora 19?

# rpm -q --info docker-io  | head -2
Name        : docker-io
Version     : 0.7.0

# cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker container management daemon
Wants=firewalld.service
After=firewalld.service

I use shorewall and ran into this issue on F19.

Comment 9 Marek Goldmann 2013-12-12 08:48:18 UTC
(In reply to Raman Gupta from comment #8)
> The fix does not appear to be in Fedora 19?
> 
> # rpm -q --info docker-io  | head -2
> Name        : docker-io
> Version     : 0.7.0
> 
> # cat /usr/lib/systemd/system/docker.service
> [Unit]
> Description=Docker container management daemon
> Wants=firewalld.service
> After=firewalld.service
> 
> I use shorewall and ran into this issue on F19.

The fix is available in all Fedora (and EPEL) versions. The bug is about having "Requires=firewalld.service", which was changed to "Wants=firewalld.service" which is the expected instruction, and you see this in your service file.

What issue do you see? If you have firewalld installed, it will be started. If you use shorewall, uninstall firewalld.

Comment 10 Raman Gupta 2013-12-12 15:42:21 UTC
(In reply to Marek Goldmann from comment #9)
> (In reply to Raman Gupta from comment #8)
> > I use shorewall and ran into this issue on F19.
> 
> The fix is available in all Fedora (and EPEL) versions. The bug is about
> having "Requires=firewalld.service", which was changed to
> "Wants=firewalld.service" which is the expected instruction, and you see
> this in your service file.
> 
> What issue do you see? If you have firewalld installed, it will be started.
> If you use shorewall, uninstall firewalld.

Thanks, you are exactly right: firewalld was installed but disabled, which was causing the issue. I have now uninstalled it. Thanks.

Comment 11 Matthew Miller 2013-12-12 16:36:43 UTC
You should also be able to disable firewalld completely with systemd mask firewalld service -- unfortunately, "disabled" does not actually mean what it seems like it might in systemd.

Comment 12 Fedora Update System 2013-12-14 02:47:10 UTC
docker-io-0.7.0-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

