Bug 1222453 - Setting --icc=false and restarting creates the DROP rule in wrong place
Summary: Setting --icc=false and restarting creates the DROP rule in wrong place
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lokesh Mandvekar
QA Contact: Luwen Su
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-05-18 09:10 UTC by Jan Pazdziora (Red Hat)
Modified: 2019-03-06 02:24 UTC (History)

Fixed In Version: docker-1.6.2-14.el7.x86_64
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-23 09:29:48 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2015:1167 (priority normal, status SHIPPED_LIVE): docker bug fix update, last updated 2015-06-23 13:29:05 UTC

Description Jan Pazdziora (Red Hat) 2015-05-18 09:10:13 UTC
Description of problem:

By default, ICC is enabled and iptables-save shows:

-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT

When --icc=false is added to /etc/sysconfig/docker and service restarted, iptables-save shows

-A FORWARD -i docker0 -o docker0 -j DROP
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT

Then, no matter what --link is used, communication is dropped.

When iptables are cleared and service restarted, rules are finally in correct order:

-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j DROP

Version-Release number of selected component (if applicable):

docker-1.6.0-11.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have docker service enabled with --icc=true (the default).
2. Change OPTIONS in /etc/sysconfig/docker to --icc=false.
3. Restart the service.
4. Run iptables-save and observe the DROP rule is before -j DOCKER.
5. Try to run two containers with --link.

Actual results:

DROP rule is before -j DOCKER.
No ICC is possible.

Expected results:

DROP rule is after -j DOCKER.
ICC is possible.

Additional info:

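The ordering problem in the description comes down to netfilter's first-match semantics: with the ICC DROP inserted at the top of FORWARD, a container-to-container packet never reaches the jump to the DOCKER chain where per-link ACCEPT rules live. The following added example (not part of the bug report or of Docker's code) replays that walk over the two FORWARD chains quoted above, embedded here as constructed iptables-save fragments, and reports which verdict a new docker0-to-docker0 packet receives.

```python
"""Added example: replay netfilter's first-match walk over Docker's FORWARD rules."""
import re

# Constructed sample: the misordered chain reported against docker-1.6.0-11.el7.
BROKEN = """\
*filter
-A FORWARD -i docker0 -o docker0 -j DROP
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT
"""
# Constructed sample: the expected order (DROP last), as verified in docker-1.6.2-14.el7.
FIXED = """\
*filter
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j DROP
COMMIT
"""

def forward_rules(dump):
    """Return the *filter FORWARD rules from iptables-save text, in chain order."""
    rules, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith("-A FORWARD "):
            rules.append(line)
    return rules

def rule_matches(rule, in_if, out_if):
    """Evaluate the -i / -o interface matches of one rule, honouring '!' negation."""
    for flag, iface in (("-i", in_if), ("-o", out_if)):
        m = re.search(r"(! )?%s (\S+)" % flag, rule)
        # A negated match fails on equality; a plain match fails on inequality.
        if m and (m.group(2) == iface) == bool(m.group(1)):
            return False
    return True

def first_verdict(rules, in_if, out_if):
    """Walk the chain as netfilter does for a NEW connection: the first match decides."""
    for rule in rules:
        if "--ctstate" in rule:  # RELATED,ESTABLISHED cannot match a NEW packet
            continue
        if rule_matches(rule, in_if, out_if):
            return rule.rsplit("-j ", 1)[1]
    return "POLICY"  # fell through to the chain policy
```

On a real host, feed the output of `iptables-save` to `forward_rules` and treat a `DROP` verdict for a docker0-to-docker0 packet as the misordering described in this bug.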
Comment 3 Jan Pazdziora (Red Hat) 2015-05-19 08:25:52 UTC
The following patch looks like addressing the issue:

https://github.com/docker/docker/commit/90a8e45604f42d60d58b4cefa37a5e5d3112b64a

Comment 5 Daniel Walsh 2015-05-19 12:16:46 UTC
Ok, I backported the fix to the docker-1.6.2 release.

Comment 8 Luwen Su 2015-06-15 08:03:37 UTC
In docker-1.6.2-10.el7.x86_64,
--icc is true:
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT

--icc is false:
-A FORWARD -i docker0 -o docker0 -j DROP
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT

Move to verified

Comment 9 Jan Pazdziora (Red Hat) 2015-06-15 12:10:24 UTC
(In reply to Luwen Su from comment #8)
> In docker-1.6.2-10.el7.x86_64,
> 
> --icc is false:
> -A FORWARD -i docker0 -o docker0 -j DROP
> -A FORWARD -o docker0 -j DOCKER
> -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> 
> Move to verified

I'm sorry, but if the DROP rule is the first in the list, it's exactly the same problem as reported in comment 0, and then the issue was not fixed. Please reverify.

Comment 10 Luwen Su 2015-06-15 16:38:04 UTC
(In reply to Jan Pazdziora from comment #9)
> (In reply to Luwen Su from comment #8)
> > In docker-1.6.2-10.el7.x86_64,
> > 
> > --icc is false:
> > -A FORWARD -i docker0 -o docker0 -j DROP
> > -A FORWARD -o docker0 -j DOCKER
> > -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> > 
> > Move to verified
> 
> I'm sorry but if the DROP rule is the first in the list, it's exactly the
> same problem as reported in comment 0 and then the issues was not fixed.
> Please reverify.

Oops, sorry for the mistake.

Lokesh, it looks like we missed the patch from comment 3; after rechecking the source, it's still
 iptables.Raw(append([]string{"-I", "FORWARD"}, dropArgs...)

Comment 11 Luwen Su 2015-06-16 03:18:18 UTC
In docker-1.6.2-14.el7.x86_64, it works for me and move to verified.

1. Add --icc=false in /etc/sysconfig/docker and restart the service.
2. Start two containers:
A. # docker run --name icctest -d -p 80 rhel/httpd
Note: I use https://github.com/projectatomic/docker-image-examples/tree/master/rhel-httpd to build `rhel/httpd`.
B. # docker run -it --link icctest:server rhel7 /bin/bash
[root@29a72e00bf87 /]# env
ICCTEST_NAME=/high_ptolemy/icctest
ICCTEST_PORT_80_TCP=tcp://172.17.0.1:80
container_uuid=29a72e00-bf87-d26c-9c3b-bfe5f6ae4abc
ICCTEST_PORT_80_TCP_PORT=80
SHLVL=1
HOME=/root
ICCTEST_PORT_80_TCP_PROTO=tcp
ICCTEST_PORT=tcp://172.17.0.1:80
ICCTEST_PORT_80_TCP_ADDR=172.17.0.1
container=docker
ICCTEST_ENV_container=docker
_=/usr/bin/env
[root@29a72e00bf87 /]# curl http://172.17.0.1:80
Apache
[root@29a72e00bf87 /]# curl http://172.17.0.1   
Apache
[root@29a72e00bf87 /]# curl http://icctest  
Apache
[root@29a72e00bf87 /]# exit
exit


# iptables-save 
# Generated by iptables-save v1.4.21 on Tue Jun 16 11:01:05 2015
*mangle
:PREROUTING ACCEPT [3537429:2222607709]
:INPUT ACCEPT [2392120:1710000575]
:FORWARD ACCEPT [1086302:508043193]
:OUTPUT ACCEPT [768436:275894956]
:POSTROUTING ACCEPT [1873205:784541114]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Jun 16 11:01:05 2015
# Generated by iptables-save v1.4.21 on Tue Jun 16 11:01:05 2015
*nat
:PREROUTING ACCEPT [48:3801]
:INPUT ACCEPT [4:401]
:OUTPUT ACCEPT [2:144]
:POSTROUTING ACCEPT [5:324]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 172.17.0.40/32 -d 172.17.0.40/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.1/32 -d 172.17.0.1/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.1/32 -d 172.17.0.1/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.1/32 -d 172.17.0.1/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 32768 -j DNAT --to-destination 172.17.0.1:80
COMMIT
# Completed on Tue Jun 16 11:01:05 2015
# Generated by iptables-save v1.4.21 on Tue Jun 16 11:01:05 2015
*filter
:INPUT ACCEPT [37:4566]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11:976]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j DROP
-A DOCKER -d 172.17.0.1/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Tue Jun 16 11:01:05 2015

Comment 12 Jan Pazdziora (Red Hat) 2015-06-16 06:05:59 UTC
Thanks. Should we be rigorous in using Fixed In Version?

Comment 14 errata-xmlrpc 2015-06-23 09:29:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1167.html

