Bug 1222453
| Summary: | Setting --icc=false and restarting creates the DROP rule in wrong place | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Component: | docker | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED ERRATA | QA Contact: | Luwen Su <lsu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.1 | CC: | jpazdziora, lsm5, mjenner, sghosh |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | docker-1.6.2-14.el7.x86_64 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-06-23 09:29:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jan Pazdziora (Red Hat)
2015-05-18 09:10:13 UTC
The following patch looks like addressing the issue: https://github.com/docker/docker/commit/90a8e45604f42d60d58b4cefa37a5e5d3112b64a

Ok, I backported the fix to the docker-1.6.2 release.

In docker-1.6.2-10.el7.x86_64,

--icc is true:
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT

--icc is false:
-A FORWARD -i docker0 -o docker0 -j DROP
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT

Move to verified

(In reply to Luwen Su from comment #8)
> In docker-1.6.2-10.el7.x86_64,
>
> --icc is false:
> -A FORWARD -i docker0 -o docker0 -j DROP
> -A FORWARD -o docker0 -j DOCKER
> -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
>
> Move to verified

I'm sorry, but if the DROP rule is the first in the list, it's exactly the same problem as reported in comment 0, and then the issue was not fixed. Please reverify.

(In reply to Jan Pazdziora from comment #9)
> (In reply to Luwen Su from comment #8)
> > In docker-1.6.2-10.el7.x86_64,
> >
> > --icc is false:
> > -A FORWARD -i docker0 -o docker0 -j DROP
> > -A FORWARD -o docker0 -j DOCKER
> > -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> >
> > Move to verified
>
> I'm sorry, but if the DROP rule is the first in the list, it's exactly the
> same problem as reported in comment 0, and then the issue was not fixed.
> Please reverify.

Oops, sorry for the mistake. Lokesh, looks like we missed the patch in comment 3; after rechecking the src it's still

iptables.Raw(append([]string{"-I", "FORWARD"}, dropArgs...)

In docker-1.6.2-14.el7.x86_64, it works for me; moving to verified.

1. Add --icc=false in /etc/sysconfig/docker and restart the service.

2. Start two containers.

A. # docker run --name icctest -d -p 80 rhel/httpd
Note: I use https://github.com/projectatomic/docker-image-examples/tree/master/rhel-httpd to build `rhel/httpd`

B. docker run -it --link icctest:server rhel7 /bin/bash
[root@29a72e00bf87 /]# env
ICCTEST_NAME=/high_ptolemy/icctest
ICCTEST_PORT_80_TCP=tcp://172.17.0.1:80
container_uuid=29a72e00-bf87-d26c-9c3b-bfe5f6ae4abc
ICCTEST_PORT_80_TCP_PORT=80
SHLVL=1
HOME=/root
ICCTEST_PORT_80_TCP_PROTO=tcp
ICCTEST_PORT=tcp://172.17.0.1:80
ICCTEST_PORT_80_TCP_ADDR=172.17.0.1
container=docker
ICCTEST_ENV_container=docker
_=/usr/bin/env
[root@29a72e00bf87 /]# curl http://172.17.0.1:80
Apache
[root@29a72e00bf87 /]# curl http://172.17.0.1
Apache
[root@29a72e00bf87 /]# curl http://icctest
Apache
[root@29a72e00bf87 /]# exit
exit

# iptables-save
# Generated by iptables-save v1.4.21 on Tue Jun 16 11:01:05 2015
*mangle
:PREROUTING ACCEPT [3537429:2222607709]
:INPUT ACCEPT [2392120:1710000575]
:FORWARD ACCEPT [1086302:508043193]
:OUTPUT ACCEPT [768436:275894956]
:POSTROUTING ACCEPT [1873205:784541114]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Jun 16 11:01:05 2015
# Generated by iptables-save v1.4.21 on Tue Jun 16 11:01:05 2015
*nat
:PREROUTING ACCEPT [48:3801]
:INPUT ACCEPT [4:401]
:OUTPUT ACCEPT [2:144]
:POSTROUTING ACCEPT [5:324]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 172.17.0.40/32 -d 172.17.0.40/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.1/32 -d 172.17.0.1/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.1/32 -d 172.17.0.1/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.1/32 -d 172.17.0.1/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 32768 -j DNAT --to-destination 172.17.0.1:80
COMMIT
# Completed on Tue Jun 16 11:01:05 2015
# Generated by iptables-save v1.4.21 on Tue Jun 16 11:01:05 2015
*filter
:INPUT ACCEPT [37:4566]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11:976]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j DROP
-A DOCKER -d 172.17.0.1/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Tue Jun 16 11:01:05 2015

Thanks. Should we be rigorous in using Fixed In Version?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1167.html
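The whole thread turns on iptables first-match ordering: a DROP for `-i docker0 -o docker0` inserted with `-I FORWARD` sits ahead of the jump to the DOCKER chain and the RELATED,ESTABLISHED accept, so nothing later in the chain can ever admit inter-container traffic; appending it with `-A` lets the DOCKER chain see the packet first. The script below is an added example, not code from the bug report or from docker, that automates the check the verifier did by eye on docker-1.6.2-10 and -14: it reads an `iptables-save` dump, finds the two rules in the filter FORWARD chain, and reports whether DROP comes after the DOCKER jump. The function names (`check_icc_drop_order`, `order_status`, the `sample_*` functions) are assumptions; the sample dumps are constructed from the rule lists quoted above, not captured from a host.

```shell
#!/bin/sh
# Added example, not from the bug report or docker: verify that the --icc=false
# DROP rule in the filter FORWARD chain was appended after the jump to the
# DOCKER chain (fixed ordering) rather than inserted ahead of it (broken).
# Live use after sourcing this file:   iptables-save | check_icc_drop_order; echo $?

# Reads an iptables-save dump on stdin; other tables (nat, mangle) are skipped.
# Exit status:
#   0  DROP is after the DOCKER jump  (docker-1.6.2-14 ordering)
#   1  DROP precedes the DOCKER jump  (docker-1.6.2-10 ordering, links shadowed)
#   2  one of the two rules is absent (e.g. --icc=false not in effect)
check_icc_drop_order() {
    awk '
        /^\*/     { table = substr($0, 2) }     # "*filter" -> "filter"
        /^COMMIT/ { table = "" }
        table == "filter" && /^-A FORWARD / {
            pos++                                # position within FORWARD
            if ($0 ~ /-i docker0 -o docker0 -j DROP/) drop = pos
            if ($0 ~ /-o docker0 -j DOCKER/)          jump = pos
        }
        END {
            if (!drop || !jump) exit 2
            if (drop > jump)    exit 0
            exit 1
        }'
}

# Constructed sample dumps (filter table only), built from the three rule
# lists quoted in the bug: --icc=true, the -10 build, and the -14 build.
sample_icc_true() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
EOF
}

sample_broken() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -i docker0 -o docker0 -j DROP
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT
EOF
}

sample_fixed() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j DROP
COMMIT
EOF
}

# Returns (prints) the numeric status for a named sample, so all cases can be
# exercised without touching the live ruleset; safe under `set -e`.
order_status() {
    if "$1" | check_icc_drop_order; then echo 0; else echo $?; fi
}

echo "icc=true sample: status $(order_status sample_icc_true)"   # 2
echo "broken sample:   status $(order_status sample_broken)"     # 1
echo "fixed sample:    status $(order_status sample_fixed)"      # 0
```

Two caveats for using this on a real host. The check only proves rule order; a packet from a linked container is admitted by the fix because the DOCKER chain (where docker places its per-link and published-port ACCEPTs) is consulted before the DROP, so if you also want to confirm that a specific link works, inspect the DOCKER chain rules as well. And bridged container-to-container traffic only traverses the FORWARD chain at all when br_netfilter is loaded and net.bridge.bridge-nf-call-iptables is 1; with that sysctl off, a successful curl between containers says nothing about the --icc=false rule, so check the sysctl before treating a curl as evidence either way.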