1245325 – Cannot link containers

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1245325 - Cannot link containers

Summary: Cannot link containers

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	docker
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:	atomic-bugs@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:	1244124
Blocks:
TreeView+	depends on / blocked

Reported:	2015-07-21 18:46 UTC by Daniel Walsh
Modified:	2019-03-06 00:55 UTC (History)
CC List:	19 users (show)
Fixed In Version:	docker-1.7.1-105.el7.x86_64
Doc Type:	Bug Fix
Doc Text:	THIS WAS NEVER RELEASED SO WE SHOULD NOT BE IN THE ERRATA Cause: IPTables rules are being added out of order when Firewalld is running. Additionally, some code is missing to reload IPtable rules when Firewalld reloads. Consequence: When Firewalld is enabled, contaianers cannot communicate with one another. When firewalld is reloaded, IPTable rules are flushed. Fix: Adjust ICC rule to 'insert' instead of append. This moves the IPtable rule in the correct order. Missing firewalld functionality needed to be refactored in. Result: Containers can communicate with one another again. When Firewalld is reloaded, IPtable rules are not flushed.
Clone Of:	1244124
Environment:
Last Closed:	2016-06-23 16:17:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Well we need this patch back ported from docker-1.8 (1.28 KB, patch) 2015-07-21 21:32 UTC, Daniel Walsh	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:1274	0	normal	SHIPPED_LIVE	docker bug fix and enhancement update	2016-06-23 20:12:28 UTC

Description Daniel Walsh 2015-07-21 18:46:59 UTC

+++ This bug was initially created as a clone of Bug #1244124 +++

Description of problem:
Cannot link containers.


Version-Release number of selected component (if applicable):
docker-1.7.0-6.git74e7a7a.fc22.x86_64


How reproducible:
Always.


Steps to Reproduce:
1. Open 2 terminals.
2. In terminal 1, execute `docker run -it --rm --name db docker.io/postgres:9.2`
3. Wait until it says "LOG:  database system is ready to accept connections".
4. In terminal 2, execute `docker run -it --rm --link db:db postgres:9.2 bash -c 'psql -h $DB_PORT_5432_TCP_ADDR -p $DB_PORT_5432_TCP_PORT -U postgres'`


Actual results:
psql: could not connect to server: No route to host
    Is the server running on host "172.17.0.162" and accepting
    TCP/IP connections on port 5432?


Expected results:
Client connected to database.


Additional info:
Bug to postgres image: https://github.com/docker-library/postgres/issues/73

However, I tested with other images and none can be linked.

I tested with `setenforce 0` with same results.

You can try with `docker run -it --rm --link db:db docker.io/uzyexe/nmap db -p 5432` instead of step 4. It will say the port is "filtered", where it should be "open".

--- Additional comment from Yajo on 2015-07-17 04:37:03 EDT ---

Workaround is to downgrade docker. I know I will get back some bugs, but without linking I just cannot work:

$ sudo dnf downgrade docker-fish-completion docker
$ docker run -it --rm --name db docker.io/postgres:9.2

(new term)
$ docker run -it --rm --link db:db docker.io/uzyexe/nmap db -p 5432

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-17 08:33 UTC
Nmap scan report for db (172.17.0.1)
Host is up (0.000063s latency).
PORT     STATE SERVICE
5432/tcp open  postgresql
MAC Address: 02:42:AC:11:00:01 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds

$ rpm -q docker
docker-1.6.0-3.git9d26a07.fc22.x86_64

--- Additional comment from Kayvan Sylvan on 2015-07-17 10:25:27 EDT ---

Same problem here. This used to work flawlessly for me, and now it does not.

The simple figest source (with a flask application linking redis with a python app) which used to work is no longer working, with the following error:

web_1   |     raise ConnectionError(self._error_message(e))
web_1   | ConnectionError: Error 113 connecting to redis:6379. No route to host.

From my host, I can access the redis container, but it looks like forwarding of network traffic between containers is not working:

$ docker inspect figtest_redis_1  | grep 172
        "Gateway": "172.17.42.1",
        "IPAddress": "172.17.0.7",

$ nc 172.17.0.7 6379
ping
+PONG

--- Additional comment from Kayvan Sylvan on 2015-07-17 13:28:08 EDT ---

In one window:

$ docker run --rm -it --name=one docker.io/busybox /bin/sh
/ # nc -l -p 4444

On the host:

$ docker inspect one | grep 172
        "Gateway": "172.17.42.1",
        "IPAddress": "172.17.0.11",
$ nc 172.17.0.11 4444
hello

And the "hello" shows up in the container.

Now, on the host again:

$ docker run --rm -it --name=two --link one:one docker.io/busybox /bin/sh
/ # 

Now, inside the "two" container:

/ # ping one
PING one (172.17.0.11): 56 data bytes
64 bytes from 172.17.0.11: seq=0 ttl=64 time=0.160 ms
64 bytes from 172.17.0.11: seq=1 ttl=64 time=0.100 ms
^C
--- one ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.100/0.130/0.160 ms

Looks like I can ping the other container, but this:

/ # nc one 4444
nc: can't connect to remote host (172.17.0.11): No route to host
/ #

--- Additional comment from Kayvan Sylvan on 2015-07-17 21:36:00 EDT ---

Quick and dirty workaround:

# sudo service firewalld stop

It seems that the correct rules to enable forwarding packets that originate from or go to the docker0 interface are not being setup.

I hope this gives the pointer to the developers for how to fix this.

Thanks!

--- Additional comment from Kayvan Sylvan on 2015-07-19 18:52:15 EDT ---

And one more (better) workaround:

After bringing up the docker daemon (so the DOCKER) firewall chain is there, as root, run:

iptables -A DOCKER --source 0.0.0.0/0 --destination 172.17.0.0/16 \
  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A DOCKER --destination 0.0.0.0/0 --source 172.17.0.0/16 -j ACCEPT

Now the forwarding works as expected and linked containers work.

--- Additional comment from Yajo on 2015-07-20 04:44:15 EDT ---

@Kayvan I tried your workaround but I got hit by https://bugzilla.redhat.com/show_bug.cgi?id=1244659, so I'll stick with the downgraded docker for now.

--- Additional comment from Kayvan Sylvan on 2015-07-20 08:53:17 EDT ---

@Yajo which workaround? Fixing the DOCKER chain for iptables? I'll play around with it some more today and see if I can reproduce your issue.

--- Additional comment from Kayvan Sylvan on 2015-07-20 10:28:31 EDT ---

@Yajo The curl command in bug 1244659 works perfectly for me in the container, before and after applying the iptables workaround, so that is some other networking/routing bug.

--- Additional comment from Yajo on 2015-07-21 03:24:51 EDT ---

(In reply to Kayvan Sylvan from comment #7)
> @Yajo which workaround? Fixing the DOCKER chain for iptables? I'll play
> around with it some more today and see if I can reproduce your issue.

Disabling firewalld. I did not try to add the iptables rules because without firewalld it did not work too, so it had no sense to me.


(In reply to Kayvan Sylvan from comment #8)
> @Yajo The curl command in bug 1244659 works perfectly for me in the
> container, before and after applying the iptables workaround, so that is
> some other networking/routing bug.

That's why I reported it separately. But the workaround that works for me is the same: downgrade docker.

--- Additional comment from Kayvan Sylvan on 2015-07-21 05:22:27 EDT ---

@Yajo Disabling firewalld does not work too well, since docker-compose, for example seems to rely on it.

Can you try the other workaround instead? I'm curious if it will work for you.

--- Additional comment from Josef Skladanka on 2015-07-21 07:06:14 EDT ---

(In reply to Kayvan Sylvan from comment #10)

I tried the firewall rules proposed in comment #5, and it works for me - containers are now able to connect to each other.

--- Additional comment from Alec Benson on 2015-07-21 10:33:04 EDT ---

I've moved this over to firewalld so that they can take a look at this.

--- Additional comment from Daniel Walsh on 2015-07-21 10:39:06 EDT ---

Thomas I believe this problem is being caused by the firewalld patch you guys submitted to docker.  Could you check?

--- Additional comment from Daniel Walsh on 2015-07-21 14:06:18 EDT ---

https://github.com/docker/docker/issues/14396

Is covering this upstream.

https://github.com/Nightling states:

"
Just add a rule to the DOCKER chain in the filter table: -i docker0 -o docker0 -j ACCEPT

Here's an easier way to reproduce:
(Fedora Cloud does not ship firewalld as pointed out by @dustymabe.)

docker run -it --rm --name server busybox nc -lp 5000

docker run -it --rm --name client busybox nc \
$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" server) 5000

The root cause is simply firewall rules not being added automatically.
I also tested this with the latest 1.8 build in the weekend.
"

--- Additional comment from Daniel Walsh on 2015-07-21 14:11:11 EDT ---

This rule would break 

docker -d --icc=false

But the default is --icc=true

iptables -A DOCKER -i docker0 -o docker0 -j ACCEPT

Comment 3 Daniel Walsh 2015-07-21 21:19:42 UTC

Trevor  You suggested adding

sudo iptables -t filter -A DOCKER -d 172.17.0.0/16 -i docker0 -j ACCEPT

in

https://github.com/docker/docker/issues/14396

Do you suggest that we should do this by default, and then remove it when icc=false?

Comment 4 Daniel Walsh 2015-07-21 21:32:30 UTC

Created attachment 1054542 [details]
Well we need this patch back ported from docker-1.8

This will at least init firewalld and get docker talking to it.

Comment 5 Alec Benson 2015-07-22 04:34:23 UTC

With firewalld ENABLED, this is the FORWARD chain in my IP tables:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   120 DOCKER     all  --  any    docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere            
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere            
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    2   120 FORWARD_direct  all  --  any    any     anywhere             anywhere            
    2   120 FORWARD_IN_ZONES_SOURCE  all  --  any    any     anywhere             anywhere            
    2   120 FORWARD_IN_ZONES  all  --  any    any     anywhere             anywhere            
    2   120 FORWARD_OUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere            
    2   120 FORWARD_OUT_ZONES  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    2   120 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere



If I delete the rule to the reject target at the bottom, it seems that I can get containers talking to each-other again. I will take a closer look at this first thing tomorrow morning.

Comment 6 Trevor Jay 2015-07-22 05:11:11 UTC

(In reply to Daniel Walsh from comment #3)
> Trevor  You suggested adding
> 
> sudo iptables -t filter -A DOCKER -d 172.17.0.0/16 -i docker0 -j ACCEPT
> 
> in
> 
> https://github.com/docker/docker/issues/14396
> 
> Do you suggest that we should do this by default, and then remove it when
> icc=false?
>

As much as I'd like to lock docker0 down just a little bit more, I think the right thing to do here is provide the same docker0 behavior with firewalld as vanilla Docker provides without it. Refining your earlier suggestion, I would think adding:

    sudo iptables -t filter -A DOCKER -i docker0 -o docker0 -j ACCEPT

by default and removing it when icc=false is fine.

Comment 7 Kayvan Sylvan 2015-07-22 05:36:31 UTC

@Alec I don't think that removing the Reject at the end of the forward chain is the right solution. Adding some explicit rules before that to ACCEPT forwarding from/to the docker0 interface seems correct.

That's what I did in my workaround. It's certainly a missing set of rules regarding forwarding packets to/from docker0.

Comment 8 Yajo 2015-07-22 08:43:40 UTC

(In reply to Trevor Jay from comment #6)
>     sudo iptables -t filter -A DOCKER -i docker0 -o docker0 -j ACCEPT

Works for me.

Comment 9 Luwen Su 2015-07-24 10:24:06 UTC

In firewalld-0.3.9-12.el7.noarch, docker-1.7.1-105.el7.x86_64

# docker run -it --rm --link db:db postgres:9.2 bash -c 'psql -h $DB_PORT_5432_TCP_ADDR -p $DB_PORT_5432_TCP_PORT -U postgres'
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
psql (9.2.13)
Type "help" for help.

postgres=# 


# iptables-save | grep -i docker
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j DROP
-A DOCKER -s 172.17.0.2/32 -d 172.17.0.1/32 -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER -s 172.17.0.1/32 -d 172.17.0.2/32 -i docker0 -o docker0 -p tcp -m tcp --sport 5432 -j ACCEPT

So, i'd like to move to verified

Comment 10 Kayvan Sylvan 2015-07-24 15:14:53 UTC

How do I install a fixed version?

$ sudo dnf --enablerepo updates-testing update docker

Installing from updates-testing got me this:

$ docker -v
Docker version 1.7.1.fc22, build b6416b7/1.7.1

And my use cases still fail the same way and start working again when I do this:

iptables -A DOCKER --source 0.0.0.0/0 --destination 172.17.0.0/16 \
    -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A DOCKER --destination 0.0.0.0/0 --source 172.17.0.0/16 -j ACCEPT

Comment 11 Daniel Walsh 2015-07-24 18:10:53 UTC

docker-1.7.1-5.gitc8962ac.fc22 has the fix. It might not have gotten to the mirrors yet.

rpm -q docker


You can grab the packages directly from here.

http://koji.fedoraproject.org/koji/buildinfo?buildID=671790

Comment 12 Alec Benson 2015-07-24 18:12:14 UTC

I just tested on CentOS 7 as well and everything worked as expected.

Comment 13 Luwen Su 2015-07-27 13:58:51 UTC

Re-check with docker-1.7.1-107.el7.x86_64, it works fine

Comment 14 Kayvan Sylvan 2015-07-28 14:53:33 UTC

The latest docker RPMs have problems still. Does not work correctly on Fedora 22. See comments at the end of bug 1244124.

Comment 15 Lokesh Mandvekar 2015-07-28 14:58:26 UTC

Hi Kayvan, let's keep the fedora and rhel bugs separate. Fedora bugs will get updated separately.

Comment 16 Kayvan Sylvan 2015-07-28 14:59:23 UTC

Gotcha, Lokesh. Thanks.

Comment 21 errata-xmlrpc 2016-06-23 16:17:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1274

Note You need to log in before you can comment on or make changes to this bug.