Bug 1562838 - Docker removes iptables rules for flannel
Summary: Docker removes iptables rules for flannel
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.6.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.10.z
Assignee: Casey Callendrello
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-02 16:33 UTC by Juan Luis de Sousa-Valadas
Modified: 2021-06-10 15:37 UTC
CC List: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-20 15:44:38 UTC
Target Upstream Version:
Embargoed:

Description Juan Luis de Sousa-Valadas 2018-04-02 16:33:56 UTC
Description of problem:
According to our docs [1], when using flannel it is mandatory to add the following rules:

iptables -A DOCKER -p all -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

and make them persistent using the following script:

cp /etc/sysconfig/iptables{,.orig}
sh -c "tac /etc/sysconfig/iptables.orig | sed -e '0,/:DOCKER -/ s/:DOCKER -/:DOCKER ACCEPT/' | awk '"\!"p && /POSTROUTING/{print \"-A POSTROUTING -o eth1 -j MASQUERADE\"; p=1} 1' | tac > /etc/sysconfig/iptables"

Docker deletes the docker rule.

[1] https://docs.openshift.com/container-platform/3.6/install_config/configuring_sdn.html#using-flannel

Version-Release number of selected component (if applicable):
docker-1.12.6-71.git3e8e77d.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. systemctl stop docker
2. iptables -A DOCKER -p all -j ACCEPT && iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
3. Verify the rules are there with iptables -nvL
4. systemctl start docker
5. The rules aren't applied

Actual results:
Docker removes the rule in the docker chain

Expected results:
the rule is preserved

Comment 3 Juan Luis de Sousa-Valadas 2018-04-16 08:50:49 UTC
Temporary workaround:

cat <<EOF > /usr/lib/systemd/system/docker-flannel-rules.service
[Unit]
Description=Add rules for flannel in docker chain
After=docker.service
Wants=docker.service
PartOf=docker.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/bash -c "/sbin/iptables -A DOCKER -p all -j ACCEPT && iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE"

[Install]
WantedBy=multi-user.target
EOF

systemctl enable docker-flannel-rules

Comment 4 Rajat Chopra 2018-04-26 18:49:11 UTC
Updated flannel release with the fix will be available in RHEL7.6!
Until then, please use the workaround.

Comment 5 zhaozhanqi 2018-05-03 08:34:08 UTC
Hi, I did testing using the above workaround. When I stop and start the docker service, the docker-flannel-rules service becomes inactive, thus the related docker chain still does NOT exist.

See the following steps. Please let me know if the steps are wrong.

*****************************************
[root@host-172-16-120-61 ~]# systemctl enable docker-flannel-rules
Created symlink from /etc/systemd/system/multi-user.target.wants/docker-flannel-rules.service to /usr/lib/systemd/system/docker-flannel-rules.service.
[root@host-172-16-120-61 ~]# systemctl status docker-flannel-rules
● docker-flannel-rules.service - Add rules for flannel in docker chain
   Loaded: loaded (/usr/lib/systemd/system/docker-flannel-rules.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
[root@host-172-16-120-61 ~]# systemctl start docker-flannel-rules
[root@host-172-16-120-61 ~]# systemctl status docker-flannel-rules
● docker-flannel-rules.service - Add rules for flannel in docker chain
   Loaded: loaded (/usr/lib/systemd/system/docker-flannel-rules.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2018-05-03 04:27:12 EDT; 3s ago
  Process: 15271 ExecStart=/bin/bash -c /sbin/iptables -A DOCKER -p all -j ACCEPT && iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE (code=exited, status=0/SUCCESS)
 Main PID: 15271 (code=exited, status=0/SUCCESS)

May 03 04:27:12 host-172-16-120-61 systemd[1]: Starting Add rules for flannel in docker chain...
May 03 04:27:12 host-172-16-120-61 systemd[1]: Started Add rules for flannel in docker chain.
[root@host-172-16-120-61 ~]# systemctl stop docker
[root@host-172-16-120-61 ~]# systemctl start docker
[root@host-172-16-120-61 ~]# systemctl status docker-flannel-rules
● docker-flannel-rules.service - Add rules for flannel in docker chain
   Loaded: loaded (/usr/lib/systemd/system/docker-flannel-rules.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Thu 2018-05-03 04:27:28 EDT; 39s ago
  Process: 15271 ExecStart=/bin/bash -c /sbin/iptables -A DOCKER -p all -j ACCEPT && iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE (code=exited, status=0/SUCCESS)
 Main PID: 15271 (code=exited, status=0/SUCCESS)

May 03 04:27:12 host-172-16-120-61 systemd[1]: Starting Add rules for flannel in docker chain...
May 03 04:27:12 host-172-16-120-61 systemd[1]: Started Add rules for flannel in docker chain.
May 03 04:27:28 host-172-16-120-61 systemd[1]: Stopped Add rules for flannel in docker chain.
May 03 04:27:28 host-172-16-120-61 systemd[1]: Stopping Add rules for flannel in docker chain...
***********************************

Comment 6 Juan Luis de Sousa-Valadas 2018-05-03 13:08:06 UTC
zhaozhanqi, can you try:

cat <<EOF > /usr/lib/systemd/system/docker-flannel-rules.service
[Unit]
Description=Add rules for flannel in docker chain
PartOf=docker.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/bash -c "/sbin/iptables -A DOCKER -p all -j ACCEPT && iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE"

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl restart docker
systemctl status docker
systemctl status docker-flannel-rules.service


Thank you

Comment 7 zhaozhanqi 2018-05-04 09:59:05 UTC
Juan Luis de Sousa-Valadas,

With the above steps, the docker-flannel-rules service is executed once docker restarts, but it seems the iptables rules still cannot be added, see:

# systemctl daemon-reload
[root@host-172-16-120-108 ~]# systemctl restart docker
[root@host-172-16-120-108 ~]# systemctl status docker-flannel-rules.service
● docker-flannel-rules.service - Add rules for flannel in docker chain
   Loaded: loaded (/usr/lib/systemd/system/docker-flannel-rules.service; disabled; vendor preset: disabled)
   Active: active (exited) since Fri 2018-05-04 05:55:49 EDT; 9s ago
  Process: 20612 ExecStart=/bin/bash -c /sbin/iptables -A DOCKER -p all -j ACCEPT && iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE (code=exited, status=0/SUCCESS)
 Main PID: 20612 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/docker-flannel-rules.service

May 04 05:55:49 host-172-16-120-108 systemd[1]: Stopping Add rules for flannel in docker chain...
May 04 05:55:49 host-172-16-120-108 systemd[1]: Starting Add rules for flannel in docker chain...
May 04 05:55:49 host-172-16-120-108 systemd[1]: Started Add rules for flannel in docker chain.
[root@host-172-16-120-108 ~]# iptables-save  | grep DOCKER
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-ISOLATION -j RETURN
[root@host-172-16-120-108 ~]#
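The check in comment 7 (`iptables-save | grep DOCKER`) shows the rule missing even though the workaround unit reported success, and the reproducer in the description verifies the rules by hand with `iptables -nvL`. The script below is an added example, not code from this bug report or from the docker, flannel or OpenShift projects: `check_dump` reads an `iptables-save` dump and names each of the two rules required by the flannel docs that is absent (per table, so a DOCKER chain in nat is not mistaken for the one in filter), and `ensure_rules` adds only the rules that `iptables -C` reports missing, so it can be re-run from a unit's ExecStart= without stacking duplicates. The function names and the `IPTABLES` override are this example's own; `eth1` is the interface used on the page; the sample dump is constructed from the comment 7 output.

```shell
#!/bin/sh
# Added example (not from the bug report or from docker/flannel/OpenShift):
# verify and idempotently add the two iptables rules the flannel docs require.

# check_dump: read an iptables-save dump on stdin and print, as "<table>: <rule>",
# each required rule that is missing. Exit status 0 = all present, 1 = missing.
# iptables-save prints a "-p all" rule without any -p, so both spellings match.
check_dump() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # table header, e.g. "*filter"
        table == "filter" && /^-A DOCKER( -p all)? -j ACCEPT$/ { have_filter = 1 }
        table == "nat" && /^-A POSTROUTING -o eth1 -j MASQUERADE$/ { have_nat = 1 }
        END {
            rc = 0
            if (!have_filter) { print "filter: -A DOCKER -p all -j ACCEPT"; rc = 1 }
            if (!have_nat)    { print "nat: -A POSTROUTING -o eth1 -j MASQUERADE"; rc = 1 }
            exit rc
        }'
}

# ensure_rules: append each required rule only when "iptables -C" says it is
# absent, so repeated runs (e.g. after every docker restart) add nothing twice.
# IPTABLES may be overridden; the test below points it at a stub function.
ensure_rules() {
    ipt=${IPTABLES:-iptables}
    "$ipt" -C DOCKER -p all -j ACCEPT 2>/dev/null \
        || "$ipt" -A DOCKER -p all -j ACCEPT || return 1
    "$ipt" -t nat -C POSTROUTING -o eth1 -j MASQUERADE 2>/dev/null \
        || "$ipt" -t nat -A POSTROUTING -o eth1 -j MASQUERADE || return 1
}

# Constructed sample: the "iptables-save | grep DOCKER" lines from comment 7,
# laid out as a full iptables-save dump. Both required rules are absent.
SAMPLE_AFTER_RESTART='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-ISOLATION -j RETURN
COMMIT'

# Constructed sample: the same dump after both rules were added, written the
# way iptables-save prints them (the "-p all" is dropped).
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_AFTER_RESTART" | awk '
    { print }
    /^-A DOCKER -i docker0 -j RETURN$/ { print "-A POSTROUTING -o eth1 -j MASQUERADE" }
    /^-A DOCKER-ISOLATION -j RETURN$/  { print "-A DOCKER -j ACCEPT" }')

# Stand-alone demo (run with --demo): report what each sample is missing.
# On a real host: iptables-save | check_dump || ensure_rules
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AFTER_RESTART" | check_dump || echo "-> rules missing after docker restart"
    printf '%s\n' "$SAMPLE_FIXED" | check_dump && echo "-> all required rules present"
fi
```

`check_dump` only reports the two rules the docs mandate and leaves everything else in the DOCKER chain alone; `ensure_rules` is what an ExecStart= in a unit ordered `After=docker.service` would call, since the `-C` probe makes a second run after a docker restart a no-op rather than a duplicate.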

Comment 10 Stephen Cuppett 2019-11-20 15:44:38 UTC
OCP 3.10 has reached the end of full support [1]. Closing this BZ as WONTFIX. If there is a customer case to be attached with a valid support exception and we still need a fix here, please post those details and reopen.

[1] - https://access.redhat.com/support/policy/updates/openshift