Open wusikijeronii opened 2 years ago
Solution in https://github.com/moby/moby/issues/34531
It doesn't work after reboot. After reboot the iptables rules are loaded but the problem still exists. I need to manually restart the iptables service to solve the problem. I also tried to change the default unit:
UPD: Maybe I was wrong when I wrote that docker doesn't create iptables rules. Maybe it creates excess rules. After reboot:
[root@srv1-prod ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
[root@srv1-prod ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
[root@srv1-prod ~]# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
After restarting iptables service:
[root@srv1-prod ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
[root@srv1-prod ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[root@srv1-prod ~]# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
For now, I've made it work by adding the iptables restore script as ExecStartPost in docker.service, but I don't want to close the issue because the sequence iptables-restore -> docker init -> iptables-restore is not a solution. I think it is just a kludge to hide the docker bug.
I have the same issue. When I install docker-ce, the dhcp client on the other bridge doesn't work.
Same issue here. My VMs can't be reached, thank you very much for a sane network setup.
This also bit me and my lxd. See "Docker breaks libvirt bridge network" on serverfault.
Description: For some reason docker makes all bridges with different settings stop working. If I remove docker, the network using a bridge works.
Steps to reproduce the issue: I don't know how to reproduce the issue because I have another machine with the same OS, same network settings & same docker version, but on the machine where I faced the problem I did the following steps:
docker-ce, docker-ce-cli and containerd.io
I tried to use Oracle Linux and Alma Linux (RHEL 8 based). When I installed docker and then rebooted the OS, the network in devices using a bridge as master (virtual machines) didn't work. When I remove docker and then reboot, the system network works again. First I thought the problem depended on my bridge configuration settings. I added a simple macvlan interface as a master to the VM host and the network worked. Then I created a new bridge (with NAT, without VLAN tagging) and the network didn't work again. I can also ping the bridge parent IP, but the network doesn't pass to the next hops. Also, I get ARP replies from all sides about each other (VM, physical host, router (network core)). I also tried to remove all docker interfaces, disable SELinux, disable firewalld, and flush all iptables rules. These didn't help. The issue exists even if docker has no containers (after activating the docker service). The bridge interface uses an additional IP from VRRP, and when I tried to get data from this IP I sent requests but didn't get replies. I also tried to disable VRRP on this host.
Output of docker version:
Output of docker info:
Additional environment details (AWS, VirtualBox, physical, etc.): Current OS: Oracle Linux 8 (x86-64).
UPD: Replaced OS with Ubuntu Server. Same problem.