jpetazzo / pipework

Software-Defined Networking tools for LXC (LinuX Containers)
Apache License 2.0

docker 1.13 container is not reachable after giving IP-address #211

Closed bebehei closed 5 months ago

bebehei commented 7 years ago

With the current new release of docker 1.13, the default policy of iptables changes from FORWARD to DROP (see: docker/docker#28257).

pipework will no longer succeed in assigning valid global IPs to docker containers, as all packets get dropped by iptables.

m4h3 commented 7 years ago

Is there any known workaround?

jpetazzo commented 7 years ago

Change back the default policy?

bebehei commented 7 years ago

I hit this bug two weeks ago, so everything IIRC:

-> There is no possibility to change back the policy.

bebehei commented 7 years ago

Update: this is verified. See https://github.com/docker/docker/pull/28257#issuecomment-274246788

PR docker/docker#490 got unfixed by this.

jpetazzo commented 7 years ago

I meant – change it in the pipework script, with iptables -P FORWARD ACCEPT. But make sure to fully understand the implications first! If you try, let us know if that works and I'll update the README accordingly. Thank you!

bebehei commented 7 years ago

> I meant – change it in the pipework script

Yeah. That's the solution, and this is what pipework actually should do.

I assign my containers an IP address on my system's main bridge. This IP should be reachable from other computers without any specific routing. Docker networking does not do this. This is the reason why I use pipework:

    ./pipework br1 container 141.58...@141.58...

This is very easy with pipework.

And with docker 1.13 I'm not able to reach my containers on this global IP anymore. IMO this should be pipework's job. It should add an additional iptables entry there, allowing all connections to/from this specific IP.

Also, I think just fixing it for myself does not help others. I bet I'm not the only one using this scenario.
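
As an added example (not pipework's code and not from anyone in this thread), the per-IP variant bebehei describes: instead of `iptables -P FORWARD ACCEPT`, insert FORWARD rules scoped to the one address pipework assigned. It takes pipework's own `IP/prefix@gateway` argument form; the bridge name `br1` and address `141.58.0.10` below are made-up sample values.

```sh
#!/bin/sh
# Added example, not pipework's own code. Docker 1.13 sets the FORWARD policy
# to DROP, and Docker enables bridge-nf-call-iptables, so traffic bridged via
# br1 to a pipework-attached container traverses FORWARD and is dropped.
# These functions allow only the one container IP, in both directions.
# With DRY_RUN=1 the iptables commands are printed instead of executed.

# Reduce pipework's "IP/prefix@gateway" argument to the bare IPv4 address.
bare_ip() {
  ip=${1%%@*}   # drop "@gateway"
  ip=${ip%%/*}  # drop "/prefix"
  case $ip in
    ""|*[!0-9.]*) echo "not an IPv4 address: '$1'" >&2; return 1 ;;
  esac
  printf '%s\n' "$ip"
}

# Print the two rule bodies for one bridge and address: packets entering the
# bridge for the container, and packets leaving the bridge from the container.
forward_rules() {
  bridge=$1
  ip=$(bare_ip "$2") || return 1
  printf '%s\n' "-i $bridge -d $ip -j ACCEPT" "-o $bridge -s $ip -j ACCEPT"
}

# Insert the rules at the top of FORWARD; -C skips rules already present,
# so calling this again for the same container adds no duplicates.
allow_container_ip() {
  forward_rules "$1" "$2" | while read -r rule; do
    if [ -n "$DRY_RUN" ]; then
      echo iptables -I FORWARD $rule
    elif ! iptables -C FORWARD $rule 2>/dev/null; then
      iptables -I FORWARD $rule
    fi
  done
}

# Remove the rules again when the container goes away.
deny_container_ip() {
  forward_rules "$1" "$2" | while read -r rule; do
    if [ -n "$DRY_RUN" ]; then
      echo iptables -D FORWARD $rule
    else
      iptables -D FORWARD $rule 2>/dev/null || true
    fi
  done
}
```

Run as root right after `pipework br1 <container> 141.58.0.10/24@141.58.0.1`: `allow_container_ip br1 141.58.0.10/24@141.58.0.1`; the matching `deny_container_ip` call belongs in whatever tears the container down.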

jpetazzo commented 7 years ago

I understand. We are trying to move away from pipework and use CNM plugins instead. We could change the iptables policy in pipework, but I'm afraid that this could have security implications in some cases.

Perhaps we could:

Let me know if you think that would be helpful!