Bug ID 1233690
Summary Docker containers are not reachable from network
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Major
Priority P5 - None
Component MicroOS
Assignee forgotten_u0-bnvADNc@user.net
Reporter seifert@alesak.net
QA Contact qa-bugs@suse.de
Target Milestone ---
Found By ---
Blocker ---

After a regular OS update from 20241114 to 20241115 or later, containers become
unreachable. Containers seem to bind normally to the correct interfaces.
As it is a production server, I was not able to investigate for very long;
reverting to the previous OS snapshot resolved the problem.

I installed the current version of
"openSUSE-MicroOS.x86_64-ContainerHost-kvm-and-xen.qcow2" into a VM but was
unable to reproduce the issue; everything seems to work normally.

The only symptom in the journal is a high occurrence of lines similar to this:

Nov 24 02:23:46 backup1 dockerd[1340]: time="2024-11-24T02:23:46.068350205Z" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:172.20.0.66:42800" dns-server="udp:213.186.33.99:53" error="read udp 172.20.0.66:42800->213.186.33.99:53: i/o timeout" question=";certbot.\tIN\t AAAA" spanID=850c3ffdfcec0675 traceID=e1693dcfdf213f90555090b6285ac906

Also there is a difference in IPTABLES:

NOT working:

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

working:

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
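
Added example, not part of the original report: a small Python comparison of two `iptables -L FORWARD` listings that counts the repeated ACCEPT/DOCKER/ACCEPT/ACCEPT groups and lists the rules missing from the broken host. The sample listings are constructed to mirror the two above, the function names are hypothetical, and treating each group as one Docker bridge network is an assumption; the parser also tolerates a rule whose match text has wrapped onto a second line.

```python
from collections import Counter

# Constructed sample input modelled on the two listings in the report.
HEAD = """Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
"""
GROUP = """ACCEPT     all  --  anywhere             anywhere             ctstate
RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
"""
NOT_WORKING = HEAD + GROUP       # one group, as in the "NOT working" listing
WORKING = HEAD + GROUP * 6       # six groups, as in the "working" listing

# Assumption: this four-rule sequence is what Docker adds once per bridge network.
PER_BRIDGE = [("ACCEPT", "ctstate RELATED,ESTABLISHED"), ("DOCKER", ""),
              ("ACCEPT", ""), ("ACCEPT", "")]

def parse_chain(text):
    """Return [(target, match), ...] for one `iptables -L <chain>` listing."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] in ("Chain", "target"):
            continue                      # blank line or listing header
        if len(f) >= 5 and f[2] == "--":  # target prot opt source destination
            rules.append((f[0], " ".join(f[5:])))
        elif rules:                       # wrapped remainder of previous rule
            target, match = rules[-1]
            rules[-1] = (target, (match + " " + " ".join(f)).strip())
    return rules

def count_groups(rules):
    """Count non-overlapping occurrences of the PER_BRIDGE sequence."""
    n = i = 0
    while i + len(PER_BRIDGE) <= len(rules):
        if rules[i:i + len(PER_BRIDGE)] == PER_BRIDGE:
            n, i = n + 1, i + len(PER_BRIDGE)
        else:
            i += 1
    return n

def missing_rules(good, bad):
    """Rules (with multiplicity) present in `good` but absent from `bad`."""
    return Counter(parse_chain(good)) - Counter(parse_chain(bad))

if __name__ == "__main__":
    print("groups working/not working:", count_groups(parse_chain(WORKING)),
          count_groups(parse_chain(NOT_WORKING)))
    for (target, match), n in sorted(missing_rules(WORKING, NOT_WORKING).items()):
        print(f"missing x{n}: {target} {match}".rstrip())
```

Running the same comparison on `iptables -S FORWARD` or `iptables -L FORWARD -v` output would need a different parser, but those forms show the interface names that the plain `-L` listing omits.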

