[Bug 1046024] New: Docker networking broken after boot
http://bugzilla.opensuse.org/show_bug.cgi?id=1046024

Bug ID: 1046024
Summary: Docker networking broken after boot
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: adam@mizerski.pl
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

After reboot docker networking is usually broken, with various symptoms.
Sometimes the containers are created, but have no network inside.
Sometimes creating a container fails with the following message:

docker: Error response from daemon: driver failed programming external connectivity on endpoint twister (46c42ea16960cd7002792b62e844c68f560a1ec336061dd8ef4a03a53e1ab7d6): iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 28332 -j ACCEPT: iptables: No chain/target/match by that name. (exit status 1).

Fixing this is possible by restarting the docker service, but sometimes it also requires restarting NetworkManager or SuSEFirewall2 first and manually deleting the docker0 bridge interface.
On the internet I've found various reports and solutions, but couldn't find anything reliable.
I suspect it's a race condition on iptables between docker and SuSEFirewall2.
It might also be a problem with systemd. Archlinux wiki has some hints: https://wiki.archlinux.org/index.php/Docker

--
You are receiving this mail because:
You are on the CC list for the bug.
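A way to check the report's error against a saved ruleset, as an added example that is not part of the original report or of Docker or SuSEFirewall2: it reads the table and chain out of the failed iptables command and looks for that chain's declaration in `iptables-save` formatted text. The function names and both sample rulesets are constructed for illustration; the check covers only the missing-chain cause of "No chain/target/match by that name".

```shell
# Added example; the two rulesets below are constructed sample data.
SAMPLE_ERROR='iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 28332 -j ACCEPT: iptables: No chain/target/match by that name.'
SAMPLE_BROKEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
SAMPLE_OK='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
COMMIT'

# chain_declared TABLE CHAIN: exit 0 if the iptables-save text on stdin
# declares CHAIN inside TABLE.
chain_declared() {
    awk -v table="$1" -v chain="$2" '
        /^\*/ { current = substr($0, 2) }
        /^:/  { split(substr($0, 2), f, " ")
                if (current == table && f[1] == chain) found = 1 }
        END   { exit(found ? 0 : 1) }'
}

# rule_target ERROR_LINE: print "TABLE CHAIN" for the iptables command quoted
# in the error. Without -t the table is "filter", the iptables default.
rule_target() {
    printf '%s\n' "$1" | awk '{
        table = "filter"; chain = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-t") table = $(i + 1)
            if (($i == "-A" || $i == "-I") && chain == "") chain = $(i + 1)
        }
        if (chain == "") exit 1
        print table, chain
    }'
}

# diagnose ERROR_LINE: compare the error with the ruleset on stdin.
diagnose() {
    target=$(rule_target "$1") || { echo "no iptables rule in error"; return 2; }
    table=${target% *}; chain=${target#* }
    if chain_declared "$table" "$chain"; then
        echo "present: $chain in $table"
    else
        echo "missing: $chain in $table"; return 1
    fi
}
```

On a live host the ruleset would come from `iptables-save` run as root, piped into `diagnose` together with the error line from the Docker daemon.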
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c1
Jordi Massaguer
Hi. This indeed looks like a conflict with the rules docker adds to iptables and SUSEFirewall. Just to confirm, can you disable SUSEFirewall and try to reboot again?
http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c3
--- Comment #3 from Adam Mizerski
http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c4
--- Comment #4 from Adam Mizerski
http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c5
--- Comment #5 from Adam Mizerski
http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c6
--- Comment #6 from Adam Mizerski
http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c7
--- Comment #7 from Adam Mizerski
http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c8
--- Comment #8 from Jordi Massaguer
Jordi Massaguer
http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c9
--- Comment #9 from Adam Mizerski
http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c10
--- Comment #10 from Jordi Massaguer
It fixed the issue.
It's a good hot-fix for problems shortly after booting, but there will still be issues. For example, if you reconfigure your firewall, it's restarted with the new configuration and all docker changes are gone. Isn't it possible to disable iptables fiddling by docker and make sure SuSEFirewall2 sets up everything correctly?
See comment #2, thanks.
Tomáš Chvátal
http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c14
Valentin Rothberg