http://bugzilla.opensuse.org/show_bug.cgi?id=1046024 http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c1 Jordi Massaguer changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |adam@mizerski.pl Flags| |needinfo?(adam@mizerski.pl) --- Comment #1 from Jordi Massaguer --- (In reply to Adam Mizerski from comment #0)

After reboot docker networking is usually broken, with various symptoms.

Sometimes the containers are created, but have not network inside.

Sometimes creating container fails with the following message: docker: Error response from daemon: driver failed programming external connectivity on endpoint twister (46c42ea16960cd7002792b62e844c68f560a1ec336061dd8ef4a03a53e1ab7d6): iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 28332 -j ACCEPT: iptables: No chain/target/match by that name. (exit status 1).

Fixing this is possible by restarting docker service, but sometimes it also requires restarting Networkmanager or SuSEFirewall2 before and manually deleting docker0 bridge interface.

On the internet I've found various reports and solutions, but couldn't find anything reliable.

I suspect it's a race condition to iptables between docker and SuSEFirewall2.

It might be also a problem with systemd. Archlinux wiki has some hints: https://wiki.archlinux.org/index.php/Docker

Hi. This looks indeed a conflict with the rules docker adds to iptables and SUSEFirewall. Just to confirm, can you disable SUSEFirewall and try again to reboot? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1046024 http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c4 --- Comment #4 from Adam Mizerski --- Created attachment 730939 --> http://bugzilla.opensuse.org/attachment.cgi?id=730939&action=edit iptables after manually starting SuSEFirewall2 -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1046024 http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c6 --- Comment #6 from Adam Mizerski --- Created attachment 730941 --> http://bugzilla.opensuse.org/attachment.cgi?id=730941&action=edit iptables with both docker and firewall enabled at boot -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1046024 http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c8 --- Comment #8 from Jordi Massaguer --- Please try adding SuSEfirewall2.service into the "After" in /usr/lib/systemd/system/docker.service: After=network.target containerd.socket containerd.service SuSEfirewall2.service This will make docker start after SuSEfirewall2 and potentially fix your issue. Having 2 process deal with iptables is not generally a good idea but starting docker after SuSEfirewall may fix your issue. Can you try that and let us know if that fixed your issue? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1046024 http://bugzilla.opensuse.org/show_bug.cgi?id=1046024#c9 --- Comment #9 from Adam Mizerski --- It fixed the issue. It's a good hot-fix for problems shortly after booting, but still there will be issues. For example if you reconfigure your firewall, it's restarted with new configuration and all docker changes are gone. Isn't it possible to disable iptables fiddling by docker and make sure SuSEFirewall2 sets up everything correctly? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1046024 Tomáš Chvátal changed: What |Removed |Added ---------------------------------------------------------------------------- Version|Leap 42.2 |Leap 42.3 -- You are receiving this mail because: You are on the CC list for the bug.