On Sat, 30 Sep 2023 06:18:49 -0400, Pablo Sanchez wrote:
> Hi Jim,
> Interestingly enough, I have a similar issue with my laptop. It may not be the same but it sounds strikingly similar.
> ::: TL;DR :::
> In your case, can your user try to replicate the problem in a VM, using bridged networking?
I can ask the user who's having the issue; I've not been able to reproduce
the issue at all, but the user in the thread on the openSUSE forums
(tilfischer) as well as the individual helping in the Docker forums
(rimelek) can. The former is running on bare metal, the latter is running
TW inside an lxd VM.
I've been testing in VMware Workstation 17.0.2.
All are on the 20230926 release of TW. Rimelek's installation uses a pre-
built VM image from the lxd repositories, but both mine and tilfischer's
were installed from media using default options (his was KDE, mine was
GNOME, but I also tried KDE) and then updated with zypper dup.
I feel I need to emphasize that it's not a physical network issue, but a
virtual network issue in how rootless docker works.
I'm going to explain this in more detail, partly to help clarify the issue
for those reading this thread, and partly to help me make sure I
understand what I'm seeing.
Rootless docker is a way to run the docker daemon as a user, without root
privileges. In order to connect to the network, there's a userspace
network tool used that creates what appears to be a virtual routed
network. This is configured automatically by the
/usr/bin/dockerd-rootless-setuptool.sh script.
What you end up with is a network configuration that looks like this:
host <----> userspace network <----> docker networks
That "userspace network" is only present inside the host - it's a tap
interface that has its own subnet (10.0.2.x), and is configured with its
own routes and iptables firewall rules:
--- snip ---
localhost:/home/jhenderson # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
localhost:/home/jhenderson #
--- snip ---
From the host's perspective, it doesn't exist as a network interface at
all:
--- snip ---
jhenderson@localhost:~> ifconfig
ens33: flags=4163