Bug 46612 - UCS 4.3 docker version sets default rule FORWARD policy DROP
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Docker
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3
Assigned To: Daniel Tröder
QA Contact: Erik Damrose
: interim-4
Reported: 2018-03-13 11:17 CET by Erik Damrose
Modified: 2018-03-14 14:38 CET
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Description Erik Damrose univentionstaff 2018-03-13 11:17:52 CET
The UCS 4.3 docker version by default configures the packet filter rule FORWARD policy DROP. In UCS 4.2 the default was ACCEPT.

KVM virtual machines cannot use the network with this new default.
Comment 1 Daniel Tröder univentionstaff 2018-03-13 13:52:25 CET
The Docker source code was patched to not change the default policy of the FORWARD chain.

docker.io 1.13.1-0ubuntu6A~4.3.0.201803131344


PS: An alternative solution would have been to start dockerd with --ip-forward=false (ucr set docker/daemon/default/opts/ip-forward=false) and enable ip_forwarding (sysctl net.ipv4.ip_forward=1).
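
Added example, not part of the original comment or of the UCS or Docker code: a shell check that classifies the FORWARD chain state this bug is about, from `iptables -S FORWARD` output and the `net.ipv4.ip_forward` value. The function names, the verdict strings and the two rule listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the FORWARD chain state discussed in this bug.
# The two rule listings are constructed samples, not captured from a UCS host.

# Read `iptables -S FORWARD` output on stdin, print the chain's default policy.
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3; found = 1; exit }
         END { if (!found) print "UNKNOWN" }'
}

# $1 = FORWARD policy, $2 = net.ipv4.ip_forward value. Returns non-zero when
# traffic that no explicit rule accepts will not be forwarded.
assess() {
    case "$1:$2" in
        ACCEPT:1) echo "ok: forwarding enabled, FORWARD policy ACCEPT" ;;
        DROP:1)   echo "blocked: FORWARD policy DROP, only explicitly accepted traffic passes"; return 1 ;;
        *:0)      echo "blocked: net.ipv4.ip_forward=0, kernel does not forward"; return 1 ;;
        *)        echo "unknown: policy=$1 ip_forward=$2"; return 2 ;;
    esac
}

sample_policy_drop() {   # constructed: state reported in the description
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
EOF
}

sample_policy_accept() { # constructed: state verified in comment 2
    sample_policy_drop | sed 's/^-P FORWARD DROP$/-P FORWARD ACCEPT/'
}

if [ "${1:-}" = "--live" ]; then
    # Needs root; reads the running host instead of the samples.
    assess "$(iptables -S FORWARD | forward_policy)" "$(sysctl -n net.ipv4.ip_forward)"
else
    for s in sample_policy_drop sample_policy_accept; do
        printf '%s: ' "$s"
        assess "$($s | forward_policy)" 1 || true
    done
fi
```

Run with `--live` as root after the Docker daemon has started to check the host itself; the exit status is non-zero when the policy is DROP or forwarding is off.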
Comment 2 Erik Damrose univentionstaff 2018-03-13 14:56:09 CET
OK: Default for FORWARD is now ACCEPT
OK: Patch applied and built
reopen: changelog. We actually differ from the upstream behavior with this version of docker and should mention it.
Comment 3 Daniel Tröder univentionstaff 2018-03-13 15:26:29 CET
[4.3-0 3a8460ee73] Bug #46612: release changelog entry
Comment 4 Erik Damrose univentionstaff 2018-03-13 15:43:38 CET
OK: changelog
verified
Comment 5 Stefan Gohmann univentionstaff 2018-03-14 14:38:15 CET
UCS 4.3 has been released:
 https://docs.software-univention.de/release-notes-4.3-0-en.html
 https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".