Bug 43471 - Docker containers cannot reach network
Status: CLOSED INVALID
Product: UCS
Classification: Unclassified
Component: Docker
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.2
Assigned To: Dirk Wiesenthal
Philipp Hahn
: interim-1
Depends on:
Blocks: 43607
Reported: 2017-02-01 16:56 CET by Dirk Wiesenthal
Modified: 2017-04-04 18:28 CEST (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Dirk Wiesenthal univentionstaff 2017-02-01 16:56:03 CET
The firewall seems to block outgoing or incoming traffic. We need to adjust the Firewall settings for Docker.
Comment 1 Dirk Wiesenthal univentionstaff 2017-02-08 12:57:41 CET
Fixed in
  univention-firewall 9.0.0-5A~4.2.0.201702081252

Problem was /etc/init.d/docker status, which apparently may not be called in a systemd context.
Comment 2 Philipp Hahn univentionstaff 2017-02-10 17:26:13 CET
The change is just a suspect work-around: the real problem is that docker was changed to support systemd, so /lib/systemd/system/docker.service is preferred over /etc/init.d/docker. And "/etc/init.d/docker status" calls "systemctl status docker.service" anyway:
 /etc/init.d/docker:43 . /lib/lsb/init-functions
 /lib/lsb/init-functions:429     [ -r $hook ] && . $hook || true
 /lib/lsb/init-functions.d/40-systemd:83         systemctl_redirect $0 $1
 /lib/lsb/init-functions.d/40-systemd:63     /bin/systemctl $command "$service"

This by itself is not a problem, but /etc/default/docker is still an old UCR template, which is now sourced by both /etc/init.d/docker and /lib/systemd/system/docker.service:EnvironmentFile; the latter only supports a restricted subset of shell variable assignments, e.g. "export http_proxy" will break systemd!

I also suspect the real problem to be somewhere else: after my upgrade test "dbus" was no longer running and "systemd" was not yet reachable; thus "systemctl status" does not work; after a reboot everything was fine, even using the old code with ucs-4.2-0@76532 reverted.

# iptables -L -v | grep -i -e docker -e ^Chain
Chain INPUT (policy DROP 0 packets, 0 bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    0     0 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere            
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
Chain OUTPUT (policy ACCEPT 85 packets, 15362 bytes)
Chain DOCKER (1 references)
Chain DOCKER-ISOLATION (1 references)
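The point in comment 2 about /etc/default/docker being read by both the SysV script (as shell) and by systemd's EnvironmentFile= (as a plain KEY=VALUE file) is easy to check mechanically. The following linter is an added example and is not code from this bug, from Univention or from systemd; its rules are assumptions drawn from systemd.exec(5) (one assignment per line, optional quoting, '#'/';' comment lines, no "export" prefix, no variable expansion, no command substitution), and the sample file and proxy host are constructed.

```python
"""Lint a shell-style defaults file for constructs that systemd's
EnvironmentFile= parser does not understand.

Added example, not part of the bug report. Rules are assumptions based
on systemd.exec(5); the sample below is constructed, not the UCR template.
"""
import re

# Environment variable names systemd accepts (assumption: POSIX-style names).
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
EXPORT_RE = re.compile(r"^(\s*)export\s+")

# Constructed sample of a defaults file that works as shell but not as
# an EnvironmentFile; proxy host is a placeholder.
SAMPLE = """\
# /etc/default/docker (constructed sample)
DOCKER_OPTS="--dns 192.0.2.53"
export http_proxy="http://proxy.example.invalid:3128"
DOCKER_OPTS="$DOCKER_OPTS --log-level=warn"
TMPDIR=$(mktemp -d)
"""


def lint_env_file(text):
    """Return a list of (line number, reason, raw line) for lines that a
    shell would accept but systemd's EnvironmentFile= parser would not
    treat the way the author expects."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank and comment lines are fine for both readers
        if EXPORT_RE.match(raw):
            # "export KEY=VAL" makes systemd see the key as "export KEY".
            findings.append((lineno, "export prefix", raw))
            continue
        if "=" not in line:
            findings.append((lineno, "not an assignment", raw))
            continue
        key, value = line.split("=", 1)
        if not NAME_RE.match(key.strip()):
            findings.append((lineno, "invalid variable name", raw))
            continue
        # systemd does not run a shell: $(...) and backticks stay literal.
        if "$(" in value or "`" in value:
            findings.append((lineno, "command substitution", raw))
        # systemd does not expand $VAR / ${VAR} either (conservative check:
        # a '$' inside single quotes is flagged too).
        elif re.search(r"\$\{?[A-Za-z_]", value):
            findings.append((lineno, "shell variable expansion", raw))
    return findings


def strip_export(text):
    """Rewrite 'export KEY=VAL' lines to 'KEY=VAL', the one construct that
    can be fixed mechanically; expansions need a manual rewrite."""
    return "".join(EXPORT_RE.sub(r"\1", raw)
                   for raw in text.splitlines(keepends=True))


if __name__ == "__main__":
    for lineno, reason, raw in lint_env_file(SAMPLE):
        print("line %d: %s: %s" % (lineno, reason, raw))
```

Running it against the constructed sample reports lines 3, 4 and 5; only the plain quoted DOCKER_OPTS assignment on line 2 is safe for both readers. A template that must serve both the init script and the unit file should therefore be restricted to that form, or the unit should get its own EnvironmentFile.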
Comment 3 Dirk Wiesenthal univentionstaff 2017-02-22 13:12:45 CET
Reverted in r76970. The script works fine without the patch after a reboot. The problem is that some system service is not fully functional right after the update.
Comment 4 Philipp Hahn univentionstaff 2017-02-23 08:34:47 CET
OK: git diff `git svn find-rev r76532`~1..`git svn find-rev r76970` -- base/univention-firewall
Comment 5 Stefan Gohmann univentionstaff 2017-04-04 18:28:21 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".