Univention Bugzilla – Bug 43471
Docker containers cannot reach network
Last modified: 2017-04-04 18:28:21 CEST
The firewall seems to block outgoing or incoming traffic. We need to adjust the Firewall settings for Docker.
Fixed in univention-firewall 9.0.0-5A~4.2.0.201702081252. Problem was "/etc/init.d/docker status", which apparently may not be called in a systemd context.
The change is just a suspect work-around: the real problem is that docker was changed to support systemd, so /lib/systemd/system/docker.service is preferred over /etc/init.d/docker. And "/etc/init.d/docker status" calls "systemctl status docker.service" anyway:

/etc/init.d/docker:43                     . /lib/lsb/init-functions
/lib/lsb/init-functions:429               [ -r $hook ] && . $hook || true
/lib/lsb/init-functions.d/40-systemd:83   systemctl_redirect $0 $1
/lib/lsb/init-functions.d/40-systemd:63   /bin/systemctl $command "$service"

This by itself is not a problem, but /etc/default/docker is still an old UCR template, which is now sourced by both /etc/init.d/docker and /lib/systemd/system/docker.service:EnvironmentFile; the latter only supports a restricted subset of shell variable assignments, e.g. "export http_proxy" will break systemd!

I also suspect the real problem to be somewhere else: after my upgrade test "dbus" was no longer running and "systemd" was not yet reachable; thus "systemctl status" does not work; after a reboot everything was fine, even using the old code with ucs-4.2-0@76532 reverted.

# iptables -L -v | grep -i -e docker -e ^Chain
Chain INPUT (policy DROP 0 packets, 0 bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    0     0 DOCKER-ISOLATION  all  --  any      any       anywhere             anywhere
    0     0 DOCKER            all  --  any      docker0   anywhere             anywhere
    0     0 ACCEPT            all  --  any      docker0   anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT            all  --  docker0  !docker0  anywhere             anywhere
    0     0 ACCEPT            all  --  docker0  docker0   anywhere             anywhere
Chain OUTPUT (policy ACCEPT 85 packets, 15362 bytes)
Chain DOCKER (1 references)
Chain DOCKER-ISOLATION (1 references)
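The comment above points out that /etc/default/docker is read by two different parsers: a POSIX shell (via /etc/init.d/docker) and systemd's EnvironmentFile= loader, which only accepts plain KEY=VALUE lines. The following lint script is an added example and is not code from the bug report or from Univention; it flags the lines a shell would accept but systemd would not ("export ..." prefixes, lines without an assignment, values that rely on shell expansion). The function name check_envfile and the sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report: lint a file that is both sourced
# by an init.d script and loaded through systemd's EnvironmentFile=.
# Only plain KEY=VALUE lines are safe for both readers; everything else is
# reported so it can be fixed before the unit is started.
# check_envfile and the sample files below are constructed for this example.

# check_envfile FILE
# Prints every line that is not a plain KEY=VALUE assignment, or whose value
# depends on shell expansion, and returns 1 if any such line was found.
check_envfile() {
    _file="$1"
    _rc=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        # blank lines and comments are ignored by both readers
        case "$_line" in
            ''|'#'*|';'*) continue ;;
        esac
        # a line without '=' is not an assignment ("export http_proxy")
        case "$_line" in
            *=*) _key="${_line%%=*}" ;;
            *)   printf 'no KEY=VALUE assignment: %s\n' "$_line"; _rc=1; continue ;;
        esac
        # the part before '=' must be a bare variable name; "export FOO" is not
        case "$_key" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                printf 'invalid variable name "%s": %s\n' "$_key" "$_line"; _rc=1; continue ;;
        esac
        # systemd does not expand $VAR, $(cmd) or `cmd` inside values; they stay literal
        case "${_line#*=}" in
            *'$'*|*'`'*)
                printf 'shell expansion is not performed by systemd: %s\n' "$_line"; _rc=1 ;;
        esac
    done < "$_file"
    return $_rc
}

# Constructed sample files in a temporary directory (stand-ins for /etc/default/docker).
SAMPLE_DIR="$(mktemp -d)"
GOOD_FILE="$SAMPLE_DIR/docker.good"
BAD_FILE="$SAMPLE_DIR/docker.bad"

cat > "$GOOD_FILE" <<'EOF'
# constructed: accepted by both sh and systemd
DOCKER_OPTS="--dns 10.0.0.1"
http_proxy=http://proxy.example.invalid:3128
EOF

cat > "$BAD_FILE" <<'EOF'
# constructed: fine for sh, problematic for EnvironmentFile=
export http_proxy=http://proxy.example.invalid:3128
export no_proxy
DOCKER_OPTS="--bip $(cat /tmp/bip)"
EOF

check_envfile "$GOOD_FILE" && echo "$GOOD_FILE: ok"
check_envfile "$BAD_FILE"  || echo "$BAD_FILE: fix before systemd loads it"
```

Run it against the real file with `check_envfile /etc/default/docker`; a clean exit status means every line is a plain assignment that the init script and the systemd unit will read the same way.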
Reverted in r76970. The script works fine without the patch after a reboot. The problem is that some system service is not fully functional right after the update.
OK: git diff `git svn find-rev r76532`~1..`git svn find-rev r76970` -- base/univention-firewall
UCS 4.2 has been released:
https://docs.software-univention.de/release-notes-4.2-0-en.html
https://docs.software-univention.de/release-notes-4.2-0-de.html
If this error occurs again, please use "Clone This Bug".