Bug 43607 - Docker containers cannot reach network
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: App Center
UCS 4.2
Other Linux
: P5 normal
: UCS 4.2
Assigned To: Dirk Wiesenthal
Felix Botner
: interim-2
Depends on: 43471
Reported: 2017-02-22 13:11 CET by Dirk Wiesenthal
Modified: 2017-04-04 18:29 CEST (History)
What kind of report is it?: Development Internal

Description Dirk Wiesenthal univentionstaff 2017-02-22 13:11:36 CET
As discussed. There is no problem in the firewall script 20_docker.sh. Instead, right after an update, something seems to be not running. Suspect: kdbus.

Instead of fixing the firewall script, we will enforce a restart before the App Center may be called.

+++ This bug was initially created as a clone of Bug #43471 +++

The firewall seems to block outgoing or incoming traffic. We need to adjust the Firewall settings for Docker.
Comment 1 Dirk Wiesenthal univentionstaff 2017-02-22 17:13:49 CET
Checking for kernel 4.9 in
  univention-appcenter 6.0.1-33A~4.2.0.201702221712

This means that the user rebooted the system once. This should get services in order.
Comment 2 Felix Botner univentionstaff 2017-02-27 14:35:13 CET
There is a problem with 20_docker.sh

/etc/init.d/docker status in /etc/security/packetfilter.d/20_docker.sh always returns != 0 and therefore all nat rules are missing and apps can't get a network connection.

Changing this test to "systemctl status docker" works for me.

The rest is ok.

I couldn't test it in UMC (Bug #43653) but at least the command line installation failed correctly

-> univention-app install owncloud82
Going to install ownCloud (9.1.1-20170120)
(must_have_fitting_kernel_version) 
Unable to install owncloud82. Aborting...

reboot

-> univention-app install etherpad-lite
...
Comment 3 Philipp Hahn univentionstaff 2017-02-28 07:38:38 CET
(In reply to Felix Botner from comment #2)
> There is a problem with 20_docker.sh
> 
> /etc/init.d/docker status in /etc/security/packetfilter.d/20_docker.sh
> always returns != 0 and therefore all nat rules are missing and apps can't
> get a network connection.
> 
> Changing this test to "systemctl status docker" works for me.

systemctl -q is-active docker.service
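
The guard discussed in comments 2 and 3, sketched as an added example that is not part of the original bug report and not the contents of 20_docker.sh: the NAT rules are gated on a service probe, a skipped rule set is reported instead of silently dropped, and two probes can be compared to spot a status check that never succeeds. The function names, the DOCKER_PROBE and DRY_RUN variables, and the sample MASQUERADE rule (bridge docker0, subnet 172.17.0.0/16) are assumptions.

```shell
#!/bin/sh
# Added example, not the contents of 20_docker.sh.
# Assumptions: function names, DOCKER_PROBE, DRY_RUN and the sample
# MASQUERADE rule (bridge docker0, subnet 172.17.0.0/16) are illustrative.

# Probe that decides whether Docker is running. It can be overridden so the
# guard can be exercised on a host without systemd or Docker.
: "${DOCKER_PROBE:=systemctl -q is-active docker.service}"

docker_running() {
    # Exit status 0 only if the probe reports the service as active.
    $DOCKER_PROBE >/dev/null 2>&1
}

# Print (DRY_RUN=1, the default) or apply the NAT rule for the Docker bridge.
docker_nat_rules() {
    subnet=${1:-172.17.0.0/16}   # constructed sample subnet
    if ! docker_running; then
        # Make the skip visible: a probe that always fails would otherwise
        # leave containers without outbound connectivity and no trace of why.
        echo "docker inactive per '$DOCKER_PROBE'; NAT rules skipped" >&2
        return 1
    fi
    rule="-t nat -A POSTROUTING -s $subnet ! -o docker0 -j MASQUERADE"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $rule"
    else
        # The rule string is intentionally word-split into arguments.
        iptables $rule
    fi
}

# Return 0 if two probe commands give the same active/inactive verdict.
# A disagreement points at a status check that cannot be trusted.
probes_agree() {
    a=0; b=0
    $1 >/dev/null 2>&1 || a=1
    $2 >/dev/null 2>&1 || b=1
    [ "$a" -eq "$b" ]
}
```

Calling `probes_agree "/etc/init.d/docker status" "systemctl -q is-active docker.service"` on a host compares the two checks named in this report; a non-zero result means they disagree about whether Docker is running.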
Comment 4 Dirk Wiesenthal univentionstaff 2017-03-01 02:32:46 CET
Fixed in
  univention-firewall 9.0.0-8A~4.2.0.201703010231
Comment 5 Felix Botner univentionstaff 2017-03-01 11:29:58 CET
OK
Comment 6 Stefan Gohmann univentionstaff 2017-04-04 18:29:47 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".