Non-docker bridge network doesn't work after docker installing
Description: For some reason Docker makes all bridges with different settings stop working. If I remove Docker, the network using the bridge works.
Steps to reproduce the issue: I don't know how to reproduce the issue because I have another machine with the same OS, same network settings and same Docker version, but on the machine where I faced the problem I did the following steps:
- Set up the Ethernet interface.
- Add a bridge.
- Add a macvlan (VLAN type) whose master is the bridge from step 2.
- Install docker-ce, docker-ce-cli and containerd.io.
- Reboot.
I tried Oracle Linux and Alma Linux (RHEL 8 based). When I installed Docker and then rebooted the OS, the network in devices using a bridge as master (virtual machines) didn't work. When I remove Docker and reboot the system, the network works again. First I thought the problem depended on my bridge configuration settings. I added a simple macvlan interface as master to the VM host and the network worked. Then I created a new bridge (with NAT, without VLAN tagging) and the network didn't work again. I can also ping the bridge parent IP, but the traffic doesn't pass to the next hops. Also, I get ARP replies from all sides about each other (VM, physical host, router (network core)). I also tried to remove all Docker interfaces, disable SELinux, disable firewalld and flush all iptables rules. These didn't help. The issue exists even if Docker has no containers (after activating the docker service). The bridge interface uses an additional IP from VRRP, and when I tried to get data from this IP I sent requests but didn't get replies. I also tried to disable VRRP on this host.
Output of docker version:
Docker version 20.10.10, build b485636
Output of docker info:
Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Build with BuildKit (Docker Inc., v0.6.3-docker)
scan: Docker Scan (Docker Inc., v0.9.0)
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 20.10.10
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: false
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 5b46e404f6b9f661a205e28d59c982d3634148f8
runc version: v1.0.2-0-g52b36a2
init version: de40ad0
Security Options:
seccomp
Profile: default
Kernel Version: 5.4.17-2136.300.7.el8uek.x86_64
Operating System: Oracle Linux Server 8.4
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 6.711GiB
Name: srv1-prod
ID: KRMF:Y7XQ:KKSH:2KIU:ZJF4:A2IO:KEAL:AXXP:7LG3:QA7E:6K72:EOKN
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Additional environment details (AWS, VirtualBox, physical, etc.): Current OS: Oracle Linux 8 (x86-64).
UPD: Replaced the OS with Ubuntu Server. Same problem.
Solution in https://github.com/moby/moby/issues/34531
It doesn't work after reboot. After reboot the iptables rules are loaded but the problem still exists. I need to manually restart the iptables service to solve the problem. I also tried to change the default unit:
- Add delay = 10s
- Add delay = 1min
- Add After = docker.service
- Add After = docker.socket
UPD: Maybe I was wrong when I wrote that Docker doesn't create iptables rules. Maybe it creates excess rules. After reboot:
[root@srv1-prod ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
[root@srv1-prod ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
[root@srv1-prod ~]# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
After restarting iptables service:
[root@srv1-prod ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
[root@srv1-prod ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[root@srv1-prod ~]# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
For now, I've made it work by adding the iptables restore script as ExecStartPost in docker.service, but I don't want to close the issue because the sequence iptables-restore -> docker init -> iptables-restore is not a solution. I think it is just a kludge to hide the Docker bug.
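The two dumps above show what actually changes: after boot Docker has set the FORWARD policy to DROP and installed its own chains, and restarting the iptables service "fixes" forwarding only by wiping those chains and resetting the policy to ACCEPT, which is why the fix does not survive a Docker restart. The DOCKER-USER chain in the first dump is the one place Docker leaves for administrator rules and evaluates before its own, so the durable fix is to accept the other bridge's traffic there instead of restoring the whole table. The following script is an added example, not code from the issue or from Docker: it reads a FORWARD dump in the `iptables -S` shape shown above, reports whether a given bridge is blocked, and prints the DOCKER-USER rules that would allow it. The dump is a constructed sample and the bridge name `br0` is an assumption; any libvirt or lxd bridge name can be substituted.

```shell
#!/bin/sh
# Added example (not from the issue or Docker): audit the FORWARD chain for a
# non-Docker bridge and emit the DOCKER-USER rules that keep it forwarding.
# Docker sets FORWARD's policy to DROP and evaluates DOCKER-USER first, so
# rules placed there outlive daemon restarts; rules elsewhere may be flushed.

# Constructed sample in the shape of `iptables -S` after boot with Docker.
AFTER_BOOT='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN'

# Print the policy of the FORWARD chain found in dump $1 (ACCEPT or DROP).
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^-P FORWARD //p'
}

# Succeed only when dump $1 already accepts both directions for bridge $2
# inside DOCKER-USER (the chain Docker reserves for administrator rules).
bridge_allowed() {
    dump=$1; br=$2
    printf '%s\n' "$dump" | grep -q -- "^-A DOCKER-USER -i $br -j ACCEPT" &&
    printf '%s\n' "$dump" | grep -q -- "^-A DOCKER-USER -o $br -j ACCEPT"
}

# Print the remediation for bridge $1 as iptables commands. `-I` inserts at
# the top of DOCKER-USER so the rules run before its trailing RETURN.
bridge_fix_commands() {
    br=$1
    printf 'iptables -I DOCKER-USER -i %s -j ACCEPT\n' "$br"
    printf 'iptables -I DOCKER-USER -o %s -j ACCEPT\n' "$br"
}

# Audit dump $1 for bridge $2: prints "blocked" (exit 1) when the policy is
# DROP and nothing in DOCKER-USER accepts the bridge, otherwise "ok" (exit 0).
audit_bridge() {
    dump=$1; br=$2
    if [ "$(forward_policy "$dump")" = "DROP" ] && ! bridge_allowed "$dump" "$br"; then
        echo "blocked"
        return 1
    fi
    echo "ok"
    return 0
}

# Live use on the host (needs root): audit the real table, then apply the fix.
#   live=$(iptables -S); audit_bridge "$live" br0 || bridge_fix_commands br0 | sh
```

Running the audit against the constructed dump reports `blocked` for `br0`, and the two printed `iptables -I DOCKER-USER` commands are what would need to be persisted (for example in the same `ExecStartPost` hook mentioned above) so they are present whenever the daemon recreates its chains. Keeping them in DOCKER-USER rather than restoring a whole saved table avoids the ordering problem of `iptables-restore` racing against Docker's own initialization.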
I have the same issue. When I install docker-ce, the DHCP client on the other bridge doesn't work.
Same issue here. My VMs can't be reached, thank you very much for a sane network setup.
This also bit me and my lxd. See Docker breaks libvirt bridge network on serverfault.