
Non-docker bridge network doesn't work after docker installing

Open wusikijeronii opened this issue 2 years ago • 3 comments

Description: For some reason, Docker makes all bridges with different settings stop working. If I remove Docker, the network using the bridge works.

Steps to reproduce the issue: I don't know how to reproduce the issue 'cos I have another machine with the same OS, same network settings & same Docker version, but on the machine where I faced the problem I did the following steps:

  1. Set up the Ethernet interface.
  2. Add a bridge.
  3. Add a macvlan (vlan type) whose master is the bridge from step 2.
  4. Install docker-ce, docker-ce-cli and containerd.io.
  5. Reboot.

I tried Oracle Linux and Alma Linux (RHEL 8 based). When I installed Docker and then rebooted the OS, the network in devices using a bridge as master (virtual machines) didn't work. When I remove Docker and then reboot, the system network works again. First I thought the problem depends on my bridge configuration settings. I added a simple macvlan interface as a master to the VM host and the network worked. Then I created a new bridge (with NAT, without VLAN tagging) and the network didn't work again. I also can ping the bridge parent IP, but the traffic doesn't pass to the next hops. Also, I get ARP replies from all sides about each other (VM, physical host, router (network core)). I also tried to remove all Docker interfaces, disable SELinux, disable firewalld and flush all iptables rules. None of these helped. The issue exists even if Docker has no containers (after activating the Docker service). The bridge interface uses an additional IP from VRRP, and when I tried to get data from this IP, I sent requests but got no replies. I also tried to disable VRRP on this host.

Output of docker version:

Docker version 20.10.10, build b485636

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.6.3-docker)
  scan: Docker Scan (Docker Inc., v0.9.0)

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 20.10.10
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: false
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 5b46e404f6b9f661a205e28d59c982d3634148f8
 runc version: v1.0.2-0-g52b36a2
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.4.17-2136.300.7.el8uek.x86_64
 Operating System: Oracle Linux Server 8.4
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 6.711GiB
 Name: srv1-prod
 ID: KRMF:Y7XQ:KKSH:2KIU:ZJF4:A2IO:KEAL:AXXP:7LG3:QA7E:6K72:EOKN
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.): Current OS: Oracle Linux 8 (x86-64).

UPD: Replaced OS with Ubuntu Server. Same problem

wusikijeronii, Oct 27 '21 21:10

Solution in https://github.com/moby/moby/issues/34531

wusikijeronii, Nov 02 '21 12:11

It doesn't work after reboot. After reboot the iptables rules are loaded, but the problem still exists. I need to manually restart the iptables service to solve the problem. I also tried to change the default unit:

  • Add delay = 10s
  • Add delay = 1min
  • Add After = docker.service
  • Add After = docker.socket

UPD: Maybe I was wrong when I wrote that Docker doesn't create iptables rules. Maybe it creates excess rules. After reboot:

[root@srv1-prod ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
[root@srv1-prod ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
[root@srv1-prod ~]# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

After restarting iptables service:

[root@srv1-prod ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
[root@srv1-prod ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[root@srv1-prod ~]# iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT

For now, I've made it work by adding the iptables restore script as ExecStartPost in docker.service, but I don't want to close the issue 'cos the algorithm iptables-restore -> docker init -> iptables-restore is not a solution. I think it is just a kludge to hide the Docker bug.

wusikijeronii, Nov 02 '21 21:11
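The two rule dumps above differ in exactly the way that explains the symptom: with dockerd active the FORWARD policy is DROP and the only ACCEPT rules are for docker0, while after the iptables service restores its saved ruleset the policy is back to ACCEPT. dockerd also loads br_netfilter and enables bridge-nf-call-iptables, so frames bridged across a non-Docker bridge (the VM bridge from the report) are evaluated by that FORWARD chain and hit the DROP policy. The following is an added example, not code from this thread or from the Docker project: a POSIX shell script that reads an `iptables -S` dump, reports whether a given bridge is blocked by this mechanism, and prints the narrowest remediation, an ACCEPT rule in the DOCKER-USER chain (the chain Docker documents for administrator rules evaluated before its own). The bridge name `br0` and the two embedded dumps are constructed from the posted output for the purpose of the example.

```shell
#!/bin/sh
# Diagnose a non-Docker bridge that stops forwarding once dockerd is running,
# using the text of `iptables -S` (filter table). Added example for this thread;
# br0 and the two dumps are constructed, not captured from a real host.

BRIDGE="${BRIDGE:-br0}"   # hypothetical name of the VM bridge

# Constructed: filter table after a reboot with dockerd active (FORWARD DROP,
# only docker0 exempted), trimmed to the rules that matter for the diagnosis.
AFTER_REBOOT='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN'

# Constructed: same host after the administrator exempted br0 in DOCKER-USER.
WITH_EXEMPTION='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -i br0 -o br0 -j ACCEPT
-A DOCKER-USER -j RETURN'

# forward_policy DUMP -> prints the FORWARD chain policy (ACCEPT or DROP)
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3 }'
}

# bridge_exempt DUMP BRIDGE -> exit 0 if DOCKER-USER accepts frames that both
# enter and leave BRIDGE. Bridged (L2) traffic shows the bridge device as both
# -i and -o to iptables, so this single rule covers VM<->VM and VM<->uplink.
bridge_exempt() {
    printf '%s\n' "$1" | grep -q -- "^-A DOCKER-USER -i $2 -o $2 -j ACCEPT\$"
}

# diagnose DUMP BRIDGE -> prints "ok" or "blocked"
diagnose() {
    pol=$(forward_policy "$1")
    if [ "$pol" = "ACCEPT" ]; then
        echo ok                      # policy alone lets bridged frames through
    elif bridge_exempt "$1" "$2"; then
        echo ok                      # DROP policy, but the bridge is exempted
    else
        echo blocked                 # DROP policy and no exemption: VMs lose network
    fi
}

# bridge_nf_state -> prints the live bridge-nf-call-iptables value, or
# "unknown" when br_netfilter is not loaded / the file is unreadable.
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# fix_commands BRIDGE -> prints the narrow remediation. -I puts the rule before
# the RETURN that dockerd appends, and DOCKER-USER is the chain Docker reserves
# for administrator rules, so Docker's own DROP policy stays in place for
# everything else.
fix_commands() {
    printf 'iptables -I DOCKER-USER -i %s -o %s -j ACCEPT\n' "$1" "$1"
}

# Stand-alone run: show the verdict for both constructed dumps.
echo "after reboot:   $(diagnose "$AFTER_REBOOT" "$BRIDGE")"
echo "with exemption: $(diagnose "$WITH_EXEMPTION" "$BRIDGE")"
echo "bridge-nf-call-iptables on this host: $(bridge_nf_state)"
echo "suggested fix:"
fix_commands "$BRIDGE"
```

To run it against a real host, replace the embedded dump with `$(iptables -S)`. Two caveats follow from the thread itself: the rule only persists across reboots if it is included in whatever ruleset the iptables service restores, and that restore must happen after dockerd has created the DOCKER-USER chain (restoring a pre-Docker ruleset is what removed the chains in the second dump above). A routed NAT bridge additionally needs forward rules for the uplink in both directions, which the single bridged-frame exemption does not cover. Setting `net.bridge.bridge-nf-call-iptables=0` instead would also unblock the bridge, but it does so host-wide and also stops Docker's own same-bridge isolation rules (`icc=false`) from seeing container traffic, so the DOCKER-USER exemption is the least-privilege choice.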

I have the same issue. When I install docker-ce, the DHCP client on the other bridge doesn't work.

dfldylan, Aug 05 '22 05:08

Same issue here. My VMs can't be reached. Thank you very much for a sane network setup.

Bram-diederik, Nov 16 '22 18:11

This also bit me and my lxd. See "Docker breaks libvirt bridge network" on Server Fault.

hi-ko, Sep 15 '23 11:09