docker breaks (podman) network (rules) #408

Closed
zyclonite opened this issue Mar 4, 2020 · 8 comments

Comments


zyclonite commented Mar 4, 2020

bug?

Binding a port to the podman host interface and accessing it from another container is blocked by iptables rules,
but if the docker service is started something seems to get messed up and the podman container is able to access the port (after a restart of the container).

reproducer

Starting with a freshly installed FCOS instance,
bind a container to the host interface, e.g.
podman run -d --name mongo -p 10.88.0.1:27017:27017 mongo
then run another container, trying to reach that ip:port:
podman run --rm -it alpine sh -c "apk update && apk add busybox-extras && telnet 10.88.0.1 27017"
This does not work (I assume this is intended).

After simply executing docker info (which triggers a docker service start) and running the same commands from above again, it works.

Docker adds a lot of iptables rules, but I tried that without touching the docker service and it still did not work.

fcos version

Version: 31.20200210.3.0 (2020-02-24T16:48:02Z)

@dustymabe (Member)

Unfortunately I don't have links to past issues but I think it's generally known within the space that docker and podman can/do conflict if you try to use them at the same time. @zyclonite maybe we need an entry in the FAQ for this?

@zyclonite (Author)

I understand that mixing both could lead to some strange effects... there I would agree to have this at least documented.

What I tried to describe above is more of a security risk I see:
imagine I plan to only use podman and assume that my containers are safe in terms of networking on that host, and then someone logs into that server and accidentally runs a docker command (not starting a container or creating a network...) and this alone breaks the network isolation of my running podman containers...

I appreciate that FCOS enforces SELinux now, but on the other side it opens new security holes like that...
In that case it would maybe make sense to have an option to deactivate docker completely.
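A defender-side check prompted by the behaviour described in this thread: the script below parses an iptables-save dump and flags Docker's footprint in the filter table (its DOCKER* chains, a FORWARD policy of DROP, and FORWARD rules jumping into those chains), so a podman-only host can be audited for exactly the kind of unintended docker start reported here. This is an added example, not code from the issue or from Fedora CoreOS; the two dumps are constructed samples, and the CNI-FORWARD chain and the 10.88.0.0/16 range are assumptions about a podman host.

```python
"""Audit an iptables-save dump for Docker's firewall footprint (added example)."""

# Chains Docker creates in the filter table when the daemon starts.
DOCKER_CHAINS = {"DOCKER", "DOCKER-USER",
                 "DOCKER-ISOLATION-STAGE-1", "DOCKER-ISOLATION-STAGE-2"}

def parse_iptables_save(dump):
    """Return {table: {"policies": {chain: policy}, "rules": [...]}}; user chains show '-'."""
    tables, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                     # *filter, *nat, ...
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line.startswith(":") and current is not None:
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A") and current is not None:
            tables[current]["rules"].append(line)
    return tables

def audit_docker_footprint(dump):
    """Return a list of findings; an empty list means no Docker state was seen."""
    filt = parse_iptables_save(dump).get("filter", {"policies": {}, "rules": []})
    findings = []
    present = sorted(DOCKER_CHAINS & set(filt["policies"]))
    if present:
        findings.append("docker chains present: " + ", ".join(present))
    if filt["policies"].get("FORWARD") == "DROP":
        findings.append("FORWARD policy is DROP (docker sets this on startup)")
    jumps = [r for r in filt["rules"] if r.startswith("-A FORWARD") and "-j DOCKER" in r]
    if jumps:
        findings.append("FORWARD jumps into docker chains: %d rule(s)" % len(jumps))
    return findings

# Constructed sample dumps, not captured from the reporter's host.
PODMAN_ONLY = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CNI-FORWARD - [0:0]
-A FORWARD -m comment --comment "CNI firewall plugin rules" -j CNI-FORWARD
COMMIT
"""
AFTER_DOCKER = (PODMAN_ONLY
    .replace(":FORWARD ACCEPT", ":FORWARD DROP")
    .replace(":CNI-FORWARD - [0:0]", ":CNI-FORWARD - [0:0]\n:DOCKER - [0:0]\n:DOCKER-USER - [0:0]")
    .replace("COMMIT", "-A FORWARD -j DOCKER-USER\n-A FORWARD -o docker0 -j DOCKER\nCOMMIT"))
```

On a real host, feed it the output of iptables-save and treat any finding as a sign that the docker service has been started since the podman rules were set up.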

dustymabe (Member) commented Mar 6, 2020

@zyclonite - the default configuration is to have docker socket activated. We decided to do this so that users coming from Container Linux would have a smoother transition. However you can easily disable docker completely by masking the docker.service.

variant: fcos
version: 1.0.0
systemd:
  units:
    - name: docker.service
      mask: true

I added a FAQ entry in our docs that specifically tells users not to run docker and podman together and also how to mask the docker service. Can you review it?

coreos/fedora-coreos-docs#58

@zyclonite (Author)

ok, makes sense

tested it and the FAQ looks fine as well, thank you

@dustymabe (Member)

> ok, makes sense
>
> tested it and the FAQ looks fine as well, thank you

Thanks! I'll close this issue when the docs PR merges

dustymabe added a commit to dustymabe/fedora-coreos-docs that referenced this issue Mar 6, 2020

olljanat commented Sep 2, 2020

@dustymabe How about those of us who want to stay on Docker and disable Podman? What is the correct way to do it?

The main reason to do so would be to keep things under control: do the migration to FCOS first (we are coming from Rancher OS) before starting to evaluate Podman.

@dustymabe (Member)

> @dustymabe How about those of us who want to stay on Docker and disable Podman? What is the correct way to do it?

AFAIU podman isn't a daemon that runs. If you don't call out to /usr/bin/podman no processes are running and it's like it was never there.
