
docker breaks iptables cgroup path match #1028

Closed
2 of 3 tasks
springzfx opened this issue Jun 2, 2020 · 3 comments

Comments

@springzfx

springzfx commented Jun 2, 2020

  • This is a bug report
  • This is a feature request
  • I searched existing issues before opening this one

Expected behavior

-m cgroup --path <CGROUP> is used in iptables to match a cgroup2 path.
For example, sudo iptables -A OUTPUT -m cgroup --path /test.slice -j REJECT will match packets from the cgroup /test.slice and reject them.
This works well in the default hybrid mode.
Though docker uses cgroup v1, it should not break this.

Actual behavior

  • First start the docker service: the cgroup2 path match works OK
  • Then start one container: broken
  • Then stop the container: still broken
  • Then stop the docker service: still broken
  • Then I have to restart the computer to make it work again

I also tried changing the config to Cgroup Driver: systemd, no luck.

Steps to reproduce the behavior

This is a small test script to reproduce:

#!/bin/bash
# Reproducer: move a shell into the cgroup2 path /test.slice and ping from it;
# after each docker lifecycle step, check whether the "-m cgroup --path" REJECT
# rule still matches (ping reports "Destination Port Unreachable" when it does).
RED='\033[0;31m'
NC='\033[0m' # No Color

sudo mkdir -p /sys/fs/cgroup/unified/test.slice

# Baseline with an empty ruleset: ping must succeed.
sudo iptables --flush
echo -e "${RED}iptables clean${NC}"
cat <<"EOF" | sudo bash
echo $$ >> /sys/fs/cgroup/unified/test.slice/cgroup.procs
ping -c 1 127.0.0.1
EOF

# Reject traffic from the cgroup2 path: ping must now be rejected.
sudo iptables -A OUTPUT -m cgroup --path /test.slice -j REJECT
echo -e "${RED}iptables cgroup reject${NC}"
cat <<"EOF" | sudo bash
echo $$ >> /sys/fs/cgroup/unified/test.slice/cgroup.procs
ping -c 1 127.0.0.1
EOF

# Same check after starting the docker service (still rejected).
sudo systemctl start docker
echo -e "${RED}start docker service${NC}"
cat <<"EOF" | sudo bash
echo $$ >> /sys/fs/cgroup/unified/test.slice/cgroup.procs
ping -c 1 127.0.0.1
EOF

# Same check after starting one container (match stops working).
docker run --name test --rm -dt alpine /bin/sh
echo -e "${RED}start docker container${NC}"
cat <<"EOF" | sudo bash
echo $$ >> /sys/fs/cgroup/unified/test.slice/cgroup.procs
ping -c 1 127.0.0.1
EOF

# Same check after stopping the container (still broken).
docker stop test
echo -e "${RED}stop docker container${NC}"
cat <<"EOF" | sudo bash
echo $$ >> /sys/fs/cgroup/unified/test.slice/cgroup.procs
ping -c 1 127.0.0.1
EOF

# Same check after stopping the docker service (still broken).
sudo systemctl stop docker
echo -e "${RED}stop docker service${NC}"
cat <<"EOF" | sudo bash
echo $$ >> /sys/fs/cgroup/unified/test.slice/cgroup.procs
ping -c 1 127.0.0.1
EOF
  • If ping outputs Destination Port Unreachable, the iptables cgroup match rule works.
    Here is the script result:
    [screenshot: Screenshot_20200602_131842]

Output of docker version:

Client:
Version:           19.03.10-ce
API version:       1.40
Go version:        go1.14.3
Git commit:        9424aeaee9
Built:             Fri May 29 11:14:36 2020
OS/Arch:           linux/amd64
Experimental:      false

Server:
Engine:
Version:          19.03.10-ce
API version:      1.40 (minimum version 1.12)
Go version:       go1.14.3
Git commit:       9424aeaee9
Built:            Fri May 29 11:14:15 2020
OS/Arch:          linux/amd64
Experimental:     false
containerd:
Version:          v1.3.4.m
GitCommit:        d76c121f76a5fc8a462dc64594aea72fe18e1178.m
runc:
Version:          1.0.0-rc10
GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version:          0.18.0
GitCommit:        fec3683

Output of docker info:

Client:
Debug Mode: false

Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 19.03.10-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d76c121f76a5fc8a462dc64594aea72fe18e1178.m
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 5.6.15-arch1-1
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 7.506GiB
Name: fancy-pc
ID: WOOL:2O55:IYPZ:4CV4:W5VR:44OD:DWXT:SFUA:7XJ2:5LCS:AMSB:73NV
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.)
OS: archlinux

@springzfx springzfx changed the title docker breaks cgroup path match docker breaks iptables cgroup path match Jun 2, 2020
@springzfx
Author

Kernel log:

[  +0.109803] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation

Found the cause. Closing this now.
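
As an added example (not code from the issue, from the reporter, or from Docker), the following script turns the kernel notice quoted above into two checks an operator can run before and after the reproducer script in the report: whether a cgroup v1 hierarchy with net_cls or net_prio is mounted at all (the precondition for the notice), and whether the notice has already been logged, in which case "-m cgroup --path" matching is off on this host. The function names, the --live switch, and the sample /proc/mounts and kernel-log text at the bottom are my own constructions; the sample notice line is copied from the comment above.

```shell
#!/bin/sh
# Added example, not code from the issue or from Docker: checks a host
# admin can run to see whether cgroup2 socket matching ("-m cgroup --path")
# is at risk or already switched off. Function names and the --live switch
# are mine; the sample inputs at the bottom are constructed, not captured.

# Print the mount point of every cgroup v1 hierarchy carrying net_cls or
# net_prio. Input is text in /proc/mounts format (device, mountpoint,
# fstype, options, ...). Returns 0 if at least one such hierarchy exists.
v1_net_hierarchies() {
    printf '%s\n' "$1" | awk '
        $3 == "cgroup" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "net_cls" || opts[i] == "net_prio") {
                    print $2
                    found = 1
                    break
                }
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Returns 0 if the kernel log text contains the notice from the issue,
# i.e. the kernel has already turned cgroup2 socket matching off.
cgroup2_match_disabled_in_log() {
    printf '%s\n' "$1" | grep -q 'disabling cgroup2 socket matching'
}

# One-word verdict: "disabled" (notice already logged), "at-risk" (a v1
# net_cls/net_prio hierarchy is mounted, so a runtime creating child
# cgroups in it can trigger the notice) or "ok" (no such hierarchy).
cgroup2_match_verdict() {
    if cgroup2_match_disabled_in_log "$2"; then
        echo disabled
    elif v1_net_hierarchies "$1" >/dev/null; then
        echo at-risk
    else
        echo ok
    fi
}

# Constructed samples: a hybrid mount table like the reporter's, a
# cgroup-v2-only table, and kernel log text before/after the notice.
SAMPLE_MOUNTS_HYBRID='cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0'
SAMPLE_MOUNTS_V2ONLY='cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_DMESG_CLEAN='[    0.000000] Linux version 5.6.15-arch1-1'
SAMPLE_DMESG_BROKEN='[    0.000000] Linux version 5.6.15-arch1-1
[  +0.109803] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation'

if [ "${1:-}" = "--live" ]; then
    # Real host: read the live mount table and kernel ring buffer.
    cgroup2_match_verdict "$(cat /proc/mounts)" "$(dmesg 2>/dev/null)"
else
    echo "hybrid, before first container: $(cgroup2_match_verdict "$SAMPLE_MOUNTS_HYBRID" "$SAMPLE_DMESG_CLEAN")"
    echo "hybrid, after notice logged:    $(cgroup2_match_verdict "$SAMPLE_MOUNTS_HYBRID" "$SAMPLE_DMESG_BROKEN")"
    echo "cgroup v2 only:                 $(cgroup2_match_verdict "$SAMPLE_MOUNTS_V2ONLY" "$SAMPLE_DMESG_CLEAN")"
fi
```

Run it with --live on a host to read the real /proc/mounts and dmesg. The "at-risk" verdict is the state the reporter's hybrid-mode host is in before the first container starts: matching still works, but it depends on nothing ever creating child cgroups under the v1 net_cls/net_prio hierarchy. The reporter's observation that only a reboot restored matching is consistent with the notice being a one-way switch on this kernel, so the useful control is to avoid the precondition: boot with a unified (cgroup v2 only) hierarchy, which is what the "ok" sample shows, so no v1 net_cls/net_prio hierarchy exists for a container runtime to populate.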

@cosbor11

What was the cause, @springzfx?

@n1vgabay

@springzfx I'll be happy to get some info regarding this error and docker network issues in general. It would be appreciated.
