-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Firewalld zones interface removal is not permanent #43440
Comments
Great description! :) While this may seem harmless, it causes unwanted NAT hairpinning inside Docker networks due to duplicate rules in iptables
|
My workaround for the aformentioned issue was to write a small script to prune "zombie" interfaces... It looks like:
Notice how I had to stop the Docker daemon, because it seems to keep track of the "zombie" interface and it would re-add the NIC to the "docker" zone as soon as you reload firewalld ( To me, this demonstrate that the bug is in Docker, not in firewalld. Reproduced with last week's Docker version 20.10.19 |
Not sure who to ping for triage... @corhere ? Confirming that this is still reproducible with current releases:
Journalctl log outputSome logs from
Adding a network:
No logs for removing a network. Invoking a reload, logs are very similar to restarting the docker service, removed interface is logged:
Interface is present in Restart docker service, logs like shown originally, with existing networks but not the removed network. Firewalld still outputs the zone with the removed interface until invoking reload. Click to viewClient: Docker Engine - Community
Version: 24.0.1
API version: 1.43
Go version: go1.20.4
Git commit: 6802122
Built: Fri May 19 18:07:52 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.1
API version: 1.43 (minimum version 1.12)
Go version: go1.20.4
Git commit: 463850e
Built: Fri May 19 18:06:17 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.21
GitCommit: 3dce8eb055cbb6872793272b4f20ed16117344f8
runc:
Version: 1.1.7
GitCommit: v1.1.7-0-g860f061
docker-init:
Version: 0.19.0
GitCommit: de40ad0 docker infoClick to viewClient: Docker Engine - Community
Version: 24.0.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.10.4
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.18.1
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 3
Running: 3
Paused: 0
Stopped: 0
Images: 1
Server Version: 24.0.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 3dce8eb055cbb6872793272b4f20ed16117344f8
runc version: v1.1.7-0-g860f061
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.2.12-200.fc37.x86_64
Operating System: Fedora Linux 37 (Server Edition)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 947.4MiB
Name: vpc-fedora
ID: 91d9ebe9-0988-4d55-9030-e7cff48f5dd2
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false |
Perhaps @akerouanton, who's making his way through networking-related tickets an creating an inventory |
Description
It seems to me like dockers removal of firewalld zones interfaces is not permanent.
Steps to reproduce the issue:
# firewall-cmd --list-all --zone=docker
# docker network create test
# firewall-cmd --list-all --zone=docker
# docker network rm test
# firewall-cmd --list-all --zone=docker
# firewall-cmd --reload
# firewall-cmd --list-all --zone=docker
Only after rebooting the server the interface stopped appearing. Neither restarting docker or firewalld could solve the issue.
Describe the results you received:
After reloading firewalld, all previously deleted docker bridges appear in the firewalld docker zone interface list.
Describe the results you expected:
I expected that the interfaces were removed permanently and don't appear after a
firewall-cmd --reload
Additional information you deem important (e.g. issue happens only occasionally):
Output of
docker version
:Output of
docker info
:Additional environment details (AWS, VirtualBox, physical, etc.):
The server is an ubuntu 20.04 vm hosted on an openstack cluster.
The text was updated successfully, but these errors were encountered: