No networking in rootless docker with firewalld #43781
Labels: area/networking, area/rootless, kind/bug
Description
When running the docker daemon rootless, it still attempts to detect and use firewalld. If it succeeds (more on that later), iptables rules for NAT (necessary for traffic to be routed out of the docker0 bridge) are set up in the host network namespace instead of the network namespace dockerd runs in, so networking doesn't work. This is what the traffic looks like on the slirp4netns tap0 in the dockerd namespace:
No reply, obviously: 172.17.0.2 is connected to the bridge and is meant to be masqueraded when forwarded to tap0.

Running `nsenter -U --preserve-credentials -n -m -t $(cat $XDG_RUNTIME_DIR/docker.pid) /usr/sbin/iptables-save` gives no output whatsoever, because there are no rules inside the net namespace.

Now the important bit: this issue can only be reproduced with recent godbus/dbus (5.0.5+) because versions before that fail to connect to dbus from inside the user namespace. This is because it's uid 0 in that namespace, it tells dbus it's uid 0 (`AUTH EXTERNAL 30\r\n`), and from dbus' point of view it's obviously not uid 0, so it rejects the connection, and dockerd thinks there's no firewalld and correctly uses iptables as it should inside a network namespace. This auth issue is fixed in godbus/dbus 5.0.5. The 20.10 branch of moby vendors godbus/dbus 5.0.3 so it isn't affected, but moby 22.06 and master vendor godbus/dbus 5.0.6 so the bug is reproducible there. I've also reproduced the issue with Debian's packaging of moby 20.10, which doesn't use the vendored godbus/dbus and is built against godbus/dbus 5.0.6 instead (and I've reported the issue to Debian as well).

tl;dr of the above: Not reproducible with 20.10.17, reproducible with 22.06 and master as of 2022-07-10, and also affects 20.10.14 in Debian which is built against godbus/dbus 5.0.6.
What I think the fix might look like: in libnetwork/iptables, firewalld should only be used when not running rootless, as it makes no sense to set up iptables rules in the host network namespace while the bridge is in another network namespace.
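The dbus authentication detail above is the crux of why the bug only appears with newer godbus/dbus. The following is an added illustration (not code from moby or godbus) that models the two real pieces involved: the D-Bus SASL EXTERNAL initial response (the client's uid as a decimal string, hex-encoded, so uid 0 becomes `30`) and the `/proc/<pid>/uid_map` format that decides which host uid dbus-daemon sees via SO_PEERCRED. The uid_map contents are constructed, and the "fixed client" path is modelled simply as a client that claims its host-visible uid; the exact mechanism used by godbus/dbus 5.0.5 is an assumption, not something this issue describes.

```python
from typing import Optional


def auth_external_line(uid: int) -> str:
    """Client's opening SASL line: the uid as decimal text, hex-encoded (0 -> '30')."""
    return "AUTH EXTERNAL " + str(uid).encode("ascii").hex() + "\r\n"


def parse_auth_external(line: str) -> int:
    """Recover the uid the client claims from an 'AUTH EXTERNAL <hex>' line."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or parts[0] != "AUTH" or parts[1] != "EXTERNAL":
        raise ValueError("not an AUTH EXTERNAL line with an initial response")
    return int(bytes.fromhex(parts[2]).decode("ascii"))


def uid_to_host(uid_map: str, uid: int) -> Optional[int]:
    """Translate a uid inside the user namespace to the host uid.

    uid_map lines are '<ns_start> <host_start> <length>' as in /proc/<pid>/uid_map.
    """
    for line in uid_map.strip().splitlines():
        ns_start, host_start, length = (int(x) for x in line.split())
        if ns_start <= uid < ns_start + length:
            return host_start + (uid - ns_start)
    return None  # unmapped: the host sees the overflow uid (nobody)


def dbus_server_verdict(auth_line: str, peer_host_uid: int) -> str:
    """dbus-daemon accepts EXTERNAL only if the claimed uid matches SO_PEERCRED."""
    claimed = parse_auth_external(auth_line)
    return "OK" if claimed == peer_host_uid else "REJECTED"


# Constructed uid_map of a rootless dockerd user namespace: uid 0 inside the
# namespace is the unprivileged host user 1000; 1..65536 come from /etc/subuid.
ROOTLESS_UID_MAP = "         0       1000          1\n         1     100000      65536\n"


def firewalld_probe_outcome(claimed_uid: int, uid_map: str = ROOTLESS_UID_MAP) -> str:
    """Which code path dockerd ends up on, given the uid its dbus client claims."""
    host_uid = uid_to_host(uid_map, 0)  # dockerd really is uid 0 inside its userns
    verdict = dbus_server_verdict(auth_external_line(claimed_uid), host_uid)
    if verdict == "REJECTED":
        return "no dbus -> no firewalld -> iptables inside netns (works)"
    return "dbus ok -> firewalld used -> NAT rules land in host netns (bug)"
```

`firewalld_probe_outcome(0)` models godbus/dbus before 5.0.5 (claims uid 0, gets rejected, networking works), while `firewalld_probe_outcome(1000)` models a client whose claim matches the host-visible uid, which is the path that reaches firewalld and triggers this bug.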
Steps to reproduce the issue:
1. dockerd-rootless-setuptool.sh
2. debian:testing
3. apt update

Describe the results you received:
fails after it realises it can't resolve any hostnames
Describe the results you expected:
internet works
Additional information you deem important (e.g. issue happens only occasionally):
There's a workaround which involves bind-mounting /dev/null over /run/dbus/system_bus_socket and hoping nothing else breaks.
Output of docker version:
Output of docker info:
Additional environment details (AWS, VirtualBox, physical, etc.):
Reproduced on both my laptop and in a VM (debian testing image from vagrant), using both the version of docker.io shipped with Debian and binaries freshly built from this repo today. Not reproduced when using the packages from https://download.docker.com/linux/debian as those are built with the older vendored godbus/dbus.