With iptables=false dockerd still creates DOCKER-USER chain and rules #35777

Closed
robnagler opened this issue Dec 12, 2017 · 4 comments · Fixed by #39054
Comments

@robnagler

Description

When iptables=false, dockerd still creates an iptables chain and rules:

-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN

Steps to reproduce the issue:

  1. Fresh install of docker, set iptables=false in daemon.json or systemd unit file
  2. systemctl start docker

Describe the results you received:

After starting dockerd, iptables -S produces:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN

Describe the results you expected:

iptables -S should produce:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Additional information you deem important (e.g. issue happens only occasionally):

Repeatable.

Output of docker version:

Client:
 Version:      17.09.1-ce
 API version:  1.32
 Go version:   go1.8.3
 Git commit:   19e2cf6
 Built:        Thu Dec  7 22:23:40 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.09.1-ce
 API version:  1.32 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   19e2cf6
 Built:        Thu Dec  7 22:25:03 2017
 OS/Arch:      linux/amd64
 Experimental: false

Output of docker info:

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 17.09.1-ce
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: journald
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
runc version: 3f2f8b84a77f73d38244dd690525642a72156c64
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-693.11.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 40
Total Memory: 62.71GiB
Name: fnl4b.bivio.biz
ID: PWPC:6VWA:6HIQ:K5MV:G2CK:TIHG:PSLM:HB73:DXXM:DQCI:2A4R:IFLC
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: true

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Additional environment details (AWS, VirtualBox, physical, etc.):

physical CentOS 7 box:

Linux fnl4b.bivio.biz 3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4 23:52:40 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
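An added example, not part of the report above: a small POSIX sh check that a host administrator can run after `systemctl start docker` to confirm whether dockerd honoured `iptables=false`. It reads the `iptables -S` output (here a constructed copy of the rules quoted in the report) and the daemon.json contents, and fails when Docker-managed chains or rules are present although iptables management was switched off. The function names and the samples are my own; the live invocation at the end assumes the stock paths `/etc/docker/daemon.json` and an `iptables` binary on PATH.

```shell
#!/bin/sh
# Added example: detect dockerd touching the filter table despite "iptables": false.
# Not code from the issue or from Docker; helper names are my own.

# Constructed sample: the filter table the reporter observed after starting dockerd.
SAMPLE_BUGGY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN'

# Constructed sample: what the reporter expected to see.
SAMPLE_CLEAN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample daemon.json with the setting from the report.
SAMPLE_DAEMON_JSON='{ "iptables": false }'

# Reads `iptables -S` output on stdin and prints how many chain definitions (-N)
# and rules (-A) mention a Docker-managed chain (DOCKER, DOCKER-USER, ...).
# grep -c prints 0 and exits 1 on no match, so the `|| true` keeps the count usable under set -e.
count_docker_rules() {
    grep -cE '^-[NA] .*DOCKER' || true
}

# Reads daemon.json on stdin; exits 0 when "iptables" is explicitly set to false.
daemon_iptables_disabled() {
    grep -qE '"iptables"[[:space:]]*:[[:space:]]*false'
}

# audit_iptables_setting <daemon.json contents> <iptables -S output>
# Exits 0 when the observed rules are consistent with the configured setting,
# 1 when dockerd added Docker chains or rules although iptables=false was configured.
audit_iptables_setting() {
    _json=$1
    _rules=$2
    if ! printf '%s\n' "$_json" | daemon_iptables_disabled; then
        return 0   # iptables management is on, so Docker chains are expected
    fi
    _n=$(printf '%s\n' "$_rules" | count_docker_rules)
    if [ "$_n" -gt 0 ]; then
        printf 'iptables=false but %s Docker chain/rule line(s) present:\n' "$_n" >&2
        printf '%s\n' "$_rules" | grep -E '^-[NA] .*DOCKER' >&2
        return 1
    fi
    return 0
}

# Live use on a host (assumed paths; not executed here):
#   audit_iptables_setting "$(cat /etc/docker/daemon.json)" "$(iptables -S)"
# Add `-t nat` to the iptables call to audit the nat table the same way.
```

Run it as a post-start health check; a non-zero exit with the offending `-N`/`-A` lines on stderr is the signal that the daemon created chains it was configured not to manage, which matters on hosts where an external firewall (ufw, firewalld, hand-written rules) owns the FORWARD chain.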

@rvRamakrishnan

I am observing the same issue in Docker versions 17.06.2 and 17.12.0 as well. Are there any recent updates on this issue? Thanks

@TheRealAstroboy

TheRealAstroboy commented Jan 11, 2018

I am observing the same issue in Docker versions 17.06.2 and 17.12.0 as well. Are there any recent updates on this issue?

Debian Stretch (9) running UFW:

sudo docker version result:

Client:
 Version:       17.12.0-ce
 API version:   1.35
 Go version:    go1.9.2
 Git commit:    c97c6d6
 Built: Wed Dec 27 20:11:19 2017
 OS/Arch:       linux/amd64

Server:
 Engine:
  Version:      17.12.0-ce
  API version:  1.35 (minimum version 1.12)
  Go version:   go1.9.2
  Git commit:   c97c6d6
  Built:        Wed Dec 27 20:09:54 2017
  OS/Arch:      linux/amd64
  Experimental: false

sudo docker info result:

Containers: 3
 Running: 2
 Paused: 0
 Stopped: 1
Images: 12
Server Version: 17.12.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.0-4-amd64
Operating System: Debian GNU/Linux 9 (stretch)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 3.77GiB
Name: XXXXXXXXXXXXXXXXXX
ID: XWJT:GRWP:K36B:KXZM:F7N3:PYE3:WWP4:JCTQ:BK5O:LJON:VNPR:M4OP
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 35
 Goroutines: 45
 System Time: 2018-01-11T11:54:30.15158472+01:00
 EventsListeners: 0
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

/etc/docker/daemon.json:

{ "iptables": false, "dns": ["80.67.169.12", "80.67.169.40"], "debug":true }

sudo iptables -L -n -t nat result:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.19.0.0/16        0.0.0.0/0
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
MASQUERADE  all  --  172.18.0.0/16        0.0.0.0/0
MASQUERADE  tcp  --  172.18.0.2           172.18.0.2           tcp dpt:5601
MASQUERADE  all  --  10.8.0.0/24          0.0.0.0/0
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5601 to:172.18.0.2:5601

@GordonTheTurtle Same here with 7.12.0-ce :°-(

@tianon
Member

tianon commented Aug 14, 2018

Just for completeness, this is also filed over at docker/for-linux#136 (not sure if one or the other should be closed?)

@elboulangero
Contributor

This was also reported in the Debian bug reports, and is now a blocker for the buster release: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903635

thaJeztah added a commit to thaJeztah/docker that referenced this issue Jun 25, 2019

full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby#28689 Embedded DNS is case-sensitive
  - addresses moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Jun 27, 2019

full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby/moby#28689 Embedded DNS is case-sensitive
  - addresses moby/moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 344b093258fcb2195fa393081e5224a6c766c798
Component: engine

thaJeztah added a commit to thaJeztah/docker that referenced this issue Sep 16, 2019

full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby#28689 Embedded DNS is case-sensitive
  - addresses moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 344b093)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Sep 17, 2019

full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby/moby#28689 Embedded DNS is case-sensitive
  - addresses moby/moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 344b093258fcb2195fa393081e5224a6c766c798)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: f3e1aff81df959e9178433b77e7f3364c22aee59
Component: engine

burnMyDread pushed a commit to burnMyDread/moby that referenced this issue Oct 21, 2019

full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby#28689 Embedded DNS is case-sensitive
  - addresses moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: zach <Zachary.Joyner@linux.com>

thaJeztah added a commit to thaJeztah/docker that referenced this issue Nov 7, 2019

full diff: moby/libnetwork@0025177...90afbb0

includes:

- docker/libnetwork#/2459 Fix Error Check in NewNetwork
- docker/libnetwork#/2466 Revert "Merge pull request moby#2339 from phyber/iptables-check"
    - reverts docker/libnetwork#/2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
    - re-opens moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
    - re-opens moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
    - re-opens docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Nov 8, 2019

full diff: moby/libnetwork@0025177...90afbb0

includes:

- docker/libnetwork#/2459 Fix Error Check in NewNetwork
- docker/libnetwork#/2466 Revert "Merge pull request #2339 from phyber/iptables-check"
    - reverts docker/libnetwork#/2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
    - re-opens moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
    - re-opens moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
    - re-opens docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 9cf349d0f80d2399cdfad0321e0f181c2e7efa17
Component: engine
7 participants