Processed: Re: Bug#903635: This is RC; breaks unrelated software
Processing commands for cont...@bugs.debian.org:

> clone 903635 -1
Bug #903635 [docker.io] docker.io: Modifies iptables despite --iptables=false
Bug 903635 cloned as bug 930302
> retitle -1 installing and starting docker changes iptables FORWARD policy, breaking unrelated things
Bug #930302 [docker.io] docker.io: Modifies iptables despite --iptables=false
Changed Bug title to 'installing and starting docker changes iptables FORWARD policy, breaking unrelated things' from 'docker.io: Modifies iptables despite --iptables=false'.
> severity 903635 important
Bug #903635 [docker.io] docker.io: Modifies iptables despite --iptables=false
Severity set to 'important' from 'critical'
> found 903635 18.09.1+dfsg1-7
Bug #903635 [docker.io] docker.io: Modifies iptables despite --iptables=false
Marked as found in versions docker.io/18.09.1+dfsg1-7.
> found -1 18.09.1+dfsg1-7
Bug #930302 [docker.io] installing and starting docker changes iptables FORWARD policy, breaking unrelated things
Marked as found in versions docker.io/18.09.1+dfsg1-7.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
903635: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903635
930302: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930302
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#903635: This is RC; breaks unrelated software
clone 903635 -1
retitle -1 installing and starting docker changes iptables FORWARD policy, breaking unrelated things
severity 903635 important
found 903635 18.09.1+dfsg1-7
found -1 18.09.1+dfsg1-7
thanks

On Mon, Jun 10, 2019 at 01:27:45AM +0800, Shengjing Zhu wrote:
> Could you provide more info about "changed my FORWARD chain policy to DROP"?

In a fresh test Buster installation. Before:

# iptables -L | grep FORWARD
Chain FORWARD (policy ACCEPT)
# dpkg -l docker.io
dpkg-query: no packages found matching docker.io
# apt install -y docker.io

After:

# iptables -L | grep FORWARD
Chain FORWARD (policy ACCEPT)
# systemctl start docker
# iptables -L | grep FORWARD
Chain FORWARD (policy DROP)

So: Installing (*and* starting) Docker, with no other configuration steps performed by the user, changes the FORWARD table policy, which breaks e.g. any running VMs on the host.

> I added `"iptables": false` to `/etc/docker/daemon.json`. Then rebooted my laptop. Then ran `iptables-save`.

Setting that does stop this from happening, yes. If this was the package default that would resolve the issue I have. But that would not address the original filer's issue (unnecessary chain DOCKER-USER creation, which I can reproduce). I should have filed a separate issue really, sorry. I've cloned now.

--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄
Bug#903635: This is RC; breaks unrelated software
Hi Jonathan,

On Wed, Apr 24, 2019 at 08:04:43PM +0100, Jonathan Dowland wrote:
> severity 903635 critical
> thanks
>
> Justification: "makes unrelated software on the system (or the whole system)
> break"
>
> Installing docker.io changed my FORWARD chain policy to DROP, breaking
> networking for unrelated virsh-based VMs that I had installed on the machine at
> the time. This matches exactly the text for severity: serious.

Could you provide more info about "changed my FORWARD chain policy to DROP"?

I added `"iptables": false` to `/etc/docker/daemon.json`. Then rebooted my laptop. Then ran `iptables-save`. The result is

```
# Generated by xtables-save v1.8.2 on Mon Jun 10 01:22:35 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Mon Jun 10 01:22:35 2019
```

The FORWARD policy is ACCEPT. The original bug is right that docker still adds an empty chain when iptables=false is set. But IMHO your justification is not real.

--
Shengjing Zhu
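A small check for the behaviour discussed in the two messages above (the FORWARD policy flipping to DROP after `systemctl start docker`, and the empty DOCKER-USER chain that remains even with `"iptables": false`). This is an added example, not code from the bug report or from the docker.io package; the function names are mine, and the two iptables-save samples are constructed, the first modelled on Shengjing Zhu's output above and the second on a default daemon configuration.

```shell
#!/bin/sh
# Added example: parse iptables-save output and report the filter table's
# FORWARD policy and whether Docker has created a DOCKER-USER chain.

# Constructed sample: host with "iptables": false in /etc/docker/daemon.json
# (modelled on the output posted in this thread). Policy stays ACCEPT but the
# empty DOCKER-USER chain is still created.
SAMPLE_IPTABLES_FALSE='# Generated by xtables-save v1.8.2
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT'

# Constructed sample: host where a started docker daemon with default
# settings has changed the FORWARD policy to DROP.
SAMPLE_DEFAULT='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
:DOCKER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# forward_policy: read iptables-save text on stdin and print the policy of the
# filter table's FORWARD chain (ACCEPT, DROP, ...), or UNKNOWN if absent.
# Only the *filter table is inspected; other tables also have chains.
forward_policy() {
    awk '
        /^\*/ { table = substr($1, 2) }
        table == "filter" && $1 == ":FORWARD" { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }
    '
}

# has_docker_user_chain: exit 0 if a DOCKER-USER chain is declared in the
# filter table of the iptables-save text read on stdin, 1 otherwise.
has_docker_user_chain() {
    awk '
        /^\*/ { table = substr($1, 2) }
        table == "filter" && $1 == ":DOCKER-USER" { found = 1 }
        END { exit !found }
    '
}

# check_host: run the check against the live ruleset. Needs root and
# iptables-save in PATH; returns non-zero if FORWARD is not ACCEPT.
check_host() {
    saved=$(iptables-save 2>/dev/null) || {
        echo "iptables-save failed (run as root?)" >&2
        return 2
    }
    policy=$(printf '%s\n' "$saved" | forward_policy)
    echo "filter FORWARD policy: $policy"
    if printf '%s\n' "$saved" | has_docker_user_chain; then
        echo "DOCKER-USER chain present"
    fi
    [ "$policy" = "ACCEPT" ]
}
```

Run `check_host` before and after `systemctl start docker` to reproduce the comparison Jonathan posted without relying on `iptables -L` output formatting; a non-zero exit means forwarding for bridged VMs or other unrelated traffic is now subject to a DROP default.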
Bug#903635: This is RC; breaks unrelated software
On Wed, Apr 24, 2019 at 08:04:43PM +0100, Jonathan Dowland wrote:
> Installing docker.io changed my FORWARD chain policy to DROP, breaking
> networking for unrelated virsh-based VMs that I had installed on the machine at
> the time. This matches exactly the text for severity: serious.

Sorry that should obviously have read "severity: critical".

--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄
Bug#903635: This is RC; breaks unrelated software
Looks like a fix was proposed at:
https://github.com/docker/libnetwork/pull/2339/files

However this fix didn't receive any feedback from upstream so far, and I'm not familiar with the docker codebase myself. So I'm a bit reluctant to import this patch. On the other hand, after a quick look the patch looks pretty straightforward and harmless. Maybe someone else wants to have a look at this patch and give some feedback?

On Wed, 24 Apr 2019 20:04:43 +0100 Jonathan Dowland wrote:
> severity 903635 critical
> thanks
>
> Justification: "makes unrelated software on the system (or the whole system) break"
>
> Installing docker.io changed my FORWARD chain policy to DROP, breaking
> networking for unrelated virsh-based VMs that I had installed on the machine at
> the time. This matches exactly the text for severity: serious.
>
> --
>
> ⢀⣴⠾⠻⢶⣦⠀
> ⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
> ⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
> ⠈⠳⣄