Bug#1058795: installing docker.io makes all qemu guests lose internet connection

2023-12-29 Thread Wolfgang Rohdewald
On Friday, 29.12.2023 at 02:46 +0800, Shengjing Zhu wrote:
> On Tue, Dec 26, 2023 at 5:48 AM Michael Tokarev  wrote:
> > 
> > On Sat, 16 Dec 2023 14:54:32 +0100 Wolfgang Rohdewald wrote:
> > > Package: docker.io
> > > Version: 20.10.24+dfsg1-1+b3
> > > Severity: critical
> > > Justification: breaks unrelated software
> > > 
> > > Dear Maintainer,
> > > 
> > >    * What led up to the situation?
> > > 
> > > installed docker.io with existing qemu guests in bridge mode, did not do
> > > anything else.
> > 
> > This seems to be because docker includes some firewall rules which do not
> > play nice with existing firewall rules.  For example, in my case I use
> > nftables, and after docker.io is installed, I had to
> > 
> 
> Does the suggestion on
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865975 help?

In my original post, I showed a solution for my situation. But that is out
of the scope of this bug report.

To repeat: Installing docker.io breaks unrelated software. Even before
using docker.io, the installation process by itself breaks unrelated software.

If maintainers really think this is acceptable behaviour, IMHO the preinst script
MUST show a big fat warning BEFORE docker.io is installed. And maybe offer choices
for solutions.

-- 
Kind regards

Wolfgang Rohdewald



Bug#1058795: installing docker.io makes all qemu guests lose internet connection

2023-12-28 Thread Shengjing Zhu
On Tue, Dec 26, 2023 at 5:48 AM Michael Tokarev  wrote:
>
> On Sat, 16 Dec 2023 14:54:32 +0100 Wolfgang Rohdewald wrote:
> > Package: docker.io
> > Version: 20.10.24+dfsg1-1+b3
> > Severity: critical
> > Justification: breaks unrelated software
> >
> > Dear Maintainer,
> >
> >    * What led up to the situation?
> >
> > installed docker.io with existing qemu guests in bridge mode, did not do
> > anything else.
>
> This seems to be because docker includes some firewall rules which do not
> play nice with existing firewall rules.  For example, in my case I use
> nftables, and after docker.io is installed, I had to
>

Does the suggestion on
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865975 help?
TLDR, please enable net.ipv4.ip_forward before starting docker.

-- 
Shengjing Zhu



Bug#1058795: installing docker.io makes all qemu guests lose internet connection

2023-12-25 Thread Michael Tokarev

On Sat, 16 Dec 2023 14:54:32 +0100 Wolfgang Rohdewald wrote:

Package: docker.io
Version: 20.10.24+dfsg1-1+b3
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

   * What led up to the situation?

installed docker.io with existing qemu guests in bridge mode, did not do
anything else.


This seems to be because docker includes some firewall rules which do not
play nice with existing firewall rules.  For example, in my case I use
nftables, and after docker.io is installed, I had to

  rmmod xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype nft_compat br_netfilter

in order to make my bridge work again.  It isn't only qemu guests which
are broken, it's everything connected to the host bridge besides the host
itself, e.g. nspawn containers.

/mjt



Bug#1058795: installing docker.io makes all qemu guests lose internet connection

2023-12-16 Thread Wolfgang Rohdewald
Package: docker.io
Version: 20.10.24+dfsg1-1+b3
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

   * What led up to the situation?

installed docker.io with existing qemu guests in bridge mode, did not do
anything else.

   * What was the outcome of this action?

qemu guests lost internet

   * What outcome did you expect instead?

qemu guests should still have internet OR the installer should notice that
other bridge users already exist and show a big fat warning.
Also, uninstalling docker.io should restore the original situation which it
does not.


In dmesg I found

Bridge firewalling registered
Initializing XFRM netlink socket

It seems this is what docker.io does.

I can fix the problem by disabling sysctl net.bridge.bridge-nf-call-{ip6tables,iptables,arptables}
Found the solution here:
https://wiki.libvirt.org/Net.bridge.bridge-nf-call_and_sysctl.conf.html

apt remove --purge does NOT fix the problem, an additional reboot is needed.

In the attachment please find networking info before installing docker.io


-- System Information:
Debian Release: 12.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.61-169 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages docker.io depends on:
ii  adduser                    3.134
ii  containerd                 1.6.20~ds1-1+b1
ii  init-system-helpers        1.65.2
ii  iptables                   1.8.9-2
ii  libc6                      2.36-9+deb12u3
ii  libdevmapper1.02.1         2:1.02.185-2
ii  libsystemd0                252.19-1~deb12u1
ii  lsb-base                   11.6
ii  runc                       1.1.5+ds1-1+b1
ii  sysvinit-utils [lsb-base]  3.06-4
ii  tini                       0.19.0-1

Versions of packages docker.io recommends:
ii  apparmor         3.0.8-3
ii  ca-certificates  20230311
ii  cgroupfs-mount   1.4
ii  git              1:2.39.2-1.1
ii  needrestart      3.6-4
ii  xz-utils         5.4.1-0.2

Versions of packages docker.io suggests:
pn  aufs-tools
ii  btrfs-progs                6.2-1
ii  debootstrap                1.0.128+nmu2+deb12u1
pn  docker-doc
ii  e2fsprogs                  1.47.0-2
pn  rinse
pn  rootlesskit
ii  xfsprogs                   6.1.0-1
pn  zfs-fuse | zfsutils-linux

-- no debconf information
== ip r ==
default via 10.210.30.1 dev br0 onlink
10.210.30.0/24 dev br0 proto kernel scope link src 10.210.30.3
== ip a ==
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: lan0:  mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 50:eb:f6:2c:3f:74 brd ff:ff:ff:ff:ff:ff
3: br0:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1a:12:4d:40:d2:62 brd ff:ff:ff:ff:ff:ff
    inet 10.210.30.3/24 brd 10.210.30.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::1812:4dff:fe40:d262/64 scope link
       valid_lft forever preferred_lft forever
4: vnet0:  mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:51:71:5c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe51:715c/64 scope link
       valid_lft forever preferred_lft forever
5: vnet1:  mtu 1500 qdisc noqueue master br0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:7f:ef:9d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe7f:ef9d/64 scope link
       valid_lft forever preferred_lft forever
== ifconfig -a ==
br0: flags=4163  mtu 1500
        inet 10.210.30.3  netmask 255.255.255.0  broadcast 10.210.30.255
        inet6 fe80::1812:4dff:fe40:d262  prefixlen 64  scopeid 0x20
        ether 1a:12:4d:40:d2:62  txqueuelen 1000  (Ethernet)
        RX packets 42346  bytes 6405978 (6.1 MiB)
        RX errors 0  dropped 375  overruns 0  frame 0
        TX packets 28794  bytes 237355775 (226.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lan0: flags=4163  mtu 1500
        ether 50:eb:f6:2c:3f:74  txqueuelen 1000  (Ethernet)
        RX packets 44272  bytes 8116108 (7.7 MiB)
        RX errors 0  dropped 18  overruns 0  frame 0
        TX packets 179833  bytes 247674510 (236.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000
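As an added example (not code from the bug report or from the docker.io package), a small POSIX sh script that checks a host for the condition this thread describes: br_netfilter loaded, net.bridge.bridge-nf-call-iptables=1 so that frames crossing br0 traverse the host's iptables FORWARD chain, and a DROP policy on that chain silencing every bridge port. The decision function takes its inputs as arguments so it can be exercised offline; live_check, the sysctl drop-in file name and the FORWARD-policy-DROP detail (a known Docker behaviour, not something the thread spells out) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report: decide whether frames crossing a
# Linux bridge will be filtered by the host's iptables FORWARD chain. That is
# the combination the thread describes: br_netfilter loaded by docker.io,
# net.bridge.bridge-nf-call-iptables=1, and a FORWARD chain whose policy is DROP.

# Pure decision logic, runnable without root or a real bridge:
#   $1 = value of bridge-nf-call-iptables ("0", "1", or "" if br_netfilter is absent)
#   $2 = iptables FORWARD chain policy ("ACCEPT" or "DROP")
#   $3 = space-separated ports enslaved to the bridge (e.g. "lan0 vnet0 vnet1")
# Prints one verdict line; returns 0 when bridged traffic is at risk, 1 otherwise.
bridge_filter_risk() {
    nfcall=$1; policy=$2; members=$3
    [ -n "$members" ] || { echo "no bridge ports: nothing to break"; return 1; }
    [ "$nfcall" = "1" ] || { echo "bridge-nf-call-iptables is off: bridged frames bypass iptables"; return 1; }
    [ "$policy" = "DROP" ] || { echo "FORWARD policy is ${policy:-unknown}: bridged frames still pass"; return 1; }
    echo "RISK: bridged frames from [$members] hit FORWARD with policy DROP"
    return 0
}

# Collect the live values on a real host (assumes /proc/sys, /sys/class/net and
# iptables are available; iptables needs root).
live_check() {
    br=${1:-br0}
    nfcall=$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)
    policy=$(iptables -S FORWARD 2>/dev/null | awk '/^-P FORWARD/ { print $3 }')
    members=$(ls "/sys/class/net/$br/brif" 2>/dev/null | tr '\n' ' ')
    bridge_filter_risk "$nfcall" "$policy" "${members% }"
}

# The sysctl fix the reporter used, as a persistent drop-in. The file name is a
# hypothetical choice; these keys only exist once br_netfilter is loaded, so the
# module must be loaded before sysctl applies the file (e.g. via modules-load.d).
print_mitigation() {
    cat <<'EOF'
# /etc/sysctl.d/99-bridge-nf.conf
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
}

if [ "${1:-}" = "--live" ]; then
    live_check "${2:-br0}"
fi
```

Run it with `--live [bridge]` as root on the host to test the real values; without arguments it only defines the functions.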