Control: forwarded -1 https://github.com/moby/moby/issues/43781

On Sat, Jul 9, 2022 at 3:57 PM Tomas Janousek <t...@nomi.cz> wrote:
>
> Package: docker.io
> Version: 20.10.14+dfsg1-1+b1
> Severity: normal
>
> Dear Maintainer,
>
> When running the docker daemon rootless, it still attempts to detect and
> use firewalld. If it succeeds (and with the godbus/dbus Debian builds
> against, it does; more on that later), iptables rules for NAT (necessary
> for traffic to be routed out of the docker0 bridge) are set up in the
> host network namespace instead of the network namespace dockerd runs in,
> so networking doesn't work. This is what the traffic looks like on the
> slirp4netns tap0 in the dockerd namespace:
>
>      15:30:41.600319 IP 172.17.0.2.52323 > 10.0.2.3.53: 1825+ A? deb.debian.org. (32)
>      15:30:41.606028 ARP, Request who-has 172.17.0.2 tell 10.0.2.2, length 28
>
> No reply, obviously, 172.17.0.2 is connected to the bridge, it's meant
> to be masqueraded when forwarded to tap0.
>
> Running
>
>      nsenter -U --preserve-credentials -n -m -t $(cat $XDG_RUNTIME_DIR/docker.pid) /usr/sbin/iptables-save
>
> gives no output whatsoever, because there are no rules inside the net namespace.
>
> Now the important bit: this issue can only be reproduced with
> godbus/dbus 5.0.5+ which it's built against in Debian, but docker/moby
> upstream vendors 5.0.3 so the issue isn't reproducible with their
> builds. The reason older godbus/dbus "works" is because it fails to
> connect to dbus from inside the _user_ namespace. This is because it's
> uid 0 in that namespace, it tells dbus it's uid 0 (AUTH EXTERNAL
> 30\r\n), and from dbus' point of view it's obviously not uid 0, so it
> rejects the connection, and dockerd thinks there's no firewalld and
> correctly uses iptables as it should inside a network namespace.
> But this auth issue is "fixed" in godbus/dbus 5.0.5
> (https://github.com/godbus/dbus/pull/265), so if docker is built with
> that (it is in Debian), network doesn't work inside any containers.
>
> I've reported the issue upstream nonetheless: 
> https://github.com/moby/moby/issues/43781,
> as I believe firewalld detection shouldn't be attempted at all when
> running in rootless mode, as it makes no sense to set up iptables rules
> in the host network namespace while the bridge is in another network
> namespace. It will probably (understandably) be low-priority for them
> since it happens to work fine with the version of godbus/dbus they
> vendor in the moby repo. So it might be worth coming up with a fix in
> Debian, as it's Debian packaging of docker breaking things now.
>

Thanks for the detailed report!

I just checked that Docker 22.06 has bumped godbus to 5.0.6,
https://github.com/moby/moby/blob/22.06/vendor.mod
So it would be an issue for upstream too.

We will backport the patch if they fix it in the 22.06 branch.

-
Shengjing Zhu
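To make the uid mismatch in the report concrete, here is an added Go diagnostic (not code from docker, godbus or the Debian package) that maps a user-namespace uid through /proc/self/uid_map and builds the D-Bus EXTERNAL auth line for both the uid the daemon believes it has and the uid the host-side dbus-daemon actually sees; the uid_map contents are a constructed sample assuming the usual rootless layout (inner uid 0 mapped to host uid 1000).

```go
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Constructed /proc/self/uid_map as seen inside a typical rootless dockerd user namespace (assumed layout).
const uidMapSample = "0 1000 1\n1 100000 65536\n"

// mapUID translates a uid inside the user namespace to the host uid that a
// process outside it (such as the system dbus-daemon) sees via SO_PEERCRED.
func mapUID(uidMap string, nsUID uint64) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(uidMap))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			continue
		}
		inner, e1 := strconv.ParseUint(f[0], 10, 64)
		outer, e2 := strconv.ParseUint(f[1], 10, 64)
		count, e3 := strconv.ParseUint(f[2], 10, 64)
		if e1 != nil || e2 != nil || e3 != nil {
			return 0, fmt.Errorf("malformed uid_map line %q", sc.Text())
		}
		if nsUID >= inner && nsUID < inner+count {
			return outer + (nsUID - inner), nil
		}
	}
	return 0, fmt.Errorf("uid %d is not mapped in this namespace", nsUID)
}

// authExternal builds the D-Bus EXTERNAL auth line: the decimal uid is hex-encoded, so uid 0 yields "AUTH EXTERNAL 30".
func authExternal(uid uint64) string {
	return "AUTH EXTERNAL " + hex.EncodeToString([]byte(strconv.FormatUint(uid, 10)))
}

func main() {
	raw, err := os.ReadFile("/proc/self/uid_map") // real map when run on Linux
	if err != nil {
		raw = []byte(uidMapSample) // otherwise fall back to the constructed sample
	}
	host, err := mapUID(string(raw), 0) // host uid behind in-namespace uid 0
	fmt.Println("claimed by daemon:", authExternal(0), "| peer credential dbus checks:", host, err)
}
```

Running it from inside the rootless daemon's user namespace (for example via the nsenter command quoted above, without -n and -m) shows a non-zero host uid, which is why the older godbus's `AUTH EXTERNAL 30` is rejected and firewalld detection used to fail harmlessly.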
