Docker - firewalld errors

Issues related to applications and software problems
Przemas
Posts: 58
Joined: 2015/07/22 11:32:28

Docker - firewalld errors

Postby Przemas » 2017/03/20 21:57:33

While I was trying to get network discovery working, I noticed some Docker errors reported by firewalld. Here's a sample:


# systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since pon 2017-03-20 20:51:20 CET; 2h 3min ago
     Docs: man:firewalld(1)
 Main PID: 1289 (firewalld)
   Memory: 38.2M
   CGroup: /system.slice/firewalld.service
           └─1289 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8' failed:
mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:
mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION' failed:
mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed:
mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed:
mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed:
mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' failed:
mar 20 20:51:30 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' failed:
mar 20 20:51:30 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed:
mar 20 20:51:30 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:


Should I worry about that?

mathiasringhof
Posts: 1
Joined: 2017/07/16 18:33:05

Re: Docker - firewalld errors

Postby mathiasringhof » 2017/07/16 20:10:31

I'm facing the exact same thing on a new install of CentOS 7.3. As far as I can tell, firewalld works as expected (ports to containers are blocked unless I open them), but I've only briefly dabbled in Docker.

I found lots of older references, but the main difference is that there is no specific error message after the colon.


2017-07-16 20:33:36 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:

I checked both journalctl and /var/log/firewalld.

Enabling debug=4 doesn't help (me) either:


2017-07-16 20:33:36 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:
2017-07-16 20:33:36 DEBUG1: direct.passthrough('ipv4', '-I','FORWARD','-o','docker0','-j','DOCKER')
2017-07-16 20:33:36 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables -w2 -I FORWARD -o docker0 -j DOCKER
2017-07-16 20:33:36 DEBUG1: direct.passthrough('ipv4', '-t','filter','-C','FORWARD','-j','DOCKER-ISOLATION')
2017-07-16 20:33:36 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION
2017-07-16 20:33:36 DEBUG1: direct.passthrough('ipv4', '-D','FORWARD','-j','DOCKER-ISOLATION')
2017-07-16 20:33:36 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables -w2 -D FORWARD -j DOCKER-ISOLATION
2017-07-16 20:33:36 DEBUG1: direct.passthrough('ipv4', '-I','FORWARD','-j','DOCKER-ISOLATION')
2017-07-16 20:33:36 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables -w2 -I FORWARD -j DOCKER-ISOLATION


Based on the fact that I can't find a lot of information about the issue, I can only assume it's not serious, but still, I would love to understand what is happening and why there's no error message...

Thanks!
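A triage script for the warnings shown in both posts above, added here as an example; it is not code from the thread, from firewalld or from Docker. It relies on two documented facts about iptables: `-C` (check) exits non-zero when no matching rule exists, and `-D` (delete) exits non-zero when there is nothing to delete. The debug trace in the second post shows Docker's passthrough sequence per rule (check, delete, insert), so a failed check or delete is exactly what you expect while Docker is (re)creating rules that are not there yet. The script parses each COMMAND_FAILED line, separates failed probes from failed state changes (insert, append, new chain, and so on), and reports only the latter, which are the ones that leave the firewall in a shape Docker does not expect. The sample log is built from lines in the two posts plus one constructed line (a failed `-I POSTROUTING ... MASQUERADE`) that exercises the non-benign path.

```python
"""Triage firewalld COMMAND_FAILED warnings produced by Docker's iptables passthrough."""
import re
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches both the journalctl form ("... firewalld[1289]: WARNING: COMMAND_FAILED: '...' failed: ...")
# and the /var/log/firewalld form ("2017-07-16 20:33:36 WARNING: COMMAND_FAILED: '...' failed: ...").
_FAILED_RE = re.compile(r"COMMAND_FAILED: '(?P<cmd>[^']*)' failed:\s*(?P<msg>.*)$")

# Operations that only probe or remove state: iptables exits non-zero when the
# rule is simply not present, which is normal while Docker (re)builds its rules.
_PROBE_OPS = {"-C", "--check", "-D", "--delete"}
# Operations that create or change state: a failure here means a rule Docker
# relies on (MASQUERADE, the DOCKER jump, ...) is actually missing.
_MUTATE_OPS = {"-I", "--insert", "-A", "--append", "-N", "--new-chain",
               "-R", "--replace", "-P", "--policy", "-F", "--flush",
               "-X", "--delete-chain"}


@dataclass
class Failure:
    table: str
    op: str
    chain: str
    target: Optional[str]
    message: str
    benign: bool
    raw: str


def parse_iptables(cmd: str) -> dict:
    """Extract table, operation, chain and jump target from an iptables command line."""
    argv = shlex.split(cmd)
    table, op, chain, target = "filter", None, None, None
    i = 1  # argv[0] is the iptables binary
    while i < len(argv):
        a = argv[i]
        if a in ("-t", "--table"):
            table = argv[i + 1]
            i += 2
        elif a == "-w" and i + 1 < len(argv) and argv[i + 1].isdigit():
            i += 2  # "-w 2" style lock wait
        elif re.fullmatch(r"-w\d*", a):
            i += 1  # "-w2" style lock wait, as in the log lines above
        elif a in _PROBE_OPS or a in _MUTATE_OPS:
            op = a
            if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                chain = argv[i + 1]
                i += 2
            else:
                i += 1
        elif a in ("-j", "--jump"):
            target = argv[i + 1]
            i += 2
        else:
            i += 1
    return {"table": table, "op": op, "chain": chain, "target": target}


def classify(line: str) -> Optional[Failure]:
    """Return a Failure for a COMMAND_FAILED line, None for any other log line."""
    m = _FAILED_RE.search(line)
    if not m:
        return None
    p = parse_iptables(m.group("cmd"))
    op = p["op"] or "?"
    return Failure(table=p["table"], op=op, chain=p["chain"] or "?", target=p["target"],
                   message=m.group("msg").strip(), benign=op in _PROBE_OPS, raw=m.group("cmd"))


def triage(lines: Iterable[str]) -> List[Failure]:
    """All COMMAND_FAILED entries, in log order."""
    return [f for f in map(classify, lines) if f is not None]


def needs_attention(lines: Iterable[str]) -> List[Failure]:
    """Only failures of state-changing operations (the ones worth investigating)."""
    return [f for f in triage(lines) if not f.benign]


# Sample input: lines quoted from the two posts, plus one constructed failure (last line)
# of an insert, to show what a genuinely missing rule looks like.
SAMPLE_LOG = [
    "mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8' failed:",
    "mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:",
    "mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed:",
    "mar 20 20:51:29 dualxeon.domek firewalld[1289]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed:",
    "2017-07-16 20:33:36 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:",
    "2017-07-16 20:33:36 DEBUG1: direct.passthrough('ipv4', '-I','FORWARD','-o','docker0','-j','DOCKER')",
    "2017-07-16 20:33:36 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables -w2 -I FORWARD -o docker0 -j DOCKER",
    # constructed, not from the thread:
    "2017-07-16 20:33:36 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -I POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        kind = "benign probe" if f.benign else "REAL FAILURE"
        print(f"{kind:12} table={f.table:6} op={f.op:3} chain={f.chain:11} target={f.target} {f.message}")
```

Run it against `journalctl -u firewalld` or `/var/log/firewalld` output piped in; an empty result from `needs_attention` means every warning was a check or delete of a rule that did not exist yet, and the rule set on the host is what Docker intended.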