https://bugzilla.redhat.com/show_bug.cgi?id=1033606
--- Comment #10 from Marek Goldmann mgoldman@redhat.com ---
(In reply to Josh Poimboeuf from comment #9)
> There should be more docker-related rules there. Is there a unit file that creates the docker0 device before docker starts? If so, remove it so that docker can create it and set up its iptables rules.
This is what I have:
$ systemctl list-units -a | grep docker
sys-devices-virtual-net-docker0.device loaded active plugged /sys/devices/virtual/net/docker0
sys-subsystem-net-devices-docker0.device loaded active plugged /sys/subsystem/net/devices/docker0
docker.service loaded inactive dead Docker container management daemon
And indeed, the docker0 interface is up, even when we stop the docker service.