https://bugzilla.redhat.com/show_bug.cgi?id=1036217
Bug ID: 1036217
Summary: docker-io doesn't work without firewalld
Product: Fedora
Version: 19
Component: docker-io
Assignee: lsm5@redhat.com
Reporter: m.a.young@durham.ac.uk
QA Contact: extras-qa@fedoraproject.org
CC: golang@lists.fedoraproject.org, lsm5@redhat.com, mattdm@redhat.com, mgoldman@redhat.com, vbatts@redhat.com

The recent changes to the docker.service systemd file won't work if firewalld isn't installed, and starts firewalld if it isn't running. This means a docker user is forced to use a particular firewall solution and can't choose to use alternate options. If this is really what is intended then the docker-io package should require the firewalld package. Otherwise I suggest you remove the Requires=firewalld.service line in the docker.service file or replace it with the weaker Wants=firewalld.service which will still try to start firewalld but doesn't block docker if it fails to start (eg. if it isn't installed).
--- Comment #1 from Lokesh Mandvekar lsm5@redhat.com ---
Michael, can you check if the unit file here works for you? https://bugzilla.redhat.com/show_bug.cgi?id=1033606#c36
--- Comment #2 from Michael Young m.a.young@durham.ac.uk ---
(In reply to Lokesh Mandvekar from comment #1)
> Michael, can you check if the unit file here works for you? https://bugzilla.redhat.com/show_bug.cgi?id=1033606#c36

That doesn't work, but the modified version below does work (systemd wants full paths for commands, and adding - at the start of the command tells systemd not to treat failure of that command as a failure of the whole unit).

[Unit]
Description=Docker container management daemon
Wants=firewalld.service
After=firewalld.service

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
ExecStartPost=-/usr/bin/firewall-cmd --add-masquerade
Restart=on-failure

[Install]
WantedBy=multi-user.target
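
Added example, not part of the original thread or the docker-io package: a small lint for the three points raised in the report and in comment #2 (Requires= versus Wants= on firewalld, full command paths, and the '-' prefix on a command that is allowed to fail). The sample units, the function name lint_unit and its optional_units/optional_tools defaults are assumptions made for illustration.

```python
import os

# Constructed sample: the directives the lint reads, with this bug's problems put back.
BROKEN_UNIT = """\
[Unit]
Requires=firewalld.service
After=firewalld.service
[Service]
ExecStartPre=sysctl -w net.ipv4.ip_forward=1
ExecStart=/usr/bin/docker -d
ExecStartPost=/usr/bin/firewall-cmd --add-masquerade
"""
# The same directives as they appear in the working unit from comment #2.
FIXED_UNIT = """\
[Unit]
Wants=firewalld.service
After=firewalld.service
[Service]
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
ExecStartPost=-/usr/bin/firewall-cmd --add-masquerade
"""

def lint_unit(text, optional_units=("firewalld.service",),
              optional_tools=("firewall-cmd",)):
    """Return (directive, problem) pairs; both optional_* defaults are assumptions."""
    findings, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if section == "Unit" and key == "Requires":
            findings += [(key, f"hard dependency on {u}; Wants= would not block startup")
                         for u in value.split() if u in optional_units]
        elif section == "Service" and key.startswith("Exec"):
            cmd = value.lstrip("@-:+!")   # strip systemd's special executable prefixes
            prefixes, argv = value[:len(value) - len(cmd)], cmd.split()
            if not argv:
                continue                  # empty assignment resets the list
            if not argv[0].startswith("/"):
                findings.append((key, f"{argv[0]}: not a full path"))
            if os.path.basename(argv[0]) in optional_tools and "-" not in prefixes:
                findings.append((key, f"{argv[0]}: failure fails the unit; prefix with '-'"))
    return findings

if __name__ == "__main__":
    for name, unit in (("broken", BROKEN_UNIT), ("fixed", FIXED_UNIT)):
        print(name, lint_unit(unit))
```
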
Fedora Update System updates@fedoraproject.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |MODIFIED

--- Comment #3 from Fedora Update System updates@fedoraproject.org ---
docker-io-0.7.0-12.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/docker-io-0.7.0-12.fc20
lnie lnie@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lnie@redhat.com

--- Comment #4 from lnie lnie@redhat.com ---
0.7.0-12 works fine
--- Comment #5 from Marek Goldmann mgoldman@redhat.com ---
+1 for "Wants". I was testing things and by accident showed Lokesh the wrong commit in which "Requires" was used.
--- Comment #6 from Fedora Update System updates@fedoraproject.org ---
docker-io-0.7.0-14.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/docker-io-0.7.0-14.fc20
Fedora Update System updates@fedoraproject.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|MODIFIED                    |ON_QA

--- Comment #7 from Fedora Update System updates@fedoraproject.org ---
Package docker-io-0.7.0-14.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing docker-io-0.7.0-14.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22580/docker-io-0.7.0-14...
then log in and leave karma (feedback).
Raman Gupta rocketraman@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rocketraman@gmail.com

--- Comment #8 from Raman Gupta rocketraman@gmail.com ---
The fix does not appear to be in Fedora 19?

# rpm -q --info docker-io | head -2
Name : docker-io
Version : 0.7.0

# cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker container management daemon
Wants=firewalld.service
After=firewalld.service

I use shorewall and ran into this issue on F19.
--- Comment #9 from Marek Goldmann mgoldman@redhat.com ---
(In reply to Raman Gupta from comment #8)
> The fix does not appear to be in Fedora 19?
>
> # rpm -q --info docker-io | head -2
> Name : docker-io
> Version : 0.7.0
>
> # cat /usr/lib/systemd/system/docker.service
> [Unit]
> Description=Docker container management daemon
> Wants=firewalld.service
> After=firewalld.service
>
> I use shorewall and ran into this issue on F19.

The fix is available in all Fedora (and EPEL) versions. The bug is about having "Requires=firewalld.service", which was changed to "Wants=firewalld.service" which is the expected instruction, and you see this in your service file.
What issue do you see? If you have firewalld installed - it will be started. If you use shorewall, uninstall firewalld.
--- Comment #10 from Raman Gupta rocketraman@gmail.com ---
(In reply to Marek Goldmann from comment #9)
> (In reply to Raman Gupta from comment #8)
> > I use shorewall and ran into this issue on F19.
>
> The fix is available in all Fedora (and EPEL) versions. The bug is about having "Requires=firewalld.service", which was changed to "Wants=firewalld.service" which is the expected instruction, and you see this in your service file.
>
> What issue do you see? If you have firewalld installed - it will be started. If you use shorewall, uninstall firewalld.

Thanks, you are exactly right: firewalld was installed but disabled, which was causing the issue. I have now uninstalled it. Thanks.
--- Comment #11 from Matthew Miller mattdm@redhat.com ---
You should also be able to disable firewalld completely with systemd mask firewalld service -- unfortunately, "disabled" does not actually mean what it seems like it might in systemd.
Fedora Update System updates@fedoraproject.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ON_QA                       |CLOSED
   Fixed In Version|                            |docker-io-0.7.0-14.fc20
         Resolution|---                         |ERRATA
        Last Closed|                            |2013-12-13 21:47:10

--- Comment #12 from Fedora Update System updates@fedoraproject.org ---
docker-io-0.7.0-14.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.