Skip to content

Firewalld zones interface removal is not permanent #43440

Open
Open
Firewalld zones interface removal is not permanent#43440
Labels
area/networkingNetworkingarea/networking/firewalldNetworkingarea/networking/firewallingNetworkingkind/bugBugs are bugs. The cause may or may not be known at triage time so debugging may be needed.
@jon4hz

Description

@jon4hz
jon4hz
opened on Mar 30, 2022

Description
It seems to me like dockers removal of firewalld zones interfaces is not permanent.

Steps to reproduce the issue:

  1. Check the current interfaces:
    # firewall-cmd --list-all --zone=docker
  2. Create a new network:
    # docker network create test
  3. A new bridge should be added to the interfaces:
    # firewall-cmd --list-all --zone=docker
  4. Remove the network:
    # docker network rm test
  5. The network should be removed here, too:
    # firewall-cmd --list-all --zone=docker
  6. Reload firewalld:
    # firewall-cmd --reload
  7. The previously deleted interface appears again:
    # firewall-cmd --list-all --zone=docker

Only after rebooting the server the interface stopped appearing. Neither restarting docker or firewalld could solve the issue.

Describe the results you received:
After reloading firewalld, all previously deleted docker bridges appear in the firewalld docker zone interface list.

root@server# firewall-cmd --list-all --zone=docker
docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-4be931ba093c docker0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
root@server# docker network create test
b3f9a7383f13b7ea814946d88e5251f54a6a05a2e875e20a89908a2c381bf072
root@server# firewall-cmd --list-all --zone=docker
docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-4be931ba093c br-b3f9a7383f13 docker0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
root@server# docker network rm test
test
root@server# firewall-cmd --list-all --zone=docker
docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-4be931ba093c docker0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
root@server# firewall-cmd --reload
success
root@server# firewall-cmd --list-all --zone=docker
docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-4be931ba093c br-b3f9a7383f13 docker0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
root@server# ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether fa:16:3e:be:11:3f brd ff:ff:ff:ff:ff:ff
3: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether fa:16:3e:87:1b:5e brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:a7:79:0d:cd brd ff:ff:ff:ff:ff:ff
5: br-4be931ba093c: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:03:6d:68:2b brd ff:ff:ff:ff:ff:ff
7: veth7b13b40@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-4be931ba093c state UP mode DEFAULT group default 
    link/ether 0e:57:aa:b2:f4:c0 brd ff:ff:ff:ff:ff:ff link-netnsid 0

Describe the results you expected:
I expected that the interfaces were removed permanently and don't appear after a firewall-cmd --reload

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client: Docker Engine - Community
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:45:33 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.12
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.12
  Git commit:       459d0df
  Built:            Mon Dec 13 11:43:42 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.12
  GitCommit:        7b11cfaabd73bb80907dd23182b9347b4245eb5d
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker info:

lient:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.7.1-docker)
  compose: Docker Compose (Docker Inc., v2.2.3)
  scan: Docker Scan (Docker Inc., v0.12.0)

Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 14
 Server Version: 20.10.12
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
 runc version: v1.0.2-0-g52b36a2
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-105-generic
 Operating System: Ubuntu 20.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 1.89GiB
 Name: funny-server-name
 ID: CU4J:VST2:CHFF:LJSG:7XHL:MWOR:7HKN:V5BP:JLDC:LZOK:K25K:QVAO
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):
The server is an ubuntu 20.04 vm hosted on an openstack cluster.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/networkingNetworkingarea/networking/firewalldNetworkingarea/networking/firewallingNetworkingkind/bugBugs are bugs. The cause may or may not be known at triage time so debugging may be needed.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions