docker/for-linux

docker breaks iptables cgroup path match

springzfx opened this issue · 3 comments

  • This is a bug report
  • This is a feature request
  • I searched existing issues before opening this one

Expected behavior

-m cgroup --path <CGROUP> is used in iptables to match a cgroup2 path.
For example, sudo iptables -A OUTPUT -m cgroup --path /test.slice -j REJECT will match packets from cgroup /test.slice and reject them.
This works well in default hybrid mode.
Though Docker uses cgroup v1, it shall not break this.

Actual behavior

  • First, start the docker service: cgroup2 path match works OK
  • Then start one container: broken
  • Then stop the container: broken
  • Then stop the docker service: broken
  • Then I have to restart the computer to make it work again

I also tried to change the config to Cgroup Driver: systemd, no luck.

Steps to reproduce the behavior

This is a small test script to reproduce:

#!/usr/bin/env bash
# Reproducer: after each step, run a ping from a shell placed in the cgroup2
# group /test.slice and check whether the "-m cgroup --path" REJECT rule still
# matches it. Expected in a working system: ping is rejected at every step
# once the rule is loaded.
RED='\033[0;31m'
NC='\033[0m' # No Color

# cgroup2 group on the unified hierarchy (hybrid mode mounts it here)
sudo mkdir -p /sys/fs/cgroup/unified/test.slice

sudo iptables --flush
echo -e "${RED}iptables clean${NC}"
# no rule yet: ping should succeed
cat <<"EOF" | sudo bash
echo $$ >> /sys/fs/cgroup/unified/test.slice/cgroup.procs
ping -c 1 127.0.0.1
EOF

sudo iptables -A OUTPUT -m cgroup --path /test.slice -j REJECT
echo -e "${RED}iptables cgroup reject${NC}"
# rule loaded: ping should be rejected (Destination Port Unreachable)
cat <<"EOF" | sudo bash
echo $$ >> /sys/fs/cgroup/unified/test.slice/cgroup.procs
ping -c 1 127.0.0.1
EOF

sudo systemctl start docker
echo -e "${RED}start docker service${NC}"
cat <<"EOF" | sudo bash
echo $$ >> /sys/fs/cgroup/unified/test.slice/cgroup.procs
ping -c 1 127.0.0.1
EOF

docker run --name test --rm -dt alpine /bin/sh
echo -e "${RED}start docker container${NC}"
cat <<"EOF" | sudo bash
echo $$ >> /sys/fs/cgroup/unified/test.slice/cgroup.procs
ping -c 1 127.0.0.1
EOF

docker stop test
echo -e "${RED}stop docker container${NC}"
cat <<"EOF" | sudo bash
echo $$ >> /sys/fs/cgroup/unified/test.slice/cgroup.procs
ping -c 1 127.0.0.1
EOF

sudo systemctl stop docker
echo -e "${RED}stop docker service${NC}"
cat <<"EOF" | sudo bash
echo $$ >> /sys/fs/cgroup/unified/test.slice/cgroup.procs
ping -c 1 127.0.0.1
EOF
  • If ping outputs Destination Port Unreachable, the iptables cgroup match rule works.
    Here is the script result:
    (screenshot Screenshot_20200602_131842, not reproduced here)

Output of docker version:

Client:
Version:           19.03.10-ce
API version:       1.40
Go version:        go1.14.3
Git commit:        9424aeaee9
Built:             Fri May 29 11:14:36 2020
OS/Arch:           linux/amd64
Experimental:      false

Server:
Engine:
Version:          19.03.10-ce
API version:      1.40 (minimum version 1.12)
Go version:       go1.14.3
Git commit:       9424aeaee9
Built:            Fri May 29 11:14:15 2020
OS/Arch:          linux/amd64
Experimental:     false
containerd:
Version:          v1.3.4.m
GitCommit:        d76c121f76a5fc8a462dc64594aea72fe18e1178.m
runc:
Version:          1.0.0-rc10
GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version:          0.18.0
GitCommit:        fec3683

Output of docker info:

Client:
Debug Mode: false

Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 19.03.10-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d76c121f76a5fc8a462dc64594aea72fe18e1178.m
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 5.6.15-arch1-1
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 7.506GiB
Name: fancy-pc
ID: WOOL:2O55:IYPZ:4CV4:W5VR:44OD:DWXT:SFUA:7XJ2:5LCS:AMSB:73NV
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.)
OS: archlinux

kernel log

[  +0.109803] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
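That kernel message is the whole story: once the cgroup v1 net_cls/net_prio controllers are put to use (which a container runtime does when it creates per-container cgroups in that hierarchy), the kernel switches cgroup2 socket matching off for the entire host, so every `-m cgroup --path` rule silently stops matching until reboot. The check below is added here and is not part of the issue or of Docker; it reads `/proc/cgroups` and treats a `num_cgroups` above 1 for net_cls or net_prio as the sign that those controllers are in use, which is my heuristic, not a kernel interface, and it also greps a saved kernel log for the message quoted above.

```shell
#!/bin/sh
# Added check (not from the issue or Docker): estimate whether this host has
# lost cgroup2 socket matching, so that cgroup-path firewall rules are not
# trusted blindly after a container runtime has started.

# Print the v1 network controllers that have non-root cgroups.
# $1: a /proc/cgroups-style file (defaults to the real /proc/cgroups), with
#     rows "subsys_name hierarchy num_cgroups enabled".
# Exit status 0 if any were found (matching probably disabled), 1 otherwise.
# The num_cgroups > 1 test is a heuristic (assumption), not a kernel API.
net_cgroup_v1_in_use() {
  awk '
    /^#/ { next }                                  # header line
    ($1 == "net_cls" || $1 == "net_prio") && $3 > 1 { print $1; found = 1 }
    END { exit(found ? 0 : 1) }
  ' "${1:-/proc/cgroups}"
}

# Look for the kernel message from the issue in a saved log (e.g. dmesg output).
# $1: file holding the log. Exit status 0 if the message is present.
kernel_log_says_disabled() {
  grep -q 'disabling cgroup2 socket matching' "$1"
}

# Constructed sample of /proc/cgroups after one container has started
# (hypothetical numbers, for demonstration only).
write_sample_cgroups() {
  printf '#subsys_name\thierarchy\tnum_cgroups\tenabled\n' > "$1"
  printf 'cpuset\t2\t3\t1\nnet_cls\t7\t2\t1\nnet_prio\t7\t2\t1\npids\t4\t90\t1\n' >> "$1"
}

# Live check on hosts where /proc/cgroups is readable; harmless elsewhere.
if [ -r /proc/cgroups ]; then
  if ctl=$(net_cgroup_v1_in_use); then
    echo "cgroup2 socket matching is probably disabled; v1 controllers in use:"
    echo "$ctl"
  else
    echo "no net_cls/net_prio v1 cgroups found: -m cgroup --path should still match"
  fi
fi
```

Run it before and after starting the container runtime; if the first function starts reporting net_cls/net_prio, re-verify any cgroup-path rules with the reporter's ping test rather than assuming they still enforce.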

Found the cause. Close this now.

What was the cause @springzfx?

@springzfx I'll be happy to get some info regarding this error and docker network issues in general. It will be appreciated.