firewalld COMMAND_FAILED warnings #2622

Open
cyphar opened this issue Feb 16, 2021 · 3 comments

cyphar commented Feb 16, 2021

Since #2548, we see firewalld warnings in systemd logs when Docker starts up. When we tried backporting #2548, these warnings resulted in fatal errors:

Dec 27 21:36:06.507740 susetest firewalld[578]: ERROR: INVALID_ZONE: docker
Dec 27 21:36:07.514557 susetest dockerd[9386]: failed to start daemon: Error initializing network controller: Error creating default "bridge" network: Failed to program NAT chain: INVALID_ZONE: docker

But on upstream Docker (20.03.x) these warnings are just warnings. Though it still seems to me that they should be fixed. The warnings from firewalld are:

Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: Too many links.
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: Too many links.
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:42 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

And here are the interspersed dockerd and firewalld logs to lend some more context:

docker --debug + journald logs
Feb 16 13:32:40 yavin systemd[1]: Starting Docker Application Container Engine...
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.756951533+11:00" level=debug msg="Listener created for HTTP on unix (/var/run/docker.sock)"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.756998891+11:00" level=debug msg="Containerd not running, starting daemon managed containerd"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.757824812+11:00" level=info msg="libcontainerd: started new containerd process" pid=24466
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.757860262+11:00" level=info msg="parsed scheme: \"unix\"" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.757869327+11:00" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.757886879+11:00" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock  <nil> 0 <nil>}] <nil> <nil>}" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.757902266+11:00" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.877477165+11:00" level=info msg="starting containerd" revision=269548fa27e0089a8b8278fc4fc781d7f65a939b version=v1.4.3
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.899733737+11:00" level=info msg="loading plugin \"io.containerd.content.v1.content\"..." type=io.containerd.content.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.899826476+11:00" level=info msg="loading plugin \"io.containerd.snapshotter.v1.aufs\"..." type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.902777808+11:00" level=info msg="skip loading plugin \"io.containerd.snapshotter.v1.aufs\"..." error="aufs is not supported (modprobe aufs failed: exit status 1 \"modprobe: FATAL: Module aufs not found in directory /lib/modules/5.10.9-1-default\\n\"): skip plugin" type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.902803810+11:00" level=info msg="loading plugin \"io.containerd.snapshotter.v1.btrfs\"..." type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903108730+11:00" level=info msg="loading plugin \"io.containerd.snapshotter.v1.devmapper\"..." type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903131386+11:00" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.devmapper" error="devmapper not configured"
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903142245+11:00" level=info msg="loading plugin \"io.containerd.snapshotter.v1.native\"..." type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903169040+11:00" level=info msg="loading plugin \"io.containerd.snapshotter.v1.overlayfs\"..." type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903246596+11:00" level=info msg="loading plugin \"io.containerd.snapshotter.v1.zfs\"..." type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903469539+11:00" level=info msg="skip loading plugin \"io.containerd.snapshotter.v1.zfs\"..." error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.zfs must be a zfs filesystem to be used with the zfs snapshotter: skip plugin" type=io.containerd.snapshotter.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903487259+11:00" level=info msg="loading plugin \"io.containerd.metadata.v1.bolt\"..." type=io.containerd.metadata.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903507475+11:00" level=warning msg="could not use snapshotter devmapper in metadata plugin" error="devmapper not configured"
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903520669+11:00" level=info msg="metadata content store policy set" policy=shared
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903748336+11:00" level=info msg="loading plugin \"io.containerd.differ.v1.walking\"..." type=io.containerd.differ.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903768727+11:00" level=info msg="loading plugin \"io.containerd.gc.v1.scheduler\"..." type=io.containerd.gc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903795253+11:00" level=info msg="loading plugin \"io.containerd.service.v1.introspection-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903820228+11:00" level=info msg="loading plugin \"io.containerd.service.v1.containers-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903832810+11:00" level=info msg="loading plugin \"io.containerd.service.v1.content-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903852524+11:00" level=info msg="loading plugin \"io.containerd.service.v1.diff-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903867079+11:00" level=info msg="loading plugin \"io.containerd.service.v1.images-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903892733+11:00" level=info msg="loading plugin \"io.containerd.service.v1.leases-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903916480+11:00" level=info msg="loading plugin \"io.containerd.service.v1.namespaces-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903942722+11:00" level=info msg="loading plugin \"io.containerd.service.v1.snapshots-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.903963616+11:00" level=info msg="loading plugin \"io.containerd.runtime.v1.linux\"..." type=io.containerd.runtime.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904048780+11:00" level=info msg="loading plugin \"io.containerd.runtime.v2.task\"..." type=io.containerd.runtime.v2
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904118328+11:00" level=info msg="loading plugin \"io.containerd.monitor.v1.cgroups\"..." type=io.containerd.monitor.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904619202+11:00" level=info msg="loading plugin \"io.containerd.service.v1.tasks-service\"..." type=io.containerd.service.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904675871+11:00" level=info msg="loading plugin \"io.containerd.internal.v1.restart\"..." type=io.containerd.internal.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904753110+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.containers\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904780176+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.content\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904808448+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.diff\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904830764+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.events\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904853917+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.healthcheck\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904879318+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.images\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904901956+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.leases\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904923817+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.namespaces\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.904946515+11:00" level=info msg="loading plugin \"io.containerd.internal.v1.opt\"..." type=io.containerd.internal.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905025208+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.snapshots\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905054432+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.tasks\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905078001+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.version\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905099835+11:00" level=info msg="loading plugin \"io.containerd.grpc.v1.introspection\"..." type=io.containerd.grpc.v1
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905396943+11:00" level=info msg=serving... address=/var/run/docker/containerd/containerd-debug.sock
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905466872+11:00" level=info msg=serving... address=/var/run/docker/containerd/containerd.sock.ttrpc
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905523914+11:00" level=info msg=serving... address=/var/run/docker/containerd/containerd.sock
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905548031+11:00" level=debug msg="sd notification" error="<nil>" notified=false state="READY=1"
Feb 16 13:32:40 yavin dockerd[24466]: time="2021-02-16T13:32:40.905567978+11:00" level=info msg="containerd successfully booted in 0.028977s"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.911080679+11:00" level=debug msg="Created containerd monitoring client" address=/var/run/docker/containerd/containerd.sock
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.911880777+11:00" level=debug msg="Started daemon managed containerd"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.912668425+11:00" level=debug msg="Golang's threads limit set to 114210"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943271082+11:00" level=info msg="parsed scheme: \"unix\"" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943291154+11:00" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943307112+11:00" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock  <nil> 0 <nil>}] <nil> <nil>}" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943318849+11:00" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943361377+11:00" level=debug msg="metrics API listening on /var/run/docker/metrics.sock"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943954766+11:00" level=info msg="parsed scheme: \"unix\"" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.943983660+11:00" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.944010627+11:00" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock  <nil> 0 <nil>}] <nil> <nil>}" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.944032252+11:00" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.944603422+11:00" level=debug msg="processing event stream" module=libcontainerd namespace=plugins.moby
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.944879944+11:00" level=debug msg="Using default logging driver json-file"
Feb 16 13:32:40 yavin dockerd[24453]: time="2021-02-16T13:32:40.945563193+11:00" level=debug msg="[graphdriver] priority list: [btrfs zfs overlay2 fuse-overlayfs aufs overlay devicemapper vfs]"
Feb 16 13:32:41 yavin dockerd[24466]: time="2021-02-16T13:32:41.011955105+11:00" level=debug msg="garbage collected" d=7.990467ms
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.027746044+11:00" level=debug msg="backingFs=btrfs, projectQuotaSupported=false, indexOff=\"index=off,\"" storage-driver=overlay2
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.027771353+11:00" level=info msg="[graphdriver] using prior storage driver: overlay2"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.027782278+11:00" level=debug msg="Initialized graph driver overlay2"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.049447709+11:00" level=debug msg="No quota support for local volumes in /var/lib/docker/volumes: Filesystem does not support, or has not enabled quotas"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053371593+11:00" level=warning msg="Your kernel does not support CPU realtime scheduler"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053388497+11:00" level=warning msg="Your kernel does not support cgroup blkio weight"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053401423+11:00" level=warning msg="Your kernel does not support cgroup blkio weight_device"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053556959+11:00" level=debug msg="Max Concurrent Downloads: 3"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053570248+11:00" level=debug msg="Max Concurrent Uploads: 5"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053579428+11:00" level=debug msg="Max Download Attempts: 5"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053617563+11:00" level=info msg="Loading containers: start."
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.053733174+11:00" level=debug msg="processing event stream" module=libcontainerd namespace=moby
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.054765661+11:00" level=debug msg="loaded container" container=58417eb92d91c241e79055257497ecfc698a1d4fc2fca7184c1f618ea740c096 paused=false running=false
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059347992+11:00" level=debug msg="restoring container" container=58417eb92d91c241e79055257497ecfc698a1d4fc2fca7184c1f618ea740c096 paused=false restarting=false running=false
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059814518+11:00" level=debug msg="alive: false" container=58417eb92d91c241e79055257497ecfc698a1d4fc2fca7184c1f618ea740c096 paused=false restarting=false running=false
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059833925+11:00" level=debug msg="done restoring container" container=58417eb92d91c241e79055257497ecfc698a1d4fc2fca7184c1f618ea740c096 paused=false restarting=false running=false
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059861384+11:00" level=debug msg="Option Experimental: false"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059868963+11:00" level=debug msg="Option DefaultDriver: bridge"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059874263+11:00" level=debug msg="Option DefaultNetwork: bridge"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.059880054+11:00" level=debug msg="Network Control Plane MTU: 1500"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.096114254+11:00" level=info msg="Firewalld: docker zone already exists, returning"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.098664092+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -j DOCKER-ISOLATION]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.137759089+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.174981239+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.211084764+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.222012404+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D PREROUTING]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.227752665+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D OUTPUT]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.234227282+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -F DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.263020151+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -X DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.298971128+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -F DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.342980998+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -X DOCKER]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: Too many links.
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.348304745+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -F DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.375042082+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -X DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: Too many links.
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.380544273+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -F DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.410963023+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -X DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.451041560+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -F DOCKER-ISOLATION]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.456245288+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -X DOCKER-ISOLATION]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.461538998+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -n -L DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.468555370+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -N DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.511040407+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -n -L DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.516187725+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -n -L DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.520941320+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -n -L DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.526283422+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -N DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.550922853+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-1 -j RETURN]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.555942443+11:00" level=debug msg="Firewalld passthrough: ipv4, [-A DOCKER-ISOLATION-STAGE-1 -j RETURN]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.583025338+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-2 -j RETURN]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.588973754+11:00" level=debug msg="Firewalld passthrough: ipv4, [-A DOCKER-ISOLATION-STAGE-2 -j RETURN]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.624216219+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.630487360+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C DOCKER -i docker0 -j RETURN]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.636455114+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -I DOCKER -i docker0 -j RETURN]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.667007103+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -i docker0 -o docker0 -j DROP]"
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.672229221+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.677165627+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.685793768+11:00" level=info msg="Firewalld: interface docker0 already part of docker zone, returning"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.685823547+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.690648734+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.723123512+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.728392284+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.773126596+11:00" level=info msg="Firewalld: interface docker0 already part of docker zone, returning"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.773161637+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.778156267+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.782754154+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.787282673+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.792100139+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -j DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.796844612+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -j DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.831119649+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -j DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.883112411+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.887994393+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -I DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.927091562+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.932163553+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -I DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.959070847+11:00" level=debug msg="Network (4c1d786) restored"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.959805622+11:00" level=debug msg="Allocating IPv4 pools for network bridge (4c1d786e65a9783b82ac8c019004b0b65bd787dec7bc96b4e028b8f1e845b0dc)"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.959822503+11:00" level=debug msg="RequestPool(LocalDefault, 172.17.0.0/16, , map[], false)"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.959845092+11:00" level=debug msg="RequestAddress(LocalDefault/172.17.0.0/16, 172.17.0.1, map[RequestAddressType:com.docker.network.gateway])"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.959861304+11:00" level=debug msg="Request address PoolID:172.17.0.0/16 App: ipam/default/data, ID: LocalDefault/172.17.0.0/16, DBIndex: 0x0, Bits: 65536, Unselected: 65534, Sequence: (0x80000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0 Serial:false PrefAddress:172.17.0.1 "
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.962370447+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.967371328+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
Feb 16 13:32:41 yavin dockerd[24453]: time="2021-02-16T13:32:41.998934258+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C DOCKER -i docker0 -j RETURN]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.004947488+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -D DOCKER -i docker0 -j RETURN]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.063193783+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.069429699+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -i docker0 -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.123229994+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.129303272+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.165540012+11:00" level=debug msg="Firewalld: removing docker0 interface from docker zone"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.194606371+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.198963202+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.203656959+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.243020045+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.248269696+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.253017869+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.287026053+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.291817437+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -D DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.351090718+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.356330238+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -D DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.384595807+11:00" level=debug msg="releasing IPv4 pools from network bridge (4c1d786e65a9783b82ac8c019004b0b65bd787dec7bc96b4e028b8f1e845b0dc)"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.384620243+11:00" level=debug msg="ReleaseAddress(LocalDefault/172.17.0.0/16, 172.17.0.1)"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.384638663+11:00" level=debug msg="Released address PoolID:LocalDefault/172.17.0.0/16, Address:172.17.0.1 Sequence:App: ipam/default/data, ID: LocalDefault/172.17.0.0/16, DBIndex: 0x0, Bits: 65536, Unselected: 65533, Sequence: (0xc0000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.384653136+11:00" level=debug msg="ReleasePool(LocalDefault/172.17.0.0/16)"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.386189228+11:00" level=debug msg="cleanupServiceDiscovery for network:4c1d786e65a9783b82ac8c019004b0b65bd787dec7bc96b4e028b8f1e845b0dc"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.386202775+11:00" level=debug msg="cleanupServiceBindings for 4c1d786e65a9783b82ac8c019004b0b65bd787dec7bc96b4e028b8f1e845b0dc"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.389878763+11:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.389909067+11:00" level=debug msg="Allocating IPv4 pools for network bridge (5d1cabc379e2e9d9d41dd87d51ac6e81c5c5bfbc24ae07eeece180131d9c74e0)"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.389921254+11:00" level=debug msg="RequestPool(LocalDefault, 172.17.0.0/16, , map[], false)"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.389938806+11:00" level=debug msg="RequestAddress(LocalDefault/172.17.0.0/16, 172.17.0.1, map[RequestAddressType:com.docker.network.gateway])"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.389952897+11:00" level=debug msg="Request address PoolID:172.17.0.0/16 App: ipam/default/data, ID: LocalDefault/172.17.0.0/16, DBIndex: 0x0, Bits: 65536, Unselected: 65534, Sequence: (0x80000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0 Serial:false PrefAddress:172.17.0.1 "
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.390171389+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.395159446+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -I POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.427065294+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C DOCKER -i docker0 -j RETURN]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.432027383+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -I DOCKER -i docker0 -j RETURN]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.463157996+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -i docker0 -o docker0 -j DROP]"
Feb 16 13:32:42 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.468648661+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.473441683+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -i docker0 -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.506958967+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.512489182+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -i docker0 ! -o docker0 -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.541222469+11:00" level=debug msg="Firewalld: adding docker0 interface to docker zone"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.547675394+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.552074168+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.557091052+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.562170917+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.568754358+11:00" level=info msg="Firewalld: interface docker0 already part of docker zone, returning"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.568779276+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.572926956+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -o docker0 -j DOCKER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.635069835+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.640105470+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.679130317+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -j DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.683983614+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -j DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.710897861+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -j DOCKER-ISOLATION-STAGE-1]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.750943902+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.756400008+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -I DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.794803504+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.799461615+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -I DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.837137329+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -n -L DOCKER-USER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.842284679+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C DOCKER-USER -j RETURN]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.846441251+11:00" level=debug msg="Firewalld passthrough: ipv4, [-t filter -C FORWARD -j DOCKER-USER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.850877732+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -j DOCKER-USER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.887073285+11:00" level=debug msg="Firewalld passthrough: ipv4, [-I FORWARD -j DOCKER-USER]"
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.924160593+11:00" level=info msg="Loading containers: done."
Feb 16 13:32:43 yavin dockerd[24453]: time="2021-02-16T13:32:43.015740425+11:00" level=info msg="Docker daemon" commit=46229ca1d815 graphdriver(s)=overlay2 version=20.10.3_ce
Feb 16 13:32:43 yavin dockerd[24453]: time="2021-02-16T13:32:43.015817248+11:00" level=info msg="Daemon has completed initialization"
Feb 16 13:32:43 yavin systemd[1]: Started Docker Application Container Engine.

If you restart firewalld before starting Docker you get some extra errors:

Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.7 (legacy): Couldn't load target `DOCKER':No such file or directory
                                       
                                       Try `iptables -h' or 'iptables --help' for more information.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER' failed: iptables v1.8.7 (legacy): Couldn't load target `DOCKER':No such file or directory
                                       
                                       Try `iptables -h' or 'iptables --help' for more information.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.7 (legacy): Couldn't load target `DOCKER':No such file or directory
                                       
                                       Try `iptables -h' or 'iptables --help' for more information.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 12 00:28:37 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
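A triage sketch for the firewalld warnings quoted in this issue, added here as an example and not part of the issue or of Docker's or firewalld's code: it parses each COMMAND_FAILED line and separates failed removals of objects that were already absent from failures that leave the ruleset different from what was requested. The bucket names and the CONSTRUCTED line are assumptions of this example.

```python
import re
from collections import Counter

# Lines copied from the log excerpts in this issue.
SAMPLE = """\
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.7 (legacy): Couldn't load target `DOCKER':No such file or directory

                                       Try `iptables -h' or 'iptables --help' for more information.
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 12 00:28:35 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Feb 16 13:32:41 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: Too many links.
Feb 16 13:32:42 yavin firewalld[1690]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Feb 16 13:32:42 yavin dockerd[24453]: time="2021-02-16T13:32:42.463157996+11:00" level=debug msg="Firewalld passthrough: ipv4, [-D FORWARD -i docker0 -o docker0 -j DROP]"
"""
# Constructed line (not from the issue): a failed insert, for contrast.
CONSTRUCTED = "Feb 16 13:32:42 host firewalld[1]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -I FORWARD -j DOCKER-USER' failed: iptables: No chain/target/match by that name."

FAILED_RE = re.compile(
    r"firewalld\[\d+\]: WARNING: COMMAND_FAILED: '(?P<cmd>[^']+)' failed: (?P<err>.+)$")
MISSING = ("No chain/target/match by that name", "Bad rule", "Couldn't load target")

def parse_command(cmd):
    """Return (table, op, chain) for an iptables command line as logged by firewalld."""
    tokens = cmd.split()
    table, op, chain = "filter", None, None  # iptables defaults to the filter table
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-t" and nxt:
            table = nxt
        elif op is None and tok.startswith("-") and not tok.startswith("--"):
            # Short options may be bundled (e.g. "-nL"); pick the command letter.
            letters = [c for c in tok[1:] if c in "ADIFXNCL"]
            if letters:
                op, chain = letters[0], (nxt if nxt and not nxt.startswith("-") else None)
    return table, op, chain

def classify(op, err):
    """Triage bucket; the labels are this example's own, not firewalld's or Docker's."""
    if op in ("A", "I", "N"):
        return "install-failed"          # a rule or chain that should exist was not created
    if op == "X" and "Too many links" in err:
        return "chain-still-referenced"  # chain was not removed: rules still jump to it
    if op in ("D", "F", "X", "L", "C") and any(m in err for m in MISSING):
        return "target-already-absent"   # nothing to remove or list; ruleset unchanged
    return "unclassified"

def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # dockerd debug lines and iptables help-text continuation lines
        table, op, chain = parse_command(m["cmd"])
        findings.append({"table": table, "op": op, "chain": chain,
                         "verdict": classify(op, m["err"])})
    return findings

def summarize(findings):
    return Counter(f["verdict"] for f in findings)

if __name__ == "__main__":
    print(dict(summarize(triage(SAMPLE + CONSTRUCTED))))
```

Only the `install-failed`, `chain-still-referenced` and `unclassified` buckets describe a ruleset that differs from what the caller asked for, so those are the lines to review first.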

msaimper commented Apr 8, 2021

Just to comment on the fact that I am experiencing a similar issue. My Docker services just run fine and are visible from the outside, but it seems they somehow bypass firewalld instead of being included in it.

[XXXXX]$ sudo docker version
Client: Docker Engine - Community
 Version:           20.10.5
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        55c4c88
 Built:             Tue Mar  2 20:33:55 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.5
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       363e9a8
  Built:            Tue Mar  2 20:32:17 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
[XXXXX]$ sudo systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-04-06 21:48:24 CEST; 1 day 16h ago
     Docs: man:firewalld(1)
 Main PID: 1310 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─1310 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Apr 08 12:34:23 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
Apr 08 12:34:23 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Apr 08 12:34:23 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Apr 08 12:34:23 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 08 12:37:43 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker_gwbridge -o docker_gwbridge -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Apr 08 12:37:43 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
Apr 08 12:37:43 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
Apr 08 12:38:02 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
Apr 08 12:38:22 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
Apr 08 12:38:22 dphppcj57 firewalld[1310]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -nL DOCKER-INGRESS' failed: iptables: No chain/target/match by that name.
[XXXXX]$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
[XXXXX]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


kiocosta commented Mar 7, 2022

Any updates on this?


ubaldino commented Mar 14, 2022
