[Bug 1943898] [NEW] docker.io modifies routing rules in a way which breaks LXD bridge

Paul Goins Thu, 16 Sep 2021 21:25:40 -0700

Public bug reported:

I was trying to bootstrap a Juju controller on LXD.  Unfortunately, this
never finished, and upon further investigation, I found that none of my
LXD containers could reach the Internet via the configured bridge,
lxdbr0.


This was working previously, but recently I installed docker.io.

I stopped and/or removed other components which were installing routing
rules, e.g. microk8s and multipass, but nothing resolved the problem
until I removed docker.io and restarted my computer.

Long story short, I traced down the reason why this wasn't working to a
routing rule.  I dumped my iptables rules while docker.io was
uninstalled and things were working, and then dumped again after I
installed docker.io and rebooted.  (The reboot was necessary; things
still worked after installing docker.io, but stopped working after
reboot.)

Here is the key diff that I saw:

[...]
 + sudo iptables -tfilter -S
 -P INPUT ACCEPT
--P FORWARD ACCEPT
+-P FORWARD DROP
[...]

I could manually run "sudo iptables -tfilter -P FORWARD ACCEPT" to make
things work again.  (Obviously that may not be the best workaround for
security reasons, but LXD doesn't seem to install rules sufficient for
routing to still work after docker.io makes this change.)

I'll leave it up to you whether this is a docker.io bug or an lxd bug,
but it was installation of docker.io which triggered the situation for
me.


Relevant information:

$ lsb_release -rd
Description:    Ubuntu 20.04.3 LTS
Release:        20.04

$ apt-cache policy docker.io | head -n2
docker.io:
  Installed: 20.10.7-0ubuntu1~20.04.1

Expected behavior: being able to use LXDs like normal without loss of
Internet connectivity after installing docker.io package.

What happened instead: lost Internet connectivity due to change in
filter table's -P FORWARD rule.


Best Regards,
Paul Goins

** Affects: docker.io (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1943898

Title:
  docker.io modifies routing rules in a way which breaks LXD bridge

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1943898/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1943898] [NEW] docker.io modifies routing rules in a way which breaks LXD bridge

Reply via email to