CentOS 7 firewalld warning COMMAND_FAILED while publish port to host

(Goel) #1

I’m new to Docker and followed the instructions here to install Docker on a CentOS 7 server.

I wanted to use the Prometheus container, so I ran the command:

docker run -p 9090:9090 prom/prometheus

The container is running now, but I cannot access the Prometheus web interface. I realized I have firewalld enabled, so I whitelisted port 9090/tcp, but still no luck. A Google search sent me here, and I added the docker0 interface to the zone and restarted the server.

I can access the Prometheus web interface now, happy days, but I still see the following messages:

# journalctl -f -a -u firewalld.service
...
Jul 28 20:52:37 xxxxx firewalld[936]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 9090 -j DNAT --to-destination 172.17.0.2:9090 ! -i docker0' failed:
Jul 28 20:52:37 xxxxx firewalld[936]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 9090 -j ACCEPT' failed:
Jul 28 20:52:37 xxxxx firewalld[936]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.17.0.2 -d 172.17.0.2 --dport 9090 -j MASQUERADE' failed:

Can someone please guide me on how to fix these failures?

# lsb_release -a
LSB Version:	:core-4.1-amd64:core-4.1-noarch
Distributor ID:	CentOS
Description:	CentOS Linux release 7.3.1611 (Core)
Release:	7.3.1611
Codename:	Core
# docker version
Client:
 Version:      17.06.0-ce
 API version:  1.30
 Go version:   go1.8.3
 Git commit:   02c1d87
 Built:        Fri Jun 23 21:20:36 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.06.0-ce
 API version:  1.30 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   02c1d87
 Built:        Fri Jun 23 21:21:56 2017
 OS/Arch:      linux/amd64
 Experimental: false

(Vladsol) #2

Freshly installed & updated CentOS 7.4.1708

After installing docker 1.12.6-61.git85d7426.el7.centos from the extras repo and starting docker, I am getting the same warnings from firewalld.
With 17.06.0-ce, same problem.

2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -n -L DOCKER' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -n -L DOCKER' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -n -L DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
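
The warnings quoted in this thread can be sorted by which iptables operation failed. The following is an added example, not part of either post and not Docker's or firewalld's code. It assumes `-C`/`-L` are read-only probes, `-D`/`-F`/`-X` are cleanup of something already absent, and `-A`/`-I`/`-N` are changes that did not land. The sample lines are constructed in the thread's format, and the `-A` line does not appear in the thread.

```python
import re
from collections import Counter

# What a non-zero exit means for the ruleset, per iptables operation (assumed grouping).
KIND = {"-C": "probe", "-L": "probe",                        # read-only: rule/chain absent
        "-D": "cleanup", "-F": "cleanup", "-X": "cleanup",  # nothing there to remove
        "-A": "change", "-I": "change", "-N": "change"}     # rule or chain NOT installed

# Accept straight or typographic quotes around the command, as forum copies vary.
PATTERN = re.compile(r"COMMAND_FAILED: ['‘](?P<cmd>.+?)['’] failed:\s*(?P<err>.*)")

# Constructed sample; hostname and the final -A line are made up for illustration.
SAMPLE = """\
Jul 28 20:52:37 host firewalld[936]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 9090 -j DNAT --to-destination 172.17.0.2:9090 ! -i docker0' failed:
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory
2017-12-03 20:59:08 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.
"""

def parse(line):
    """Return table, op, chain, kind and error text for one warning, else None."""
    m = PATTERN.search(line)
    if not m:
        return None
    tokens = m.group("cmd").split()
    table = tokens[tokens.index("-t") + 1] if "-t" in tokens else "filter"
    op = next((t for t in tokens if t in KIND), None)  # case-sensitive: -d / -i are not ops
    if op is None:
        return None
    nxt = tokens.index(op) + 1
    chain = tokens[nxt] if nxt < len(tokens) and not tokens[nxt].startswith("-") else None
    return {"table": table, "op": op, "chain": chain,
            "kind": KIND[op], "error": m.group("err").strip()}

def triage(text):
    """Parse every warning in a log excerpt and count them per kind."""
    records = [r for r in map(parse, text.splitlines()) if r]
    return records, Counter(r["kind"] for r in records)

if __name__ == "__main__":
    records, counts = triage(SAMPLE)
    for r in records:
        print(f'{r["kind"]:8} {r["table"]:7} {r["op"]} {r["chain"]}  {r["error"] or "(no message)"}')
    print(dict(counts))
```

Only records of kind `change` describe a rule or chain that is missing afterwards; every warning quoted in the two posts falls under `probe` or `cleanup`.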