Docker Community Forums

Share and learn in the Docker community.

How to fix these two Docker warnings on CentOS 8

WARNING: No blkio weight support
WARNING: No blkio weight_device support

docker info

 Context:    default
 Debug Mode: false
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.0-docker)

 Containers: 5
  Running: 5
  Paused: 0
  Stopped: 0
 Images: 5
 Server Version: 20.10.1
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 init version: de40ad0
 Security Options:
   Profile: default
 Kernel Version: 4.18.0-240.1.1.el8_3.x86_64
 Operating System: CentOS Linux 8
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 7.559GiB
 Name: V-app-push2021
 Docker Root Dir: /data/lib/docker/1000.1000
 Debug Mode: false
 Experimental: false
 Insecure Registries:
 Registry Mirrors:
 Live Restore Enabled: false

WARNING: No blkio weight support
WARNING: No blkio weight_device support

After spending a couple of days looking at logs and configurations for the involved components, I was about to throw in the towel and revert back to Fedora 30, where this seems to work straight out of the box.

Focusing on firewalling, I realized that disabling firewalld seemed to do the trick, but I would prefer not to do that. While inspecting network rules with iptables, I realized that the switch to nftables means that iptables is now an abstraction layer that only shows a small part of the nftables rules. That means most - if not all - of the firewalld configuration will be applied outside the scope of iptables.

I was used to be able to find the whole truth in iptables, so this will take some getting used to.

Long story short - for this to work, I had to enable masquerading. It looked like dockerd already did this through iptables, but apparently this needs to be specifically enabled for the firewall zone for iptables masquerading to work:

Masquerading allows for docker ingress and egress (this is the juicy bit)

firewall-cmd --zone=public --add-masquerade --permanent

Specifically allow incoming traffic on port 80/443 (nothing new here)

firewall-cmd --zone=public --add-port=80/tcp
firewall-cmd --zone=public --add-port=443/tcp

Reload firewall to apply permanent rules

firewall-cmd --reload
Reboot or restart dockerd, and both ingress and egress should work.

@lisonfan @moderators the content of lewish95’s post is shamelessly stolen from, which addresses a whole different topic.