Issue with Docker 1.12.1 and Firewalld on RHEL 7

wraithfive · October 26, 2016, 10:30pm

Whenever I start docker on RHEL7 I get the following in /var/log/firewalld

2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER’ failed: iptables: No chain/target/match by that name.
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t nat -D PREROUTING’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t nat -D OUTPUT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t filter -X DOCKER’ failed: iptables: Too many links.
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION’ failed: iptables: Too many links.
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t nat -n -L DOCKER’ failed: iptables: No chain/target/match by that name.
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION -j RETURN’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER’ failed: iptables: No chain/target/match by that name.
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8’ failed: iptables: No chain/target/match by that name.
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t nat -C DOCKER -i docker_gwbridge -j RETURN’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -D FORWARD -i docker_gwbridge -o docker_gwbridge -j ACCEPT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION -i docker_gwbridge -o docker0 -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:10 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION -i docker0 -o docker_gwbridge -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:11 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE’ failed: iptables: No chain/target/match by that name.
2016-10-26 17:29:11 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:11 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:11 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:11 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:11 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:11 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER’ failed: iptables: No chain/target/match by that name.
2016-10-26 17:29:11 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION -i docker0 -o docker_gwbridge -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:11 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION -i docker_gwbridge -o docker0 -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-10-26 17:29:16 ERROR: COMMAND_FAILED: ‘/sbin/iptables -w2 -t mangle -C OUTPUT -p udp --dport 4789 -m u32 --u32 0>>22&0x3C@12&0xFFFFFF00=65536 -j MARK --set-mark 13681891’ failed: iptables: No chain/target/match by that name.

This seems to be preventing joining workers after “docker swarm init” as no worker can join until I disable firewalld.

However, with firewalld disables container networking does not work properly as no container can get outbound network access.

kinghuang · November 16, 2016, 9:21pm

On our RHEL 7 hosts, we had to turn on masquerade on firewalld for Docker (especially in Swarm mode) to work correctly. Maybe give that a try?

firewall-cmd --zone=public --permanent --add-masquerade