Description
It seems to me like Docker's removal of firewalld zone interfaces is not permanent.
Steps to reproduce the issue:
- Check the current interfaces:
  # firewall-cmd --list-all --zone=docker
- Create a new network:
  # docker network create test
- A new bridge should be added to the interfaces:
  # firewall-cmd --list-all --zone=docker
- Remove the network:
  # docker network rm test
- The network should be removed here, too:
  # firewall-cmd --list-all --zone=docker
- Reload firewalld:
  # firewall-cmd --reload
- The previously deleted interface appears again:
  # firewall-cmd --list-all --zone=docker
Only after rebooting the server did the interface stop appearing. Neither restarting docker nor firewalld solved the issue.
Describe the results you received:
After reloading firewalld, all previously deleted docker bridges appear in the firewalld docker zone interface list.
root@server# firewall-cmd --list-all --zone=docker
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-4be931ba093c docker0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
root@server# docker network create test
b3f9a7383f13b7ea814946d88e5251f54a6a05a2e875e20a89908a2c381bf072
root@server# firewall-cmd --list-all --zone=docker
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-4be931ba093c br-b3f9a7383f13 docker0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
root@server# docker network rm test
test
root@server# firewall-cmd --list-all --zone=docker
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-4be931ba093c docker0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
root@server# firewall-cmd --reload
success
root@server# firewall-cmd --list-all --zone=docker
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-4be931ba093c br-b3f9a7383f13 docker0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
root@server# ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether fa:16:3e:be:11:3f brd ff:ff:ff:ff:ff:ff
3: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether fa:16:3e:87:1b:5e brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:a7:79:0d:cd brd ff:ff:ff:ff:ff:ff
5: br-4be931ba093c: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 02:42:03:6d:68:2b brd ff:ff:ff:ff:ff:ff
7: veth7b13b40@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-4be931ba093c state UP mode DEFAULT group default
link/ether 0e:57:aa:b2:f4:c0 brd ff:ff:ff:ff:ff:ff link-netnsid 0
Describe the results you expected:
I expected that the interfaces were removed permanently and don't appear again after a firewall-cmd --reload.
Additional information you deem important (e.g. issue happens only occasionally):
Output of docker version:
Client: Docker Engine - Community
Version: 20.10.12
API version: 1.41
Go version: go1.16.12
Git commit: e91ed57
Built: Mon Dec 13 11:45:33 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.12
API version: 1.41 (minimum version 1.12)
Go version: go1.16.12
Git commit: 459d0df
Built: Mon Dec 13 11:43:42 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.12
GitCommit: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
runc:
Version: 1.0.2
GitCommit: v1.0.2-0-g52b36a2
docker-init:
Version: 0.19.0
GitCommit: de40ad0
Output of docker info:
Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Docker Buildx (Docker Inc., v0.7.1-docker)
compose: Docker Compose (Docker Inc., v2.2.3)
scan: Docker Scan (Docker Inc., v0.12.0)
Server:
Containers: 1
Running: 1
Paused: 0
Stopped: 0
Images: 14
Server Version: 20.10.12
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
runc version: v1.0.2-0-g52b36a2
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 5.4.0-105-generic
Operating System: Ubuntu 20.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 1.89GiB
Name: funny-server-name
ID: CU4J:VST2:CHFF:LJSG:7XHL:MWOR:7HKN:V5BP:JLDC:LZOK:K25K:QVAO
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support
Additional environment details (AWS, VirtualBox, physical, etc.):
The server is an Ubuntu 20.04 VM hosted on an OpenStack cluster.
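The reproduction above ends with the docker zone listing a bridge (br-b3f9a7383f13) that `docker network rm` had already deleted from the host, because `firewall-cmd --reload` restores whatever the permanent configuration still carries. The following script is an added example written for this page; it is not code from the issue reporter, from Docker or from firewalld. It compares the zone's interface list with the host's `ip link` output, reports entries that point at interfaces which no longer exist, and prints (without executing) the `firewall-cmd --remove-interface` calls that would drop them from both the runtime and the permanent configuration. The `check_live` function, the sample data and the zone name `docker` are assumptions taken from the issue's own output; the `SAMPLE_*` values are constructed from that output so the script runs offline.

```shell
#!/bin/sh
# Added example; not code from the issue, Docker or firewalld.
# Finds interfaces that firewalld's "docker" zone still lists but that no
# longer exist on the host, and prints the cleanup commands an operator
# would review before applying them.

# Extract interface names from `ip link` (or `ip -o link`) output: keep only
# the numbered header lines and strip the "@ifN" peer suffix from veth names.
host_interfaces() {
    printf '%s\n' "$1" | awk -F': ' '/^[0-9]+: /{ sub(/@.*/, "", $2); print $2 }'
}

# $1: the zone's space-separated interface list, as printed by
#     `firewall-cmd --zone=docker --list-interfaces`
# $2: `ip link` output
# Prints one stale interface name per line (empty output means none).
stale_zone_interfaces() {
    zone_ifaces=$1
    known=$(host_interfaces "$2")
    for iface in $zone_ifaces; do
        if ! printf '%s\n' "$known" | grep -qx -- "$iface"; then
            printf '%s\n' "$iface"
        fi
    done
}

# Turn a stale list into cleanup commands. They are printed, not executed:
# the operator reviews them first. Both runtime and permanent configuration
# are addressed, since a reload re-applies the permanent one.
cleanup_commands() {
    for iface in $1; do
        printf 'firewall-cmd --zone=docker --remove-interface=%s\n' "$iface"
        printf 'firewall-cmd --permanent --zone=docker --remove-interface=%s\n' "$iface"
    done
}

# Live check on a real host (needs firewalld and iproute2; not run here).
check_live() {
    zone=$(firewall-cmd --zone=docker --list-interfaces)
    stale=$(stale_zone_interfaces "$zone" "$(ip link)")
    if [ -n "$stale" ]; then
        cleanup_commands "$stale"
    fi
}

# Constructed sample reproducing the issue's post-reload state: the zone
# lists br-b3f9a7383f13 although `docker network rm test` already removed it.
SAMPLE_ZONE="br-4be931ba093c br-b3f9a7383f13 docker0"
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 02:42:a7:79:0d:cd brd ff:ff:ff:ff:ff:ff
5: br-4be931ba093c: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:03:6d:68:2b brd ff:ff:ff:ff:ff:ff
7: veth7b13b40@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-4be931ba093c state UP
    link/ether 0e:57:aa:b2:f4:c0 brd ff:ff:ff:ff:ff:ff link-netnsid 0'

# Offline demonstration: prints the cleanup commands for the stale bridge.
cleanup_commands "$(stale_zone_interfaces "$SAMPLE_ZONE" "$SAMPLE_IP_LINK")"
```

Running `check_live` on an affected host after the reproduction steps should print two lines for br-b3f9a7383f13 and nothing for docker0 or br-4be931ba093c, which still exist. Keeping the zone's permanent interface list in step with the host matters because the docker zone has `target: ACCEPT`: a stale entry is harmless while the interface is absent, but a future bridge or other interface that happens to reuse the name would inherit that accept-all target on reload.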