Status: Closed
Labels: area/networking, area/networking/firewalld, area/networking/firewalling, kind/bug, version/27.1

Description
After upgrading to Docker version 27.1.2, build d01f264, and firewalld 1.3.3 on Debian 12, container-to-container communication within the same bridge network is no longer automatically observed.
Reproduce

- Make sure iptables is disabled.
- Make sure firewalld is enabled.
- Run these:

```sh
docker network create --driver bridge mytestnet
docker run --net mytestnet --name terminal_a -it busybox sh
docker run --net mytestnet --name terminal_b -it busybox sh
```

- Get in the containers and try to ping. Observe it does not work.
- Disable firewalld.
- Observe it works.
- Re-enable firewalld with `sudo systemctl start firewalld.service`.
- Additionally, run `ip -br a` to save which interface points to the network you created above; in my case it is `br-281213661d1e`.
- Run `sudo firewall-cmd --zone=docker --change-interface=br-281213661d1e` to add said interface to the docker zone.
- Repeat ping. Observe it works.
Expected behavior
I would expect the automatically created host interfaces to be assigned to the correct docker zone in firewalld so as to maintain the expected connectivity.
docker version

```
➜ ~ docker version
Client: Docker Engine - Community
 Version:           27.1.2
 API version:       1.46
 Go version:        go1.21.13
 Git commit:        d01f264
 Built:             Mon Aug 12 11:51:13 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          27.1.2
  API version:      1.46 (minimum version 1.24)
  Go version:       go1.21.13
  Git commit:       f9522e5
  Built:            Mon Aug 12 11:51:13 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.20
  GitCommit:        8fc6bcff51318944179630522a095cc9dbf9f353
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```

docker info
```
~ docker info
Client: Docker Engine - Community
 Version:    27.1.2
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.16.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 24
  Running: 19
  Paused: 0
  Stopped: 5
 Images: 101
 Server Version: 27.1.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8fc6bcff51318944179630522a095cc9dbf9f353
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.1.0-23-amd64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.38GiB
 Name: cubi
 ID: KFDH:M3K3:VY5B:WQZV:NX7U:3PSX:Y2QH:KWLU:GQ4T:QHRH:OZ5D:EFVU
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```

Additional Info

No response
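The workaround in the report is manual: find the `br-*` interface with `ip -br a`, then add it to firewalld's `docker` zone. The script below is an added example (not part of the issue, and not Docker's or firewalld's own code) that turns that into a repeatable audit: it extracts Docker-created bridge interfaces from `ip -br a` output, compares them with the interface list of the `docker` zone (the format printed by `firewall-cmd --zone=docker --list-interfaces`), and prints the `firewall-cmd` calls that would restore connectivity instead of running them. The sample outputs are constructed; `br-281213661d1e` is the interface named in the issue, the other names are placeholders.

```shell
#!/bin/sh
# Added example: audit which Docker bridge interfaces (br-<network id>) are
# missing from firewalld's "docker" zone. Sample data is constructed; only
# the reporter's interface name br-281213661d1e comes from the issue.

# Read `ip -br a` output on stdin and print interfaces named br-*, one per line
# (user-created Docker bridge networks get this naming; docker0 is the default
# bridge and is handled by Docker's own firewalld integration).
docker_bridges() {
  awk '$1 ~ /^br-/ { print $1 }'
}

# $1: bridges, newline-separated; $2: zone interfaces, space-separated
# (the format `firewall-cmd --zone=docker --list-interfaces` prints).
# Prints every bridge that is not in the zone.
missing_from_zone() {
  bridges="$1"
  zone_ifaces=" $2 "
  for b in $bridges; do
    case "$zone_ifaces" in
      *" $b "*) ;;                   # already in the zone
      *) printf '%s\n' "$b" ;;
    esac
  done
}

# Print, rather than execute, the remediation command from the issue's
# workaround for each missing bridge ($1: newline-separated names).
remediation_commands() {
  for b in $1; do
    printf 'sudo firewall-cmd --zone=docker --change-interface=%s\n' "$b"
  done
}

# Constructed sample of `ip -br a`: two user-created bridges, one of which
# (br-0123456789ab, placeholder) is already in the zone.
SAMPLE_IP_BR_A='lo               UNKNOWN        127.0.0.1/8
eth0             UP             192.0.2.10/24
docker0          DOWN           172.17.0.1/16
br-281213661d1e  UP             172.18.0.1/16
br-0123456789ab  UP             172.19.0.1/16'

# Constructed sample of `firewall-cmd --zone=docker --list-interfaces`.
SAMPLE_ZONE_IFACES='docker0 br-0123456789ab'

# Run the audit on the constructed samples; prints the missing bridges.
audit_report() {
  bridges=$(printf '%s\n' "$SAMPLE_IP_BR_A" | docker_bridges)
  missing_from_zone "$bridges" "$SAMPLE_ZONE_IFACES"
}

# Same audit against the live host, used only when both tools are present.
# It still only prints the commands; applying them is left to the operator.
live_audit() {
  command -v ip >/dev/null 2>&1 && command -v firewall-cmd >/dev/null 2>&1 || return 0
  bridges=$(ip -br a | docker_bridges)
  zone=$(firewall-cmd --zone=docker --list-interfaces 2>/dev/null)
  remediation_commands "$(missing_from_zone "$bridges" "$zone")"
}

remediation_commands "$(audit_report)"
```

`--change-interface` without `--permanent` changes only the runtime configuration, so the assignment is lost again on the next firewalld reload or restart; a persistent fix needs the same call with `--permanent` followed by `firewall-cmd --reload`, or the check above run from a hook after Docker creates the network.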