Wednesday, April 29 2020, 09:31

Fixing docker-engine, docker-ce on Fedora 32

I've been using Fedora for some years now (probably 5). I have participated in a bunch of betas when new releases were approaching. At my new job I'm building our next infrastructure, which will be based on docker. So when I joined 2 months ago I installed the official docker packages following these instructions. Things worked well.

I've been willing to beta test Fedora 32, because I can, I like using unstable software (I've been using Firefox unstable since probably 2000 when it was called Mozilla Suite) and filing bug reports. In the past I've been bitten by SELinux once - and nits of issues with gnupg - but nothing that prevented me from going back quickly to work. So I've been wanting to use 32 for a while but was reluctant because of:

root@saraan firewalld# dnf update
Docker CE Stable - x86_64                                                                                                   725  B/s | 577  B     00:00    
Errors during downloading metadata for repository 'docker-ce-stable':
 - Status code: 404 for https://download.docker.com/linux/fedora/32/x86_64/stable/repodata/repomd.xml (IP: 2600:9000:2047:de00:3:db06:4200:93a1)
Error: Failed to download metadata for repo 'docker-ce-stable': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
Docker CE Test - x86_64                                                                                                     654  B/s | 575  B     00:00    
Errors during downloading metadata for repository 'docker-ce-test':
 - Status code: 404 for https://download.docker.com/linux/fedora/32/x86_64/test/repodata/repomd.xml (IP: 2600:9000:2047:d800:3:db06:4200:93a1)
Error: Failed to download metadata for repo 'docker-ce-test': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
Ignoring repositories: docker-ce-stable, docker-ce-test

And I wanted to make sure that I could still work. I've asked on Mastodon/Twitter when the docker repos would have a 32 equivalent, without any answers. I went to the docker forums and posted there. I didn't get a single reply.

Finally, last Sunday I updated to 32 without a single issue. Until yesterday, when I did a docker-compose up and that docker project didn't work at all (issue connecting to the http interface of the service / issue between the app and its postgresql backend). I tried cleaning up everything I could, it didn't help, nor did qwanting, googling or binging. journalctl -e -u docker.service was of course almost empty:

No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: nameserver 8.8.8.8 nameserver 8.8.4...

Which I'm very unhappy about. So I ended up doing a quick search on Twitter and found a tweet in Japanese which gave me a hint. I confirmed the hint:

root@saraan firewalld# systemctl status firewalld.service 
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2020-04-28 17:56:10 CEST; 15h ago
       Docs: man:firewalld(1)
   Main PID: 1079 (firewalld)
      Tasks: 2 (limit: 18853)
     Memory: 46.2M
     CGroup: /system.slice/firewalld.service
             └─1079 /usr/bin/python3 /usr/sbin/firewalld nofork nopid

Apr 28 17:56:17 saraan firewalld1079: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by t>
Apr 28 17:56:17 saraan firewalld1079: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain> 
Apr 28 17:56:17 saraan firewalld1079: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain>

Switching the backend for firewalld from nftables to iptables did fix my issue. Thanks Twitter.
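
The backend switch described above, as an added example that is not part of the original post: shell helpers that count the failed DOCKER chain calls in firewalld's log, read the configured backend, and change it while keeping a backup. FirewallBackend in /etc/firewalld/firewalld.conf is firewalld's own setting; the function names and the CONF variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: inspect and switch firewalld's FirewallBackend setting.
# CONF is this example's own variable; override it to rehearse on a copy.
CONF="${CONF:-/etc/firewalld/firewalld.conf}"

# Print the backend configured in file $1; a missing key prints "unset".
get_backend() {
    b=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    echo "${b:-unset}"
}

# Set FirewallBackend to $2 in file $1, keeping the original as $1.bak.
set_backend() {
    case "$2" in
        iptables|nftables) ;;
        *) echo "unsupported backend: $2" >&2; return 2 ;;
    esac
    cp -p "$1" "$1.bak" || return 1
    if grep -q '^[[:space:]]*FirewallBackend[[:space:]]*=' "$1"; then
        # Rewrite the existing key in place; every other line is untouched.
        sed 's/^[[:space:]]*FirewallBackend[[:space:]]*=.*/FirewallBackend='"$2"'/' "$1.bak" > "$1"
    else
        # Key absent: append it, adding a newline first if the file lacks one.
        if [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
        printf 'FirewallBackend=%s\n' "$2" >> "$1"
    fi
}

# Count firewalld warnings about failed iptables calls on Docker's chains
# (the pattern in the status output above). Reads log text on stdin.
count_docker_chain_failures() {
    grep -c "COMMAND_FAILED: '/usr/sbin/iptables .* DOCKER" || true
}

# Typical use on the affected host, as root:
#   journalctl -b -u firewalld | count_docker_chain_failures
#   get_backend "$CONF"
#   set_backend "$CONF" iptables
#   systemctl restart firewalld    # load the new backend
#   systemctl restart docker       # let Docker recreate its chains
```

Keeping the .bak copy makes it easy to diff the change or return to nftables once the Docker packages work with it.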