Docker Firewalld/iptables WARNING: COMMAND_FAILED
This is more of a warning that these rules already exist. Because the error message is missing, it is not a real error.
See https://github.com/moby/moby/issues/16137
Author by BigGold1310
Updated on September 18, 2022
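Every firewalld message in the question quotes an iptables `-C` (check) or `-L` (list) call. Docker runs those probes before it adds a rule or creates a chain, `iptables -C` exits non-zero by design when the rule is not present, and firewalld reports any non-zero exit of a command passed through it as COMMAND_FAILED. The script below is an added example, not code from the answer or from the linked moby issue: it separates such probe failures from a failed `-A`/`-I`/`-N`/`-D`, which is the case that would actually need attention. The first three sample lines are copied from the question; the fourth, a failed insert, is constructed to show the contrast.

```shell
#!/bin/sh
# Added example (not from the original post): separate firewalld COMMAND_FAILED
# lines that are Docker's read-only probes from ones that record a real failure.

# Constructed sample. Lines 1-3 are copied from the question; line 4 is made up
# to show what a failed insert looks like.
sample_log() {
cat <<'EOF'
Jan 09 19:51:19 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed:
Jan 09 19:51:19 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -n -L DOCKER-USER' failed:
Jan 09 19:51:19 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 10.1.1.56 --dport 80 -j DNAT --to-destination 172.17.0.2:8080 ! -i docker0' failed:
Jan 09 19:51:19 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -I FORWARD -j DOCKER-USER' failed: iptables: No chain/target/match by that name.
EOF
}

# Print the iptables command quoted in a COMMAND_FAILED line (empty if none).
failed_command() {
    printf '%s\n' "$1" | sed -n "s/.*COMMAND_FAILED: '\([^']*\)'.*/\1/p"
}

# probe   : -C (check) or -L (list); a non-zero exit only means "not there yet"
# failure : a command that was meant to change the ruleset and did not
# other   : not a COMMAND_FAILED line at all
classify_line() {
    cmd=$(failed_command "$1")
    if [ -z "$cmd" ]; then echo other; return; fi
    case " $cmd " in
        *" -C "*|*" -L "*) echo probe ;;
        *) echo failure ;;
    esac
}

# Read a journal stream on stdin, print "probes=N failures=M".
summarize_log() {
    probes=0; failures=0
    while IFS= read -r line; do
        case $(classify_line "$line") in
            probe)   probes=$((probes + 1)) ;;
            failure) failures=$((failures + 1)) ;;
        esac
    done
    echo "probes=$probes failures=$failures"
}

# Pass through only the lines that deserve attention.
real_failures() {
    while IFS= read -r line; do
        if [ "$(classify_line "$line")" = failure ]; then printf '%s\n' "$line"; fi
    done
}

sample_log | summarize_log          # probes=3 failures=1
sample_log | real_failures
# On a live host: journalctl -u firewalld -o cat | real_failures
```

The classification keys on the iptables operation only, so it does not care whether the failure text after `failed:` is empty (as in the question) or carries an iptables error.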
Problem
I have a fresh Fedora 27 installation. I installed docker-ce-17.12.0 on it.
Now if I try to start a container like the following:
docker run -d -p 10.1.1.56:80:8080 --restart always --volume /docker/magic_mirror/config:/opt/magic_mirror/config --volume /docker/magic_mirror/modules:/opt/magic_mirror/modules --name magic_mirror bastilimbach/docker-magicmirror
If I look at firewalld I see the following errors:
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2018-01-09 19:51:07 CET; 1min 41s ago
     Docs: man:firewalld(1)
 Main PID: 1227 (firewalld)
    Tasks: 2 (limit: 4915)
   Memory: 40.2M
      CPU: 952ms
   CGroup: /system.slice/firewalld.service
           └─1227 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Jan 09 19:51:19 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed:
Jan 09 19:51:19 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -n -L DOCKER-USER' failed:
Jan 09 19:51:19 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-USER -j RETURN' failed:
Jan 09 19:51:19 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-USER' failed:
Jan 09 19:51:19 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 10.1.1.56 --dport 80 -j DNAT --to-destination 172.17.0.2:8080 ! -i docker0' failed:
Jan 09 19:51:19 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 8080 -j ACCEPT' failed:
Jan 09 19:51:19 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.17.0.2 -d 172.17.0.2 --dport 8080 -j MASQUERADE' failed:
Jan 09 19:52:39 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 10.1.1.56 --dport 80 -j DNAT --to-destination 172.17.0.2:8080 ! -i docker0' failed:
Jan 09 19:52:39 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 8080 -j ACCEPT' failed:
Jan 09 19:52:39 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.17.0.2 -d 172.17.0.2 --dport 8080 -j MASQUERADE' failed:
General Info
docker info
Containers: 1
 Running: 1
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 17.12.0-ce
Storage Driver: devicemapper
 Pool Name: docker-thinpool
 Pool Blocksize: 524.3kB
 Base Device Size: 10.74GB
 Backing Filesystem: xfs
 Udev Sync Supported: true
 Data Space Used: 1.561GB
 Data Space Total: 102GB
 Data Space Available: 100.4GB
 Metadata Space Used: 700.4kB
 Metadata Space Total: 1.07GB
 Metadata Space Available: 1.069GB
 Thin Pool Minimum Free Space: 10.2GB
 Deferred Removal Enabled: true
 Deferred Deletion Enabled: true
 Deferred Deleted Device Count: 0
 Library Version: 1.02.144 (2017-10-06)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 89623f28b87a6004d4b785663257362d1658a729
runc version: b2567b37d7b75eb4cf325b77297b140ea686ce8f
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.14.11-300.fc27.x86_64
Operating System: Fedora 27 (Workstation Edition)
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 31.41GiB
Name: fedora.naef.home
ID: R5N6:WND3:PZI5:HJNF:BCUY:IX7A:VTF3:AQGU:EJ3R:E6JP:WYQ3:Y4UU
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Docker version
Client:
 Version:      17.12.0-ce
 API version:  1.35
 Go version:   go1.9.2
 Git commit:   c97c6d6
 Built:        Wed Dec 27 20:12:17 2017
 OS/Arch:      linux/amd64

Server:
 Engine:
  Version:      17.12.0-ce
  API version:  1.35 (minimum version 1.12)
  Go version:   go1.9.2
  Git commit:   c97c6d6
  Built:        Wed Dec 27 20:14:50 2017
  OS/Arch:      linux/amd64
  Experimental: false
cat /etc/sysconfig/network-scripts/ifcfg-docker0
DEVICE=docker0
STP=no
TYPE=Bridge
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=172.17.0.1
PREFIX=16
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV4_DNS_PRIORITY=100
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
IPV6_DNS_PRIORITY=100
NAME=docker0
UUID=0957d0b2-3ed7-418f-9399-e7b335bd2c3e
ONBOOT=no
ZONE=trusted
cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <interface name="docker0"/>
</zone>
journalctl -f
Jan 09 20:25:06 fedora.naef.home dockerd[1952]: time="2018-01-09T20:25:06.179211912+01:00" level=info msg="Container 94c6657d6c7f47f20a29ab7f82e5ebad929144de319db79317872bcc00960928 failed to exit within 10 seconds of signal 15 - using the force"
Jan 09 20:25:06 fedora.naef.home dockerd[1952]: time="2018-01-09T20:25:06.220316777+01:00" level=warning msg="unknown container" container=94c6657d6c7f47f20a29ab7f82e5ebad929144de319db79317872bcc00960928 module=libcontainerd namespace=plugins.moby
Jan 09 20:25:06 fedora.naef.home dockerd[1952]: time="2018-01-09T20:25:06+01:00" level=info msg="shim reaped" id=94c6657d6c7f47f20a29ab7f82e5ebad929144de319db79317872bcc00960928 module="containerd/tasks"
Jan 09 20:25:06 fedora.naef.home dockerd[1952]: time="2018-01-09T20:25:06.257560260+01:00" level=info msg="ignoring event" module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Jan 09 20:25:06 fedora.naef.home dockerd[1952]: time="2018-01-09T20:25:06.257571381+01:00" level=info msg="ignoring event" module=libcontainerd namespace=plugins.moby topic=/tasks/delete type="*events.TaskDelete"
Jan 09 20:25:06 fedora.naef.home audit: NETFILTER_CFG table=nat family=2 entries=84
Jan 09 20:25:06 fedora.naef.home audit: NETFILTER_CFG table=nat family=2 entries=84
Jan 09 20:25:06 fedora.naef.home audit: NETFILTER_CFG table=filter family=2 entries=140
Jan 09 20:25:06 fedora.naef.home audit: NETFILTER_CFG table=nat family=2 entries=83
Jan 09 20:25:06 fedora.naef.home audit: NETFILTER_CFG table=nat family=2 entries=83
Jan 09 20:25:06 fedora.naef.home kernel: docker0: port 1(veth1efe87b) entered disabled state
Jan 09 20:25:06 fedora.naef.home kernel: vethc9528bb: renamed from eth0
Jan 09 20:25:06 fedora.naef.home NetworkManager[1638]: <info> [1515525906.3229] manager: (vethc9528bb): new Veth device (/org/freedesktop/NetworkManager/Devices/12)
Jan 09 20:25:06 fedora.naef.home systemd-udevd[6272]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jan 09 20:25:06 fedora.naef.home avahi-daemon[1249]: Interface veth1efe87b.IPv6 no longer relevant for mDNS.
Jan 09 20:25:06 fedora.naef.home kernel: docker0: port 1(veth1efe87b) entered disabled state
Jan 09 20:25:06 fedora.naef.home avahi-daemon[1249]: Leaving mDNS multicast group on interface veth1efe87b.IPv6 with address fe80::c830:5dff:fe33:cd5a.
Jan 09 20:25:06 fedora.naef.home audit: ANOM_PROMISCUOUS dev=veth1efe87b prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295
Jan 09 20:25:06 fedora.naef.home kernel: device veth1efe87b left promiscuous mode
Jan 09 20:25:06 fedora.naef.home kernel: docker0: port 1(veth1efe87b) entered disabled state
Jan 09 20:25:06 fedora.naef.home libvirtd[1951]: 2018-01-09 19:25:06.328+0000: 1951: error : virFileReadAll:1390 : Failed to open file '/sys/class/net/vethc9528bb/operstate': No such file or directory
Jan 09 20:25:06 fedora.naef.home libvirtd[1951]: 2018-01-09 19:25:06.329+0000: 1951: error : virNetDevGetLinkInfo:2504 : unable to read: /sys/class/net/vethc9528bb/operstate: No such file or directory
Jan 09 20:25:06 fedora.naef.home avahi-daemon[1249]: Withdrawing address record for fe80::c830:5dff:fe33:cd5a on veth1efe87b.
Jan 09 20:25:06 fedora.naef.home NetworkManager[1638]: <info> [1515525906.3395] device (veth1efe87b): released from master device docker0
Jan 09 20:25:06 fedora.naef.home gnome-shell[2756]: async_got_type: could not read properties for /org/freedesktop/NetworkManager/Devices/12: No such interface 'org.freedesktop.DBus.Properties' on object at path /org/freedesktop/NetworkManager/Devices/12
Jan 09 20:25:06 fedora.naef.home gnome-shell[2756]: async_got_type: could not read properties for /org/freedesktop/NetworkManager/Devices/12: No such interface 'org.freedesktop.DBus.Properties' on object at path /org/freedesktop/NetworkManager/Devices/12
Jan 09 20:25:06 fedora.naef.home kernel: XFS (dm-10): Unmounting Filesystem
Jan 09 20:25:06 fedora.naef.home dockerd[1952]: time="2018-01-09T20:25:06.638002427+01:00" level=info msg="ignoring event" module=libcontainerd namespace=moby topic=/containers/delete type="*events.ContainerDelete"
Jan 09 20:25:06 fedora.naef.home kernel: XFS (dm-10): Mounting V5 Filesystem
Jan 09 20:25:06 fedora.naef.home kernel: XFS (dm-10): Ending clean mount
Jan 09 20:25:06 fedora.naef.home kernel: XFS (dm-10): Unmounting Filesystem
Jan 09 20:25:06 fedora.naef.home kernel: XFS (dm-10): Mounting V5 Filesystem
Jan 09 20:25:06 fedora.naef.home kernel: XFS (dm-10): Ending clean mount
Jan 09 20:25:07 fedora.naef.home kernel: XFS (dm-10): Unmounting Filesystem
Jan 09 20:25:07 fedora.naef.home kernel: XFS (dm-10): Mounting V5 Filesystem
Jan 09 20:25:07 fedora.naef.home kernel: XFS (dm-10): Ending clean mount
Jan 09 20:25:07 fedora.naef.home audit: ANOM_PROMISCUOUS dev=veth48f92ff prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
Jan 09 20:25:07 fedora.naef.home kernel: docker0: port 1(veth48f92ff) entered blocking state
Jan 09 20:25:07 fedora.naef.home kernel: docker0: port 1(veth48f92ff) entered disabled state
Jan 09 20:25:07 fedora.naef.home kernel: device veth48f92ff entered promiscuous mode
Jan 09 20:25:07 fedora.naef.home kernel: IPv6: ADDRCONF(NETDEV_UP): veth48f92ff: link is not ready
Jan 09 20:25:07 fedora.naef.home kernel: docker0: port 1(veth48f92ff) entered blocking state
Jan 09 20:25:07 fedora.naef.home kernel: docker0: port 1(veth48f92ff) entered forwarding state
Jan 09 20:25:07 fedora.naef.home systemd-udevd[6354]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jan 09 20:25:07 fedora.naef.home systemd-udevd[6355]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jan 09 20:25:07 fedora.naef.home NetworkManager[1638]: <info> [1515525907.1143] manager: (vethb62fe93): new Veth device (/org/freedesktop/NetworkManager/Devices/13)
Jan 09 20:25:07 fedora.naef.home systemd-udevd[6355]: Could not generate persistent MAC address for veth48f92ff: No such file or directory
Jan 09 20:25:07 fedora.naef.home systemd-udevd[6354]: Could not generate persistent MAC address for vethb62fe93: No such file or directory
Jan 09 20:25:07 fedora.naef.home NetworkManager[1638]: <info> [1515525907.1168] manager: (veth48f92ff): new Veth device (/org/freedesktop/NetworkManager/Devices/14)
Jan 09 20:25:07 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 10.1.1.56 --dport 80 -j DNAT --to-destination 172.17.0.2:8080 ! -i docker0' failed:
Jan 09 20:25:07 fedora.naef.home audit: NETFILTER_CFG table=nat family=2 entries=82
Jan 09 20:25:07 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 8080 -j ACCEPT' failed:
Jan 09 20:25:07 fedora.naef.home audit: NETFILTER_CFG table=filter family=2 entries=139
Jan 09 20:25:07 fedora.naef.home firewalld[1227]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.17.0.2 -d 172.17.0.2 --dport 8080 -j MASQUERADE' failed:
Jan 09 20:25:07 fedora.naef.home audit: NETFILTER_CFG table=nat family=2 entries=83
Jan 09 20:25:07 fedora.naef.home dockerd[1952]: time="2018-01-09T20:25:07.177440952+01:00" level=info msg="ignoring event" module=libcontainerd namespace=moby topic=/containers/create type="*events.ContainerCreate"
Jan 09 20:25:07 fedora.naef.home dockerd[1952]: time="2018-01-09T20:25:07+01:00" level=info msg="shim docker-containerd-shim started" address="/containerd-shim/moby/f41833e372d588f38d6889be51fb1fd45d82eda1465a6f24b840e7f26948cbdd/shim.sock" debug=false module="containerd/tasks" pid=6371
Jan 09 20:25:07 fedora.naef.home kernel: docker0: port 1(veth48f92ff) entered disabled state
Jan 09 20:25:07 fedora.naef.home kernel: eth0: renamed from vethb62fe93
Jan 09 20:25:07 fedora.naef.home kernel: IPv6: ADDRCONF(NETDEV_CHANGE): veth48f92ff: link becomes ready
Jan 09 20:25:07 fedora.naef.home kernel: docker0: port 1(veth48f92ff) entered blocking state
Jan 09 20:25:07 fedora.naef.home kernel: docker0: port 1(veth48f92ff) entered forwarding state
Jan 09 20:25:07 fedora.naef.home NetworkManager[1638]: <info> [1515525907.3819] device (veth48f92ff): link connected
Jan 09 20:25:07 fedora.naef.home NetworkManager[1638]: <info> [1515525907.3821] device (docker0): link connected
Jan 09 20:25:07 fedora.naef.home dockerd[1952]: time="2018-01-09T20:25:07.440555022+01:00" level=warning msg="unknown container" container=f41833e372d588f38d6889be51fb1fd45d82eda1465a6f24b840e7f26948cbdd module=libcontainerd namespace=plugins.moby
Jan 09 20:25:07 fedora.naef.home dockerd[1952]: time="2018-01-09T20:25:07.458195638+01:00" level=warning msg="unknown container" container=f41833e372d588f38d6889be51fb1fd45d82eda1465a6f24b840e7f26948cbdd module=libcontainerd namespace=plugins.moby
Jan 09 20:25:09 fedora.naef.home avahi-daemon[1249]: Joining mDNS multicast group on interface veth48f92ff.IPv6 with address fe80::1867:1eff:fea3:4277.
Jan 09 20:25:09 fedora.naef.home avahi-daemon[1249]: New relevant interface veth48f92ff.IPv6 for mDNS.
Jan 09 20:25:09 fedora.naef.home avahi-daemon[1249]: Registering new address record for fe80::1867:1eff:fea3:4277 on veth48f92ff.*.
Updated
iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_FedoraWorkstation
-N FWDI_FedoraWorkstation_allow
-N FWDI_FedoraWorkstation_deny
-N FWDI_FedoraWorkstation_log
-N FWDI_trusted
-N FWDI_trusted_allow
-N FWDI_trusted_deny
-N FWDI_trusted_log
-N FWDO_FedoraWorkstation
-N FWDO_FedoraWorkstation_allow
-N FWDO_FedoraWorkstation_deny
-N FWDO_FedoraWorkstation_log
-N FWDO_trusted
-N FWDO_trusted_allow
-N FWDO_trusted_deny
-N FWDO_trusted_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_FedoraWorkstation
-N IN_FedoraWorkstation_allow
-N IN_FedoraWorkstation_deny
-N IN_FedoraWorkstation_log
-N IN_trusted
-N IN_trusted_allow
-N IN_trusted_deny
-N IN_trusted_log
-N OUTPUT_direct
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
-A FORWARD_IN_ZONES -i enp5s0 -g FWDI_FedoraWorkstation
-A FORWARD_IN_ZONES -i docker0 -j FWDI_trusted
-A FORWARD_IN_ZONES -g FWDI_FedoraWorkstation
-A FORWARD_OUT_ZONES -o enp5s0 -g FWDO_FedoraWorkstation
-A FORWARD_OUT_ZONES -o docker0 -j FWDO_trusted
-A FORWARD_OUT_ZONES -g FWDO_FedoraWorkstation
-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_log
-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_deny
-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_allow
-A FWDI_FedoraWorkstation -p icmp -j ACCEPT
-A FWDI_trusted -j FWDI_trusted_log
-A FWDI_trusted -j FWDI_trusted_deny
-A FWDI_trusted -j FWDI_trusted_allow
-A FWDI_trusted -j ACCEPT
-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_log
-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_deny
-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_allow
-A FWDO_trusted -j FWDO_trusted_log
-A FWDO_trusted -j FWDO_trusted_deny
-A FWDO_trusted -j FWDO_trusted_allow
-A FWDO_trusted -j ACCEPT
-A INPUT_ZONES -i enp5s0 -g IN_FedoraWorkstation
-A INPUT_ZONES -i docker0 -j IN_trusted
-A INPUT_ZONES -g IN_FedoraWorkstation
-A IN_FedoraWorkstation -j IN_FedoraWorkstation_log
-A IN_FedoraWorkstation -j IN_FedoraWorkstation_deny
-A IN_FedoraWorkstation -j IN_FedoraWorkstation_allow
-A IN_FedoraWorkstation -p icmp -j ACCEPT
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p udp -m udp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
-A IN_trusted -j IN_trusted_log
-A IN_trusted -j IN_trusted_deny
-A IN_trusted -j IN_trusted_allow
-A IN_trusted -j ACCEPT
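The rule order in this dump is the part of the question that matters for security, and it is easy to miss in the flattened output: FORWARD jumps to DOCKER-USER, DOCKER-ISOLATION and then DOCKER before it reaches firewalld's FORWARD_IN_ZONES, and the DOCKER chain accepts anything DNATed to 172.17.0.2:8080. A connection arriving on enp5s0 for 10.1.1.56:80 is therefore accepted by Docker's own rules and never evaluated against the FedoraWorkstation zone, whose forward chain here allows only ICMP. DOCKER-USER, which holds nothing but RETURN, is the chain Docker leaves for administrator rules. The script below is an added example, not code from the question or the answer; it audits a constructed excerpt of this dump and prints the restriction Docker documents for DOCKER-USER, with the external interface and allowed source network as placeholders rather than values taken from the question.

```shell
#!/bin/sh
# Added example (not from the original post): audit an `iptables -S` dump for
# container ports that Docker accepts ahead of firewalld's zone chains.

# Constructed excerpt of the `iptables -S` output posted in the question.
# On a live host replace this function body with: iptables -S
ruleset() {
cat <<'EOF'
-P FORWARD DROP
-N DOCKER
-N DOCKER-USER
-N FORWARD_IN_ZONES
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-USER -j RETURN
EOF
}

# Position (1-based) of the first FORWARD rule that jumps to chain $1; 0 if none.
forward_jump_index() {
    ruleset | awk -v chain="$1" '
        $1 == "-A" && $2 == "FORWARD" {
            n++
            for (i = 3; i <= NF; i++)
                if ($i == "-j" && $(i + 1) == chain) { found = 1; print n; exit }
        }
        END { if (!found) print 0 }'
}

# Succeeds when FORWARD consults DOCKER before FORWARD_IN_ZONES, i.e. packets
# DNATed to a published port are accepted before any zone rule is evaluated.
docker_bypasses_zones() {
    d=$(forward_jump_index DOCKER)
    z=$(forward_jump_index FORWARD_IN_ZONES)
    [ "$d" -gt 0 ] && [ "$z" -gt 0 ] && [ "$d" -lt "$z" ]
}

# Number of administrator rules in DOCKER-USER (the default -j RETURN is not counted).
docker_user_rule_count() {
    ruleset | awk '$1 == "-A" && $2 == "DOCKER-USER" && !($3 == "-j" && $4 == "RETURN") { c++ }
                   END { print c + 0 }'
}

# Container endpoints the DOCKER chain accepts from outside docker0, as ip:port.
published_container_ports() {
    ruleset | awk '$1 == "-A" && $2 == "DOCKER" && / -j ACCEPT/ {
        ip = ""; port = ""
        for (i = 3; i <= NF; i++) { if ($i == "-d") ip = $(i + 1); if ($i == "--dport") port = $(i + 1) }
        sub(/\/32$/, "", ip); print ip ":" port
    }'
}

# The restriction Docker documents for published ports goes into DOCKER-USER,
# which FORWARD evaluates first. External interface ($1) and allowed source
# network ($2) are placeholders for this host, not values from the question.
suggested_docker_user_rule() {
    printf 'iptables -I DOCKER-USER -i %s ! -s %s -j DROP\n' "$1" "$2"
}

if docker_bypasses_zones; then
    echo "FORWARD jumps to DOCKER (rule $(forward_jump_index DOCKER)) before FORWARD_IN_ZONES (rule $(forward_jump_index FORWARD_IN_ZONES))"
    echo "published container endpoints: $(published_container_ports | tr '\n' ' ')"
fi
if [ "$(docker_user_rule_count)" -eq 0 ]; then
    echo "DOCKER-USER has no administrator rules; example restriction:"
    suggested_docker_user_rule enp5s0 10.1.1.0/24
fi
```

Putting the restriction in DOCKER-USER rather than in a firewalld zone is what makes it effective here: it is the first chain FORWARD jumps to, so it is evaluated before the DOCKER chain's ACCEPT, and Docker does not flush it when it rewrites its own chains.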