Qemu clients lose Internet access on upgrade to Groovy Gorilla

Bug #1903420 reported by Cliff
This bug affects 3 people
Affects: docker (Ubuntu); Status: Confirmed; Importance: Undecided; Assigned to: Unassigned; Milestone: (none)

Bug Description

Starting configuration. Ubuntu 20.04, Qemu (repository version), also the latest Docker snap.

Actions: Upgrade to Ubuntu 20.10. Qemu and Docker will have been upgraded too, I assume.

Result: The system is fine. However, when I start a Qemu client, it can no longer access the Internet (via the host machine).

Investigation: The network is fine. Clients can access the host. Everything checked out. I suspected that there were issues with the iptables.

I discovered that Ubuntu 20.10 had been switched to using nftables rather than the legacy iptables. There are now two iptables command variants - 'iptables-nft' (aliased to 'iptables') and 'iptables-legacy'. Investigation using 'iptables-legacy' showed a rule on the FORWARD chain which dropped all packets. The rule was added by the Docker snap.

I replaced the iptables legacy DROP rule with an ACCEPT rule and the clients were able to access the Internet again. This confirmed the cause of the issue.

I disabled the Docker snap package and rebooted and the legacy rules were not created and the clients could access the Internet via the host.

Conclusion: The Canonical supplied Docker snap is creating the iptables rules using the legacy command, and not the nft version of the command. This is causing the issue with the Qemu client.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in docker (Ubuntu):
status: New → Confirmed
Igor Lidin (guard1an) wrote :

Absolutely true, docker snap creates iptables rules in iptables-legacy space. It took me several hours to realize why my fw configuration doesn't work as expected.

Ted (tedder) wrote :

To work around this, I used `update-alternatives` to change iptables and ip6tables from iptables-nft to iptables-legacy. At least things function now. (I'm using docker.io and putting RKE's Kubernetes on top of it).

It appears that workaround allows the networking to properly work, and also implies that Docker is manipulating the tables using some other method than /usr/sbin/iptables (confirmed in the moby ticket below).

I tried starting dockerd with iptables=false, but Kubernetes really needs thorough networking to function.

Related tickets:
https://github.com/moby/moby/issues/26824
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921600
https://github.com/kubernetes/kubernetes/issues/71305#issuecomment-457573867
https://github.com/kubernetes/kubernetes/pull/82966
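The split described in the bug report (Docker's rules landing in the legacy tables while the rest of the host uses the nft backend) and the update-alternatives workaround in Ted's comment are both easier to reason about if you can see which backend holds the FORWARD drops. The helper below is an added example, not code from the report, Launchpad, Docker or libvirt: it parses `iptables -S FORWARD` style output from either backend and counts lines that drop forwarded traffic. The two sample tables are constructed for illustration; `audit_backend` runs the real binaries only when the script is invoked with `--live` (requires root).

```shell
# Added example for this bug page; not from the report or the docker snap.
# Parses `iptables-legacy -S FORWARD` / `iptables-nft -S FORWARD` output and
# reports FORWARD entries that drop traffic, so a split between the two
# backends can be spotted without reading both tables by hand.

# forward_drops: read `iptables -S FORWARD` output on stdin and print each
# line that sets a DROP policy or appends a DROP rule to FORWARD.
forward_drops() {
    awk '/^-P FORWARD DROP$/ || (/^-A FORWARD / && / -j DROP$/)'
}

# count_forward_drops: number of such lines, printed to stdout.
count_forward_drops() {
    forward_drops | wc -l | tr -d ' '
}

# audit_backend BINARY: run the named iptables binary if installed and
# report how many FORWARD drop entries it holds (needs root for -S).
audit_backend() {
    bin="$1"
    command -v "$bin" >/dev/null 2>&1 || { echo "$bin: not installed"; return 0; }
    n=$("$bin" -S FORWARD 2>/dev/null | count_forward_drops)
    echo "$bin: $n FORWARD drop entry(ies)"
}

# Constructed sample: a legacy table populated by a Docker-style setup, with a
# DROP policy plus a catch-all DROP rule (hypothetical contents, for the demo).
SAMPLE_LEGACY='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -j DROP'

# Constructed sample: the nft backend holding only the libvirt-style ACCEPT rules.
SAMPLE_NFT='-P FORWARD ACCEPT
-A FORWARD -i virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j ACCEPT'

if [ "${1:-}" = "--live" ]; then
    audit_backend iptables-legacy
    audit_backend iptables-nft
else
    echo "legacy sample: $(printf '%s\n' "$SAMPLE_LEGACY" | count_forward_drops) drop entry(ies)"
    echo "nft sample: $(printf '%s\n' "$SAMPLE_NFT" | count_forward_drops) drop entry(ies)"
fi
```

A non-zero count from exactly one backend is the signature of the mixed-backend situation the report describes; the comparison with the samples shows 2 for the legacy table and 0 for the nft one.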
