
Docker on Fedora 31 and 32

For “Developing inside a Container” with Visual Studio Code, one of the requirements is to use Docker Community Edition, as the version of Docker that ships with Fedora is too old and lacks certain features. The new Docker alternative Podman from Red Hat isn’t supported by Visual Studio Code either.

After installing Docker CE on Fedora 31, cgroups version 1 needs to be enabled again, as Linux (and Fedora’s systemd) switched over to cgroups version 2 while Docker still depends on version 1. The commands below re-enable cgroups version 1 on all installed kernels; the change only takes effect after rebooting the system.

$ sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"
$ sudo systemctl reboot

Now, with the upgrade to Fedora 32, something interesting happens: firewalld switches from iptables to nftables as the new way to do firewalling on Linux. This effectively blocks all traffic for the docker0 network and made Molecule fail to build container images for the tests. With a simple test like the one below, the broken situation can be confirmed, as a container can no longer reach a name server.

$ docker run busybox nslookup
 ;; connection timed out; no servers could be reached

One of the solutions is to put containers directly into the host network, but this is unwise as it exposes the containers to the network and makes them directly reachable by others. Another solution that requires fewer changes is to assign the docker0 interface to the trusted zone within firewalld, so that traffic from containers is no longer filtered.

$ sudo firewall-cmd --permanent --zone=trusted --add-interface=docker0
$ sudo firewall-cmd --reload

Running the test case again now gives back the correct result, as the container can once more reach the assigned name server via the docker0 interface.

$ docker run busybox nslookup
 Non-authoritative answer:
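To check whether both fixes from this post are in place on a machine, the following POSIX shell script is an added example (not part of the original post): it parses a kernel command line and the interface listing of the firewalld trusted zone, and reports which step is still missing. The inputs shown are constructed samples; feeding the live values is shown in a comment.

```sh
#!/bin/sh
# Added example: pre-flight checks for the cgroups v1 and docker0/firewalld fixes.

# Return 0 if the kernel command line pins systemd to the legacy (v1) cgroup hierarchy,
# i.e. contains the exact argument set with grubby above.
cgroup_v1_forced() {
  cmdline="$1"
  case " $cmdline " in
    *" systemd.unified_cgroup_hierarchy=0 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if interface $1 appears in $2, the output of
# `firewall-cmd --zone=trusted --list-interfaces` (space separated names).
iface_in_trusted_zone() {
  iface="$1"
  listing="$2"
  for i in $listing; do
    [ "$i" = "$iface" ] && return 0
  done
  return 1
}

# Print one line per missing fix, or "ok" when both are applied.
# Returns non-zero when something is still missing.
docker_fix_status() {
  missing=0
  if ! cgroup_v1_forced "$1"; then
    echo "cgroup v1 not enabled: run grubby --update-kernel=ALL --args=\"systemd.unified_cgroup_hierarchy=0\" and reboot"
    missing=1
  fi
  if ! iface_in_trusted_zone docker0 "$2"; then
    echo "docker0 not in trusted zone: run firewall-cmd --permanent --zone=trusted --add-interface=docker0 and firewall-cmd --reload"
    missing=1
  fi
  [ "$missing" -eq 0 ] && echo ok
  return "$missing"
}

# Constructed sample: cgroups already pinned, but docker0 still not in the trusted zone.
# On a real host use:
#   docker_fix_status "$(cat /proc/cmdline)" "$(sudo firewall-cmd --zone=trusted --list-interfaces)"
docker_fix_status "BOOT_IMAGE=/vmlinuz root=/dev/sda1 systemd.unified_cgroup_hierarchy=0" "virbr0" || true
```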

While this solves the problems with Docker for now, it is good to know that these changes should be temporary: Docker needs to support cgroups version 2, as support for version 1 may be dropped in the future. Secondly, firewalld needs to get proper nftables support, as the migration from iptables currently isn’t as smooth as it should be.

By Hans Spaans

Unix & security consultant with a passion for Linux, Solaris, PostgreSQL, Perl and network services, but also a strong believer in open and free source, standards and content.
