I've installed docker-ce on RHEL 8 and everything seems to work fine, except that docker containers do not have any network access. I have the firewalld service disabled and selinux in permissive mode. For example, I create a container running Alpine with the following command:
docker run -it alpine /bin/sh
Inside the container, ifconfig returns:
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:25 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2101 (2.0 KiB)  TX bytes:0 (0.0 B)
But I am not able to execute ping, apk, or anything that relies on egress. I can establish ingress access by specifying which port to bind with the host. For example, this works:
docker run --name docker-nginx -p 80:80 nginx
But no egress works in that example either. Using docker on RHEL 7, ingress and egress work fine. How do I enable egress networking on RHEL 8 with docker-ce?
With firewalld enabled, I noticed these messages in systemctl status firewalld:
WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-ab206699df7f -o br-ab206699df7f -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Although as mentioned, even with firewalld service disabled, egress does not work.
As pointed out by @larsks, the problem was that I needed to restart the docker-ce service after stopping firewalld.
systemctl restart docker
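The reason the restart helps is that Docker programs its egress path into iptables (a nat MASQUERADE rule for the bridge subnet plus FORWARD accept rules for the bridge), and when firewalld stops or reloads it flushes those tables, taking Docker's rules with it; `systemctl restart docker` recreates them. The following script is an added example, not code from the original post or from Docker: it checks an `iptables-save` dump for the three rules Docker needs for bridge egress and reports which are missing, so you can confirm the diagnosis before restarting. The bridge name `docker0` and subnet `172.17.0.0/16` are the defaults shown in the post; the sample dumps are constructed, and the rule text is what docker-ce writes for the default bridge (for a user-defined network such as the `br-ab206699df7f` bridge in the post, pass that bridge and its subnet instead).

```shell
#!/bin/sh
# Added example (not from the original post): check an iptables-save dump for the
# rules Docker installs for container egress. A firewalld stop/reload flushes
# them; `systemctl restart docker` puts them back.

# Constructed sample of a healthy dump, trimmed to the relevant lines.
HEALTHY_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT'

# Constructed sample of what remains after firewalld flushed Docker's rules:
# the FORWARD policy is still DROP, so container traffic is silently dropped.
FLUSHED_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT'

# has_rule DUMP RULE: true if the exact rule line is present in the dump.
has_rule() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# check_docker_egress_rules DUMP [BRIDGE] [SUBNET]
# Prints each missing rule; returns the number of missing rules (0 = healthy).
check_docker_egress_rules() {
    dump=$1
    bridge=${2:-docker0}
    subnet=${3:-172.17.0.0/16}
    missing=0

    # Source NAT: without it, replies never find their way back to the container.
    if ! has_rule "$dump" "-A POSTROUTING -s $subnet ! -o $bridge -j MASQUERADE"; then
        echo "missing: nat MASQUERADE for $subnet via $bridge"
        missing=$((missing + 1))
    fi
    # Outbound forwarding from the bridge to any other interface.
    if ! has_rule "$dump" "-A FORWARD -i $bridge ! -o $bridge -j ACCEPT"; then
        echo "missing: FORWARD accept from $bridge (dropped by FORWARD policy)"
        missing=$((missing + 1))
    fi
    # Return traffic for connections the container opened.
    if ! has_rule "$dump" "-A FORWARD -o $bridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"; then
        echo "missing: FORWARD accept of established traffic back to $bridge"
        missing=$((missing + 1))
    fi
    return $missing
}

# report LABEL DUMP: human-readable verdict for one dump.
report() {
    printf '== %s ==\n' "$1"
    if check_docker_egress_rules "$2"; then
        echo "docker egress rules present"
    else
        echo "docker rules missing; on RHEL 8 run: systemctl restart docker"
    fi
}

# Use the live ruleset when running as root with iptables available,
# otherwise demonstrate on the constructed samples.
if [ "$(id -u)" -eq 0 ] && command -v iptables-save >/dev/null 2>&1; then
    report "live iptables-save" "$(iptables-save 2>/dev/null)"
else
    report "constructed healthy dump" "$HEALTHY_DUMP"
    report "constructed flushed dump" "$FLUSHED_DUMP"
fi
```

Run it as root on the affected host; if it reports missing rules while `ip_forward` is enabled, the firewalld flush is the cause and the restart from the answer is the fix. Note that a later firewalld restart flushes the rules again, so on RHEL 8 the durable fix is to keep firewalld running and restart docker after it, rather than toggling firewalld while docker is up.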