Gentoo Forums
Docker container adds default route via veth?
Gentoo Forums Forum Index :: Networking & Security
SpiderPigLoki (Tux's lil' helper; Joined: 22 Aug 2008; Posts: 86)
Posted: Thu Jun 11, 2020 11:43 am    Post subject: Docker container adds default route via veth?

Hello everybody,

whenever I start a docker container, it automatically adds a new default route
Code:
user@Gentoo ~ $ ip r                                                     
default dev veth4877ada scope link
default via 192.168.189.1 dev wlan0
169.254.0.0/16 dev veth4877ada proto kernel scope link src 169.254.70.173
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.189.0/24 dev wlan0 proto kernel scope link src 192.168.189.34


As a result my system (host and docker containers) cannot use the internet anymore, since both do not use the real default route to my wlan0, but want to use the first line.
The value for veth is different every time, since the container ID is random and both are connected (as far as I understood).

Why does this happen? I remember a time, when this was not the case.

My Docker-containers are started without any --net options. For example running
Code:
docker container run -d -p 8080:80 --name webserver httpd

and just waiting some minutes (maybe one, maybe two) will result in the new default route.

According to docker info, this is my network-setup for docker
Code:
Network: bridge host ipvlan macvlan null overlay


/etc/conf.d/docker does not contain any settings (everything commented out) and my user is member of the docker group.


Code:

[ebuild   R    ] net-misc/iputils-20190709-r1::gentoo  USE="arping filecaps gcrypt ipv6 nls ssl -SECURITY_HAZARD -caps -clockdiff -doc -idn -libressl -nettle -rarpd -rdisc -static -tftpd -tracepath -traceroute6" 422 KiB
[ebuild   R    ] app-emulation/docker-19.03.8::gentoo  USE="btrfs container-init hardened overlay seccomp -apparmor -aufs -device-mapper" 17,069 KiB

Total: 2 packages (2 reinstalls), Size of downloads: 17,490 KiB


Please let me know, if there is anything else missing.

Cheers!
SPL
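A small diagnostic check for the symptom described in the post above, added here as an example and not part of the thread: it reads `ip r` output and flags every default route whose `dev` is a veth*/docker* device instead of the real uplink. The routing table from the post is embedded as a constructed sample so the script runs offline; the function names `rogue_default_routes` and `count_rogue_default_routes` and the `--live` switch are my own.

```shell
#!/bin/sh
# Added example (not from the thread): detect a default route that points at a
# container-side virtual device (veth*, docker*) rather than the real uplink.

# Constructed sample: the routing table shown in the first post.
SAMPLE_ROUTES='default dev veth4877ada scope link
default via 192.168.189.1 dev wlan0
169.254.0.0/16 dev veth4877ada proto kernel scope link src 169.254.70.173
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.189.0/24 dev wlan0 proto kernel scope link src 192.168.189.34'

# rogue_default_routes: reads `ip r` lines on stdin and prints
# "<dev>: <route line>" for each default route whose device matches
# veth* or docker*. Exit status 0 when the table is clean, 1 otherwise,
# so it can be used directly in an `if` or from a cron job.
rogue_default_routes() {
    awk '
        $1 == "default" {
            dev = ""
            # the device name follows the "dev" keyword wherever it appears
            for (i = 2; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev ~ /^(veth|docker)/) { print dev ": " $0; found = 1 }
        }
        END { if (found) exit 1; exit 0 }
    '
}

# count_rogue_default_routes: same check, but yields the number of offending
# routes on stdout (handy for scripting or a monitoring metric).
count_rogue_default_routes() {
    rogue_default_routes | wc -l | tr -d ' '
}

# Usage: `sh check-route.sh --live` inspects the running host; without the
# flag the constructed sample is checked, which reproduces the post's problem.
if [ "${1:-}" = "--live" ]; then
    ip r | rogue_default_routes || echo "rogue default route(s) found"
else
    printf '%s\n' "$SAMPLE_ROUTES" | rogue_default_routes || echo "rogue default route(s) found"
fi
```

Run it once before starting a container and once a minute or two afterwards; the moment the veth route appears the check starts returning 1, which pins down when (and, by comparing with `ip monitor route`, by whom) the route is being added.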
alamahant (Guru; Joined: 23 Mar 2019; Posts: 555)
Posted: Thu Jun 11, 2020 12:39 pm

Hi, please have a look at this:
https://docs.docker.com/network/bridge/
In the network stanza, try to remove the default gateway line and check if there is a way to add a route instead of the gateway,
something like this in /etc/docker/daemon.json
Code:

{
  "bip": "192.168.1.5/24",
  "fixed-cidr": "192.168.1.5/25",
  "fixed-cidr-v6": "2001:db8::/64",
  "mtu": 1500,
#  "default-gateway": "10.20.1.1",
#  "default-gateway-v6": "2001:db8:abcd::89",
<enter a route line here but you will have to read the manual how to do this>
  "dns": ["10.20.1.2","10.20.1.3"]
}

However, this should not be happening...
Docker heavily relies on iptables.
Do you have FULLY functional iptables?
You can also check
Code:

grep -i netfilter /usr/src/linux/.config

The more you have the better, especially also anything to do with bridges.
Also you need IP forwarding enabled in sysctl.
Maybe "ebtables" wouldn't hurt either.
:D
coderanger (Apprentice; Joined: 19 Sep 2018; Posts: 162)
Posted: Thu Jun 11, 2020 10:21 pm

It is possible that NetworkManager (if you have it installed) wants to take possession of docker interfaces.
Excerpt from my /etc/NetworkManager/NetworkManager.conf :
Quote:

[keyfile]
unmanaged-devices=interface-name:veth*;interface-name:docker*
SpiderPigLoki (Tux's lil' helper; Joined: 22 Aug 2008; Posts: 86)
Posted: Fri Jun 12, 2020 8:58 am

Hello everyone,

thanks for the replies.

1.) I will first check the kernel - judging by this output it can't hurt ;)
Code:

/usr/share/docker/contrib/check-config.sh | grep missing
- apparmor: enabled, but apparmor_parser missing
- CONFIG_NF_NAT_IPV4: missing
- CONFIG_NETFILTER_XT_MATCH_IPVS: missing
- CONFIG_NF_NAT_NEEDED: missing
- CONFIG_BLK_DEV_THROTTLING: missing
- CONFIG_IOSCHED_CFQ: missing
- CONFIG_CFQ_GROUP_IOSCHED: missing
- CONFIG_CGROUP_PERF: missing
- CONFIG_CGROUP_HUGETLB: missing
- CONFIG_NET_CLS_CGROUP: missing
- CONFIG_CGROUP_NET_PRIO: missing
- CONFIG_CFS_BANDWIDTH: missing
- CONFIG_RT_GROUP_SCHED: missing
- CONFIG_IP_NF_TARGET_REDIRECT: missing
- CONFIG_IP_VS: missing
- CONFIG_IP_VS_NFCT: missing
- CONFIG_IP_VS_PROTO_TCP: missing
- CONFIG_IP_VS_PROTO_UDP: missing
- CONFIG_IP_VS_RR: missing
- CONFIG_EXT3_FS: missing
- CONFIG_EXT3_FS_XATTR: missing
- CONFIG_EXT3_FS_POSIX_ACL: missing
- CONFIG_EXT3_FS_SECURITY: missing
- CONFIG_INET_XFRM_MODE_TRANSPORT: missing
- CONFIG_IPVLAN: missing
- CONFIG_DUMMY: missing
- CONFIG_NF_NAT_TFTP: missing
- CONFIG_NF_CONNTRACK_TFTP: missing
- CONFIG_AUFS_FS: missing
- CONFIG_DM_THIN_PROVISIONING: missing
- /dev/zfs: missing
- zfs command: missing
- zpool command: missing




2.) NetworkManager is installed (I think because virt-manager is pulling it in - I use WPA-Supplicant / WPA-GUI for Wifi).
I will check the kernel for now and then tackle the issue of NetworkManager.

Cheers!
kfiadeg (n00b; Joined: 04 May 2006; Posts: 43; Location: Republic of Poland)
Posted: Mon Jun 22, 2020 11:24 am

Hello there.

I am facing similar issues, but more often my connection to the Internet is lost when I'm STARTING or STOPPING a stack of containers with docker-compose.

It started to happen when I upgraded my kernel from 4.x to 5.x (currently it is 5.4.28).

I have not invented a solution yet. I must always restart my physical network device completely:

Code:
/etc/init.d/net.enp5s0 restart


It is driving me mad.

@SpiderPigLoki can you (or anybody) point me to a way to fix this?

Below I present the result of grep -i netfilter /usr/src/linux/.config:

Code:
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=m
# Core Netfilter Configuration
# CONFIG_NETFILTER_INGRESS is not set
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_FAMILY_BRIDGE=y
# CONFIG_NETFILTER_NETLINK_ACCT is not set
# CONFIG_NETFILTER_NETLINK_QUEUE is not set
CONFIG_NETFILTER_NETLINK_LOG=y
# CONFIG_NETFILTER_NETLINK_OSF is not set
# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
# CONFIG_NETFILTER_XT_CONNMARK is not set
# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
# CONFIG_NETFILTER_XT_TARGET_CLASSIFY is not set
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
# CONFIG_NETFILTER_XT_TARGET_HL is not set
# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
# CONFIG_NETFILTER_XT_TARGET_LED is not set
CONFIG_NETFILTER_XT_TARGET_LOG=m
# CONFIG_NETFILTER_XT_TARGET_MARK is not set
CONFIG_NETFILTER_XT_NAT=m
# CONFIG_NETFILTER_XT_TARGET_NETMAP is not set
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
# CONFIG_NETFILTER_XT_TARGET_REDIRECT is not set
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
# CONFIG_NETFILTER_XT_TARGET_TEE is not set
# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
# CONFIG_NETFILTER_XT_MATCH_BPF is not set
# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
# CONFIG_NETFILTER_XT_MATCH_CLUSTER is not set
# CONFIG_NETFILTER_XT_MATCH_COMMENT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set
# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
# CONFIG_NETFILTER_XT_MATCH_CONNLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNMARK is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
# CONFIG_NETFILTER_XT_MATCH_CPU is not set
# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
# CONFIG_NETFILTER_XT_MATCH_DEVGROUP is not set
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
# CONFIG_NETFILTER_XT_MATCH_ECN is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
# CONFIG_NETFILTER_XT_MATCH_HL is not set
# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
CONFIG_NETFILTER_XT_MATCH_IPVS=m
# CONFIG_NETFILTER_XT_MATCH_L2TP is not set
# CONFIG_NETFILTER_XT_MATCH_LENGTH is not set
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_MAC is not set
# CONFIG_NETFILTER_XT_MATCH_MARK is not set
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
# CONFIG_NETFILTER_XT_MATCH_OSF is not set
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
CONFIG_NETFILTER_XT_MATCH_POLICY=y
# CONFIG_NETFILTER_XT_MATCH_PHYSDEV is not set
# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
CONFIG_NETFILTER_XT_MATCH_STATE=y
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
# CONFIG_NETFILTER_XT_MATCH_STRING is not set
# CONFIG_NETFILTER_XT_MATCH_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_TIME is not set
# CONFIG_NETFILTER_XT_MATCH_U32 is not set
# end of Core Netfilter Configuration
# IP: Netfilter Configuration
# end of IP: Netfilter Configuration
# IPv6: Netfilter Configuration
# end of IPv6: Netfilter Configuration
# iptables trigger is under Netfilter config (LED target)
alamahant (Guru; Joined: 23 Mar 2019; Posts: 555)
Posted: Mon Jun 22, 2020 11:28 am

Maybe you should try with these
Code:

CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=m
# Core Netfilter Configuration
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_FAMILY_BRIDGE=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_OSF=m
CONFIG_NETFILTER_CONNCOUNT=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
CONFIG_NETFILTER_XT_MATCH_L2TP=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m

kfiadeg (n00b; Joined: 04 May 2006; Posts: 43; Location: Republic of Poland)
Posted: Mon Jun 22, 2020 11:36 am

Everything on? Hmm, I will give it a try, but this looks like a "brute force" solution ;-) Thanks @alamahant.

I forgot to mention that the issue I've described happens on two separate machines and - what is especially driving me mad - it does not always happen, but only from time to time.

I found another thread on this forum which might be related: https://forums.gentoo.org/viewtopic-t-1105886.html

Note: No iptables are configured on the host machine(s).
SpiderPigLoki (Tux's lil' helper; Joined: 22 Aug 2008; Posts: 86)
Posted: Tue Jun 23, 2020 10:56 am

Hello everybody,

still no success on my end - issue still persists.

I have enabled all of the NETFILTER-options mentioned by alamahant.
SpiderPigLoki (Tux's lil' helper; Joined: 22 Aug 2008; Posts: 86)
Posted: Tue Jun 23, 2020 8:54 pm

Okay, played around a bit - without success.

- all iptables and docker stuff was removed (e.g. config files and /var/lib/iptables/rules-save)
- emerge -C iptables app-emulation/docker
- the following line in package.use/world:
Code:

net-firewall/iptables nftables pcap conntrack

- ebtables was removed because it was blocking the nftables USE flag with iptables
- changed /etc/conf.d/iptables to not save on stop
- when running iptables -L, docker rules were already present (more on that later)
- ran flushing commands for iptables (https://serverfault.com/a/200658)
Code:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X


- Result: Bloody thing still shows up!!! :( WITH EMPTY IPTABLES PEOPLE *going crazy here*
Quote:

And in all cases, I have nothing in place for docker, not even the DOCKER-ISOLATION chain - docker normally puts that in place when it starts up.


Source: https://serverfault.com/a/840098

If iptables really is to blame, then wouldn't that mean that the package is broken or something?
I have done nothing in regards to iptables and still the thing shows up.
Will compare the Gentoo with Ubuntu rules and see if I can spot a difference.


EDIT:
When I start and stop the container /var/log/messages shows the following:
Code:
Jun 24 00:18:07 Gentoo kernel: [11521.687371] IPv6: ADDRCONF(NETDEV_CHANGE): vethe08cd74: link becomes ready
Jun 24 00:18:07 Gentoo kernel: [11521.687490] IPv6: ADDRCONF(NETDEV_CHANGE): vetha9acbf2: link becomes ready
Jun 24 00:18:07 Gentoo kernel: [11521.688755] docker0: port 1(vethe08cd74) entered blocking state
Jun 24 00:18:07 Gentoo kernel: [11521.688760] docker0: port 1(vethe08cd74) entered disabled state
Jun 24 00:18:07 Gentoo kernel: [11521.689343] device vethe08cd74 entered promiscuous mode
Jun 24 00:18:07 Gentoo kernel: [11521.689591] docker0: port 1(vethe08cd74) entered blocking state
Jun 24 00:18:07 Gentoo kernel: [11521.689596] docker0: port 1(vethe08cd74) entered forwarding state
Jun 24 00:18:07 Gentoo kernel: [11521.861043] docker0: port 1(vethe08cd74) entered disabled state
Jun 24 00:18:07 Gentoo kernel: [11521.861505] eth0: renamed from vetha9acbf2
Jun 24 00:18:07 Gentoo kernel: [11521.868502] IPv6: ADDRCONF(NETDEV_CHANGE): vethe08cd74: link becomes ready
Jun 24 00:18:07 Gentoo kernel: [11521.868527] docker0: port 1(vethe08cd74) entered blocking state
Jun 24 00:18:07 Gentoo kernel: [11521.868528] docker0: port 1(vethe08cd74) entered forwarding state
Jun 24 00:19:04 Gentoo kernel: [11579.503928] vetha9acbf2: renamed from eth0
Jun 24 00:19:04 Gentoo kernel: [11579.526191] docker0: port 1(vethe08cd74) entered disabled state
Jun 24 00:19:04 Gentoo kernel: [11579.526842] IPv6: ADDRCONF(NETDEV_CHANGE): vetha9acbf2: link becomes ready
Jun 24 00:19:04 Gentoo kernel: [11579.526964] docker0: port 1(vethe08cd74) entered blocking state
Jun 24 00:19:04 Gentoo kernel: [11579.526968] docker0: port 1(vethe08cd74) entered forwarding state
Jun 24 00:19:04 Gentoo kernel: [11579.552747] docker0: port 1(vethe08cd74) entered disabled state
Jun 24 00:19:04 Gentoo kernel: [11579.553166] device vethe08cd74 left promiscuous mode
Jun 24 00:19:04 Gentoo kernel: [11579.553170] docker0: port 1(vethe08cd74) entered disabled state


As you can see I left the container running for 57 seconds. In that time the evil veth device (vethe08cd74 in this instance) appears in the routing table and messes everything up. This is not reflected in the messages. The only times there is something logged is when I start the container and exit it.

Cheers!
SPL
coderanger (Apprentice; Joined: 19 Sep 2018; Posts: 162)
Posted: Tue Jun 23, 2020 10:44 pm

SpiderPigLoki wrote:
when running iptables -L docker rules were already present ( more on that later)

I don't think iptables can set the default route therefore the problem is not there.

SpiderPigLoki wrote:
In that time the evil veth device (vethe08cd74 is this instance) appears in routing table and messes everything up

This is exactly how network managers work in general: you connected a new "device", the manager thinks it's the most actual network adapter and rebuilds routing table.
SpiderPigLoki (Tux's lil' helper; Joined: 22 Aug 2008; Posts: 86)
Posted: Wed Jun 24, 2020 8:02 am

It appears that I have found something along the lines of a workaround (maybe even solution).

It pains me to write this, but it seems that my beloved OpenRC / netifrc is at fault.

Removing net-misc/networkmanager, emerging openrc without the netifrc USE flag and rebooting solved the issue.

It seems that netifrc added the new device again and again and again, just like coderanger suggested.

For the time being I am going to stick with this solution.


Thanks a lot for all the help.
coderanger (Apprentice; Joined: 19 Sep 2018; Posts: 162)
Posted: Wed Jun 24, 2020 9:48 am

SpiderPigLoki wrote:
After removing net-misc/networkmanager; emerging openrc without netifrc-use-flag and rebooting solved the issue.

Life without a network configuration framework can be boring, and it sounds more like a workaround for the problem than the actual solution. Only one framework can be run at the same time, either netifrc or NetworkManager. Not both.
I'm sharing my NetworkManager setup here in the hope it will help find a better solution. I did not enable the netifrc flag and I do not use it at all. All the network configuration is done by NetworkManager.
Code:
[ebuild   R    ] net-misc/networkmanager-1.18.6::gentoo  USE="bluetooth dhclient (elogind) introspection modemmanager ncurses nss (policykit) wext wifi -audit -connection-sharing (-consolekit) -dhcpcd -gnutls -iwd -json -ofono -ovs -ppp -resolvconf (-selinux) (-systemd) -teamd -test -vala" 0 KiB

And this is how I told NetworkManager to ignore the hostname provided by the wi-fi access point and to ignore veth* and docker* devices:
Code:
$ cat /etc/NetworkManager/NetworkManager.conf
[main]
plugins=keyfile

[keyfile]
hostname=box
unmanaged-devices=interface-name:veth*;interface-name:docker*
kfiadeg (n00b; Joined: 04 May 2006; Posts: 43; Location: Republic of Poland)
Posted: Wed Jun 24, 2020 9:44 pm

Nice talk here. It's motivating :)

So - after what coderanger said - there should also be a way for the netifrc subsystem to configure ignored (unmanaged) devices.
So far I have only come across the functions preup(), predown(), postup(), postdown(), failup() and faildown() as a possible solution. They can rely on the ${IFACE} variable, which is set to the interface being brought up/down.

I have not invented the solution yet, though.

I will now dig into https://github.com/gentoo/netifrc/blob/master/doc/net.example.Linux.in
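What such a netifrc hook could look like, as an added example that is neither kfiadeg's code nor anything from the netifrc project. It uses the preup() function and the ${IFACE} variable named in the post above, and assumes netifrc's documented behaviour from net.example: preup() runs before an interface is configured, and a non-zero return aborts bringing it up. The helper `is_container_iface`, the `br-*` pattern (docker-compose's per-project bridges) and the fallback `ewarn` definition are my additions. Whether netifrc actually passes Docker's hot-plugged veth devices through this hook on a given system is not settled in this thread, so treat it as the starting point for the experiment rather than a confirmed fix.

```shell
#!/bin/sh
# Added example (not from the thread): a netifrc preup() hook, in the style of
# /etc/conf.d/net, that declines to configure Docker-managed interfaces so the
# framework never installs a default route through a veth device.
# Assumption: netifrc calls preup() with ${IFACE} set and a non-zero return
# aborts bringing that interface up (as described in net.example).

# netifrc/openrc provide ewarn; define a plain fallback so the hook can be
# exercised from an ordinary shell as well.
if ! command -v ewarn >/dev/null 2>&1; then
    ewarn() { printf 'warning: %s\n' "$*" >&2; }
fi

# is_container_iface: 0 when the name looks like a device Docker owns.
#   veth*   - container-side/host-side veth pairs
#   docker* - the default docker0 bridge
#   br-*    - docker-compose per-project bridges (assumed naming)
is_container_iface() {
    case "$1" in
        veth*|docker*|br-*) return 0 ;;
        *) return 1 ;;
    esac
}

# preup: leave container plumbing to the docker daemon; let real uplinks
# (wlan0, enp5s0, ...) proceed through netifrc as usual.
preup() {
    if is_container_iface "${IFACE}"; then
        ewarn "${IFACE}: managed by docker, skipping netifrc configuration"
        return 1
    fi
    return 0
}

# Usage: dry-run the hook against a few interface names.
for IFACE in veth4877ada docker0 wlan0 enp5s0; do
    if preup 2>/dev/null; then
        echo "$IFACE: netifrc would configure it"
    else
        echo "$IFACE: netifrc would leave it alone"
    fi
done
```

After adding the hook, the check is the same as for any other hypothesis in this thread: start a container, wait a minute or two, and confirm with `ip r` that the only default route still points at the real uplink.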
kfiadeg (n00b; Joined: 04 May 2006; Posts: 43; Location: Republic of Poland)
Posted: Tue Aug 25, 2020 8:41 am

For whom it may concern:
  1. I have failed trying to set up netifrc so it would ignore setting the default route for certain devices
  2. I have noticed that OpenVPN was also setting a new default route from time to time upon disconnection
  3. I have used genkernel to generate a new kernel - with most (if not all) IP tables features compiled as modules - this helped, overwriting the default route stopped happening
  4. I have finally created a brand new config (make defconfig) for kernel 5.4.48, adjusted it a little bit, made sure that all options required by docker are compiled in* and - since then (it is just a few days now) - everything works properly

*) I've done it with the help of two simple supplementary community scripts:

Both extract information about kernel requirements from the ebuilds of currently installed packages and print it out to the console (the same that shows up when installing a package). Thank you good people from the #gentoo IRC channel on irc.freenode.net !!!

Hope it helps.