
Resolved Docker outbound traffic gets blocked after 18.0.67 Update #3

Just to be sure: Are we sure this will be fixed in the next docker release? If not, the problem will just reappear.
I can't confirm that yet.

Thank you, but this doesn’t sound like a real fix. When will there be an official and reliable fix for this solution, as there is a lot of production stuff running in containers?
That's not an official fix; it is just the workaround our engineers suggested for the time being. We understand that is not ideal for a production environment; the case is still under active investigation.

Wouldn't we lose our docker containers and configs if we uninstall the current docker engine? Or do I miss something here?
You won't lose the containers, but they will be restarted. Apologies for not clarifying that earlier. If you do not feel confident in performing the task, please disable the firewall rule instead. I will provide more details as soon as possible.
 
Everyone, thank you for your patience. The case was investigated by our engineers and they determined the root cause to be Docker adding new firewall forwarding rules to the end after DROP:



The workaround is:

  1. Connect to the Plesk server via SSH.
  2. Block installation of this version:


    Ubuntu:

    Debian:
  3. Remove installed version:
Afterward, the latest available version 27.5.1 will be installed. I hope that helps!
Let me know if instructions are needed for another OS/version, please.

Thank you for this "better" workaround (compared to disabling the firewall or allowing forwarding).

Running Ubuntu 20.04 (to be upgraded soon) my block-file looks like this:

Package: docker-ce
Pin: version 5:28.0.0-1~ubuntu.20.04~focal
Pin-Priority: -1

Package: docker-ce-cli
Pin: version 5:28.0.0-1~ubuntu.20.04~focal
Pin-Priority: -1

It works as intended, no containers or data got lost, and now I guess we have to wait until we hear back from the Docker guys'n'girls...
 
To sum up, the issue is caused because both Docker and Firewall append rules to the FORWARD chain and after the last update, Docker added its -i docker0 -j ACCEPT after firewall’s DROP. Moving everything to a dedicated DOCKER-FORWARD chain should fix the issue. @TheColin21 about your question, the next release (patch, 28.0.1) may address that - the discussion in question. We have an open case (EXTPLESK-8001) from our end to research what can be improved Firewall-wise.

Another suggested workaround is to add a custom rule in the firewall, allowing forwarding from the docker0 subnet to anything:

  1. Navigate to Tools & Settings > Firewall
  2. Click on the icon with the plus sign to add a new custom rule with the following specifications:
  • Name of the rule: Docker allow forwarding (or anything that will help you easily recognize it)
  • Match direction: Forwarding
  • Action: Allow
  • Ports: -
  • Sources: 172.17.0.0/16 or 172.16.0.0/12 depending on the network bridge used:
    docker network ls
    docker network inspect bridge
  • Destinations: -
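
The rule-ordering problem summarized above can be checked directly from the output of iptables -S FORWARD. The following is an added example, not part of the original post and not Plesk or Docker code: it reports every rule that sits after the first unconditional DROP/REJECT in the FORWARD chain and is therefore never evaluated. The two sample rulesets are constructed for illustration.

```python
import shlex

TERMINAL_DENY = {"DROP", "REJECT"}

def parse_rule(line):
    """Return (match_tokens, target) for an '-A FORWARD ...' line, else None."""
    tokens = shlex.split(line)
    if tokens[:2] != ["-A", "FORWARD"] or "-j" not in tokens:
        return None  # policy lines (-P), other chains, blank lines
    j = tokens.index("-j")
    match, target = tokens[2:j], tokens[j + 1]
    # '-m comment --comment "text"' labels a rule but matches every packet.
    if "--comment" in match and match.index("--comment") >= 2:
        c = match.index("--comment")
        match = match[:c - 2] + match[c + 2:]
    return match, target

def unreachable_rules(iptables_s_output):
    """List FORWARD rules placed after the first catch-all DROP/REJECT."""
    unreachable, deny_seen = [], False
    for raw in iptables_s_output.splitlines():
        line = raw.strip()
        rule = parse_rule(line)
        if rule is None:
            continue
        match, target = rule
        if deny_seen:
            unreachable.append(line)      # first match wins, so this never runs
        elif not match and target in TERMINAL_DENY:
            deny_seen = True              # every packet stops here
    return unreachable

# Constructed sample: the ACCEPT for docker0 was appended after the final DROP.
SAMPLE_BROKEN = """\
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -i docker0 -j ACCEPT
"""

# Constructed sample: an allow rule for the bridge subnet sits before the DROP.
SAMPLE_FIXED = """\
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.17.0.0/16 -j ACCEPT
-A FORWARD -j DROP
"""

if __name__ == "__main__":
    for rule in unreachable_rules(SAMPLE_BROKEN):
        print("unreachable:", rule)
```

On a live server the same function can be fed the real chain, for example by piping the output of iptables -S FORWARD into a small wrapper that reads standard input.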
 
I have to correct myself: I would favor it if it worked; it did not for me...
Did not work for me right away either but after checking with docker network ls that I had a different bridge than the default bridge in use for my container in question, then checking what the subnet of that bridge is with docker network inspect your_network_name and setting that subnet as Sources, it worked.
 
Yeah, that was my problem too. Didn't check my used network as I thought Plesk would probably configure it the same for all installations if not explicitly changed by the user.
I'd suggest changing the generic workaround to use 172.16.0.0/12 as the source subnet as that's the whole reserved IP range normally used by Docker.
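
The subnet mismatch described in the two replies above can be checked before saving the firewall rule. This is an added example, not part of the original posts: it takes the JSON printed by docker network inspect $(docker network ls -q) and lists the bridge networks whose subnet is not covered by the value entered as Sources. The network names and subnets in the sample are constructed.

```python
import ipaddress
import json

def uncovered_networks(inspect_json, firewall_source):
    """Return (name, subnet) for bridge networks outside firewall_source."""
    allowed = ipaddress.ip_network(firewall_source)
    missing = []
    for net in json.loads(inspect_json):
        if net.get("Driver") != "bridge":
            continue  # the workaround is about traffic forwarded from bridges
        # IPAM.Config can be empty or null for networks without a subnet.
        for cfg in (net.get("IPAM") or {}).get("Config") or []:
            subnet = ipaddress.ip_network(cfg["Subnet"])
            covered = (subnet.version == allowed.version
                       and subnet.subnet_of(allowed))
            if not covered:
                missing.append((net["Name"], str(subnet)))
    return missing

# Constructed sample in the shape of 'docker network inspect' output:
# the default bridge, a user-defined bridge, a bridge created with an
# explicit subnet, and the host network (no subnet of its own).
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16"}]}},
    {"Name": "app_net", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.18.0.0/16"}]}},
    {"Name": "custom_net", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "10.10.0.0/24"}]}},
    {"Name": "host", "Driver": "host", "IPAM": {"Config": []}},
])

if __name__ == "__main__":
    for source in ("172.17.0.0/16", "172.16.0.0/12"):
        gaps = uncovered_networks(SAMPLE_INSPECT, source)
        print(source, "does not cover:", gaps or "nothing")
```

An empty result means every bridge subnet on the host falls inside the Sources value; anything listed still needs its own rule or a wider source range.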
 
Everyone, I just wanted to follow up that Docker introduced a fix for the issue that resulted from Docker appending to the FORWARD chain and causing a conflict with iptables. Our engineers performed tests and we can confirm the issue is resolved in version 28.0.1. If you have Docker installed manually, it is required to restart the Docker service after enabling the Plesk Firewall:

systemctl restart docker

I hope the issue is sorted for everybody.
 