
Issue Docker outbound traffic gets blocked after 18.0.67 Update #3

Just to be sure: Are we sure this will be fixed in the next docker release? If not, the problem will just reappear.
I can't confirm that yet.

Thank you but this doesn’t sound like a real fix. When will there be an official and reliable fix for this solution as there are many running production stuff in containers.
That's not an official fix, it is just the workaround our engineers suggested for the time being. We understand that it is not ideal for a production environment; the case is still under active investigation.

Wouldn't we lose our docker containers and configs if we uninstall the current docker engine? Or do I miss something here?
You won't lose the containers, but they will be restarted. Apologies for not clarifying that earlier. If you do not feel confident in performing the task, please disable the firewall rule instead. I will provide more details as soon as possible.
 
Everyone, thank you for your patience. The case was investigated by our engineers and they determined the root cause to be Docker adding new firewall forwarding rules to the end after DROP:



The workaround is:

  1. Connect to the Plesk server via SSH.
  2. Block installation of this version:


    Ubuntu:

    Debian:
  3. Remove installed version:
Afterward, the latest available version 27.5.1 will be installed. I hope that helps!
Let me know if instructions are needed for another OS/version, please.

Thank you for this "better" workaround (compared to disabling the firewall or allowing forwarding).

Running Ubuntu 20.04 (to be upgraded soon), my block-file looks like this:

Package: docker-ce
Pin: version 5:28.0.0-1~ubuntu.20.04~focal
Pin-Priority: -1

Package: docker-ce-cli
Pin: version 5:28.0.0-1~ubuntu.20.04~focal
Pin-Priority: -1

It works as intended, no containers or data got lost, and now I guess we have to wait until we hear back from the Docker guys'n'girls...
 
To sum up, the issue is caused because both Docker and Firewall append rules to the FORWARD chain and after the last update, Docker added its -i docker0 -j ACCEPT after firewall’s DROP. Moving everything to a dedicated DOCKER-FORWARD chain should fix the issue. @TheColin21 about your question, the next release (patch, 28.0.1) may address that - the discussion in question. We have an open case (EXTPLESK-8001) from our end to research what can be improved Firewall-wise.

Another suggested workaround is to add a custom rule in the firewall, allowing forwarding from the docker0 subnet to anything:

  1. Navigate to Tools & Settings > Firewall
  2. Click the icon with the plus sign to add a new custom rule with the following specifications:
  • Name of the rule: Docker allow forwarding (or anything that will help you easily recognize it)
  • Match direction: Forwarding
  • Action: Allow
  • Ports: -
  • Sources: 172.17.0.0/16
  • Destinations: -
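
The rule-ordering problem summarized above (Docker's ACCEPT landing after the firewall's DROP in FORWARD) can be checked from an `iptables -S FORWARD` listing. This is an added example, not part of the thread and not Plesk's or Docker's code; the function name and both sample listings are constructed for illustration, and it assumes the rules are visible in `iptables -S` format.

```shell
#!/bin/sh
# Added example: flag Docker FORWARD rules that can never match because an
# unconditional DROP was appended to the chain before them.
# Input: `iptables -S FORWARD` output on stdin. On a live server (as root):
#   iptables -S FORWARD | find_shadowed_docker_rules
# Prints one line per shadowed rule; exit status 1 if any were found.
find_shadowed_docker_rules() {
    awk '
        $1 != "-A" || $2 != "FORWARD" { next }   # skip the -P policy line
        {
            pos++
            target = ""; nmatch = 0; docker = 0
            for (i = 3; i <= NF; i++) {
                # everything after -j <target> is a target option, not a match
                if ($i == "-j") { target = $(i + 1); break }
                nmatch++
                if ($i == "docker0") docker = 1
            }
            # a jump into a DOCKER* chain placed after the DROP is just as dead
            if (target ~ /^DOCKER/) docker = 1
            if (!drop_pos && nmatch == 0 && target == "DROP") { drop_pos = pos; next }
            if (drop_pos && docker) {
                printf "rule %d is unreachable (catch-all DROP at rule %d): %s\n", pos, drop_pos, $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: the ordering described in the thread.
sample_broken() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -i docker0 -j ACCEPT
EOF
}

# Constructed sample: the same rules with Docker's ACCEPT ahead of the DROP.
sample_ordered() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -i docker0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
EOF
}

sample_broken | find_shadowed_docker_rules || echo "FORWARD ordering problem found"
```

Running the check after each Docker or firewall update shows whether the ordering has regressed before containers lose outbound connectivity.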