I just installed the latest release of docker-ce on CentOS, but I can't reach published ports from a neighboring server and can't reach the outside from the container itself.

Running a plain vanilla CentOS 8 with NetworkManager and FirewallD enabled. Default firewall zone is `public`.

Versions:

- docker-ce 19.03.3 (official Docker RPM)
- containerd.io 1.2.6 (official Docker RPM for CentOS 7 – not available for CentOS 8 yet)
- CentOS 8.0.1905 (minimal install)
Best Answer
After spending a couple of days looking at logs and configurations for the involved components, I was about to throw in the towel and revert back to Fedora 30, where this seems to work straight out of the box.

Focusing on firewalling, I realized that disabling `firewalld` seemed to do the trick, but I would prefer not to do that. While inspecting network rules with `iptables`, I realized that the switch to `nftables` means that `iptables` is now an abstraction layer that only shows a small part of the `nftables` rules. That means most - if not all - of the `firewalld` configuration will be applied outside the scope of `iptables`. I was used to being able to find the whole truth in `iptables`, so this will take some getting used to.

Long story short - for this to work, I had to enable masquerading. It looked like `dockerd` already did this through `iptables`, but apparently this needs to be specifically enabled for the firewall zone for `iptables` masquerading to work:

Reboot or restart `dockerd`, and both ingress and egress should work.
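The fix the answer describes, written out as an idempotent shell script (an added example, not code from the original answer). It assumes `firewall-cmd` from firewalld and `systemctl` are available, that the Docker service is named `docker`, and that the zone to change is the default `public` (override with `ZONE=...`). `DRY_RUN=1` prints the commands instead of executing them, so the script can be reviewed before it touches the firewall; `show_masquerade_rules` uses `nft` rather than `iptables` because, as the answer notes, `iptables` only shows part of the nftables ruleset.

```shell
#!/bin/sh
# Added example: enable firewalld masquerading for the zone Docker traffic
# crosses, then restart dockerd so it re-creates its own rules on top.
# Assumptions: firewall-cmd, systemctl and nft exist; service is "docker".

ZONE="${ZONE:-public}"      # firewalld zone to modify (default zone on the question's host)
DRY_RUN="${DRY_RUN:-0}"     # 1 = print commands instead of running them

# Run a command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Exit 0 if masquerading is already in the permanent config of ZONE.
# firewall-cmd --query-* commands return 0 for "yes" and 1 for "no".
masq_enabled() {
    firewall-cmd --permanent --zone="$ZONE" --query-masquerade >/dev/null 2>&1
}

# Enable masquerading (permanent + runtime via reload) and restart Docker.
enable_masquerade() {
    if [ "$DRY_RUN" != "1" ] && masq_enabled; then
        echo "masquerading already enabled in zone $ZONE"
        return 0
    fi
    run firewall-cmd --permanent --zone="$ZONE" --add-masquerade
    run firewall-cmd --reload
    run systemctl restart docker
}

# Inspect the real ruleset: the masquerade rule firewalld adds lives in
# nftables and is not visible through the iptables compatibility view.
show_masquerade_rules() {
    run nft list ruleset | grep -n masquerade
}

# Entry point when executed directly (not when sourced by a test harness).
if [ "${0##*/}" = "enable-docker-masq.sh" ]; then
    enable_masquerade
    show_masquerade_rules
fi
```

Usage: `sudo sh enable-docker-masq.sh` applies the change; `DRY_RUN=1 sh enable-docker-masq.sh` only lists what would run. After the restart, `firewall-cmd --zone=public --query-masquerade` should answer `yes`.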