External networking is not working in docker rootless mode in Fedora 42 · Issue #49883 · moby/moby · GitHub
External networking is not working in docker rootless mode in Fedora 42 #49883


Open
Henriquemcc opened this issue Apr 26, 2025 · 2 comments
Assignees: AkihiroSuda
Labels: area/networking, area/rootless (Rootless mode), kind/bug, status/0-triage, version/28.1

Comments

Henriquemcc commented Apr 26, 2025

Description

After performing a clean install of Fedora 42 and installing Docker, I started having external network connectivity issues in Docker.

As has been previously reported, Docker had external connectivity issues related to iptables on Fedora 42 and other Linux distributions:

External networking not working with user-defined networks (since Fedora 42 upgrade)

28.0.1: network unavailable with iptables 1.8.11 and userland proxy disabled

Bug 2360423 - iptables 1.8.11 -C returns 0 exit status for non existent rules

Recently, Fedora developed a patch for iptables that fixed this issue:

iptables-1.8.11-5.fc42

With that patch installed, the external connectivity issue no longer occurs in root mode, but it is still present in rootless mode.

Reproduce

  1. Run a Docker container as root and try to access the external network (it will work):
sudo docker run -i ubuntu apt update
  2. Run a Docker container in rootless mode and try to access the external network (it will fail):
docker run -i ubuntu apt update

Expected behavior

Both commands are supposed to correctly connect to the external network and obtain the list of packages through Ubuntu’s APT.

docker version

Client: Docker Engine - Community
 Version:           28.1.1
 API version:       1.49
 Go version:        go1.23.8
 Git commit:        4eba377
 Built:             Fri Apr 18 09:53:32 2025
 OS/Arch:           linux/amd64
 Context:           rootless

Server: Docker Engine - Community
 Engine:
  Version:          28.1.1
  API version:      1.49 (minimum version 1.24)
  Go version:       go1.23.8
  Git commit:       01f442b
  Built:            Fri Apr 18 09:51:47 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.27
  GitCommit:        05044ec0a9a75232cad458027ca83437aae3f4da
 runc:
  Version:          1.2.5
  GitCommit:        v1.2.5-0-g59923ef
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
 rootlesskit:
  Version:          2.3.4
  ApiVersion:       1.1.1
  NetworkDriver:    slirp4netns
  PortDriver:       builtin
  StateDir:         /run/user/1000/dockerd-rootless
 slirp4netns:
  Version:          1.3.1
  GitCommit:        e5e368c4f5db6ae75c2fce786e31eef9da6bf236

docker info

Client: Docker Engine - Community
 Version:    28.1.1
 Context:    rootless
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.23.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.35.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 2
  Running: 0
  Paused: 0
  Stopped: 2
 Images: 7
 Server Version: 28.1.1
 Storage Driver: fuse-overlayfs
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05044ec0a9a75232cad458027ca83437aae3f4da
 runc version: v1.2.5-0-g59923ef
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns
 Kernel Version: 6.14.3-300.fc42.x86_64
 Operating System: Fedora Linux 42 (Workstation Edition)
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.38GiB
 Name: henrique-pc
 ID: 836eda1a-c141-4add-ac26-4ba7232b1e00
 Docker Root Dir: /home/henrique/.local/share/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No cpuset support

Additional Info

No response

Henriquemcc added the kind/bug and status/0-triage labels Apr 26, 2025
AkihiroSuda added the area/rootless label Apr 28, 2025
@AkihiroSuda AkihiroSuda self-assigned this Apr 28, 2025
robmry (Contributor) commented Apr 28, 2025

There are reports that iptables has broken again in Fedora's -6 patch ... possibly unrelated to this issue with rootless, but it might help to know about it when investigating. (Unfortunately I'm still struggling to get a working Fedora 42 to experiment with.)

robmry (Contributor) commented Apr 28, 2025

I'm unable to repro this, or the other issue I linked to (on Fedora 42 with rootless moby 28.1.1 and iptables 1.8.11-6). Perhaps the difference is that I'm using fresh installs rather than upgraded hosts.

@AkihiroSuda ... have you had any (bad) luck with it? Let me know if you want me to try to dig in further.

4 participants