Docker doesn't start

Hey there!
After I upgraded to Fedora 34, I already have some containers running, but the docker.service is not starting anymore.

I’ve already reinstalled the docker-ce packages and also got them for the correct Fedora version from the repository.
(Also sending the image of the systemctl status and journalctl -xeu output)

Please if you guys have some idea… I really appreciate it.

Thanks in advance,
Bruno Moraes
[Image: Screenshot from 2021-05-04 13-25-50]

1 Like

I’ve encountered the issue on beta and this fix worked. The problem came with firewalld and a bad interface for the docker zone. In this case, you need to run sudo firewall-cmd --zone=docker --change-interface=docker0.

If I remember correctly, I had started dockerd from the command line to get more information about the issue and then found the solution on the Docker issue tracker.

PS: note that I use the Docker repository, not moby-engine from Fedora.

2 Likes

Hey friend, thanks for your help, but unfortunately it didn’t work.

Following is the step that I found using your idea:
sudo firewall-cmd --permanent --zone=trusted --add-interface=docker0
Warning: ALREADY_ENABLED: docker0
success
[brunobva@lnx001bva ~]$ sudo firewall-cmd --reload
Error: COMMAND_FAILED: 'python-nftables' failed:
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld_policy_drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_input", "type": "filter", "hook": "input", "prio": 9, "policy": "drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_forward", "type": "filter", "hook": "forward", "prio": 9, "policy": "drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_output", "type": "filter", "hook": "output", "prio": 9, "policy": "drop"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_input", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_forward", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_output", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}]}

Sorry about that. Have you tried to start docker from the command line to get more information?

I had the same issue (F33->F34)

Starting dockerd manually I got:

failed to start daemon: Error initializing network controller: Error creating default "bridge" network: Failed to program NAT chain: ZONE_CONFLICT: 'docker0' already bound to a zone
WARN[2021-05-05T11:53:12.330322857-04:00] grpc: addrConn.createTransport failed to connect to {unix:///var/run/docker/containerd/containerd.sock  <nil> 0 <nil>}. Err :connection error: desc = "transport: Error while dialing dial unix:///var/run/docker/containerd/containerd.sock: timeout". Reconnecting...  module=grpc

A step on docker - failed to start daemon: Error initializing network controller: Error creating default "bridge" network - Stack Overflow worked for me (revert changes)

sudo firewall-cmd --permanent --zone=trusted --remove-interface=docker0
sudo firewall-cmd --reload
sudo systemctl restart docker

After that docker worked as expected.

5 Likes

I am having the same issue and after much googling, I have not been able to solve it.
Some solutions I stumbled across ranged from removing invalid services from your firewalld zones templates to ensuring your ipset rules do not have overlapping CIDR blocks.

I have tried my best to freshly reinstall firewalld, iptables / nftables and ipset with default settings, but I must be missing something somewhere. Unfortunately, the python-nftables error you posted above does not shed much light and neither do the firewalld error logs.

Unless firewalld can successfully start, I don’t believe the docker daemon can start either.

1 Like

Hey Joseph,
Man, I can’t solve the nftables issue, but Docker is running now.

I saw an entry in a file in /etc/firewalld/zones that was duplicated (even in the .old one).
I don’t know if it makes sense to you. But if there is a duplicated entry in these files, it will not let Docker start.

Please let me know if it helps you, and if not we can try other things.

Kind Regards,
Bruno Moraes

Hi Bruno,

Thanks for the reply!
I had actually done the same thing before posting (I also found some config files in /usr/lib/firewalld/zones and cleaned them out too), but the error persisted until the next time I performed a clean reboot.

This also appears to have fixed my nftables issue and now docker is working for me again.

Thanks again!

1 Like

Nice Joseph.
I will try to do that here!

Thanks friend!

2 Likes

Thanks for the hints guys, I can confirm that in my case, the problem was actually with firewalld, not Docker. Docker being broken was just a symptom of firewalld being broken. I had previously added a port rule to the FedoraWorkstation zone, and this caused the upgrade to leave the old zone file in a FedoraWorkstation.xml.old file. But it just sat alongside a FedoraWorkstation.xml, which didn’t have the port rule.

And apparently adding this port rule leads to an error in F34, as it overlapped with another rule. I can only assume it wasn’t an error in F33, but it is now in F34.

For any future readers, check your journalctl for the firewalld unit and see if you see any errors. Look through your /etc/firewalld/zones as suggested above and see if there are any .old files. Reconcile the differences to fix the errors. This got Docker working again for me.

1 Like
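
The zone-file checks suggested in this thread (a duplicated entry inside a zone file, a leftover .old file that differs from the current one, and docker0 listed in more than one zone), written out as an added example that is not part of any post above. It reads only the permanent zone files; the function names, finding labels and sample files are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path

# Constructed sample zone files (not taken from the thread).
SAMPLES = {
    "docker.xml": '<zone target="ACCEPT"><interface name="docker0"/></zone>',
    "trusted.xml": '<zone target="ACCEPT"><interface name="docker0"/></zone>',
    "FedoraWorkstation.xml": '<zone><service name="ssh"/><service name="ssh"/></zone>',
    "FedoraWorkstation.xml.old":
        '<zone><service name="ssh"/><port port="8080" protocol="tcp"/></zone>',
}

def entry_key(el):
    """Identity of one zone entry: tag, sorted attributes, text, children."""
    return (el.tag, tuple(sorted(el.attrib.items())), (el.text or "").strip(),
            tuple(entry_key(child) for child in el))

def load_zone(path):
    return [entry_key(el) for el in ET.parse(path).getroot()]

def audit_zones(zone_dir):
    """Return (kind, subject, detail) findings for a firewalld zones directory."""
    findings, iface_zones = [], defaultdict(list)
    for path in sorted(Path(zone_dir).glob("*.xml")):
        entries = load_zone(path)
        for key in sorted(set(entries)):
            if entries.count(key) > 1:  # same entry listed twice in one file
                findings.append(("duplicate-entry", path.name, key[:2]))
            if key[0] == "interface":
                iface_zones[dict(key[1]).get("name")].append(path.stem)
        old = path.with_name(path.name + ".old")  # backup left next to the zone
        if old.exists():
            for key in sorted(set(load_zone(old)) - set(entries)):
                findings.append(("only-in-old", old.name, key[:2]))
    for iface, zones in iface_zones.items():
        if len(zones) > 1:  # cf. the ZONE_CONFLICT message from dockerd
            findings.append(("interface-in-multiple-zones", iface, tuple(zones)))
    return findings

def demo():
    """Write the constructed samples to a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        for name, xml in SAMPLES.items():
            Path(d, name).write_text(xml)
        return audit_zones(d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real system, call audit_zones("/etc/firewalld/zones") and compare any findings against the firewalld unit's journal before editing the files.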
