42

I'm using Fedora release 33 (Thirty Three). Docker version is Docker version 20.10.0, build 7287ab3.

First I ran docker system prune and since then docker daemon failed to start.

I ran systemctl start docker command and got

Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xe" for details.

and then systemctl status docker.service I got

● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor pr>
     Active: failed (Result: exit-code) since Wed 2020-12-09 11:10:58 IST; 15s >
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
    Process: 10391 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/contai>
   Main PID: 10391 (code=exited, status=1/FAILURE)

Dec 09 11:10:58 barad-laptop systemd[1]: docker.service: Scheduled restart job,>
Dec 09 11:10:58 barad-laptop systemd[1]: Stopped Docker Application Container E>
Dec 09 11:10:58 barad-laptop systemd[1]: docker.service: Start request repeated>
Dec 09 11:10:58 barad-laptop systemd[1]: docker.service: Failed with result 'ex>
Dec 09 11:10:58 barad-laptop systemd[1]: Failed to start Docker Application Con>

Then sudo dockerd --debug and got

failed to start daemon: Error initializing network controller: Error creating default "bridge" network: Failed to program NAT chain: ZONE_CONFLICT: 'docker0' already bound to a zone

Related to this GitHub issue

Alon Barad

3 Answers

88

Found out that

$ firewall-cmd --get-active-zones
FedoraWorkstation
  interfaces: ens4u1u2 wlp59s0
docker
  interfaces: br-48d7d996793a
libvirt
  interfaces: virbr0
trusted
  interfaces: docker0

the interface docker0 seems to be in the trusted zone. But there's another zone called docker.

So I decided to give it a shot and add it to the docker zone instead.

$ sudo firewall-cmd --permanent --zone=docker --change-interface=docker0
$ sudo firewall-cmd --reload

Looks like this afterwards:

$ firewall-cmd --get-active-zones
FedoraWorkstation
  interfaces: ens4u1u2 wlp59s0
docker
  interfaces: br-48d7d996793a docker0
libvirt
  interfaces: virbr0

Seems to work.
Maybe someone can shed more light on this.

Edit: added firewall-cmd --reload as pointed out in the comments

Franz Ebner
23

I got this error after upgrading docker-ce on my Fedora 32. It looks like the new docker conflicts with the manual firewall configuration mentioned in the article you linked in your answer. I had the rules on my machine to enable container-to-container communication.

Docker started successfully after I reverted the firewall rules:

sudo firewall-cmd --permanent --zone=trusted --remove-interface=docker0
sudo firewall-cmd --permanent --zone=FedoraWorkstation --remove-masquerade
sudo firewall-cmd --reload
sudo systemctl restart docker

The changes don't seem to affect the ability of containers to talk to each other.

vempo
  • 2
    Just had the same problem after upgrading to Fedora 33 and this solution worked. I did have to re-apply the rules afterwards for the docker containers to have network access again. – Quintesse Dec 15 '20 at 10:07
  • 1
    @Quintesse thanks for the info. Does the docker service start successfully after a reboot? It won't start on my Fedora 32 with either of these rules in place. Also, what do you mean by network access? – vempo Dec 15 '20 at 19:23
  • 1
    I used `firewall-cmd --permanent --zone=trusted --remove-interface=docker0` and it fixed my problem – Saleh Rahimzadeh Feb 11 '21 at 09:48
2

With a similar problem, I removed docker0 from the trusted zone, reloaded the firewall, and also removed daemon.json from /etc/docker

sudo firewall-cmd --get-active-zones

sudo firewall-cmd --permanent --zone=trusted --remove-interface=docker0
sudo firewall-cmd --reload

sudo rm -rf /etc/docker/daemon.json # or mv to another location

Then restart docker service with sudo systemctl restart docker.
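
As an added example (not code from any of the posts above), this script parses the `firewall-cmd --get-active-zones` output quoted in the answers and lists Docker bridge interfaces bound to a zone other than `docker`, the binding behind the ZONE_CONFLICT error. The function names, the `docker<N>` / `br-<id>` interface pattern and the embedded sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit which firewalld zone each Docker bridge is bound to.

# Constructed sample: the "before" output quoted in the first answer.
SAMPLE_ZONES='FedoraWorkstation
  interfaces: ens4u1u2 wlp59s0
docker
  interfaces: br-48d7d996793a
libvirt
  interfaces: virbr0
trusted
  interfaces: docker0'

# list_bindings: read `firewall-cmd --get-active-zones` text on stdin and
# print one "interface zone" pair per line. Indented "sources:" lines are skipped.
list_bindings() {
  awk '
    /^[^ \t]/           { zone = $1; next }   # unindented line = zone name
    $1 == "interfaces:" { for (i = 2; i <= NF; i++) print $i, zone }
  '
}

# misplaced_docker_ifaces [expected_zone]: print Docker bridges (assumed to be
# named docker<N> or br-<hex id>) bound to a zone other than the expected one
# (default: docker). Returns 1 if any are found, 0 otherwise.
misplaced_docker_ifaces() {
  expected="${1:-docker}"
  list_bindings | awk -v want="$expected" '
    $1 ~ /^(docker[0-9]+|br-[0-9a-f]+)$/ && $2 != want { print; bad = 1 }
    END { exit bad + 0 }
  '
}

# Live use (needs firewalld running):
#   firewall-cmd --get-active-zones | misplaced_docker_ifaces
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_ZONES" | misplaced_docker_ifaces \
  || echo "interfaces listed above are outside the docker zone"
```

An interface left in `trusted` is also worth reviewing on its own, since that zone accepts all traffic.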