3

I'm having trouble debugging a docker issue. On my machine as host, every apt/apt-get/apt-cache command in the debian:jessie image hangs and I can't figure out why.

On other machines with docker, when I run (for example)

docker run --rm debian:jessie apt list

it takes a few seconds but then the list pops up. On my machine, it just hangs forever (> 30 minutes) and uses a full CPU core.

Any ideas on how to debug this problem?

I'm on a fedora 35 (x86_64) with recent and decent hardware. I've already

  • tried to run different commands - all take a CPU core and freeze. I tried at least apt update, apt upgrade, apt list, apt show apt, apt-cache showpkg apt and certainly a few more I can't remember
  • tried to disable selinux via setenforce 0 on the host, to no effect
  • tried to take the network away via the --network none arguments to docker, to no effect
  • updated my fedora host system, to no effect
  • checked that the docker-ce version is the latest stable - it is
  • tried it with docker run --rm debian:latest apt list (i.e. the latest debian) - this works, but I need the old one (jessie, not latest)
  • tried to stop the fedora firewall via systemctl stop firewalld.service and restart the docker daemon via systemctl restart docker (thanks @rubynorails), to no effect

Any ideas on how to go from here?

2 Answers

6

After hours of more trial and error, another image which worked on a different host put me on the right track. There seems to be a problem with the default ulimits on Fedora [1][2].

The following works fine:

docker run --rm --ulimit nofile=10000:10000 -ti debian:jessie apt list

I just added the --ulimit parameter to every container/docker build and so far everything works like a charm.

[1] https://github.com/coreos/fedora-coreos-docs/issues/103

[2] https://bugzilla.redhat.com/show_bug.cgi?id=1715254
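One way to check whether the open-files limit inside the container is what differs between a working host and a hanging one, before adding --ulimit everywhere (an added example, not part of the original answer; the threshold, the function names and the sample limits text are constructed assumptions):

```shell
#!/bin/sh
# Added example. Threshold and sample text below are constructed assumptions.
NOFILE_WARN_THRESHOLD=1048576   # hypothetical cut-off for "suspiciously large"

# Constructed samples in /proc/<pid>/limits format (not captured from a real host).
SAMPLE_LARGE='Limit                     Soft Limit           Hard Limit           Units
Max processes             unlimited            unlimited            processes
Max open files            1073741816           1073741816           files'
SAMPLE_CAPPED='Limit                     Soft Limit           Hard Limit           Units
Max open files            10000                10000                files'

# Print the soft "Max open files" value from limits text on stdin.
# Exits non-zero when the line is missing.
nofile_soft_limit() {
    awk '/^Max open files/ { print $4; found = 1; exit } END { if (!found) exit 1 }'
}

# Print "override" when an explicit --ulimit nofile=... is worth trying,
# "ok" when the limit is already modest. Returns 2 on unparsable input.
classify_nofile() {
    limit=$1
    case $limit in
        unlimited) echo override; return 0 ;;
        ''|*[!0-9]*) echo "not a number: $limit" >&2; return 2 ;;
    esac
    if [ "$limit" -gt "$NOFILE_WARN_THRESHOLD" ]; then
        echo override
    else
        echo ok
    fi
}

# Read limits text on stdin and classify its open-files soft limit.
check_limits() {
    soft=$(nofile_soft_limit) || { echo "no 'Max open files' line" >&2; return 2; }
    classify_nofile "$soft"
}

# Real use (needs Docker, so it is not run here):
#   docker run --rm debian:jessie cat /proc/self/limits | check_limits
#   docker run --rm --ulimit nofile=10000:10000 debian:jessie cat /proc/self/limits | check_limits
printf 'large sample:  %s\n' "$(printf '%s\n' "$SAMPLE_LARGE" | check_limits)"
printf 'capped sample: %s\n' "$(printf '%s\n' "$SAMPLE_CAPPED" | check_limits)"
```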

2

Edited based on @jsbillings's comment below -- please note that based on @felher's feedback, this particular answer did not solve their issue, but it can be applied to users having the same issue description who are running Docker versions less than v20.0.

Original Answer:

If I recall, Docker doesn't play nice with firewalld, which is enabled by default on RHEL-based systems. If you want it to behave more like an Ubuntu system, where ufw is disabled by default, then just stop firewalld:

sudo systemctl stop firewalld

...and [optionally] disable it so this doesn't happen in the future:

sudo systemctl disable firewalld

You may also need to restart the docker daemon for good measure:

sudo systemctl restart docker or systemctl restart docker-ce

Note that I'm not saying this is the best security practice, but personally, coming from an enterprise environment, we always had our instances disable firewalld as soon as they were built, because it's much easier to control access policy via network-based firewall rules than host-based rules.

2
  • Nice idea, but sadly, it did not work. (tried to do +1, but I have too little reputation ... :( ) I added it to things I've tried above. Commented May 5, 2022 at 17:12
  • 1
    Docker has native firewalld support, so this suggestion only applies to versions less than v20.0 iirc github.com/moby/libnetwork/pull/2548 Commented May 5, 2022 at 21:47
