0

Thanks to some help in a previous thread, I have managed to track down a specific issue, but I am not sure how to approach the potential fix.

To summarize the issue: docker on my server seems to break, to some extent, iptables. This bug/feature has been documented here and there. This manifests in the fact that for the Wireguard instance on that server, it doesn't work when I'm on the same local network as the server. I've been able to narrow this down in the fact that:

  • I have two other servers with the same config (except docker) on the same network, no issue there;
  • When I disable docker on that server, the issue disppears.

This would mean that the issue comes down to the iptables configured in /etc/wireguard/wg0.conf not being applied:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

The issue appeared after I moved the /var/lib/docker/ folder to another drive. To do this, i did:

  • edited /usr/lib/systemd/system/docker.service: change ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sockto ExecStart=/usr/bin/dockerd --data-root [New folder] -H fd:// --containerd=/run/containerd/containerd.sock
  • created a symlink with ln -s [New folder] /var/lib/docker

Intuitively, I would see two options to try to fix my issue:

  1. Use one of the solutions in the two links above. To be fully transparent, I am not sure I fully understood some of the explanation. Moreover, I am not sure one of the proposed solutions (adding an ExecStartPost= to /usr/lib/systemd/system/docker.service) would work, since I'm not sure I can add a %i variable that way.
  2. Try to find an alternative way to account for the moved /var/lib/docker, instead of putting it in /usr/lib/systemd/system/docker.service.

Anyone would have suggestions on this? Am I missing something?

Thanks a lot!

Improve this question

1 Answer 1

Reset to default
1

To change an existing unit file from the OS, better use sudo systemctl edit whatever.service [1]. Editing the original file will mess up your package updates.

But if you created a symlink, why would you need to change the unit file?

Maybe try to copy content from old data dir to the new one. In case something got missing.

For my servers, I prefer installing software from the distro (and not externally from docker.io or whatever), because they might be patched to work better with the rest of the distribution configuration. With my distro of choice only podman comes and it works very well for me. It runs with compatible command line options as docker. But if your distro comes with docker, then that should be fine as well.

[1] https://www.2daygeek.com/linux-modifying-existing-systemd-unit-file/

Improve this answer
2
  • Thanks for the suggestion. I understood that only relying on symlinks for docker was not really good practice, but when I tried it only through a docker.service modification, it didn't seem to work. I'll give it another shot with just the symlink. Maybe a side point: Wireguard is not running in docker. Commented Dec 13, 2023 at 20:25
  • @Anta, I haven't looked at docker. But it may carry some network configuration in that dir as well. And if you wipe it, it may result in issues. If your other drive is only for docker data, then you can also mount it at that location and there would be no symlinks. Commented Dec 13, 2023 at 21:55

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.