docker / kubernetes breaks Proxmox QEMU KVM Bridge VMs
It's best not to mix the two technologies. Here is how to fix things but break Docker.
If you do an iptables -L you will notice even if you deleted all the Docker chains that the iptables FORWARD policy is enabled and is set to drop, this causes your VMs to not have networking, at least not outside the host machine.
Chain FORWARD (policy DROP)
target prot opt source destination
target prot opt source destination
Here is how to fix everything:
If your bridge interface is not br0 like below change it (eg. if it's vmbr0 then change it to that).
iptables -A FORWARD -p all -i br0 -j ACCEPT
or for blanket all
iptables --policy FORWARD ACCEPT
Now you'll see it has policy ACCEPT so the VM traffic will work:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Delete the Docker chains
iptables -X DOCKER-ISOLATION-STAGE-1
iptables -X DOCKER-ISOLATION-STAGE-2
iptables -X DOCKER
iptables -X DOCKER-USER
What Docker did to our machine with iptables:
root@nfs01:# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (0 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (0 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-2 (0 references)
target prot opt source destination
Chain DOCKER-USER (0 references)
target prot opt source destination
root@nfs01:# iptables -X DOCKER
root@nfs01:# iptables -X DOCKER-ISOLATION-STAGE-1
root@nfs01:# iptables -L^C
root@nfs01:# ping 192.168.11.240^C
root@nfs01:# iptables -X DOCKER-ISOLATION-STAGE-2
root@nfs01:# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER-USER (0 references)
target prot opt source destination
root@nfs01:# iptables -X DOCKER-USER
root@nfs01:# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Tags:
docker, kubernetes, proxmox, qemu, kvm, vmsit, technologies, iptables, deleted, chains, enabled, vms, networking, prot, opt, destination, interface, br, eg, vmbr, delete, isolation, user, nfs, input, output, references, ping,