
@YannRobert
Last active August 29, 2015 14:25
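#!/bin/sh
# Reproduction script for Fedora 22 with Docker 1.7.1 installed from the
# upstream RPM: shows that two containers linked by docker-compose stop
# answering on http://localhost:8888 once firewalld is running, and that one
# extra iptables ACCEPT rule makes the request succeed again.
# Must run as root: it installs packages, writes under /usr/local/bin and /etc,
# and edits the live iptables ruleset. Intended for a throwaway test host.
set -e
set -x
dnf install -y fail2ban
# --fail: without it an HTTP error page would be saved under the .rpm name and
# the failure would only surface later, inside rpm.
# NOTE(review): the package is trusted on TLS alone here; checking it with
# `rpm -K` against an imported vendor key before installing would also catch a
# tampered or truncated file.
curl --fail -O https://get.docker.com/rpm/1.7.1/fedora-22/RPMS/x86_64/docker-engine-1.7.1-1.fc22.x86_64.rpm
rpm -i ./docker-engine-1.7.1-1.fc22.x86_64.rpm
chkconfig fail2ban on
chkconfig docker on
systemctl restart fail2ban.service
sleep 2
systemctl restart docker.service
# note that fail2ban installs firewalld
# but that starting fail2ban does not start firewalld
# however, firewalld is planned to start at system boot
DOCKER_COMPOSE_VERSION=1.3.3
# NOTE(review): this binary is made executable and run as root without any
# checksum or signature check; pin and verify a digest if the script is reused.
curl --fail -v -o "/usr/local/bin/docker-compose-${DOCKER_COMPOSE_VERSION}" -L "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)"
chmod +x "/usr/local/bin/docker-compose-${DOCKER_COMPOSE_VERSION}"
ln -sf "/usr/local/bin/docker-compose-${DOCKER_COMPOSE_VERSION}" /usr/local/bin/docker-compose
# --fail matters here too: files in /etc/bash_completion.d are sourced by
# interactive shells, so an HTTP error body must not be written there.
curl --fail -o /etc/bash_completion.d/docker-compose -L "https://raw.githubusercontent.com/docker/compose/${DOCKER_COMPOSE_VERSION}/contrib/completion/bash/docker-compose"
dnf install -y git
git clone https://github.com/YannRobert/docker_link_issue_demonstration
cd docker_link_issue_demonstration
# Relabel the checkout so SELinux lets the containers read the mounted files.
sudo chcon -Rt svirt_sandbox_file_t "$(pwd)"
# run the test with docker-compose linking 2 docker containers
docker-compose kill && docker-compose rm --force && docker-compose up -d
# From here on a failing curl is an expected observation, not an error.
set +e
# when firewalld is stopped, it will work
curl --fail http://localhost:8888
# force start firewalld
systemctl start firewalld.service
sleep 2
systemctl restart docker.service
sleep 2
docker-compose kill && docker-compose rm --force && docker-compose up -d
sleep 2
# print iptables rules
iptables -L -n > iptables_dump_docker_package.txt
# now firewalld is started, it will fail
curl --fail http://localhost:8888
# now add an iptables rule to make it work
# NOTE(review): diagnostic workaround only. The rule is appended to the live
# ruleset (not persisted) and accepts everything entering on docker0 for
# 172.17.0.0/16, which is presumably broader than the per-link rules Docker
# would normally create; do not carry it over to a real host as-is.
iptables -t filter -A DOCKER -d 172.17.0.0/16 -i docker0 -j ACCEPT
curl --fail http://localhost:8888
echo "Finished"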
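#!/bin/sh
# Reproduction script using the distribution's docker-io package: shows that
# two containers linked by docker-compose stop answering on
# http://localhost:8888 once firewalld is running, and that one extra iptables
# ACCEPT rule makes the request succeed again.
# Must run as root: it installs packages, writes under /usr/local/bin and /etc,
# and edits the live iptables ruleset. Intended for a throwaway test host.
set -e
set -x
dnf install -y fail2ban
dnf install -y docker-io
chkconfig fail2ban on
chkconfig docker on
systemctl restart fail2ban.service
sleep 2
systemctl restart docker.service
# note that fail2ban installs firewalld
# but that starting fail2ban does not start firewalld
# however, firewalld is planned to start at system boot
DOCKER_COMPOSE_VERSION=1.3.3
# NOTE(review): this binary is made executable and run as root without any
# checksum or signature check; pin and verify a digest if the script is reused.
curl --fail -v -o "/usr/local/bin/docker-compose-${DOCKER_COMPOSE_VERSION}" -L "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)"
chmod +x "/usr/local/bin/docker-compose-${DOCKER_COMPOSE_VERSION}"
ln -sf "/usr/local/bin/docker-compose-${DOCKER_COMPOSE_VERSION}" /usr/local/bin/docker-compose
# --fail: files in /etc/bash_completion.d are sourced by interactive shells,
# so an HTTP error body must not be written there.
curl --fail -o /etc/bash_completion.d/docker-compose -L "https://raw.githubusercontent.com/docker/compose/${DOCKER_COMPOSE_VERSION}/contrib/completion/bash/docker-compose"
dnf install -y git
git clone https://github.com/YannRobert/docker_link_issue_demonstration
cd docker_link_issue_demonstration
# Relabel the checkout so SELinux lets the containers read the mounted files.
sudo chcon -Rt svirt_sandbox_file_t "$(pwd)"
# run the test with docker-compose linking 2 docker containers
docker-compose kill && docker-compose rm --force && docker-compose up -d
# From here on a failing curl is an expected observation, not an error.
set +e
# when firewalld is stopped, it will work
curl --fail http://localhost:8888
# force start firewalld
systemctl start firewalld.service
sleep 2
systemctl restart docker.service
sleep 2
docker-compose kill && docker-compose rm --force && docker-compose up -d
sleep 2
# print iptables rules
iptables -L -n > iptables_dump_docker_package.txt
# now firewalld is started, it will fail
curl --fail http://localhost:8888
# now add an iptables rule to make it work
# NOTE(review): diagnostic workaround only. The rule is appended to the live
# ruleset (not persisted) and accepts everything entering on docker0 for
# 172.17.0.0/16, which is presumably broader than the per-link rules Docker
# would normally create; do not carry it over to a real host as-is.
iptables -t filter -A DOCKER -d 172.17.0.0/16 -i docker0 -j ACCEPT
curl --fail http://localhost:8888
echo "Finished"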