
Rootless custom bridge fails to bind ports on host. #52933

@luissantosHCIT

Description

I don't know when it happened, and whether it was upgrading to Fedora 44 or an update in the last couple of months, but I have not been able to open local apps if run under the rootless daemon. My containers are built with docker-compose, and they are set up to run in their own network with the main service binding the web port to the "outside".

I spent days trying several things to isolate whether the issue is on the OS or docker side. I concluded that it might be coming from docker because disabling the firewalld service did not fix the issue, and rootless skips interacting with firewalld anyways. I see warnings from libnetwork. Unfortunately, I am having trouble finding the exact source files (bridge driver or libnetwork) that could help propose a patch. The issue was not happening in the past either and does not appear to be associated with a missing dependency.

I experienced the issue with both docker-ce and moby in Fedora 44.

Reproduce

  1. Create a docker yaml config like this one.
services:
  ehr_db:
    container_name: "ehr_db"
    hostname: "ehr_db"
    restart: always
    image: mariadb:11.8
    command: ['mariadbd','--character-set-server=utf8mb4']
    expose:
      - "3306"
    healthcheck:
      test:
      - CMD
      - /usr/local/bin/healthcheck.sh
      - --su-mysql
      - --connect
      - --innodb_initialized
      start_period: 1m
      start_interval: 10s
      interval: 1m
      timeout: 5s
      retries: 3
    networks:
      - ehr

  ehr:
    container_name: "ehr"
    hostname: "ehr"
    restart: always
    image: ehr:latest
    expose:
      - "80"
    ports:
      - "55449:80"
    networks:
      - ehr
    depends_on:
      ehr_db:
        condition: service_healthy

networks:
  ehr:
    name: ehr
    driver: bridge
  2. Run sudo systemctl start docker.
  3. Run sudo docker compose up -d.
  4. Verify that the port is open on 0.0.0.0 with netstat -tulnp.
  5. Run sudo docker compose down.
  6. Run sudo systemctl stop docker.
  7. Run systemctl --user start docker.
  8. Run docker compose up -d.
  9. Verify that the port is no longer bound on 0.0.0.0 with netstat -tulnp.
  10. Obtain logs from journalctl with journalctl --user -xeu docker.service.
  11. Notice issues with opening the br-XXX bridge interface, which does not exist on the host (ifconfig).
  12. Run docker compose down.
  13. Run systemctl --user stop docker.

Expected behavior

In rootless mode, I expected

Image

But got

Image

docker version

Client:
 Version:           29.5.3
 API version:       1.54
 Go version:        go1.26.4-X:nodwarf5
 Git commit:        1.fc44
 Built:             Wed Jun  3 00:00:00 2026
 OS/Arch:           linux/amd64
 Context:           rootless

Server:
 Engine:
  Version:          29.5.3
  API version:      1.54 (minimum version 1.40)
  Go version:       go1.26.4-X:nodwarf5
  Git commit:       1.fc44
  Built:            Wed Jun  3 00:00:00 2026
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v2.2.4
  GitCommit:        193637f7ee8ae5f5aa5248f49e7baa3e6164966e
 runc:
  Version:          1.3.5
  GitCommit:        v1.3.5-0-g488fc13e
 docker-init:
  Version:          0.19.0
  GitCommit:        
 rootlesskit:
  Version:          3.0.1
  ApiVersion:       1.1.1
  NetworkDriver:    pasta
  StateDir:         /run/user/1000/dockerd-rootless

docker info

Client:
 Version:    29.5.3
 Context:    rootless
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  0.34.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  5.1.4
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 2
  Running: 2
  Paused: 0
  Stopped: 0
 Images: 3
 Server Version: 29.5.3
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
  /home/kiseitai2/.config/cdi
  /run/user/1000/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 193637f7ee8ae5f5aa5248f49e7baa3e6164966e
 runc version: v1.3.5-0-g488fc13e
 init version: 
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns
 Kernel Version: 7.0.12-201.fc44.x86_64
 Operating System: Fedora Linux 44 (Workstation Edition)
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 38.09GiB
 Name: fedora
 ID: c62a3f0a-f20e-4ee7-bd68-e812d8dbc1d9
 Docker Root Dir: /home/kiseitai2/.local/share/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false
 Firewall Backend: iptables
  EnableUserlandProxy: true
  UserlandProxyPath: /usr/bin/docker-proxy

WARNING: No cpuset support


Additional Info

Image Image Image
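The reproduction steps above compare `netstat -tulnp` output between the rootful and rootless daemons to see whether port 55449 is bound on 0.0.0.0. The following helper, added here and not part of the reporter's post or of the moby project, parses that output and reports the bindings for a given port; the two netstat samples, PIDs and program names are constructed for illustration, not captured from the reporter's host.

```python
"""Check whether a published port is bound on a wildcard address, from `netstat -tulnp` output."""

# Constructed sample: what the rootful daemon (steps 2-4) would be expected to show.
ROOTFUL_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:55449           0.0.0.0:*               LISTEN      4242/docker-proxy
tcp6       0      0 :::55449                :::*                    LISTEN      4243/docker-proxy
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1010/cupsd
"""

# Constructed sample: the rootless case from steps 7-9, where 55449 never appears.
ROOTLESS_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1010/cupsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           900/avahi-daemon
"""

# Addresses that mean "every interface on the host" (IPv4 and IPv6 wildcards).
WILDCARDS = {"0.0.0.0", "::"}


def parse_listeners(text):
    """Yield (proto, local_addr, port, program) for each tcp/udp socket line."""
    for line in text.splitlines():
        parts = line.split()
        # Skip the banner and the column header; data lines start with tcp/tcp6/udp/udp6.
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue
        # Split "addr:port" on the last colon so IPv6 forms like ":::55449" survive.
        addr, _, port = parts[3].rpartition(":")
        yield parts[0], addr, int(port), parts[-1]


def bindings_for_port(text, port):
    """Return [(proto, local_addr, program), ...] for every socket listening on `port`."""
    return [(proto, addr, prog) for proto, addr, p, prog in parse_listeners(text) if p == port]


def is_exposed_on_host(text, port):
    """True when at least one listener on `port` is bound to a wildcard address."""
    return any(addr in WILDCARDS for _, addr, _ in bindings_for_port(text, port))
```

Run it against the real output with `netstat -tulnp | python3 -c 'import sys, check; print(check.bindings_for_port(sys.stdin.read(), 55449))'` (module name assumed) before and after switching daemons.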
