Possible bug in NethServer docker firewall handling

Dear all,

I just installed nethserver-docker and portainer and noticed that if I edit the firewall rules from cockpit and apply them, all the containers in aqua (I’m currently using only aqua) become unable to talk to each other until I run signal-event nethserver-docker-update. Have I missed something?

Thanks,

I’m even unable to expose a port of a container in aqua: if I create a Port forward it seems not to be working and if I create it via Docker I am unable to manage firewall rules on that port.

For docker the Neth firewall UI does not work. You need to set it on command line, see Documentation.
A docker port redirect in combination with a Neth port forward or reverse proxy should work.

1 Like

Hi @mrmarkuz,

I might not have fully understood what you’re telling me to do.
Should I

  • create the port exposure via Docker/Portainer
  • create a local rule from Neth’s firewall? How? There isn’t any service and I can’t create it since it’s not systemd-linked.

Thanks,

Use the docker published port to get a local port.
Then you may port forward/reverse proxy to the published local port.
You may need to open the port, see services chapter in devel docs.

Hi Mark,

sorry if I’m always late in answering this topic.
Now I:

  • created a new network service and linked it to the ports I need:
config set zabbix-server service status enabled TCPPort 10051 UDPPort 10051 access green
/etc/e-smith/db/configuration/defaults# mkdir zabbix-server && cd zabbix-server
echo service > type
echo enabled > status
  • added the port export from portainer

but now the port is publicly accessible even though I added a local rule Deny from 0.0.0.0/0 to service zabbix-server.
It seems too that I can still reproduce the bug mentioned before: if I have a firewall adjust, containers can’t talk to each other until I have a nethserver-docker-update too.

Thanks,

Just tried port-forwarding via NethServer firewall to the aqua container’s IP and didn’t get any result.

Just to recap:
You are running zabbix as docker container and want to open its port 10051 to the green network?

Do you use the following docker image?

I’ll try to reproduce asap.

Yes, I’m using zabbix/zabbix-server-pgsql:ubuntu-5.2-latest and zabbix/zabbix-web-apache-pgsql:ubuntu-latest. When reconfiguring the firewall, Zabbix Web says the server is down even though the container is running. In fact, pinging from web to server won’t produce any effect.
About the port forwarding: it should, IMHO, be reproducible with every service running in docker.
Thank you for your effort,

2 Likes

I could reproduce the issue and I think it’s a bug.
One needs to run signal-event nethserver-docker-update after signal-event firewall-adjust to add docker specific rules to let the containers talk to each other:

[root@testserver ~]# diff shorewall_show_before_firewall_adjust shorewall_show_after_firewall_adjust
54c48
< Chain DOCKER (3 references)
---
> Chain DOCKER (2 references)
56,69c50,51
<   293 79888 ACCEPT     tcp  --  !aqua0 aqua0   0.0.0.0/0            172.28.0.2           tcp dpt:8080
<    15   981 ACCEPT     tcp  --  !aqua0 aqua0   0.0.0.0/0            172.28.0.3           tcp dpt:10051
<
< Chain DOCKER-ISOLATION-STAGE-1 (1 references)
<  pkts bytes target     prot opt in     out     source               destination
<    14  1393 DOCKER-ISOLATION-STAGE-2  all  --  aqua0  !aqua0  0.0.0.0/0            0.0.0.0/0
<     0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
<    96 14549 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
<
< Chain DOCKER-ISOLATION-STAGE-2 (2 references)
<  pkts bytes target     prot opt in     out     source               destination
<     0     0 DROP       all  --  *      aqua0   0.0.0.0/0            0.0.0.0/0
<     0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
<    14  1393 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

I think the firewall-adjust event should run the nethserver-docker-interface-update-restart-docker action like it is done in the interface-update event. @stephdl, what do you think?

You may test it with

ln -s /etc/e-smith/events/actions/nethserver-docker-interface-update-restart-docker /etc/e-smith/events/firewall-adjust/S99nethserver-docker-interface-update-restart-docker

and reconfigure the firewall and now the web container should still be able to reach the server container.
If something went wrong just remove /etc/e-smith/events/firewall-adjust/S99nethserver-docker-interface-update-restart-docker.

Yes, you’re right. It does not work to port forward to a container with aqua but you may use the docker port redirect/publish instead. Or you use macvlan or aeria networking instead of aqua.

It seems the docker published port overrules the service. I need to check…

4 Likes
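As an added example (not code from the thread or from the nethserver-docker package): a small check that reads the text of `iptables -L -n -v` (the same format as the `shorewall show` output diffed above) and reports whether the docker chains and the per-container ACCEPT rules for published ports are still loaded after a firewall-adjust. The function name, the `aqua0` interface name taken from the diff, and the two sample outputs (constructed from the before/after state in the thread) are assumptions.

```shell
# Usage: check_docker_rules "<iptables -L -n -v output>" "<published tcp ports>"
# Prints each missing item; returns 0 if nothing is missing, 1 otherwise.
# Added example, not nethserver-docker code; interface name aqua0 is assumed.
check_docker_rules() {
    rules=$1
    ports=$2
    missing=0
    # Docker's own chains must exist (a shorewall restart flushes them).
    for chain in DOCKER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2; do
        if ! printf '%s\n' "$rules" | grep -q "^Chain $chain "; then
            echo "missing chain: $chain"
            missing=1
        fi
    done
    # Each published port needs its ACCEPT rule into the aqua bridge (aqua0).
    for port in $ports; do
        if ! printf '%s\n' "$rules" | grep -Eq "ACCEPT.*aqua0.*tcp dpt:$port( |\$)"; then
            echo "missing published-port rule: tcp/$port"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: state before firewall-adjust (condensed from the diff).
BEFORE_SAMPLE='Chain DOCKER (3 references)
 pkts bytes target     prot opt in     out     source               destination
  293 79888 ACCEPT     tcp  --  !aqua0 aqua0   0.0.0.0/0            172.28.0.2           tcp dpt:8080
   15   981 ACCEPT     tcp  --  !aqua0 aqua0   0.0.0.0/0            172.28.0.3           tcp dpt:10051

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
   14  1393 DOCKER-ISOLATION-STAGE-2  all  --  aqua0  !aqua0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
    0     0 DROP       all  --  *      aqua0   0.0.0.0/0            0.0.0.0/0'

# Constructed sample: state after firewall-adjust, before nethserver-docker-update.
AFTER_SAMPLE='Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination'

check_docker_rules "$BEFORE_SAMPLE" "8080 10051" && echo "before: docker rules present"
check_docker_rules "$AFTER_SAMPLE" "8080 10051" || echo "after: run signal-event nethserver-docker-update"
```

On a live host the same check is `check_docker_rules "$(iptables -L -n -v)" "10051"` run right after `signal-event firewall-adjust`; a non-zero return means the containers on aqua have lost their rules.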

let me check

True bug: once the firewall-adjust event is triggered, the docker containers cannot ping each other on the aqua network.

docker run  -dit --name nginx-test-02 --net=aqua --ip=172.28.0.10 --restart=unless-stopped nginx:alpine nginx-debug -g 'daemon off;'
docker run  -dit --name nginx-test-03 --net=aqua --ip=172.28.0.11 --restart=unless-stopped nginx:alpine nginx-debug -g 'daemon off;'

then start a shell in a container

docker exec -ti nginx-test-02 /bin/sh

and ping the container nginx-test-03

ping 172.28.0.11

If you trigger the firewall-adjust, the container stops being able to ping the other container until you restart docker.

Right, the shorewall restart removes all iptables rules related to docker; this is the same behavior.

We could add it @mrmarkuz, but in fact this is done by the shorewall restart.

My concerns

The event firewall-adjust does not use systemctl to restart shorewall but the built-in command shorewall restart: /etc/e-smith/events/nethserver-firewall-base-save/S89nethserver-shorewall-restart
Someone could restart shorewall manually, either by systemctl or by the shorewall binary itself, and we would have the same issue.

1 Like

in docker service, if systemd restarts shorewall, then we restart docker

[Unit]
...
+PartOf=shorewall.service
1 Like

released as nethserver-docker-1.0.9-1

3 Likes