I just installed nethserver-docker and portainer and noticed that if I edit the firewall rules from cockpit and apply them, all the containers in aqua (I’m currently using only aqua) become unable to talk to each other until I run signal-event nethserver-docker-update . Have I missed something?
Sorry if I'm always late in answering this topic.
I created a new network service and linked it to the ports I need:
config set zabbix-server service status enabled TCPPort 10051 UDPPort 10051 access green
/etc/e-smith/db/configuration/defaults# mkdir zabbix-server && cd zabbix-server
echo service > type
echo enabled > status
added the port export from portainer
but now the port is publicly accessible even though I added a local rule Deny from 0.0.0.0/0 to service zabbix-server.
It seems too that I can still reproduce the bug mentioned before: if I have a firewall adjust, containers can’t talk to each other until I have a nethserver-docker-update too.
Yes, I’m using zabbix/zabbix-server-pgsql:ubuntu-5.2-latest and zabbix/zabbix-web-apache-pgsql:ubuntu-latest. When reconfiguring the firewall, Zabbix Web says the server is down even though the container is running. In fact, pinging from web to server won’t produce any effect.
About the port forwarding: should, IMHO, be reproducible with every service running in docker.
Thank you for your effort,
I could reproduce the issue and I think it’s a bug.
One needs to run signal-event nethserver-docker-update after signal-event firewall-adjust to add the docker-specific rules that let the containers talk to each other:
and reconfigure the firewall and now the web container should still be able to reach the server container.
If something went wrong just remove /etc/e-smith/events/firewall-adjust/S99nethserver-docker-interface-update-restart-docker.
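As an added example (not code from the thread or from NethServer), the following POSIX shell script checks whether Docker's own iptables chains are still present after a firewall-adjust or a shorewall restart, which is the state the thread is about. It reads an iptables-save dump and reports which of Docker's filter-table rules are missing; the two dumps it evaluates are constructed inline for the demonstration, and the chain names, the docker0 interface and the --live switch are assumptions of this example, not taken from the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread: detect a firewall reload that
# dropped Docker's iptables chains, so an operator knows when
# "signal-event nethserver-docker-update" is needed.

# Rules Docker installs in the filter table (assumed generic docker0 layout).
required_docker_rules() {
    printf '%s\n' \
        ':DOCKER - ' \
        ':DOCKER-USER - ' \
        '-A FORWARD -j DOCKER-USER' \
        '-A FORWARD -o docker0 -j DOCKER'
}

# Print each required rule that is absent from the dump given as $1.
list_missing_docker_rules() {
    dump=$1
    required_docker_rules | while IFS= read -r needle; do
        printf '%s\n' "$dump" | grep -qF -- "$needle" || printf '%s\n' "$needle"
    done
}

# Number of missing rules (0 when Docker's chains are intact).
count_missing_docker_rules() {
    list_missing_docker_rules "$1" | grep -c .
}

# Exit status 0 when all required rules are present, 1 otherwise.
docker_rules_present() {
    [ "$(count_missing_docker_rules "$1")" -eq 0 ]
}

# Human-readable verdict for one dump.
report_docker_rules() {
    name=$1
    dump=$2
    if docker_rules_present "$dump"; then
        echo "$name: docker rules present"
    else
        echo "$name: docker rules missing, run: signal-event nethserver-docker-update"
        list_missing_docker_rules "$dump" | sed 's/^/  missing: /'
    fi
}

# Constructed snapshot: the filter table while Docker's rules are in place.
HEALTHY_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Constructed snapshot: the same table after a firewall reload rebuilt it
# without Docker's chains (containers can no longer reach each other).
FLUSHED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j DROP
COMMIT'

# Stand-alone run: evaluate both constructed snapshots, or with "--live"
# (assumed switch) read the real table, which needs root and iptables-save.
if [ "${1:-}" = "--live" ]; then
    report_docker_rules "live" "$(iptables-save)"
else
    report_docker_rules "HEALTHY_DUMP" "$HEALTHY_DUMP"
    report_docker_rules "FLUSHED_DUMP" "$FLUSHED_DUMP"
fi
```

Running it after every firewall change (for instance from a cron job or a monitoring check) turns the silent container-to-container outage the thread describes into an explicit, actionable alert.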
Yes, you’re right. It does not work to port forward to a container with aqua but you may use the docker port redirect/publish instead. Or you use macvlan or aeria networking instead of aqua.
It seems the docker published port overrules the service. I need to check…
We could add it @mrmarkuz, but in fact this is done by the shorewall restart.
The event firewall-adjust does not use systemctl to restart shorewall but the built-in command shorewall restart: /etc/e-smith/events/nethserver-firewall-base-save/S89nethserver-shorewall-restart
Someone could restart shorewall manually and we would have the same issue, either via systemctl or via the shorewall binary itself.