ClearOS Bug Tracker


ID: 0021061
Project: ClearOS
Category: app-docker - Docker
View Status: public
Date Submitted: 2018-08-13 07:58
Last Update: 2019-07-11 05:28
Reporter: user2
Assigned To: NickH
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: not set
Product Version / Target Version / Fixed in Version: not set
Summary: 0021061: Create docker firewall framework
DescriptionIt is probably a good idea to split out the docker rules from the ClearGLASS rules so, if you run other containers such as Samba AD Domain Controller, you don't pull in the ClearGLASS rules and vice-versa.
Tags: No tags attached.
Attached Files: none

- Relationships
related to 0021031 (closed, user2): ClearCenter Firewall issues

- Notes
(0007801)
user2
2018-08-13 08:02

This bug was split from 0021031. Here's more context from that issue:

in /etc/clearos/firewall.d/10-docker, superfluous rules are generated. The rules:
$IPTABLES -t filter -A FORWARD -i $IFACE ! -o $IFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $IFACE -o $IFACE -j ACCEPT
are covered by:
$IPTABLES -t filter -A FORWARD -i $IFACE -j ACCEPT

and the rule:
$IPTABLES -t filter -A FORWARD -o $IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
is entirely covered by the default rule which allows all related and established packets in both directions.

$IPTABLES -t filter -A OUTPUT -o $IFACE -j ACCEPT should be unnecessary as all OUTPUT is allowed by default although ClearOS does seem to add OUTPUT rules matching INPUT rules.

// Response
The firewall configlet was designed to mimic the rules generated by Docker (even if not truly needed). In other words, if you were to disable the firewall in ClearOS and start Docker in "iptables-enabled" mode, you should see a very closely matched set of rules.
(0007811)
user2
2018-08-13 08:11

The Docker firewall integration is unfinished and arguably a non-starter (at least in ClearOS 7). This issue is now a placeholder for this feature request.

Some thoughts about the scope of this feature request:

- Review other Docker containers and Docker-Compose services. Note: during the ClearGLASS integration, Xibo was used as a simple sanity check.

- Docker networking is non-trivial and system administrators may want to manage it differently. Docs @ https://docs.docker.com/network/

- It would be unwise to attempt to reverse engineer Docker's firewall management. The hack done for ClearGLASS should be considered a dead end in my opinion.
(0008151)
NickH (developer)
2018-10-10 04:10

From https://tracker.clearos.com/view.php?id=21031, the following should have been copied over:

Please create a file /etc/sysconfig/network-scripts/ifcfg-docker0. In it put:
DEVICE=docker0        # bridge name Docker expects to find
TYPE="Bridge"
ONBOOT="yes"          # bring the bridge up at boot, before the firewall hooks run
USERCTL="no"
BOOTPROTO="none"      # no static address; Docker assigns one when it starts

This should be created on installation. If it is not, all the /etc/clearos/firewall.d/10-docker rules don't run as they all need the docker0 interface (and there is currently a check to see if docker exists in the firewall rules due to bug 0020351).

The problem with this is that when docker is then started there is no attempt to run the /etc/clearos/firewall.d/10-docker rules again, meaning docker starts without any firewall rules in place. This currently also affects ClearGLASS as the rules are run from the same /etc/clearos/firewall.d/10-docker file. Currently, the first time ClearGLASS is started there are no docker or ClearGLASS firewall rules and they will not exist until the firewall is restarted.

If a docker0 interface is defined as above, all the docker firewall rules will succeed (but not necessarily the ClearGLASS rules). Docker will also take control of the interface when it starts, giving it an IP address and so on.

If this change is made, the DOCKER and DOCKER-ISOLATION chains will always exist for when any docker app starts, and they are needed for the samba/docker solution.
(0008291)
NickH (developer)
2018-10-26 06:40

The requirement to create a docker0 interface on installation can be obsoleted by changing the firewall script 10-docker from:

if [ -z "$IFACE_EXISTS" ]; then
    RUN_HOOK=no
fi

to:
if [ -z "$IFACE_EXISTS" ]; then
    brctl addbr docker0
fi

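The two threads above (the redundant rules in note 0007801 and the docker0 pre-creation proposed in note 0008291) can be combined into one configlet shape. The script below is an added example, not ClearOS's actual /etc/clearos/firewall.d/10-docker and not NickH's or user2's code. It assumes hypothetical knobs of its own: IPTABLES and BRCTL default to "echo ..." so the script is a dry run that prints the commands it would execute, the interface check reads /sys/class/net (overridable via SYSFS_NET for testing), and the bridge name defaults to docker0. Only the rules the thread itself discusses are emitted: the DOCKER and DOCKER-ISOLATION chains are created, the single FORWARD rule with -i $IFACE that covers both "-o $IFACE" and "! -o $IFACE", and none of the RELATED,ESTABLISHED or OUTPUT rules that the ClearOS defaults already provide.

```shell
#!/bin/sh
# Added example of a 10-docker style firewall configlet (dry run by default).
# Not the ClearOS project's code. Hypothetical knobs:
#   IPTABLES  - set to "iptables" to really apply rules (default: echo)
#   BRCTL     - set to "brctl" to really create the bridge (default: echo)
#   SYSFS_NET - where interfaces are looked up (default: /sys/class/net)

IFACE="${IFACE:-docker0}"
IPTABLES="${IPTABLES:-echo iptables}"
BRCTL="${BRCTL:-echo brctl}"
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# True if the kernel exposes the interface (a directory under /sys/class/net).
iface_exists() {
    [ -d "$SYSFS_NET/$1" ]
}

# Note 0008291: instead of setting RUN_HOOK=no when the bridge is missing,
# create it, so the rules below always have an interface to reference and
# the DOCKER chains exist before any container is started.
ensure_bridge() {
    if iface_exists "$1"; then
        echo "bridge $1 already present"
    else
        $BRCTL addbr "$1"
    fi
}

# Note 0007801: the minimal rule set.
#  - "-A FORWARD -i $IFACE -j ACCEPT" already covers "-i $IFACE -o $IFACE"
#    and "-i $IFACE ! -o $IFACE", so those two are not emitted.
#  - RELATED,ESTABLISHED return traffic and OUTPUT are accepted by the
#    ClearOS default rules, so no rule for either is emitted here.
#  - The DOCKER and DOCKER-ISOLATION chains are created empty; Docker
#    populates them when it starts.
docker_rules() {
    $IPTABLES -t filter -N DOCKER
    $IPTABLES -t filter -N DOCKER-ISOLATION
    $IPTABLES -t filter -A FORWARD -i "$IFACE" -j ACCEPT
}

# Number of rules the configlet would add (useful to diff against what a
# "firewall restart" actually installs).
docker_rule_count() {
    docker_rules | wc -l | tr -d ' '
}

run_hook() {
    ensure_bridge "$IFACE"
    docker_rules
}

# Usage: sh 10-docker-example.sh run          (prints the commands)
#        IPTABLES=iptables BRCTL=brctl sh 10-docker-example.sh run
if [ "${1:-}" = "run" ]; then
    run_hook
fi
```

Because the rules are loaded through a function rather than top-level statements, a `docker.service` drop-in (or a post-start hook) could call the same function after Docker starts, which is the gap note 0008151 describes: today the rules are only applied when the firewall itself is restarted.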
- Issue History
Date Modified Username Field Change
2018-08-13 07:58 user2 New Issue
2018-08-13 07:58 user2 Issue generated from: 0021031
2018-08-13 07:58 user2 Relationship added related to 0021031
2018-08-13 08:02 user2 Note Added: 0007801
2018-08-13 08:11 user2 Note Added: 0007811
2018-08-13 08:11 user2 Project ClearCenter => ClearOS
2018-08-13 08:11 user2 Category app-clearglass - ClearGLASS Engine => General
2018-08-13 08:11 user2 Status new => acknowledged
2018-08-13 08:11 user2 Category General => app-docker - Docker
2018-08-13 08:12 user2 Severity minor => feature
2018-10-10 04:10 NickH Note Added: 0008151
2018-10-26 06:40 NickH Note Added: 0008291
2019-07-11 05:28 NickH Status acknowledged => closed
2019-07-11 05:28 NickH Assigned To => NickH
2019-07-11 05:28 NickH Resolution open => fixed