ClearFoundation Tracker - ClearCenter
View Issue Details

ID | Project | Category | View Status | Date Submitted | Last Update
0021031 | ClearCenter | app-clearglass - ClearGLASS Engine | public | 2018-08-08 15:28 | 2018-10-30 19:47

Reporter | NickH
Assigned To | user2
Priority | normal | Severity | minor | Reproducibility | always
Status | closed | Resolution | fixed
Platform | | OS | | OS Version |
Product Version |
Target Version | 7.5.0 Updates | Fixed in Version | 7.5.0 Updates

Summary | 0021031: Firewall issues
Description | /etc/clearos/firewall.d/10-docker largely fails on boot as the interface docker0 does not exist. In this case you need to restart the firewall after docker starts to get the rules (or run the configlet manually). Starting docker does neither of these.
Also in /etc/clearos/firewall.d/10-docker, superfluous rules are generated. The rules:
$IPTABLES -t filter -A FORWARD -i $IFACE ! -o $IFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $IFACE -o $IFACE -j ACCEPT
are covered by:
$IPTABLES -t filter -A FORWARD -i $IFACE -j ACCEPT
and the rule:
$IPTABLES -t filter -A FORWARD -o $IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
is entirely covered by the default rule, which allows all related and established packets in both directions.
$IPTABLES -t filter -A OUTPUT -o $IFACE -j ACCEPT should be unnecessary as all OUTPUT is allowed by default, although ClearOS does seem to add OUTPUT rules matching INPUT rules.
Lastly, it is probably a good idea to split out the docker rules from the ClearGLASS rules so that, if you run other containers such as Samba AD Domain Controller, you don't pull in the ClearGLASS rules and vice versa.
Steps To Reproduce |
Additional Information |
Tags | No tags attached.
Relationships | related to | 0021061 | closed | NickH | ClearOS | Create docker firewall framework

Attached Files |
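The subsumption argument in the description (a rule with extra match conditions and the same target adds nothing when a rule with a subset of those conditions already accepts the traffic) can be checked mechanically. This is an added example, not code from the tracker, ClearOS or the 10-docker configlet; the `$IPTABLES`/`$IFACE` expansion values and the first FORWARD line standing in for the gateway's default RELATED,ESTABLISHED rule are constructed.

```python
import shlex

# Single-argument options that together form a rule's match set.
MATCH_OPTS = {"-i", "-o", "-p", "-s", "-d", "-m", "--ctstate", "--dport", "--sport"}

def parse_rule(line, env=None):
    """Parse `$IPTABLES -t TABLE -A CHAIN <matches> -j TARGET` into
    (table, chain, frozenset of (negated, option, value), target)."""
    for var, val in (env or {}).items():
        line = line.replace("$" + var, val)  # expand the configlet's shell variables
    toks, i = shlex.split(line), 1  # toks[0] is the iptables binary itself
    hdr, matches, negate = {"-t": "filter", "-A": None, "-j": None}, set(), False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True  # applies to the next match option
        elif tok in hdr:
            i, hdr[tok] = i + 1, toks[i + 1]
        elif tok in MATCH_OPTS:
            matches.add((negate, tok, toks[i + 1]))
            i, negate = i + 1, False
        i += 1
    return hdr["-t"], hdr["-A"], frozenset(matches), hdr["-j"]

def find_redundant(lines, env=None):
    """Return (redundant_rule, covering_rule) pairs: same table, chain and target,
    and the covering rule's matches are a strict subset of the redundant rule's."""
    rules = [(ln, parse_rule(ln, env)) for ln in lines if ln.strip()]
    found = []
    for ln, (t, c, m, j) in rules:
        for ln2, (t2, c2, m2, j2) in rules:
            if (t, c, j) == (t2, c2, j2) and m2 < m:
                found.append((ln, ln2))
                break
    return found

ENV = {"IPTABLES": "/sbin/iptables", "IFACE": "docker0"}  # constructed stand-ins
# Constructed sample in the style of the quoted configlet; line 1 stands in for the default RELATED,ESTABLISHED rule.
SAMPLE = """\
$IPTABLES -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $IFACE ! -o $IFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $IFACE -o $IFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $IFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -o $IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $IFACE -j ACCEPT
""".splitlines()

if __name__ == "__main__":
    for rule, by in find_redundant(SAMPLE, ENV):
        print(f"redundant: {rule}\n  covered by: {by}")
```

Rule order and intervening rules with other targets are deliberately ignored, so treat hits as review candidates rather than safe deletions.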

Issue History
Date Modified | Username | Field | Change
2018-08-08 15:28 | NickH | New Issue | |
2018-08-10 00:31 | user2 | Note Added: 0007751 | |
2018-08-10 00:33 | user2 | Note Added: 0007761 | |
2018-08-10 00:33 | user2 | Project | ClearOS => ClearCenter |
2018-08-10 00:33 | user2 | Category | app-docker - Docker => General |
2018-08-10 00:34 | user2 | Status | new => confirmed |
2018-08-10 00:34 | user2 | Category | General => app-clearglass - ClearGLASS Engine |
2018-08-10 00:34 | user2 | Target Version | => 7.5.0 Updates |
2018-08-10 00:35 | user2 | Note Added: 0007771 | |
2018-08-10 14:48 | NickH | Note Added: 0007791 | |
2018-08-13 07:58 | user2 | Issue cloned: 0021061 | |
2018-08-13 07:58 | user2 | Relationship added | related to 0021061 |
2018-08-13 08:15 | user2 | Note Added: 0007821 | |
2018-08-14 10:53 | user2 | Status | confirmed => resolved |
2018-08-14 10:53 | user2 | Fixed in Version | => 7.5.0 Updates |
2018-08-14 10:53 | user2 | Resolution | open => fixed |
2018-08-14 10:53 | user2 | Assigned To | => user2 |
2018-10-30 19:47 | user2 | Status | resolved => closed |

Notes

(0007751) | user2 | 2018-08-10 00:31
Ultimately, the 10-docker configlet was designed to mimic the behavior of Docker rules (including rules that may be superfluous in gateway mode). As discussed in tech meetings, this is a complete dead end - Docker + iptables + ClearOS gateway is a non-starter. At this point 10-docker is really just a hack to get ClearGLASS working.
Bottom line: Docker in its current version/state should not be used on a ClearOS gateway.

(0007761) | user2 | 2018-08-10 00:33
The ClearGLASS containers do not recover well on a reboot. A workaround was added -- a ClearOS "onboot event" handler was added. I'll add the firewall configlet restart to the workaround.

(0007771) | user2 | 2018-08-10 00:35
Also, let me see if I can get a champion assigned to this app.

(0007791) | NickH | 2018-08-10 14:48

Please can you classify this back to an app-docker bug and include in the app-docker package a file /etc/sysconfig/network-scripts/ifcfg-docker0. In it put:
DEVICE=docker0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="none"
This creates a stub interface which allows all rules with a docker0 interface to be applied correctly on boot. When docker then starts, it configures the interface as it wants (tested).
Then all the rules specific to ClearGLASS (the ones with the br- interface) can be split into a separate configlet, say 11-clearglass, which will run after 10-docker runs to make sure the DOCKER and DOCKER-ISOLATION chains exist before it applies rules to them.
It is necessary for docker to be able to start correctly from boot if it is to run Samba Domain Controller.

(0007821) | user2 | 2018-08-13 08:15
> Please can you classify this back to an app-docker bug
Done! This tracker item is now only about this scope:
/etc/clearos/firewall.d/10-docker largely fails on boot as the interface
docker0 does not exist. In this case you need to restart the firewall after
docker starts to get the rules (or run the configlet manually). Starting docker does neither of these.
The Docker firewall integration has moved to 0021061 under "app-docker".