ClearFoundation Tracker - ClearOS |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0021061 | ClearOS | app-docker - Docker | public | 2018-08-13 07:58 | 2019-07-11 05:28 |
|
| Reporter | user2 | |
| Assigned To | NickH | |
| Priority | normal | Severity | feature | Reproducibility | always |
| Status | closed | Resolution | fixed | |
| Platform | | OS | | OS Version | |
| Product Version | | |
| Target Version | | Fixed in Version | | |
|
| Summary | 0021061: Create docker firewall framework |
| Description | It is probably a good idea to split out the docker rules from the ClearGLASS rules so, if you run other containers such as Samba AD Domain Controller, you don't pull in the ClearGLASS rules and vice-versa. |
| Steps To Reproduce | |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | related to | 0021031 | closed | user2 | ClearCenter | Firewall issues |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2018-08-13 07:58 | user2 | New Issue | |
| 2018-08-13 07:58 | user2 | Issue generated from: 0021031 | |
| 2018-08-13 07:58 | user2 | Relationship added | related to 0021031 |
| 2018-08-13 08:02 | user2 | Note Added: 0007801 | |
| 2018-08-13 08:11 | user2 | Note Added: 0007811 | |
| 2018-08-13 08:11 | user2 | Project | ClearCenter => ClearOS |
| 2018-08-13 08:11 | user2 | Category | app-clearglass - ClearGLASS Engine => General |
| 2018-08-13 08:11 | user2 | Status | new => acknowledged |
| 2018-08-13 08:11 | user2 | Category | General => app-docker - Docker |
| 2018-08-13 08:12 | user2 | Severity | minor => feature |
| 2018-10-10 04:10 | NickH | Note Added: 0008151 | |
| 2018-10-26 06:40 | NickH | Note Added: 0008291 | |
| 2019-07-11 05:28 | NickH | Status | acknowledged => closed |
| 2019-07-11 05:28 | NickH | Assigned To | => NickH |
| 2019-07-11 05:28 | NickH | Resolution | open => fixed |
|
Notes |
|
|
(0007801)
|
|
user2
|
|
2018-08-13 08:02
|
|
This but was split from 0021031. Here's more context from that issue:
in /etc/clearos/firewall.d/10-docker, superfluous rules are generated. The rules:
$IPTABLES -t filter -A FORWARD -i $IFACE ! -o $IFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $IFACE -o $IFACE -j ACCEPT
are covered by:
$IPTABLES -t filter -A FORWARD -i $IFACE -j ACCEPT
and the rule:
$IPTABLES -t filter -A FORWARD -o $IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
is entirely covered by the default rule which allows all related and established packets in both directions.
$IPTABLES -t filter -A OUTPUT -o $IFACE -j ACCEPT should be unnecessary as all OUTPUT is allowed by default although ClearOS does seem to add OUTPUT rules matching INPUT rules.
// Response
The firewall configlet was designed to mimic the rules generated by Docker (even if not truly needed). In other words, if you were to disable the firewall in ClearOS and start Docker in "iptables-enabled" mode, you should see a very closely matched set of rules. |
|
|
|
(0007811)
|
|
user2
|
|
2018-08-13 08:11
|
|
The Docker firewall integration is unfinished and arguably a non-starter (at least in ClearOS 7). This issue is now a placeholder for this feature request.
Some thoughts about the scope of this feature request:
- Review other Docker containers and Docker-Compose services. Note: during the ClearGLASS integration, Xibo was used as a simple sanity check.
- Docker networking is non-trivial and system administrators may want to manage it differently. Docs @ https://docs.docker.com/network/ [^]
- It would be unwise to attempt to reverse engineer Docker's firewall management. The hack done for ClearGLASS should be considered a dead end in my opinion. |
|
|
|
(0008151)
|
|
NickH
|
|
2018-10-10 04:10
|
|
From https://tracker.clearos.com/view.php?id=21031, [^] the following should have been copied over:
Please create a file /etc/sysconfig/network-scripts/ifcfg-docker0. In it put:
DEVICE=docker0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="none"
This should be created on installation. If it is not, all the /etc/clearos/firewall.d/10-docker rules don't run as they all need the docker0 interface (and there is currently a check to see if docker exists in the firewall rules due to bug 0020351).
The problem with this is that when docker is then started there is no attempt to run the /etc/clearos/firewall.d/10-docker rules again, meaning docker starts without any firewall rules in place. This currently also affects ClearGLASS as the rules are run from the same /etc/clearos/firewall.d/10-docker file. Currently, the first time ClearGLASS is started there are no docker or ClearGLASS firewall rules and they will not exist until the firewall is restarted.
If a docker0 interface is defined as above, all the docker firewall rules will will succeed (but not necessarily the ClearGLASS rules). Docker will also take control of the interface when it starts giving it an IP address and so on.
If this change is made, the DOCKER and DOCKER-ISOLATION chains will always exist for when any docker app starts and is needed for the samba/docker solution. |
|
|
|
(0008291)
|
|
NickH
|
|
2018-10-26 06:40
|
|
The requirement to create a docker0 interface on installation can be obsoleted by changing the firewall script 10-docker from:
if [ -z "$IFACE_EXISTS" ]; then
RUN_HOOK=no
fi
to:
if [ -z "$IFACE_EXISTS" ]; then
brctl addbr docker0
fi |
|