ClearFoundation Tracker - ClearOS
View Issue Details
0021061ClearOSapp-docker - Dockerpublic2018-08-13 07:582019-07-11 05:28
user2 
NickH 
normalfeaturealways
closedfixed 
 
 
0021061: Create docker firewall framework
It is probably a good idea to split out the docker rules from the ClearGLASS rules so, if you run other containers such as Samba AD Domain Controller, you don't pull in the ClearGLASS rules and vice-versa.
No tags attached.
related to 0021031closed user2 ClearCenter Firewall issues 
Issue History
2018-08-13 07:58user2New Issue
2018-08-13 07:58user2Issue generated from: 0021031
2018-08-13 07:58user2Relationship addedrelated to 0021031
2018-08-13 08:02user2Note Added: 0007801
2018-08-13 08:11user2Note Added: 0007811
2018-08-13 08:11user2ProjectClearCenter => ClearOS
2018-08-13 08:11user2Categoryapp-clearglass - ClearGLASS Engine => General
2018-08-13 08:11user2Statusnew => acknowledged
2018-08-13 08:11user2CategoryGeneral => app-docker - Docker
2018-08-13 08:12user2Severityminor => feature
2018-10-10 04:10NickHNote Added: 0008151
2018-10-26 06:40NickHNote Added: 0008291
2019-07-11 05:28NickHStatusacknowledged => closed
2019-07-11 05:28NickHAssigned To => NickH
2019-07-11 05:28NickHResolutionopen => fixed

Notes
(0007801)
user2   
2018-08-13 08:02   
This but was split from 0021031. Here's more context from that issue:

in /etc/clearos/firewall.d/10-docker, superfluous rules are generated. The rules:
$IPTABLES -t filter -A FORWARD -i $IFACE ! -o $IFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $IFACE -o $IFACE -j ACCEPT
are covered by:
$IPTABLES -t filter -A FORWARD -i $IFACE -j ACCEPT

and the rule:
$IPTABLES -t filter -A FORWARD -o $IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
is entirely covered by the default rule which allows all related and established packets in both directions.

$IPTABLES -t filter -A OUTPUT -o $IFACE -j ACCEPT should be unnecessary as all OUTPUT is allowed by default although ClearOS does seem to add OUTPUT rules matching INPUT rules.

// Response
The firewall configlet was designed to mimic the rules generated by Docker (even if not truly needed). In other words, if you were to disable the firewall in ClearOS and start Docker in "iptables-enabled" mode, you should see a very closely matched set of rules.
(0007811)
user2   
2018-08-13 08:11   
The Docker firewall integration is unfinished and arguably a non-starter (at least in ClearOS 7). This issue is now a placeholder for this feature request.

Some thoughts about the scope of this feature request:

- Review other Docker containers and Docker-Compose services. Note: during the ClearGLASS integration, Xibo was used as a simple sanity check.

- Docker networking is non-trivial and system administrators may want to manage it differently. Docs @ https://docs.docker.com/network/ [^]

- It would be unwise to attempt to reverse engineer Docker's firewall management. The hack done for ClearGLASS should be considered a dead end in my opinion.
(0008151)
NickH   
2018-10-10 04:10   
From https://tracker.clearos.com/view.php?id=21031, [^] the following should have been copied over:

Please create a file /etc/sysconfig/network-scripts/ifcfg-docker0. In it put:
DEVICE=docker0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="none"

This should be created on installation. If it is not, all the /etc/clearos/firewall.d/10-docker rules don't run as they all need the docker0 interface (and there is currently a check to see if docker exists in the firewall rules due to bug 0020351).

The problem with this is that when docker is then started there is no attempt to run the /etc/clearos/firewall.d/10-docker rules again, meaning docker starts without any firewall rules in place. This currently also affects ClearGLASS as the rules are run from the same /etc/clearos/firewall.d/10-docker file. Currently, the first time ClearGLASS is started there are no docker or ClearGLASS firewall rules and they will not exist until the firewall is restarted.

If a docker0 interface is defined as above, all the docker firewall rules will will succeed (but not necessarily the ClearGLASS rules). Docker will also take control of the interface when it starts giving it an IP address and so on.

If this change is made, the DOCKER and DOCKER-ISOLATION chains will always exist for when any docker app starts and is needed for the samba/docker solution.
(0008291)
NickH   
2018-10-26 06:40   
The requirement to create a docker0 interface on installation can be obsoleted by changing the firewall script 10-docker from:

if [ -z "$IFACE_EXISTS" ]; then
    RUN_HOOK=no
fi

to:
if [ -z "$IFACE_EXISTS" ]; then
    brctl addbr docker0
fi