ClearFoundation Tracker - ClearOS
View Issue Details
0022071 | ClearOS | app-docker - Docker | public | 2018-10-30 18:42 | 2019-08-19 11:50
user2
NickH
normal | tweak | N/A
closed | fixed
7.5.0
7.5.0 Updates | 7.5.0 Updates
0022071: Always create docker0
To help with the firewall integration, create the docker0 interface even if Docker is not running.
No tags attached.
Issue History
2018-10-30 18:42 | user2 | New Issue
2018-10-30 18:43 | user2 | Assigned To | => NickH
2018-10-30 18:43 | user2 | Status | new => assigned
2018-10-30 18:43 | user2 | Status | assigned => resolved
2018-10-30 18:43 | user2 | Fixed in Version | => 7.5.0 Updates
2018-10-30 18:43 | user2 | Resolution | open => fixed
2018-11-06 09:44 | user2 | Note Added: 0008521
2018-11-06 09:44 | user2 | Status | resolved => feedback
2018-11-06 09:44 | user2 | Fixed in Version | 7.5.0 Updates =>
2018-11-06 09:44 | user2 | Target Version | 7.5.0 Updates => 7.6.0
2018-11-14 03:17 | NickH | Note Added: 0008651
2018-12-14 11:48 | dloper | Assigned To | NickH => dloper
2018-12-14 11:48 | dloper | Status | feedback => assigned
2018-12-14 11:49 | dloper | Target Version | 7.6.0 => 7.5.0 Updates
2019-02-01 12:41 | NickH | Note Added: 0008801
2019-02-01 12:41 | NickH | Status | assigned => resolved
2019-02-01 12:41 | NickH | Fixed in Version | => 7.5.0 Updates
2019-02-01 12:41 | NickH | Assigned To | dloper => NickH
2019-08-19 11:50 | dloper | Status | resolved => closed

Notes
(0008521)
user2   
2018-11-06 09:44   
The docker interface might not have an IP address, so we can't recreate all the Docker firewall rules. Notably, this line fails:

        $IPTABLES -t nat -A POSTROUTING -s $IFACE_NETWORK ! -o $IFACE -j MASQUERADE

Where "$IFACE_NETWORK" is the inet address from "ip addr show docker0".
(0008651)
NickH   
2018-11-14 03:17   
Updated with commits:
https://gitlab.com/clearos/clearfoundation/app-docker/commit/63577f4711904fab16e91ac62c22ec15f0fe15a0
https://gitlab.com/clearos/clearfoundation/app-docker/commit/6c15c0af9aea5663f2635fa7e256fa0573a99e17

We now need to find a hook to additionally fire the 10-docker firewall rules after docker starts. If you fire it only after the first start of docker, then you cover most cases. The edge case not covered is if you do a network change which uses docker's current subnet, you will get an IP clash. If you then restart docker, it **should** change its subnet. This would need 10-docker to be run again or a full firewall restart to pick up the new docker0 subnet.
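One way to guard the rule discussed in notes 0008521 and 0008651, as an added example (not code from app-docker or its 10-docker script): parse `ip addr show docker0` output and emit the MASQUERADE rule only when an inet address exists, returning non-zero otherwise so a post-start hook can run it again. The function names and the sample `ip` output are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical/constructed.

# Constructed `ip addr show docker0` output: bridge created, no address yet.
SAMPLE_NOADDR='4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 state DOWN
    link/ether 02:42:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Constructed output once Docker has assigned the bridge its subnet.
SAMPLE_ADDR='4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 02:42:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0'

# Print the first IPv4 "inet" address/prefix found on stdin, or nothing.
inet_network() {
    awk '$1 == "inet" { print $2; exit }'
}

# Usage: docker_masq_rule IFACE "IP_ADDR_OUTPUT"
# Prints the rule to run; returns 1 if IFACE has no inet address,
# 2 if the parsed value contains anything but digits, dots and a slash.
docker_masq_rule() {
    dm_iface=$1
    dm_network=$(printf '%s\n' "$2" | inet_network)
    if [ -z "$dm_network" ]; then
        # An empty, unquoted $IFACE_NETWORK would leave "-s" with no address.
        echo "skip: $dm_iface has no inet address yet" >&2
        return 1
    fi
    case $dm_network in
        *[!0-9./]*) return 2 ;;   # refuse to splice odd text into a firewall rule
    esac
    printf '%s -t nat -A POSTROUTING -s %s ! -o %s -j MASQUERADE\n' \
        "${IPTABLES:-iptables}" "$dm_network" "$dm_iface"
}

# Demo on the constructed samples; on a live host pass "$(ip addr show docker0)".
for dm_sample in "$SAMPLE_NOADDR" "$SAMPLE_ADDR"; do
    docker_masq_rule docker0 "$dm_sample" || true
done
```

A caller can treat return code 1 as "not yet" and retry from whatever hook fires after Docker starts, which also picks up a changed docker0 subnet.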
(0008801)
NickH   
2019-02-01 12:41   
Fixed with:
https://gitlab.com/clearos/clearfoundation/app-docker/commit/63577f4711904fab16e91ac62c22ec15f0fe15a0
https://gitlab.com/clearos/clearfoundation/app-docker/commit/6c15c0af9aea5663f2635fa7e256fa0573a99e17