ClearOS Bug Tracker


ID: 0021031
Project: ClearCenter
Category: app-clearglass - ClearGLASS Engine
View Status: public
Date Submitted: 2018-08-08 15:28
Last Update: 2018-10-30 19:47
Reporter: NickH
Assigned To: pbaldwin
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 7.5.0 Updates
Fixed in Version: 7.5.0 Updates
Summary: 0021031: Firewall issues
Description:
/etc/clearos/firewall.d/10-docker largely fails on boot as the interface docker0 does not exist. In this case you need to restart the firewall after docker starts to get the rules (or run the configlet manually). Starting docker does neither of these.

Also in /etc/clearos/firewall.d/10-docker, superfluous rules are generated. The rules:
$IPTABLES -t filter -A FORWARD -i $IFACE ! -o $IFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $IFACE -o $IFACE -j ACCEPT
are covered by:
$IPTABLES -t filter -A FORWARD -i $IFACE -j ACCEPT

and the rule:
$IPTABLES -t filter -A FORWARD -o $IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
is entirely covered by the default rule which allows all related and established packets in both directions.

$IPTABLES -t filter -A OUTPUT -o $IFACE -j ACCEPT should be unnecessary as all OUTPUT is allowed by default although ClearOS does seem to add OUTPUT rules matching INPUT rules.

Lastly, it is probably a good idea to split out the docker rules from the ClearGLASS rules so, if you run other containers such as Samba AD Domain Controller, you don't pull in the ClearGLASS rules and vice-versa.
Tags: No tags attached.
Attached Files:

Relationships:
related to 0021061 (acknowledged): ClearOS - Create docker firewall framework

Notes
(0007751)
pbaldwin (administrator)
2018-08-10 00:31

Ultimately, the 10-docker configlet was designed to mimic the behavior of Docker rules (including rules that may be superfluous in gateway mode). As discussed in tech meetings, this is a complete dead end - Docker + iptables + ClearOS gateway is a non-starter. At this point 10-docker is really just a hack to get ClearGLASS working.

Bottom line: Docker in its current version/state should not be used on a ClearOS gateway.
(0007761)
pbaldwin (administrator)
2018-08-10 00:33

The ClearGLASS containers do not recover well on a reboot. A workaround was added -- a ClearOS "onboot event" handler was added. I'll add the firewall configlet restart to the workaround.
(0007771)
pbaldwin (administrator)
2018-08-10 00:35

Also, let me see if I can get a champion assigned to this app.
(0007791)
NickH (developer)
2018-08-10 14:48

Please can you classify this back to an app-docker bug and include in app-docker package a file /etc/sysconfig/network-scripts/ifcfg-docker0. In it put:
DEVICE=docker0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="none"

This creates a stub interface which allows all rules with a docker0 interface to be applied correctly on boot. When docker then starts, it configures the interface as it wants (tested).

Then all the rules specific to ClearGLASS (the ones with the br- interface) can be split into a separate configlet, say 11-clearglass, which will run after 10-docker runs to make sure the DOCKER and DOCKER-ISOLATION chains exist before it applies rules to them.

It is necessary for docker to be able to start correctly from boot if it is to run Samba Domain Controller.
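The failure mode described in the report and in the note above (the 10-docker configlet running before docker0 exists, so its rules are never applied) can be checked explicitly. The following is an added example, not ClearOS or ClearGLASS code: it encodes the deduplicated rule set argued for in the report and distinguishes "interface missing" from "interface present but rules absent". The interface root and the rule listing are passed in as parameters (assumed, for testing without root); on a live host you would pass /sys/class/net and the output of `iptables -S FORWARD`.

```shell
#!/bin/sh
# Added example (not ClearOS code): verify that the docker0 firewall rules the
# 10-docker configlet is meant to install actually took effect.

# iface_exists IFACE SYSFS_ROOT: true if SYSFS_ROOT/IFACE is present.
# On a real host SYSFS_ROOT is /sys/class/net; tests use a constructed directory.
iface_exists() {
    [ -e "$2/$1" ]
}

# minimal_docker_rules IFACE: print the deduplicated rule set from the report.
# Omitted on purpose, because they are already covered:
#   "-i IFACE ! -o IFACE" and "-i IFACE -o IFACE"  -> covered by "-i IFACE"
#   "-o IFACE --ctstate RELATED,ESTABLISHED"        -> covered by the default
#                                                      related/established rule
minimal_docker_rules() {
    printf '%s\n' "-A FORWARD -i $1 -j ACCEPT"
}

# rules_applied IFACE RULE_LISTING: succeed only if every minimal rule appears
# verbatim as a line of RULE_LISTING (the text of `iptables -S FORWARD`).
rules_applied() {
    minimal_docker_rules "$1" | while IFS= read -r rule; do
        printf '%s\n' "$2" | grep -qxF -- "$rule" || exit 1
    done
}

# check_docker_firewall IFACE SYSFS_ROOT RULE_LISTING
# Return codes:
#   0  interface present and rules present
#   2  interface missing: the configlet ran before docker created the bridge
#      (the stub ifcfg-docker0 interface suggested above avoids this state)
#   3  interface present but rules missing: the firewall needs a restart
check_docker_firewall() {
    if ! iface_exists "$1" "$2"; then
        return 2
    fi
    if ! rules_applied "$1" "$3"; then
        return 3
    fi
    return 0
}

# Live usage (as root):
#   check_docker_firewall docker0 /sys/class/net "$(iptables -S FORWARD)"
```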
(0007821)
pbaldwin (administrator)
2018-08-13 08:15

> Please can you classify this back to an app-docker bug

Done! This tracker item is now only about this scope:

    /etc/clearos/firewall.d/10-docker largely fails on boot as the interface
    docker0 does not exist. In this case you need to restart the firewall after
    docker starts to get the rules (or run the configlet manually). Starting docker does neither of these.

The Docker firewall integration has moved to 0021061 under "app-docker".

Issue History
Date Modified Username Field Change
2018-08-08 15:28 NickH New Issue
2018-08-10 00:31 pbaldwin Note Added: 0007751
2018-08-10 00:33 pbaldwin Note Added: 0007761
2018-08-10 00:33 pbaldwin Project ClearOS => ClearCenter
2018-08-10 00:33 pbaldwin Category app-docker - Docker => General
2018-08-10 00:34 pbaldwin Status new => confirmed
2018-08-10 00:34 pbaldwin Category General => app-clearglass - ClearGLASS Engine
2018-08-10 00:34 pbaldwin Target Version => 7.5.0 Updates
2018-08-10 00:35 pbaldwin Note Added: 0007771
2018-08-10 14:48 NickH Note Added: 0007791
2018-08-13 07:58 pbaldwin Issue cloned: 0021061
2018-08-13 07:58 pbaldwin Relationship added related to 0021061
2018-08-13 08:15 pbaldwin Note Added: 0007821
2018-08-14 10:53 pbaldwin Status confirmed => resolved
2018-08-14 10:53 pbaldwin Fixed in Version => 7.5.0 Updates
2018-08-14 10:53 pbaldwin Resolution open => fixed
2018-08-14 10:53 pbaldwin Assigned To => pbaldwin
2018-10-30 19:47 pbaldwin Status resolved => closed