ClearOS Bug Tracker


View Issue Details

ID: 0021031
Project: ClearCenter
Category: app-clearglass - ClearGLASS Engine
View Status: public
Date Submitted: 2018-08-08 15:28
Last Update: 2018-10-30 19:47
Reporter: NickH
Assigned To: user2
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 7.5.0 Updates
Fixed in Version: 7.5.0 Updates
Summary: 0021031: Firewall issues
Description:

/etc/clearos/firewall.d/10-docker largely fails on boot as the interface docker0 does not exist. In this case you need to restart the firewall after docker starts to get the rules (or run the configlet manually). Starting docker does neither of these.

Also in /etc/clearos/firewall.d/10-docker, superfluous rules are generated. The rules:

    $IPTABLES -t filter -A FORWARD -i $IFACE ! -o $IFACE -j ACCEPT
    $IPTABLES -t filter -A FORWARD -i $IFACE -o $IFACE -j ACCEPT

are covered by:

    $IPTABLES -t filter -A FORWARD -i $IFACE -j ACCEPT

and the rule:

    $IPTABLES -t filter -A FORWARD -o $IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

is entirely covered by the default rule which allows all related and established packets in both directions.

$IPTABLES -t filter -A OUTPUT -o $IFACE -j ACCEPT should be unnecessary as all OUTPUT is allowed by default although ClearOS does seem to add OUTPUT rules matching INPUT rules.

Lastly, it is probably a good idea to split out the docker rules from the ClearGLASS rules so, if you run other containers such as Samba AD Domain Controller, you don't pull in the ClearGLASS rules and vice-versa.
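As an added illustration of the redundancy argument in this report (not code from the report or from ClearOS), the following Python snippet models the subset of iptables matching that the quoted rules use and flags rules whose packets are wholly covered by another rule with the same verdict. DOCKER_RULES is constructed from the quoted lines with $IFACE expanded to docker0, plus a stand-in for the default RELATED,ESTABLISHED rule the report refers to; the helper names are hypothetical.

```python
import re

# Constructed from the 10-docker rules quoted in this report ($IFACE expanded to docker0);
# the last entry stands in for the default RELATED,ESTABLISHED rule the report mentions.
DOCKER_RULES = [
    "-A FORWARD -i docker0 ! -o docker0 -j ACCEPT",
    "-A FORWARD -i docker0 -o docker0 -j ACCEPT",
    "-A FORWARD -i docker0 -j ACCEPT",
    "-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
]
# Only the option subset used above is understood: -A, [!] -i, [!] -o, --ctstate, -j.
RULE_RE = re.compile(r"-A\s+(?P<chain>\S+)(?:\s+(?P<ineg>!\s+)?-i\s+(?P<in>\S+))?"
                     r"(?:\s+(?P<outneg>!\s+)?-o\s+(?P<out>\S+))?"
                     r"(?:\s+-m\s+conntrack\s+--ctstate\s+(?P<ct>\S+))?\s+-j\s+(?P<target>\S+)")

def parse_rule(text):
    # Each match field is None when the rule does not constrain it ("any").
    m = RULE_RE.search(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    return {"chain": m["chain"], "target": m["target"],
            "in": (m["in"], bool(m["ineg"])) if m["in"] else None,
            "out": (m["out"], bool(m["outneg"])) if m["out"] else None,
            "ct": frozenset(m["ct"].split(",")) if m["ct"] else None}

def _iface_covers(broad, narrow):
    if broad is None:
        return True
    if narrow is None:
        return False
    # "! -o docker0" also covers a positive match on any other interface
    return broad == narrow or (broad[1] and not narrow[1] and broad[0] != narrow[0])

def covers(broad, narrow):
    # True when every packet matched by `narrow` is matched by `broad` with the same
    # verdict. Rules between the two are ignored, so hits are candidates to review.
    if broad["chain"] != narrow["chain"] or broad["target"] != narrow["target"]:
        return False
    if not (_iface_covers(broad["in"], narrow["in"]) and _iface_covers(broad["out"], narrow["out"])):
        return False
    return broad["ct"] is None or (narrow["ct"] is not None and narrow["ct"] <= broad["ct"])

def redundant_rules(rules):
    # (rule, covering_rule) pairs for rules wholly subsumed by another one in the list.
    parsed = [parse_rule(r) for r in rules]
    return [(rules[i], rules[j]) for i, a in enumerate(parsed)
            for j, b in enumerate(parsed) if i != j and covers(b, a)]
```

Running redundant_rules(DOCKER_RULES) reports the first two rules as covered by the plain `-i docker0` rule and the `-o docker0` conntrack rule as covered by the default RELATED,ESTABLISHED rule, matching the report's argument.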
Tags: No tags attached.
Attached Files:

- Relationships
related to 0021061 (acknowledged) - ClearOS: Create docker firewall framework

- Notes
(0007751)
user2
2018-08-10 00:31

Ultimately, the 10-docker configlet was designed to mimic the behavior of Docker rules (including rules that may be superfluous in gateway mode). As discussed in tech meetings, this is a complete dead end - Docker + iptables + ClearOS gateway is a non-starter. At this point 10-docker is really just a hack to get ClearGLASS working.

Bottom line: Docker in its current version/state should not be used on a ClearOS gateway.
(0007761)
user2
2018-08-10 00:33

The ClearGLASS containers do not recover well on a reboot. A workaround was added -- a ClearOS "onboot event" handler was added. I'll add the firewall configlet restart to the workaround.
(0007771)
user2
2018-08-10 00:35

Also, let me see if I can get a champion assigned to this app.
(0007791)
NickH (developer)
2018-08-10 14:48

Please can you classify this back to an app-docker bug and include in the app-docker package a file /etc/sysconfig/network-scripts/ifcfg-docker0. In it put:

    DEVICE=docker0
    TYPE="Bridge"
    ONBOOT="yes"
    USERCTL="no"
    BOOTPROTO="none"

This creates a stub interface which allows all rules with a docker0 interface to be applied correctly on boot. When docker then starts, it configures the interface as it wants (tested).

Then all the rules specific to ClearGLASS (the ones with the br- interface) can be split into a separate configlet, say 11-clearglass, which will run after 10-docker runs to make sure the DOCKER and DOCKER-ISOLATION chains exist before it applies rules to them.

It is necessary for docker to be able to start correctly from boot if it is to run Samba Domain Controller.
(0007821)
user2
2018-08-13 08:15

> Please can you classify this back to an app-docker bug

Done! This tracker item is now only about this scope:

    /etc/clearos/firewall.d/10-docker largely fails on boot as the interface
    docker0 does not exist. In this case you need to restart the firewall after
    docker starts to get the rules (or run the configlet manually). Starting docker does neither of these.

The Docker firewall integration has moved to 0021061 under "app-docker".

- Issue History
Date Modified Username Field Change
2018-08-08 15:28 NickH New Issue
2018-08-10 00:31 user2 Note Added: 0007751
2018-08-10 00:33 user2 Note Added: 0007761
2018-08-10 00:33 user2 Project ClearOS => ClearCenter
2018-08-10 00:33 user2 Category app-docker - Docker => General
2018-08-10 00:34 user2 Status new => confirmed
2018-08-10 00:34 user2 Category General => app-clearglass - ClearGLASS Engine
2018-08-10 00:34 user2 Target Version => 7.5.0 Updates
2018-08-10 00:35 user2 Note Added: 0007771
2018-08-10 14:48 NickH Note Added: 0007791
2018-08-13 07:58 user2 Issue cloned: 0021061
2018-08-13 07:58 user2 Relationship added related to 0021061
2018-08-13 08:15 user2 Note Added: 0007821
2018-08-14 10:53 user2 Status confirmed => resolved
2018-08-14 10:53 user2 Fixed in Version => 7.5.0 Updates
2018-08-14 10:53 user2 Resolution open => fixed
2018-08-14 10:53 user2 Assigned To => user2
2018-10-30 19:47 user2 Status resolved => closed