ClearOS Bug Tracker


View Issue Details
ID: 0021061
Project: ClearOS
Category: app-docker - Docker
View Status: public
Date Submitted: 2018-08-13 07:58
Last Update: 2018-10-10 04:10
Reporter: pbaldwin
Assigned To: (none)
Priority: normal
Severity: feature
Reproducibility: always
Status: acknowledged
Resolution: open
Platform / OS / OS Version: (not set)
Product Version: (not set)
Target Version: (not set)
Fixed in Version: (not set)
Summary: 0021061: Create docker firewall framework
Description: It is probably a good idea to split out the docker rules from the ClearGLASS rules so, if you run other containers such as Samba AD Domain Controller, you don't pull in the ClearGLASS rules and vice-versa.
Tags: No tags attached.
Attached Files: (none)

- Relationships
related to 0021031 (resolved, pbaldwin): ClearCenter Firewall issues

- Notes
(0007801)
pbaldwin (administrator)
2018-08-13 08:02

This bug was split from 0021031. Here's more context from that issue:

in /etc/clearos/firewall.d/10-docker, superfluous rules are generated. The rules:
$IPTABLES -t filter -A FORWARD -i $IFACE ! -o $IFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $IFACE -o $IFACE -j ACCEPT
are covered by:
$IPTABLES -t filter -A FORWARD -i $IFACE -j ACCEPT

and the rule:
$IPTABLES -t filter -A FORWARD -o $IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
is entirely covered by the default rule which allows all related and established packets in both directions.

$IPTABLES -t filter -A OUTPUT -o $IFACE -j ACCEPT should be unnecessary as all OUTPUT is allowed by default although ClearOS does seem to add OUTPUT rules matching INPUT rules.

// Response
The firewall configlet was designed to mimic the rules generated by Docker (even if not truly needed). In other words, if you were to disable the firewall in ClearOS and start Docker in "iptables-enabled" mode, you should see a very closely matched set of rules.
(0007811)
pbaldwin (administrator)
2018-08-13 08:11

The Docker firewall integration is unfinished and arguably a non-starter (at least in ClearOS 7). This issue is now a placeholder for this feature request.

Some thoughts about the scope of this feature request:

- Review other Docker containers and Docker-Compose services. Note: during the ClearGLASS integration, Xibo was used as a simple sanity check.

- Docker networking is non-trivial and system administrators may want to manage it differently. Docs @ https://docs.docker.com/network/

- It would be unwise to attempt to reverse engineer Docker's firewall management. The hack done for ClearGLASS should be considered a dead end in my opinion.
(0008151)
NickH (developer)
2018-10-10 04:10

From https://tracker.clearos.com/view.php?id=21031, the following should have been copied over:

Please create a file /etc/sysconfig/network-scripts/ifcfg-docker0. In it put:
DEVICE=docker0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="none"

This should be created on installation. If it is not, all the /etc/clearos/firewall.d/10-docker rules don't run as they all need the docker0 interface (and there is currently a check to see if docker exists in the firewall rules due to bug 0020351).

The problem with this is that when docker is then started there is no attempt to run the /etc/clearos/firewall.d/10-docker rules again, meaning docker starts without any firewall rules in place. This currently also affects ClearGLASS as the rules are run from the same /etc/clearos/firewall.d/10-docker file. Currently, the first time ClearGLASS is started there are no docker or ClearGLASS firewall rules and they will not exist until the firewall is restarted.

If a docker0 interface is defined as above, all the docker firewall rules will succeed (but not necessarily the ClearGLASS rules). Docker will also take control of the interface when it starts giving it an IP address and so on.

If this change is made, the DOCKER and DOCKER-ISOLATION chains will always exist for when any docker app starts and is needed for the samba/docker solution.
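The two problems raised in the notes above (the redundant FORWARD rules in 10-docker, and rules that cannot be installed until docker0 exists), as an added shell example that is not ClearOS's own configlet. The IPTABLES and NET_SYSFS variables are assumptions added so the script can be read and tested without touching a live firewall.

```shell
#!/bin/sh
# Added example, not the ClearOS /etc/clearos/firewall.d/10-docker configlet.
# It drops the FORWARD rules that are subsumed by "-i $IFACE -j ACCEPT" and
# emits nothing unless the bridge interface exists, since iptables rules bound
# to a missing interface fail until Docker has created the bridge.
# IPTABLES defaults to a dry-run echo; NET_SYSFS is an assumed override of
# /sys/class/net so the existence check can be exercised offline.
IPTABLES=${IPTABLES:-"echo iptables"}
NET_SYSFS=${NET_SYSFS:-/sys/class/net}

# iface_exists IFACE: succeed if the kernel (or the test directory) has IFACE.
iface_exists() {
    [ -d "$NET_SYSFS/$1" ]
}

# docker_rules IFACE: emit the reduced rule set for IFACE, or return 1 and
# emit nothing when IFACE is absent (the docker0-not-yet-created case).
docker_rules() {
    iface=$1
    if ! iface_exists "$iface"; then
        echo "docker_rules: interface $iface does not exist, skipping" >&2
        return 1
    fi
    # One rule covers both "-i IFACE ! -o IFACE" and "-i IFACE -o IFACE".
    $IPTABLES -t filter -A FORWARD -i "$iface" -j ACCEPT
    # Reply traffic is already accepted by the global RELATED,ESTABLISHED
    # rule, so no per-interface conntrack rule is added here.
    # OUTPUT is allowed by default; this rule only mirrors what Docker itself
    # installs when it runs with iptables enabled.
    $IPTABLES -t filter -A OUTPUT -o "$iface" -j ACCEPT
}

# Stand-alone use: sh this-script.sh docker0
if [ -n "${1:-}" ]; then
    docker_rules "$1"
fi
```

Run with IPTABLES=iptables to apply the rules instead of printing them.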

- Issue History
Date Modified Username Field Change
2018-08-13 07:58 pbaldwin New Issue
2018-08-13 07:58 pbaldwin Issue generated from: 0021031
2018-08-13 07:58 pbaldwin Relationship added related to 0021031
2018-08-13 08:02 pbaldwin Note Added: 0007801
2018-08-13 08:11 pbaldwin Note Added: 0007811
2018-08-13 08:11 pbaldwin Project ClearCenter => ClearOS
2018-08-13 08:11 pbaldwin Category app-clearglass - ClearGLASS Engine => General
2018-08-13 08:11 pbaldwin Status new => acknowledged
2018-08-13 08:11 pbaldwin Category General => app-docker - Docker
2018-08-13 08:12 pbaldwin Severity minor => feature
2018-10-10 04:10 NickH Note Added: 0008151