Univention Bugzilla – Bug 42698
univention-firewall docker rules not active after system start
Last modified: 2016-11-09 16:47:07 CET
/etc/security/packetfilter.d/20_docker.sh checks "/etc/init.d/docker status" before setting docker iptables rules. But univention-firewall is started before docker in runlevel 2:

/etc/rc2.d/S05univention-firewall
/etc/rc2.d/S40docker

Workaround: Restart univention-firewall in /etc/init.d/docker after docker is started (but before the containers are started)?
Added an "invoke-rc.d univention-firewall restart || true" to /etc/init.d/docker.
Merged to 4.2
ucs-4.1-3/doc/errata/staging/univention-docker.yaml
This introduces a problematic situation: if security/packetfilter/disabled=true the following happens:

1) docker engine starts, creates docker-base rules
2) invoke-rc.d univention-firewall restart
   → univention-firewall stop → purges all iptables rules
   → univention-firewall start → doesn't run because of UCR
3) docker containers are started, but docker-base rules (NATing) have been purged
   → unusable containers
(In reply to Daniel Tröder from comment #2)
> This introduces a problematic situation: if
> security/packetfilter/disabled=true the following happens:
>
> 1) docker engine starts, creates docker-base rules
> 2) invoke-rc.d univention-firewall restart
>    → univention-firewall stop → purges all iptables rules
>    → univention-firewall start → doesn't run because of UCR
> 3) docker containers are started, but docker-base rules (NATing) have been
>    purged
>    → unusable containers

Added a check of security/packetfilter/disabled before restarting univention-firewall.
Note: with security/packetfilter/disabled=true set, docker apps are practically unusable because port forwarding is handled through /etc/security/packetfilter.d/20_docker.sh
See bug: 39686
OK, rules are present after a reboot. YAML OK, port OK
<http://errata.software-univention.de/ucs/4.1/324.html>
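The UCR-guarded restart from comments #2 and #3 and the post-reboot rule check from the last comment, written out as an added example (not Univention's own init script). It assumes the UCR value and the iptables-save output are handed in as strings, so it runs without ucr or iptables installed.

```shell
#!/bin/sh
# Added example, not Univention's own code: the UCR-guarded firewall restart
# from the comments plus a check that the docker NAT rules survived a reboot.
# Assumption: UCR value and iptables-save output are passed in as strings.

# 0 when univention-firewall may be restarted after docker has started, 1 when
# security/packetfilter/disabled is set (a restart would purge the docker rules
# and nothing would re-create them, the situation comment #2 describes).
firewall_restart_allowed() {
    disabled="$1"   # production: disabled="$(ucr get security/packetfilter/disabled)"
    case "$disabled" in
        true|yes|1|on|enable|enabled) return 1 ;;
        *) return 0 ;;
    esac
}

# Hook body as it would run at the end of "start" in /etc/init.d/docker; it
# prints the action instead of executing it so the decision is visible.
docker_post_start() {
    if firewall_restart_allowed "$1"; then
        echo "invoke-rc.d univention-firewall restart || true"
    else
        echo "packetfilter disabled: leaving docker iptables rules untouched"
    fi
}

# 0 when iptables-save output on stdin still holds the docker NAT rules: a
# DOCKER chain in the nat table plus the MASQUERADE rule for docker0 traffic.
docker_nat_rules_present() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^:DOCKER / { chain = 1 }
        table == "nat" && /docker0/ && /-j MASQUERADE/ { masq = 1 }
        END { if (chain && masq) exit 0; exit 1 }
    '
}

# Constructed sample of iptables-save output with the docker rules in place.
SAMPLE_WITH_DOCKER='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT'

# Constructed sample after "univention-firewall stop" has purged all rules.
SAMPLE_PURGED='*nat
:PREROUTING ACCEPT [0:0]
COMMIT'
```

On a live system, `iptables-save | docker_nat_rules_present` is the check behind "rules are present after a reboot".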