Bug 42698 - univention-firewall docker rules not active after system start
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: App Center
UCS 4.1
Other Linux
P5 normal
UCS 4.1-3-errata
Assigned To: Felix Botner
Dirk Wiesenthal
Reported: 2016-10-17 14:57 CEST by Felix Botner
Modified: 2016-11-09 16:47 CET (History)
What kind of report is it?: Development Internal
Description Felix Botner univentionstaff 2016-10-17 14:57:52 CEST
/etc/security/packetfilter.d/20_docker.sh checks "/etc/init.d/docker status" before setting docker iptables rules. But univention-firewall is started before docker in runlevel 2:

/etc/rc2.d/S05univention-firewall
/etc/rc2.d/S40docker

Workaround:

Restart univention-firewall in /etc/init.d/docker after docker is started (but before the containers are started)?
Comment 1 Felix Botner univentionstaff 2016-10-17 15:58:11 CEST
Added an "invoke-rc.d univention-firewall restart || true" to /etc/init.d/docker.

Merged to 4.2

ucs-4.1-3/doc/errata/staging/univention-docker.yaml
Comment 2 Daniel Tröder univentionstaff 2016-10-17 16:17:29 CEST
This introduces a problematic situation: if security/packetfilter/disabled=true the following happens:

1) docker engine starts, creates docker-base rules
2) invoke-rc.d univention-firewall restart
  → univention-firewall stop → purges all iptables rules
  → univention-firewall start → doesn't run because of UCR
3) docker containers are started, but docker-base rules (NATing) have been purged
→ unusable containers
Comment 3 Felix Botner univentionstaff 2016-10-17 17:38:59 CEST
(In reply to Daniel Tröder from comment #2)
> This introduces a problematic situation: if
> security/packetfilter/disabled=true the following happens:
> 
> 1) docker engine starts, creates docker-base rules
> 2) invoke-rc.d univention-firewall restart
>   → univention-firewall stop → purges all iptables rules
>   → univention-firewall start → doesn't run because of UCR
> 3) docker containers are started, but docker-base rules (NATing) have been
> purged
> → unusable containers

Added a check of security/packetfilter/disabled before restarting univention-firewall.
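The boot sequence from comment 2 and the guard from comment 3, modelled as an added shell example; this is not code from the bug, from /etc/init.d/docker or from the UCS packages. The function names, the set of spellings accepted as a "true" UCR value, the fallback environment variable and the rule-group model (docker-base, univention-firewall) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: decide in the docker init script whether univention-firewall may be
# restarted, based on the UCR key security/packetfilter/disabled, and model what is
# left in iptables when the containers start.

# UCR values are strings; the accepted "true" spellings below are an assumption.
ucr_value_is_true() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|yes|true|on|enable|enabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "restart" when the firewall may be restarted, "skip" otherwise.
# $1 = value of security/packetfilter/disabled (empty when the key is unset).
# With the packetfilter disabled, "stop" would purge docker's NAT rules and
# "start" would do nothing, so the restart must be skipped (comment 2).
firewall_restart_decision() {
    if ucr_value_is_true "$1"; then
        echo skip
    else
        echo restart
    fi
}

# Hook body as it would sit in /etc/init.d/docker after the daemon is up and
# before the containers start. Reads the key with `ucr get` when available,
# otherwise from UCR_PACKETFILTER_DISABLED (constructed for offline runs).
docker_post_start_hook() {
    value="${UCR_PACKETFILTER_DISABLED-}"
    if command -v ucr >/dev/null 2>&1; then
        value="$(ucr get security/packetfilter/disabled 2>/dev/null || true)"
    fi
    if [ "$(firewall_restart_decision "$value")" = restart ]; then
        invoke-rc.d univention-firewall restart || true
    fi
}

# Model of the boot order from the comments. The state is the list of rule
# groups present; the function prints what is left when containers start.
# $1 = value of security/packetfilter/disabled
# $2 = "unguarded" (comment 1: always restart) or "guarded" (comment 3: check UCR)
simulate_boot() {
    disabled="$1"
    guard="$2"
    rules="docker-base"   # docker engine starts and creates its base rules
    if [ "$guard" = unguarded ] || [ "$(firewall_restart_decision "$disabled")" = restart ]; then
        rules=""          # univention-firewall stop: all iptables rules purged
        if ! ucr_value_is_true "$disabled"; then
            # univention-firewall start: default rules plus 20_docker.sh,
            # which now finds docker running and re-adds the docker rules
            rules="univention-firewall docker-base"
        fi
    fi
    echo "${rules:-none}"
}

echo "disabled=true,  unguarded restart: $(simulate_boot true unguarded)"
echo "disabled=true,  guarded restart:   $(simulate_boot true guarded)"
echo "disabled unset, guarded restart:   $(simulate_boot '' guarded)"
```

The first line of output reproduces the "unusable containers" state from comment 2 (no rules left), the second shows the guard keeping docker's own rules, and the third shows the normal case where the restart makes 20_docker.sh run after docker is up, which is the ordering problem the bug is about.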
Comment 4 Jürn Brodersen univentionstaff 2016-10-17 18:13:05 CEST
Note:
with security/packetfilter/disabled=true set, docker apps are practically unusable because port forwarding is handled through /etc/security/packetfilter.d/20_docker.sh
See bug: 39686
Comment 5 Dirk Wiesenthal univentionstaff 2016-10-24 11:03:04 CEST
OK, rules are present after a reboot. YAML OK, port OK
Comment 6 Janek Walkenhorst univentionstaff 2016-11-03 11:32:44 CET
<http://errata.software-univention.de/ucs/4.1/324.html>