Bug 44829 - Docker apps may not work if univention-firewall is disabled
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: App Center
UCS 4.2
Other Linux
P5 normal
UCS 4.2-1-errata
Assigned To: Felix Botner
Dirk Wiesenthal
Depends on:
Blocks:
Reported: 2017-06-20 14:38 CEST by Felix Botner
Modified: 2017-08-30 16:29 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description Felix Botner univentionstaff 2017-06-20 14:38:04 CEST
see https://help.univention.com/t/proxy-error-owncloud-9-1/5960/2, also we add a firewall exception for mysql/postgres in univention-firewall, so without univention-firewall containers may not be able to talk to the database
Comment 1 Felix Botner univentionstaff 2017-07-06 17:37:14 CEST
The firewall can be disabled with 

  -> ucr set security/packetfilter/disabled='yes'

but a

  -> service univention-firewall restart|stop

always purges the iptables rules, regardless of security/packetfilter/disabled

and we added 

  ExecStartPost=-/usr/sbin/service univention-firewall restart

to /lib/systemd/system/docker.service. That means the iptables rules will be removed
 * during every startup
 * service docker restart
 * service univention-firewall restart|stop
if ucr set security/packetfilter/disabled='yes' is set.

Simple solution: check is_ucr_true security/packetfilter/disabled in stop() in /etc/init.d/univention-firewall and don't remove the rules.

Any suggestion?
Comment 2 Felix Botner univentionstaff 2017-07-06 17:38:54 CEST
(In reply to Felix Botner from comment #1)
> 
> Simple solution: check is_ucr_true security/packetfilter/disabled in stop()
> in /etc/init.d/univention-firewall and don't remove the rules.
> 
> Any suggestion?

Or, ExecStartPost=-/usr/sbin/service univention-firewall start in /lib/systemd/system/docker.service.
Comment 3 Philipp Hahn univentionstaff 2017-07-18 10:37:30 CEST
(In reply to Felix Botner from comment #2)
> (In reply to Felix Botner from comment #1)
> > 
> > Simple solution: check is_ucr_true security/packetfilter/disabled in stop()
> > in /etc/init.d/univention-firewall and don't remove the rules.
> > 
> > Any suggestion?
> 
> Or, ExecStartPost=-/usr/sbin/service univention-firewall start in
> /lib/systemd/system/docker.service.

NO: You *must* *never* use `service` from a systemd.service unit, as it will recurse back to calling `systemctl`, which will *deadlock*! See Bug #42380 where exactly that happened!

Try [Unit]Requires=univention-firewall.service or 'Requisite=' (`man 5 systemd.unit`)
Comment 4 Dirk Wiesenthal univentionstaff 2017-07-24 11:13:57 CEST
univention-firewall essentially does a run-scripts on a directory (/etc/security/packetfilter.d/).

Maybe we should also use a second directory, say, /etc/security/packetfilter.always.d/ which is run, well, always. Even if the normal packetfilter is disabled by UCR. We can then put docker instructions into it.

The problem here is the ordering. (Formerly, 20_docker.sh ran after 10_univention-firewall_start.sh but before 20_rsyslog.sh)

Maybe one can "merge" files in multiple directories with run-scripts?

Alternatively, one could use one directory again (/etc/security/packetfilter.enabled.d/), put the really important stuff into it, and - depending on "ucr get security/packetfilter/disabled" - link the scripts of the original directory into it. A UCR module would be required to link or remove the files.
Comment 5 Felix Botner univentionstaff 2017-08-08 14:04:32 CEST
univention-firewall errata4.2-1 9.0.1-3A~4.2.0.201708081325

always run /etc/security/packetfilter.d/20_docker.sh (start, stop) in univention-firewall, regardless of security/packetfilter/disabled (but this can be disabled with security/packetfilter/docker/disabled)
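The dispatch policy from this comment (packetfilter.d scripts skipped when security/packetfilter/disabled is set, but 20_docker.sh still run for start and stop unless security/packetfilter/docker/disabled opts out), modelled as an added shell example. This is not univention-firewall's own code: ucr_get is a constructed stand-in for `ucr get` backed by two environment variables, is_ucr_true's accepted values are assumed, and the script names are taken from comment 4 rather than read from the real directory.

```shell
#!/bin/sh
# Added example, not univention-firewall's own code. Models which
# /etc/security/packetfilter.d/ scripts run for a start/stop action
# once 20_docker.sh is exempted from security/packetfilter/disabled.

# Constructed stand-in for `ucr get`: values come from PF_DISABLED and
# PF_DOCKER_DISABLED instead of the UCR database (assumption for this example).
ucr_get() {
    case "$1" in
        security/packetfilter/disabled)        printf '%s\n' "${PF_DISABLED:-no}" ;;
        security/packetfilter/docker/disabled) printf '%s\n' "${PF_DOCKER_DISABLED:-no}" ;;
        *)                                     printf '\n' ;;
    esac
}

# is_ucr_true: helper named in comment 1; the set of "true" spellings below is assumed.
is_ucr_true() {
    case "$(ucr_get "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1|on|enable|enabled) return 0 ;;
        *)                            return 1 ;;
    esac
}

# Constructed directory listing (names from comment 4); ordering is the run-scripts order.
PF_SCRIPTS="10_univention-firewall_start.sh 20_docker.sh 20_rsyslog.sh"

# Prints "<script> <action>" for every script that would be executed for $1 (start|stop).
firewall_scripts_to_run() {
    action="$1"
    for script in $PF_SCRIPTS; do
        base="${script##*/}"
        if [ "$base" = "20_docker.sh" ]; then
            # Docker chains are (re)built regardless of the general firewall switch,
            # so containers keep reaching the host; only the docker-specific key skips it.
            is_ucr_true security/packetfilter/docker/disabled && continue
        elif is_ucr_true security/packetfilter/disabled; then
            # General packetfilter disabled: leave all other rule scripts untouched.
            continue
        fi
        printf '%s %s\n' "$script" "$action"
    done
}

# Stand-alone demo: with the firewall disabled, only the docker script runs on stop.
PF_DISABLED=yes firewall_scripts_to_run stop
```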
Comment 6 Dirk Wiesenthal univentionstaff 2017-08-30 10:44:00 CEST
OK, DOCKER and DOCKER-ISOLATION chains are always present
OK, can even be disabled if really required
YAML: OK
Comment 7 Arvid Requate univentionstaff 2017-08-30 16:29:41 CEST
<http://errata.software-univention.de/ucs/4.2/148.html>