Univention Bugzilla – Bug 44829
Docker apps may not work if univention-firewall is disabled
Last modified: 2022-05-04 09:53:23 CEST
See https://help.univention.com/t/proxy-error-owncloud-9-1/5960/2. Also, we add a firewall exception for mysql/postgres in univention-firewall, so without univention-firewall containers may not be able to talk to the database.
The firewall can be disabled with
-> ucr set security/packetfilter/disabled='yes'
but a
-> service univention-firewall restart|stop
always purges the iptables rules, regardless of security/packetfilter/disabled, and we added ExecStartPost=-/usr/sbin/service univention-firewall restart to /lib/systemd/system/docker.service. That means the iptables rules will be removed
* during every startup
* service docker restart
* service univention-firewall restart|stop
if ucr set security/packetfilter/disabled='yes' is set.

Simple solution: check is_ucr_true security/packetfilter/disabled in stop() in /etc/init.d/univention-firewall and don't remove the rules. Any suggestions?
(In reply to Felix Botner from comment #1)
> Simple solution: check is_ucr_true security/packetfilter/disabled in stop()
> in /etc/init.d/univention-firewall and don't remove the rules.
>
> Any suggestion?

Or, ExecStartPost=-/usr/sbin/service univention-firewall start in /lib/systemd/system/docker.service.
(In reply to Felix Botner from comment #2)
> (In reply to Felix Botner from comment #1)
> > Simple solution: check is_ucr_true security/packetfilter/disabled in stop()
> > in /etc/init.d/univention-firewall and don't remove the rules.
> >
> > Any suggestion?
>
> Or, ExecStartPost=-/usr/sbin/service univention-firewall start in
> /lib/systemd/system/docker.service.

NO: You *must* *never* use `service` from a systemd.service unit, as it will recurse back to calling `systemctl`, which will *deadlock*! See Bug #42380 where exactly that happened! Try [Unit] Requires=univention-firewall.service or Requisite= (`man 5 systemd.unit`).
univention-firewall essentially does a run-scripts on a directory (/etc/security/packetfilter.d/). Maybe we should also use a second directory, say, /etc/security/packetfilter.always.d/, which is run, well, always, even if the normal packetfilter is disabled by UCR. We can then put the docker instructions into it. The problem here is the ordering. (Formerly, 20_docker.sh ran after 10_univention-firewall_start.sh but before 20_rsyslog.sh.) Maybe one can "merge" files in multiple directories with run-scripts?

Alternatively, one could use one directory again (/etc/security/packetfilter.enabled.d/), put the really important stuff into it, and, depending on "ucr get security/packetfilter/disabled", link the scripts of the original directory into it. A UCR module would be required to link or remove the files.
univention-firewall errata4.2-1 9.0.1-3A~4.2.0.201708081325:
always run /etc/security/packetfilter.d/20_docker.sh (start, stop) in univention-firewall, regardless of security/packetfilter/disabled (but this can be disabled with security/packetfilter/docker/disabled)
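The decision the erratum describes, written out as an added example (not Univention's own code): a POSIX sh model of which /etc/security/packetfilter.d/ scripts run for a given UCR state, so that 20_docker.sh survives security/packetfilter/disabled=yes unless security/packetfilter/docker/disabled is also set. The UCR database is replaced by a constructed in-script variable and is_ucr_true is reimplemented here as an approximation of the init-script helper, so it runs offline and touches no iptables rules.

```shell
#!/bin/sh
# Added example modelling the univention-firewall script selection after
# errata 4.2-1. Not Univention's code; `ucr` is stubbed with a constructed
# key=value list so the logic can be exercised without a UCS host.

# Constructed stand-in for the UCR database.
UCR_DB="security/packetfilter/disabled=yes
security/packetfilter/docker/disabled=no"

# Stand-in for `ucr get KEY`: prints the value, or nothing when unset.
ucr_get() {
    printf '%s\n' "$UCR_DB" | sed -n "s|^$1=||p"
}

# Approximation of is_ucr_true from the init scripts (assumed true-values).
is_ucr_true() {
    case "$(ucr_get "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1|enable|enabled|on) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit status 0 = run this packetfilter.d script for start/stop, 1 = skip.
should_run_script() {
    script="$1"   # basename, e.g. 20_docker.sh
    case "$script" in
        20_docker.sh)
            # Docker chains are kept regardless of the global switch; only
            # the dedicated docker switch turns them off.
            is_ucr_true security/packetfilter/docker/disabled && return 1
            return 0 ;;
        *)
            # Every other script honours the global switch.
            is_ucr_true security/packetfilter/disabled && return 1
            return 0 ;;
    esac
}

# Print the scripts that would run, from a constructed directory listing
# in the ordering the bug discusses.
select_scripts() {
    for s in 10_univention-firewall_start.sh 20_docker.sh 20_rsyslog.sh; do
        should_run_script "$s" && printf '%s\n' "$s"
    done
    return 0
}

select_scripts   # with the constructed UCR_DB above, prints only 20_docker.sh
```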
OK, DOCKER and DOCKER-ISOLATION chain is always present
OK, can even be disabled if really required
YAML: OK
<http://errata.software-univention.de/ucs/4.2/148.html>