Univention Bugzilla – Bug 44829
Docker apps may not work if univention-firewall is disabled
Last modified: 2017-08-30 16:29:41 CEST
see https://help.univention.com/t/proxy-error-owncloud-9-1/5960/2, also we add a firewall exception for mysql/postgres in univention-firewall, so without univention-firewall containers may not be able to talk to the database
The firewall can be disabled with
-> ucr set security/packetfilter/disabled='yes'
-> service univention-firewall restart|stop
always purges the iptables rules, regardless of security/packetfilter/disabled
and we added
ExecStartPost=-/usr/sbin/service univention-firewall restart
to /lib/systemd/system/docker.service. That means the iptables rules will be removed
* during every startup
* service docker restart
* ervice univention-firewall restart|stop
if ucr set security/packetfilter/disabled='yes' is set.
Simple solution: check is_ucr_true security/packetfilter/disabled in stop() in /etc/init.d/univention-firewall and don't remove the rules.
(In reply to Felix Botner from comment #1)
> Simple solution: check is_ucr_true security/packetfilter/disabled in stop()
> in /etc/init.d/univention-firewall and don't remove the rules.
> Any suggestion?
Or, ExecStartPost=-/usr/sbin/service univention-firewall start in /lib/systemd/system/docker.service.
(In reply to Felix Botner from comment #2)
> (In reply to Felix Botner from comment #1)
> > Simple solution: check is_ucr_true security/packetfilter/disabled in stop()
> > in /etc/init.d/univention-firewall and don't remove the rules.
> > Any suggestion?
> Or, ExecStartPost=-/usr/sbin/service univention-firewall start in
NO: Your *must* *never* user 'service` from a systemd.service unit, as it will recurse back to calling 'systemctl' which will *deadlock*! See Bug #42380 where exactly that happened!
Try [Unit]Requires=univention-firewall.service or 'Requisite=' (`man 5 systemd.unit`)
univention-firewall essentially does a run-scripts on a directory (/etc/security/packetfilter.d/).
Maybe we should also use a second directory, say, /etc/security/packetfilter.always.d/ which is run, well, always. Even if the normal packetfilter is disabled by UCR. We can then put docker instructions into it.
The problem here is the ordering. (Formerly, 20_docker.sh ran after 10_univention-firewall_start.sh but before 20_rsyslog.sh)
Maybe one can "merge" files in multiple directories with run-scripts?
Alternatively, one could use one directory again (/etc/security/packetfilter.enabled.d/) , put the really important stuff into it, and - depending on "ucr get security/packetfilter/disabled" - link the scripts of the original directory into it. A UCR module would be required to link or remove the files.
univention-firewall errata4.2-1 9.0.1-3A~126.96.36.199708081325
always run /etc/security/packetfilter.d/20_docker.sh (start, stop) in univention-firewall, regardless of security/packetfilter/disabled (but this can be disabled with security/packetfilter/docker/disabled)
OK, DOCKER and DOCKER-ISOLATION Chain is always present
OK, can even be disabled if really required