Univention Bugzilla – Bug 49055
Multicontainer apps use arbitrary network, database access issue, possible address conflicts
Last modified: 2019-08-14 16:35:24 CEST
Single container apps are started via the docker cli. The network that daemon uses is configured by UCRv docker/daemon/default/opts/bip, our default is 172.17.42.1/16. With this, we also configure a default firewall rule when an app uses a UCS database, e.g. for mysql:

  # iptables --list
  Chain INPUT (policy DROP)
  ...
  ACCEPT     tcp  --  172.17.0.0/16        anywhere             tcp dpt:mysql
  ...

All single container apps connect to the default docker bridge, see

  # docker network ls

Multicontainer apps are started via docker-compose, which does not take this network configuration into account. Starting such an app creates a new docker network with a completely different network. In my test, 172.18.0.0/16 was used for the first app that was started; another app will create a new network bridge with a different network.

There are two issues:

* Multicontainer apps cannot access a UCS database by default, because the firewall forbids connections with our default settings configured by the app center.
* There are possible IP address conflicts, which we currently do not avoid, because the UCRv (and thus the ip address range) is not considered by docker-compose.

Possible solution: Use the already present docker bridge interface. In my tests I found that the app center would have to alter the docker compose yaml in the following way to achieve this:

* Add 'network_mode: bridge' to every service definition
* Add an array to every service definition, in order to reactivate service name resolution in the docker container, e.g. 'links: ['redis:redis']' if there is a service entry named redis.

One drawback is that multicontainer apps now run in the same network segment, so we have to take care to avoid service name conflicts: I have not tested what happens when two apps use the same service name because both configure a service named 'redis'.
Example for a modified docker-compose.yaml:

  version: '2'
  services:
    myapp:
      image: myapp:1
      network_mode: bridge
      restart: always
      links:
        - "redis:redis"
      environment:
        REDIS_HOST: redis
    redis:
      image: redis:latest
      network_mode: bridge
      restart: always
(In reply to Erik Damrose from comment #0)
[...]
> One drawback is that multicontainer apps now run in the same network
> segment, so we have to take care to avoid service name conflicts: I have not
> tested what happens when two apps use the same service name because both
> configure a service named 'redis'.

Maybe it would be a solution to prefix the service name with the appid and thus introduce a namespace based on the appid.
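The two points made above (comment #0: the compose network falls outside the firewall's accepted range, and the bridge/links workaround; comment #1: namespacing service names by appid) as an added example. This is not code from the bug report or from the App Center; it assumes the compose file has already been parsed into a dict (the YAML load/dump step is left out) and uses an assumed naming scheme of appid_service for the prefix.

```python
import ipaddress
from copy import deepcopy

# Constructed from the report: the UCR default bridge address (host address + prefix).
UCR_BIP = "172.17.42.1/16"

# Constructed from the modified docker-compose.yaml in comment #0.
EXAMPLE_COMPOSE = {
    "version": "2",
    "services": {
        "myapp": {"image": "myapp:1", "restart": "always",
                  "links": ["redis:redis"], "environment": {"REDIS_HOST": "redis"}},
        "redis": {"image": "redis:latest", "restart": "always"},
    },
}

def firewall_subnet(bip):
    """Subnet covered by the App Center's ACCEPT rule for the database port,
    derived from docker/daemon/default/opts/bip (172.17.42.1/16 -> 172.17.0.0/16)."""
    return ipaddress.ip_interface(bip).network

def reaches_database(container_ip, bip=UCR_BIP):
    """True if a container at this address matches that firewall rule; an address
    from the docker-compose network 172.18.0.0/16 does not."""
    return ipaddress.ip_address(container_ip) in firewall_subnet(bip)

def namespace_services(compose, appid):
    """Rewrite a parsed docker-compose.yaml (dict): every service joins the default
    docker bridge and is renamed to <appid>_<service> (assumed scheme, after
    comment #1); link targets are renamed the same way while the alias keeps the
    old name, so REDIS_HOST: redis still resolves inside the app's containers."""
    out = deepcopy(compose)
    services = {}
    for name, svc in compose.get("services", {}).items():
        svc = deepcopy(svc)
        svc["network_mode"] = "bridge"
        links = []
        for link in svc.get("links", []):
            target, _, alias = link.partition(":")
            links.append("%s_%s:%s" % (appid, target, alias or target))
        if links:
            svc["links"] = links
        services["%s_%s" % (appid, name)] = svc
    out["services"] = services
    return out

if __name__ == "__main__":
    print(firewall_subnet(UCR_BIP), reaches_database("172.18.0.2"))  # 172.17.0.0/16 False
    print(sorted(namespace_services(EXAMPLE_COMPOSE, "myapp")["services"]))
```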
Fixed in
  univention-appcenter 8.0.11-49A~4.4.0.201908131007
  univention-firewall 11.0.1-3A~4.4.0.201908131011
Details follow.
- Docker compose apps get assigned individual networks: OK
- Reinstalling an app works: OK
- App upgrades work: OK

I fixed a typo in the univention-firewall.yaml.
<http://errata.software-univention.de/ucs/4.4/233.html> <http://errata.software-univention.de/ucs/4.4/234.html>