Bug 49055 - Multicontainer apps use arbitrary network, database access issue, possible address conflicts
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: App Center
UCS 4.4
Other Linux
: P5 normal
: UCS 4.4-1-errata
Assigned To: Dirk Wiesenthal
Jannik Ahlers
Depends on:
Blocks:
Reported: 2019-03-21 17:35 CET by Erik Damrose
Modified: 2019-08-14 16:35 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?:
ISV affected?: Yes
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Erik Damrose univentionstaff 2019-03-21 17:35:21 CET
Single container apps are started via the docker cli. The network that the daemon uses is configured by UCRv docker/daemon/default/opts/bip, our default is 172.17.42.1/16.

With this, we also configure a default firewall rule when an app uses a UCS database, e.g. for mysql:

# iptables --list
Chain INPUT (policy DROP)
...
ACCEPT     tcp  --  172.17.0.0/16        anywhere             tcp dpt:mysql
...

All single-container apps connect to the default docker bridge, see # docker network ls

Multicontainer apps are started via docker-compose, which does not take this network configuration into account. Starting such an app creates a new docker network with a completely different network. In my test, 172.18.0.0/16 was used for the first app that was started; another app will create a new network bridge with a different network.

There are two issues:
* Multicontainer apps cannot access a UCS database by default, because the firewall forbids connections with our default settings configured by the app center.
* There are possible IP address conflicts, which we currently do not avoid, because the UCRv (and thus the ip address range) is not considered by docker-compose.

Possible solution: Use the already present docker bridge interface. In my tests I found that the app center would have to alter the docker compose yaml in the following way to achieve this:
* Add 'network_mode: bridge' to every service definition
* Add an array to every service definition, in order to reactivate service name resolution in the docker container, e.g. 'links: ['redis:redis']' if there is a service entry named redis.

One drawback is that multicontainer apps now run in the same network segment, so we have to take care to avoid service name conflicts: I have not tested what happens when two apps use the same service name because both configure a service named 'redis'.

Example for a modified docker-compose.yaml:
version: '2'
services:
  myapp:
    image: myapp:1
    network_mode: bridge
    restart: always
    links:
      - "redis:redis"
    environment:
      REDIS_HOST: redis

  redis:
    image: redis:latest
    network_mode: bridge
    restart: always
Comment 1 Nico Gulden univentionstaff 2019-07-10 10:18:04 CEST
(In reply to Erik Damrose from comment #0)
[...]
> One drawback is that multicontainer apps now run in the same network
> segment, so we have to take care to avoid service name conflicts: I have not
> tested what happens when two apps use the same service name because both
> configure a service named 'redis'.

Maybe it would be a solution to prefix the service name with the appid and thus introduce a namespace based on the appid.
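The following is an added example, not App Center code from Univention, that puts the two ideas in this thread into working form: the description's workaround (every service gets network_mode: bridge plus links so name resolution keeps working) and comment 1's suggestion of prefixing service names with the app id. It also shows the first issue from the description as a check: whether a compose-created network such as 172.18.0.0/16 falls inside the ACCEPT rule that is derived from the bip UCR value. The compose data is a constructed dict equivalent to what yaml.safe_load() returns for the example file in the description; the dependency mapping, the app_id prefix format and the function names are assumptions of this example.

```python
"""Added example, not Univention App Center code: rewrite a parsed
docker-compose file so every service joins the default docker bridge
(with an optional per-app name prefix), and check a container network
against the firewall rule derived from docker/daemon/default/opts/bip."""
import copy
import ipaddress

# Constructed sample: what yaml.safe_load() returns for the unmodified
# compose file shown in the bug description.
ORIGINAL_COMPOSE = {
    "version": "2",
    "services": {
        "myapp": {
            "image": "myapp:1",
            "restart": "always",
            "environment": {"REDIS_HOST": "redis"},
        },
        "redis": {"image": "redis:latest", "restart": "always"},
    },
}


def to_bridge_network(compose, dependencies, app_id=None):
    """Return a transformed copy of a parsed compose file.

    dependencies maps a service name to the service names it must be
    able to resolve, e.g. {"myapp": ["redis"]} (assumed input; it could
    be taken from depends_on).  Only these become `links`, and only in
    the stated direction, because mutual links would be a circular
    dependency for docker-compose.  Existing `links` are replaced.
    With app_id set, every service name is prefixed "<app_id>_"
    (the namespace idea from comment 1) while the link alias keeps the
    original name, so in-container settings like REDIS_HOST=redis
    still resolve.
    """
    def new_name(name):
        return "%s_%s" % (app_id, name) if app_id else name

    result = copy.deepcopy(compose)
    old_services = result.get("services", {})
    new_services = {}
    for name, svc in old_services.items():
        svc["network_mode"] = "bridge"  # join the daemon's default bridge
        svc.pop("links", None)
        targets = dependencies.get(name, [])
        unknown = [t for t in targets if t not in old_services]
        if unknown:
            raise ValueError("%s links to undefined service(s): %s" % (name, unknown))
        if targets:
            # "<target container>:<alias>"; the alias is the unprefixed name
            svc["links"] = ["%s:%s" % (new_name(t), t) for t in targets]
        new_services[new_name(name)] = svc
    result["services"] = new_services
    return result


def allowed_db_network(bip_value):
    """Network covered by the App Center's ACCEPT rule for database
    ports, derived from the bip UCR value: '172.17.42.1/16' -> 172.17.0.0/16."""
    return ipaddress.ip_interface(bip_value).network


def db_reachable(bip_value, container_network):
    """True when containers in container_network fall inside the ACCEPT
    rule, i.e. can reach a UCS database such as mysql through the firewall."""
    return ipaddress.ip_network(container_network).subnet_of(
        allowed_db_network(bip_value))


def conflicting_networks(container_network, existing_networks):
    """Second issue from the description: which of the given networks
    (other docker bridges, site subnets; constructed input) overlap the
    network docker-compose picked without consulting the UCR value."""
    net = ipaddress.ip_network(container_network)
    return [n for n in existing_networks if net.overlaps(ipaddress.ip_network(n))]


if __name__ == "__main__":
    # Compose default network from the bug report vs. the UCS default bip
    print("172.18.0.0/16 reaches DB:", db_reachable("172.17.42.1/16", "172.18.0.0/16"))
    print("172.17.0.0/16 reaches DB:", db_reachable("172.17.42.1/16", "172.17.0.0/16"))
    fixed = to_bridge_network(ORIGINAL_COMPOSE, {"myapp": ["redis"]}, app_id="myapp")
    for name, svc in fixed["services"].items():
        print(name, svc["network_mode"], svc.get("links"))
```

Without app_id the output matches the modified docker-compose.yaml in the description (myapp gets links: ["redis:redis"], redis gets none); with app_id="myapp" the services become myapp_myapp and myapp_redis and the link reads "myapp_redis:redis", so two apps that both define a redis service no longer collide on the shared bridge.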
Comment 2 Dirk Wiesenthal univentionstaff 2019-08-13 10:15:34 CEST
Fixed in
  univention-appcenter 8.0.11-49A~4.4.0.201908131007
  univention-firewall 11.0.1-3A~4.4.0.201908131011

Details follow.
Comment 3 Jannik Ahlers univentionstaff 2019-08-14 12:31:10 CEST
- Docker compose apps get assigned individual networks OK
- reinstalling an app works OK
- App upgrades work OK
I fixed a typo in the univention-firewall.yaml