Univention Bugzilla – Full Text Bug Listing

| Summary: | univention-firewall docker rules not active after system start | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Felix Botner <botner> |
| Component: | App Center | Assignee: | Felix Botner <botner> |
| Status: | CLOSED FIXED | QA Contact: | Dirk Wiesenthal <wiesenthal> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, brodersen, troeder |
| Version: | UCS 4.1 | | |
| Target Milestone: | UCS 4.1-3-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=39686 | | |
| What kind of report is it?: | Development Internal | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
Description
Felix Botner
2016-10-17 14:57:52 CEST
Added an "invoke-rc.d univention-firewall restart || true" to /etc/init.d/docker.

Merged to 4.2

ucs-4.1-3/doc/errata/staging/univention-docker.yaml

Daniel Tröder (comment #2)

This introduces a problematic situation: if security/packetfilter/disabled=true the following happens:

1) docker engine starts, creates docker-base rules
2) invoke-rc.d univention-firewall restart
   → univention-firewall stop → purges all iptables rules
   → univention-firewall start → doesn't run because of UCR
3) docker containers are started, but docker-base rules (NATing) have been purged
   → unusable containers

(In reply to Daniel Tröder from comment #2)
> This introduces a problematic situation: if
> security/packetfilter/disabled=true the following happens:
>
> 1) docker engine starts, creates docker-base rules
> 2) invoke-rc.d univention-firewall restart
> → univention-firewall stop → purges all iptables rules
> → univention-firewall start → doesn't run because of UCR
> 3) docker containers are started, but docker-base rules (NATing) have been
> purged
> → unusable containers

Added a check of security/packetfilter/disabled before restarting univention-firewall.

Note: with security/packetfilter/disabled=true set, docker apps are practically unusable because port forwarding is handled through /etc/security/packetfilter.d/20_docker.sh

See bug: 39686

OK, rules are present after a reboot. YAML OK, port OK
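The boot sequence from the comments above, as an added shell model (not code from the bug report or the UCS packages): the two init scripts, UCR and iptables are stand-in functions acting on a string, and the assumption that a firewall start with the packetfilter enabled rebuilds the rules Docker needs is the example's own.

```shell
#!/bin/sh
# Added example, not code from the UCS packages: a model of the boot sequence
# in this report. iptables, UCR and both init scripts are replaced by shell
# functions acting on the string RULES, so nothing touches the host.

RULES=""                 # constructed stand-in for the live iptables rule set
UCR_PF_DISABLED="false"  # constructed stand-in for security/packetfilter/disabled

ucr_get() {              # stand-in for `ucr get security/packetfilter/disabled`
    [ "$1" = "security/packetfilter/disabled" ] && printf '%s\n' "$UCR_PF_DISABLED"
}

# univention-firewall: "stop" flushes every rule; "start" does nothing when the
# UCR variable is true. Assumption of the model: when enabled, start runs the
# packetfilter.d scripts (20_docker.sh among them) and rebuilds Docker's rules.
univention_firewall() {
    case "$1" in
        stop)  RULES="" ;;
        start) [ "$(ucr_get security/packetfilter/disabled)" = "true" ] \
                   || RULES="$RULES ucs-rules docker-nat" ;;
    esac
}

# /etc/init.d/docker: the engine creates its base NAT rules, then the errata
# hook restarts the firewall. "unguarded" is the first, unconditional version;
# "guarded" is the fixed hook that checks the UCR variable first.
docker_init() {
    RULES="$RULES docker-nat"
    if [ "$1" = "unguarded" ] \
       || [ "$(ucr_get security/packetfilter/disabled)" != "true" ]; then
        univention_firewall stop    # invoke-rc.d univention-firewall restart
        univention_firewall start
    fi
}

containers_usable() {    # containers need Docker's NAT rules to be present
    case " $RULES " in *" docker-nat "*) return 0 ;; *) return 1 ;; esac
}

# boot <true|false> <guarded|unguarded>  -> prints "usable" or "broken"
boot() {
    RULES=""; UCR_PF_DISABLED="$1"
    docker_init "$2"
    if containers_usable; then echo usable; else echo broken; fi
}

boot true unguarded      # -> broken  (the situation described in comment #2)
boot true guarded        # -> usable  (fix: no restart, Docker's rules survive)
boot false unguarded     # -> usable
```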