Univention Bugzilla – Full Text Bug Listing |
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Docker apps may not work if univention-firewall is disabled | | |
| Product: | UCS | Reporter: | Felix Botner <botner> |
| Component: | App Center | Assignee: | Felix Botner <botner> |
| Status: | CLOSED FIXED | QA Contact: | Dirk Wiesenthal <wiesenthal> |
| Severity: | normal | | |
| Priority: | P5 | CC: | hahn, wiesenthal |
| Version: | UCS 4.2 | | |
| Target Milestone: | UCS 4.2-1-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 2: Improvement: Would be a product improvement |
| Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 2: A Pain – users won't like this once they notice it |
| User Pain: | 0.046 | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 53673 | | |
Description
Felix Botner
2017-06-20 14:38:04 CEST
The firewall can be disabled with

    ucr set security/packetfilter/disabled='yes'

but a

    service univention-firewall restart|stop

always purges the iptables rules, regardless of security/packetfilter/disabled, and we added

    ExecStartPost=-/usr/sbin/service univention-firewall restart

to /lib/systemd/system/docker.service. That means the iptables rules will be removed

* during every startup
* on service docker restart
* on service univention-firewall restart|stop

if ucr set security/packetfilter/disabled='yes' is set.

Simple solution: check is_ucr_true security/packetfilter/disabled in stop() in /etc/init.d/univention-firewall and don't remove the rules.

Any suggestion?

Comment #2
Felix Botner

(In reply to Felix Botner from comment #1)
> Simple solution: check is_ucr_true security/packetfilter/disabled in stop()
> in /etc/init.d/univention-firewall and don't remove the rules.
>
> Any suggestion?

Or, ExecStartPost=-/usr/sbin/service univention-firewall start in /lib/systemd/system/docker.service.

Comment #3

(In reply to Felix Botner from comment #2)
> (In reply to Felix Botner from comment #1)
> > Simple solution: check is_ucr_true security/packetfilter/disabled in stop()
> > in /etc/init.d/univention-firewall and don't remove the rules.
> >
> > Any suggestion?
>
> Or, ExecStartPost=-/usr/sbin/service univention-firewall start in
> /lib/systemd/system/docker.service.

NO: You *must* *never* use `service` from a systemd.service unit, as it will recurse back to calling `systemctl`, which will *deadlock*! See Bug #42380 where exactly that happened!

Try [Unit] Requires=univention-firewall.service or `Requisite=` (`man 5 systemd.unit`).

Comment #4

univention-firewall essentially does a run-scripts on a directory (/etc/security/packetfilter.d/). Maybe we should also use a second directory, say, /etc/security/packetfilter.always.d/, which is run, well, always. Even if the normal packetfilter is disabled by UCR. We can then put docker instructions into it.

The problem here is the ordering. (Formerly, 20_docker.sh ran after 10_univention-firewall_start.sh but before 20_rsyslog.sh.) Maybe one can "merge" files in multiple directories with run-scripts?

Alternatively, one could use one directory again (/etc/security/packetfilter.enabled.d/), put the really important stuff into it, and - depending on "ucr get security/packetfilter/disabled" - link the scripts of the original directory into it. A UCR module would be required to link or remove the files.

Comment #5

univention-firewall errata4.2-1 9.0.1-3A~4.2.0.201708081325

Always run /etc/security/packetfilter.d/20_docker.sh (start, stop) in univention-firewall, regardless of security/packetfilter/disabled (but this can be disabled with security/packetfilter/docker/disabled).

Comment #6

OK, DOCKER and DOCKER-ISOLATION chain is always present
OK, can even be disabled if really required
YAML: OK
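As an added illustration of the selection rule the fix comment describes (always run 20_docker.sh unless security/packetfilter/docker/disabled is set; skip everything else when security/packetfilter/disabled is set), the following POSIX shell function is not Univention's init script: it receives the two UCR values and the script names as arguments instead of calling `ucr get` and `run-scripts`, so it runs offline, and it only prints what would be executed.

```shell
#!/bin/sh
# Added illustration (not univention-firewall's own code): which
# /etc/security/packetfilter.d/ scripts a start/stop should run, given
# the two UCR variables from the bug. UCR values are passed in as
# arguments so the logic can be exercised without a UCS system.

# is_true VALUE -> exit 0 when VALUE is a UCR-style "true" (assumed set
# of spellings, modelled on is_ucr_true mentioned in comment #1).
is_true() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1|enable|enabled|on) return 0 ;;
        *) return 1 ;;
    esac
}

# select_scripts ACTION PF_DISABLED DOCKER_DISABLED SCRIPT...
# Prints "<script> <action>" per line for every script that should run.
#  - 20_docker.sh is skipped only if security/packetfilter/docker/disabled
#    is true (so the DOCKER chains stay present when the firewall is off).
#  - every other script is skipped if security/packetfilter/disabled is true.
select_scripts() {
    action=$1; pf_disabled=$2; docker_disabled=$3
    shift 3
    for script in "$@"; do
        case "$script" in
            20_docker.sh|*/20_docker.sh)
                is_true "$docker_disabled" && continue ;;
            *)
                is_true "$pf_disabled" && continue ;;
        esac
        # A real init script would execute: "$script" "$action"
        printf '%s %s\n' "$script" "$action"
    done
}

# Constructed sample: firewall disabled, docker rules still wanted.
select_scripts stop yes no \
    10_univention-firewall_start.sh 20_docker.sh 20_rsyslog.sh
```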