Need $docker::manage_firewall option #129
Comments
|
UPDATE: I have implemented this as weave::firewall::docker on the hesco/weave project, but feel that code really belongs here on the garethr/docker project instead. See: https://github.com/hesco/hesco-weave/blob/master/manifests/firewall/docker.pp At version v0.7.45 of the weave module I have been working on, this code has provided me with a stable cross-docker-host weave network for the past two days now where it is being used to host production services. I am close to tagging a new release for the forge to make this code more publicly available. My question to you is this: Would you be open to merging a pull request which moves this functionality out of the weave module and into the docker module where it really belongs? I would continue to maintain the weave::firewall::weave class and the weave::firewall::listen_to_peer type on the hesco/weave project. -- Hugh |
|
Hi @hesco, I'd certainly be open to including this in the docker module, assuming it's something that people explicitly include. I think the trick will be testing it with the supported operating systems, although I'm happy for that to start with partial support and warnings if that's easier. |
|
What I intend is a straight port of the existing https://github.com/hesco/hesco-weave/blob/master/manifests/firewall/docker.pp The other piece which belongs in the garethr/docker module is a defined https://github.com/hesco/hesco-weave/blob/master/manifests/firewall/dnat_published_port.pp I'm still swamped by a few other tasks before I can get to this, but if Ahead of it in line though it a PR adding debian support to -- Hugh On Sun, 16 Nov 2014 10:52:14 -0800
Hugh Esco [email protected] |
|
This looks like a great addition, and is definitely something we're running into as a blocking issue. In the short term, since our hosts are behind a VPC, we can probably just open the firewall up ... but in the long run, we definitely want That said, I agree that it generally needs to be able to handle all containers that are running, even if they aren't run through puppet. We're experimenting with ECS now and obviously that means that Puppet won't be involved in most of the docker container execution. |
|
@hesco: I've manually added your firewall patch to my test setup and it seems to be triggering a bit of a chicken&egg problem. Applying the firewall rules using Puppet works flawlessly. However when restarting the Docker service it complains that it can't insert a forward rule because it already exists. When removing those firewall rules from the manifest they are purged from the Docker host as well. After restarting the Docker service all is well again. Any thoughts about how to get around this problem? |
|
Hey Tom: Thanks for pointing this out. I too have been seeing this in my Every docker host restart, or even a docker daemon restart requires My plan has been to port the weave::firewall::docker over to the When I do that, it would make sense to add perhaps: and create a dependency on the latter for the Service['docker.io'] Feel free to create a bug report on the hesco-weave project to that Thanks again for pointing this out. Although I had seen this same -- Hugh On Wed, 07 Jan 2015 01:47:46 -0800
Hugh Esco [email protected] |
|
Any update on merging the firewall code into this puppet module? |
|
@diranged: Nothing yet. Completed one project last night, starting another today. This and other work on the hesco-weave project remain on my to-do list. In the mean time, you can install hesco-weave and use the weave::firewall::docker and weave::firewall::dnat_published_port defined types it makes available. If your docker installation spans multiple physical hosts, you might also find useful the weave SDN router functionality in that module. But it is not necessary to implement weave to use the docker specific defined types which hesco-weave (https://forge.puppetlabs.com/hesco/weave | https://github.com/hesco/hesco-weave) exposes. My own production services have been offered on a stable docker cluster running on this code now since mid-November. |
|
Please see this link for solution if using puppet labs firewall: and from there this link: Solution for this is to remove if you have it anywhere Ignore docker dynamic rulesfirewallchain { 'DOCKER:nat:IPv4': inside my_firewall::pre class my_firewall::pre { Ignore docker dynamic rulesfirewallchain { 'DOCKER:nat:IPv4': .... |
|
any update on this ? |
|
check out: Afraid a new job has further delayed my recrafting this work as a PR for the garethr-docker module, but with an: Good luck and feel free to ping me again if you have any trouble implementing that. -- Hugh |
|
+1 to this. We use puppetlabs-firewall so the docker defaults are overwritten with a subsequent puppet run. |
|
for the short answer, see my comment above: |
* removing obsolete code * fixing acceptance tests * incorporating updates from markw/puppetlabs-docker * fixing params * putting in systemd default for run on redhat * removing old variable * removing archilunx template * updating last of the spec tests
Hey Gareth:
It seems that while docker is managing the creation of rules in the FORWARD chain, that it leaves the policies on every chain set to ACCEPT and the docker host particularly vulnerable, with all ports wide open. I want to use the puppetlabs/firewall module to lock things down and to manage the ports I need to open to the world for my haproxy, db servers and other services. But I want to do that without messing up what is happening with the docker rule set.
This evening I had a short exchange on the #docker channel on this subject. I'm imagining a new defined type
docker::firewallwhich would be invoked by docker::run, and perhaps as well by a newdocker::firewall::legacy_containers(might not be the right name there) which would handle managing the firewall for already running containers or containers which were run directly with the docker client, and in a way not otherwise managed by puppet.23:50:12 hesco | I'm nearly ready to bring the iptables rule set run on my docker hosts under puppet management with the puppetlabs-firewall module. But the first thing the firewall module will do is flush whatever is already there. My question is this? What will it take to make docker rebuild its own rule set on top of what I'm doing with puppet? And how long would that take? Can't really afford to break things at this hour, when I'm hoping to go to bed soon. Can anyone advise me on how docker manages its iptables rule set and what might be expected if I run this test?
00:03:20 akerl | hesco: In my experience, if you're doing other things with iptables, it quickly becomes saner to have $other_thing manage all the rules and tell Docker to leave iptables alone
00:07:35 hesco | akerl: ok, I'll buy that. So it sounds like I need some sort of new defined type which will harvest the published ports out of
docker psand convert those into rules for the FORWARD chain, perhaps.00:08:06 akerl | That would be snazzy
00:10:48 hesco | sounds like a patch for the garethr/docker module.
So, is this something which seems germane to your module, as I imagine? Would you consider such a patch? Or should I develop it under a distinct namespace?
-- Hugh
The text was updated successfully, but these errors were encountered: