[SOLVED] use Docker and shorewall

Postby flink » Aug 25th, '21, 10:17

When I use a Docker environment, I finally get this message (screenshot not reproduced here).

However this URL cannot be reached in the browser. :cry:

It only works if I stop the shorewall.

Code:
sudo systemctl stop shorewall.service


I had already changed one thing in /etc/shorewall/shorewall.conf:
Code:
DOCKER=Yes
#DOCKER=No


I have seen that there is also a file /etc/shorewall6/shorewall6.conf.
Even if I add "DOCKER=Yes" there as well, it has no effect.

I have added these lines to /etc/shorewall/policy:
Code:
fw      loc     ACCEPT
loc     fw      ACCEPT


This should allow local access to the firewall.

I have added this zone into /etc/shorewall/zones:
Code:
loc     local


I have added this line into /etc/shorewall/rules:
Code:
INCLUDE /etc/shorewall/rules.docker


I have generated the file /etc/shorewall/rules.docker:
Code:
ACCEPT   loc    loc       tcp   8080     -      -
ACCEPT   loc    loc       tcp   8443     -      -


Then I restarted shorewall:

Code:
shorewall safe-restart


See the attached file for the output.

There seems to be a problem:

Determining Hosts in Zones...
WARNING: *** loc is an EMPTY ZONE *** /etc/shorewall/hosts (EOF)




What is needed to enable Docker when shorewall is running? :?:
Attachments
shorewall-start.txt
Last edited by flink on Sep 7th, '21, 11:04, edited 1 time in total.

Re: use Docker and shorewall

Postby flink » Aug 26th, '21, 11:44

To fix this bug I added line 13 to the file /etc/shorewall/interfaces:

Code:
loc     eth0            127.0.0.1    # This is the local network.


But then another error forbids this:

WARNING: Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available /etc/shorewall/interfaces (line 13)


The shorewall error can be fixed. Line 13 of the file /etc/shorewall/interfaces:

Code:
loc     eth0            -    # This is the local network.


However the documentation says:
You may NOT specify the name of a "virtual" interface (e.g., eth0:0) here;


So I have removed line 13 again.

Re: use Docker and shorewall

Postby doktor5000 » Aug 26th, '21, 16:54

You may want to have a look at viewtopic.php?f=7&t=14022
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts

Re: use Docker and shorewall

Postby flink » Aug 26th, '21, 20:50

This is a Mageia 7 GNOME desktop and Docker version 18.09.0-dev.

I have now reverted almost all of the shorewall changes above. Only "DOCKER=Yes" is still active in the files "/etc/shorewall/shorewall.conf" and "/etc/shorewall6/shorewall6.conf".

I used this kernel option at boot:

Code:
systemd.unified_cgroup_hierarchy=0


See:

Code:
cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-desktop root=UUID=6c1a3aba-19e1-4484-b4ae-0cd1e320caac ro splash quiet noiswmd resume=UUID=3dd9e875-7532-46cc-8454-1e88958fef77 audit=0 vga=788 systemd.unified_cgroup_hierarchy=0


The user franz is a member of the docker group.

And still the URL "https://umgebung1.ddev.site:8443/typo3" cannot be reached in the browser.

Re: use Docker and shorewall

Postby doktor5000 » Aug 26th, '21, 22:33

Can you actually resolve umgebung1.ddev.site locally? Is it contained in your /etc/hosts?
And what about https://127.0.0.1:32773 ?

Re: use Docker and shorewall

Postby flink » Aug 26th, '21, 22:46

Code:
[root@franz-820 shorewall]# cat /etc/hosts
127.0.0.1 localhost umgebung1.ddev.site
::1         localhost

Restarted Umgebung1
Your project can be reached at https://umgebung1.ddev.site:8443 https://127.0.0.1:32769


The URL you gave, https://127.0.0.1:32773, is outdated after the Docker restart.
It does not matter which one I take; all of them show:

This site can't be reached
127.0.0.1 unexpectedly closed the connection.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_CLOSED

And shorewall is the reason for this behaviour.

Re: use Docker and shorewall

Postby flink » Aug 27th, '21, 18:31

The steps recommended on the Docker page of the official shorewall homepage do not work.

Docker Support (Tom Eastep, J Cliff Armstrong)



Code:
[franz@franz-820 Umgebung1]$ docker network ls

NETWORK ID     NAME           DRIVER    SCOPE
3e541a9ed513   bridge         bridge    local
81fbb014aa75   ddev_default   bridge    local
80b0a3020a99   host           host      local
60d2aba6e5c7   none           null      local

Re: use Docker and shorewall

Postby flink » Sep 7th, '21, 11:03

Here is the solution:


Docker(-compose) with shorewall


/etc/shorewall/interfaces :

Code:
?FORMAT 2
net     wlp2s0
net     wlp0s20f0u1
net     enp0s31f6
# dock    docker0         bridge
dock    docker0         physical=docker+,routeback=1
dock    br              physical=br-+,routeback=1


/etc/shorewall/policy:

Code:
$FW     net     ACCEPT

dock    $FW     REJECT
dock    all     ACCEPT

$FW     dock    ACCEPT
#net    all     DROP    info
all     all     REJECT  info



/etc/shorewall/zones:

Code:
net     ipv4
fw      firewall
dock    ipv4        #'dock' is just an example -- call it anything you like


/etc/shorewall.conf:

Code:
...
DOCKER=Yes
...


Restart the computer.
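An added check, not from the thread or from the Shorewall project: it parses a ?FORMAT 2 interfaces file laid out like the final configuration above and reports which Docker bridges on the host (names constructed below; a compose/ddev network shows up as br-<network id>) are not covered by a routeback zone entry, which is the gap the first attempts in this thread left open.

```python
"""Added example (not from the thread or Shorewall): check that every Docker
bridge on the host is matched by a routeback zone entry in a Shorewall
?FORMAT 2 'interfaces' file laid out like the thread's final configuration."""

# Constructed copy of the thread's final /etc/shorewall/interfaces.
INTERFACES_FILE = """\
?FORMAT 2
net     wlp2s0
net     enp0s31f6
dock    docker0         physical=docker+,routeback=1
dock    br              physical=br-+,routeback=1
"""

# Constructed bridge names as `ip -o link show type bridge` would list them:
# docker0, the br-<network id> bridge of a compose/ddev network, and a libvirt bridge.
HOST_BRIDGES = ["docker0", "br-81fbb014aa75", "virbr0"]


def parse_interfaces(text):
    """Return [(zone, interface_pattern, {option: value})] for each entry."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("?"):      # skip blanks and ?FORMAT
            continue
        fields = line.split()
        opts = {}
        for opt in ",".join(fields[2:]).split(","):
            if opt:
                key, _, val = opt.partition("=")
                opts[key] = val or "1"            # bare option == enabled
        # With 'physical=' the second column is only a logical name.
        entries.append((fields[0], opts.get("physical", fields[1]), opts))
    return entries


def shorewall_match(pattern, iface):
    """Shorewall wildcard: a trailing '+' matches any suffix, else exact."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def uncovered_bridges(interfaces_text, bridges):
    """Bridges no routeback entry covers: container traffic on them falls
    outside the dock zone's ACCEPT policies."""
    entries = parse_interfaces(interfaces_text)
    return [br for br in bridges
            if not any(shorewall_match(pat, br) and opts.get("routeback") == "1"
                       for _zone, pat, opts in entries)]
```

Run it against the real file and `ip -o link show type bridge` output to see whether a newly created compose network is already matched by the br-+ pattern.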
