
[SOLVED] use Docker and shorewall

PostPosted: Aug 25th, '21, 10:17
by flink
When I use a Docker environment, I finally get this message.


However, this URL cannot be reached in the browser. :cry:

It only works if I stop the shorewall.

sudo systemctl stop shorewall.service


I had already changed one thing in /etc/shorewall/shorewall.conf:
DOCKER=Yes
#DOCKER=No


I have seen that there is also a file /etc/shorewall6/shorewall6.conf.
Even if I add "DOCKER=Yes" there as well, it has no effect.

I have added these lines to /etc/shorewall/policy:
fw      loc     ACCEPT
loc     fw      ACCEPT


This should allow local access to the firewall.

I have added this zone to /etc/shorewall/zones:
loc     local


I have added this line to /etc/shorewall/rules:
INCLUDE /etc/shorewall/rules.docker


I have generated the file /etc/shorewall/rules.docker:
ACCEPT   loc    loc       tcp   8080     -      -
ACCEPT   loc    loc       tcp   8443     -      -


Then I restarted shorewall:

shorewall safe-restart


See the attached file for the output.

There seems to be a problem:

Determining Hosts in Zones...
WARNING: *** loc is an EMPTY ZONE *** /etc/shorewall/hosts (EOF)




What is needed to enable Docker when shorewall is running? :?:

Re: use Docker and shorewall

PostPosted: Aug 26th, '21, 11:44
by flink
To fix this bug I added line 13 to the file /etc/shorewall/interfaces:

loc     eth0            127.0.0.1    # This is the local network.


But then another error prevents this:


WARNING: Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available /etc/shorewall/interfaces (line 13)


The shorewall error can be fixed; line 13 of /etc/shorewall/interfaces becomes:

loc     eth0            -    # This is the local network.


However, the documentation says:
You may NOT specify the name of a "virtual" interface (e.g., eth0:0) here;


So I have removed line 13 again.

Re: use Docker and shorewall

PostPosted: Aug 26th, '21, 16:54
by doktor5000
You may want to have a look at viewtopic.php?f=7&t=14022

Re: use Docker and shorewall

PostPosted: Aug 26th, '21, 20:50
by flink
This is a Mageia 7 GNOME desktop and Docker version 18.09.0-dev.

I have now reverted almost all of the shorewall changes from above. Only "DOCKER=Yes" is still active in /etc/shorewall/shorewall.conf and /etc/shorewall6/shorewall6.conf.

I used this kernel boot option:

systemd.unified_cgroup_hierarchy=0


See:

cat /proc/cmdline



BOOT_IMAGE=/boot/vmlinuz-desktop root=UUID=6c1a3aba-19e1-4484-b4ae-0cd1e320caac ro splash quiet noiswmd resume=UUID=3dd9e875-7532-46cc-8454-1e88958fef77 audit=0 vga=788 systemd.unified_cgroup_hierarchy=0


The user franz is member of the docker group.

And the URL "https://umgebung1.ddev.site:8443/typo3" still cannot be reached in the browser.

Re: use Docker and shorewall

PostPosted: Aug 26th, '21, 22:33
by doktor5000
Can you actually resolve umgebung1.ddev.site locally? Is it contained in your /etc/hosts?
And what about https://127.0.0.1:32773?

Re: use Docker and shorewall

PostPosted: Aug 26th, '21, 22:46
by flink
[root@franz-820 shorewall]# cat /etc/hosts
127.0.0.1 localhost umgebung1.ddev.site
::1         localhost


Restarted Umgebung1
Your project can be reached at https://umgebung1.ddev.site:8443 https://127.0.0.1:32769


The URL you gave, https://127.0.0.1:32773, is outdated after the Docker restart.
It does not matter which one I use. All of them show:

This site can't be reached. 127.0.0.1 unexpectedly closed the connection.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_CLOSED


And shorewall is the reason for this behaviour.

Re: use Docker and shorewall

PostPosted: Aug 27th, '21, 18:31
by flink
The steps recommended on the Docker page of the official shorewall homepage do not work:

Docker Support (Tom Eastep, J Cliff Armstrong)



[franz@franz-820 Umgebung1]$ docker network ls

NETWORK ID     NAME           DRIVER    SCOPE
3e541a9ed513   bridge         bridge    local
81fbb014aa75   ddev_default   bridge    local
80b0a3020a99   host           host      local
60d2aba6e5c7   none           null      local

Re: use Docker and shorewall

PostPosted: Sep 7th, '21, 11:03
by flink
Here is the solution:


Docker(-compose) with shorewall


/etc/shorewall/interfaces :

?FORMAT 2
net     wlp2s0
net     wlp0s20f0u1
net     enp0s31f6
# dock    docker0         bridge
dock    docker0         physical=docker+,routeback=1
dock    br              physical=br-+,routeback=1


/etc/shorewall/policy:

$FW     net     ACCEPT

dock    $FW     REJECT
dock    all     ACCEPT

$FW     dock    ACCEPT
#net    all     DROP    info
all     all     REJECT  info



/etc/shorewall/zones:

net     ipv4
fw      firewall
dock    ipv4        #'dock' is just an example -- call it anything you like


/etc/shorewall/shorewall.conf:

...
DOCKER=Yes
...


Restart the computer.
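The working configuration above differs from the attempt in the first post in three ways that the thread never spells out: DOCKER=Yes is set, the dock zone is bound to docker0 and, through the br-+ wildcard, to every per-project bridge that docker-compose creates (the ddev_default network shows up on the host as a br-<id> interface), each with routeback=1, and the loc zone that triggered the "loc is an EMPTY ZONE" warning is gone. The following script is an added example and is not part of the forum post or of shorewall: it runs those three checks against shorewall.conf, interfaces and zones files given as arguments, and with no arguments against constructed sample files (a copy of the final configuration and a copy of the first post's). The function names, the sample files and the br-0123456789ab placeholder interface are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the forum post or from shorewall: pre-flight checks
# for a shorewall configuration that has to coexist with Docker. It looks for
#   1. DOCKER=Yes in shorewall.conf,
#   2. an interfaces entry covering docker0 AND the per-compose "br-*" bridges
#      (wildcard "br-+"), each with routeback=1,
#   3. no zone declared in zones without an interface (shorewall's
#      "*** loc is an EMPTY ZONE ***" warning).
# Paths are parameters so it can run against copies; the files written by
# sw_write_samples are constructed for this example.

# Drop comments and blank lines the way shorewall's preprocessing does.
sw_strip() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# 0 when the last DOCKER= assignment in shorewall.conf is Yes (case-insensitive).
sw_docker_enabled() {
    val=$(sw_strip "$1" | sed -n 's/^[[:space:]]*DOCKER=//p' | tail -n 1 |
          tr -d '"' | tr 'A-Z' 'a-z')
    [ "$val" = "yes" ]
}

# 0 when an interfaces line covers physical interface $2, literally or through
# a trailing-'+' wildcard (also inside a physical= option), with routeback=1.
sw_iface_covered() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[?]/ { next }     # comments, blanks, ?FORMAT
        {
            sub(/#.*$/, "")
            phys = $2                                    # INTERFACE column
            if (match($0, /physical=[^, \t]+/))          # physical= option wins
                phys = substr($0, RSTART + 9, RLENGTH - 9)
            if (phys ~ /\+$/) {                          # wildcard, e.g. br-+
                prefix = substr(phys, 1, length(phys) - 1)
                hit = (substr(want, 1, length(prefix)) == prefix)
            } else {
                hit = (phys == want)
            }
            if (hit && $0 ~ /routeback=1/) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Prints zones declared in $1 (zones file) that no line of $2 (interfaces)
# refers to; type "firewall" is skipped because it never has an interface.
sw_empty_zones() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /^[?]/ { next }
        { sub(/#.*$/, "") }
        FNR == NR { used[$1] = 1; next }                 # first file: interfaces
        $2 == "firewall" { next }                        # second file: zones
        { z = $1; sub(/:.*/, "", z); if (!(z in used)) print z }
    ' "$2" "$1"
}

# Runs all three checks, prints one line per result, non-zero on any failure.
sw_docker_check() {
    conf=$1; ifaces=$2; zones=$3; rc=0
    if sw_docker_enabled "$conf"; then echo "ok:   DOCKER=Yes in $conf"
    else echo "FAIL: DOCKER=Yes not set in $conf"; rc=1; fi
    # br-0123456789ab is a placeholder for any br-<network id> compose bridge.
    for i in docker0 br-0123456789ab; do
        if sw_iface_covered "$ifaces" "$i"; then echo "ok:   $i covered with routeback=1"
        else echo "FAIL: $i has no interfaces entry with routeback=1 in $ifaces"; rc=1; fi
    done
    empty=$(sw_empty_zones "$zones" "$ifaces")
    if [ -n "$empty" ]; then echo "FAIL: empty zone(s): $empty"; rc=1
    else echo "ok:   every non-firewall zone has an interface"; fi
    return $rc
}

# Constructed samples: the working configuration from the last post, and a
# second set reproducing the first post (loc declared, no Docker interfaces).
sw_write_samples() {
    d=$1
    printf '%s\n' '#DOCKER=No' 'DOCKER=Yes' > "$d/shorewall.conf"
    printf '%s\n' '?FORMAT 2' 'net     enp0s31f6' \
        'dock    docker0         physical=docker+,routeback=1' \
        'dock    br              physical=br-+,routeback=1' > "$d/interfaces"
    printf '%s\n' 'net     ipv4' 'fw      firewall' 'dock    ipv4' > "$d/zones"
    printf '%s\n' 'DOCKER=Yes' > "$d/shorewall.conf.bad"
    printf '%s\n' 'net     eth0' > "$d/interfaces.bad"
    printf '%s\n' 'net     ipv4' 'fw      firewall' 'loc     ipv4' > "$d/zones.bad"
}

# Usage: sh check-shorewall-docker.sh /etc/shorewall/shorewall.conf \
#            /etc/shorewall/interfaces /etc/shorewall/zones
# With no arguments the checks run against the constructed samples.
if [ "$#" -eq 3 ]; then
    sw_docker_check "$1" "$2" "$3"
else
    tmp=$(mktemp -d)
    sw_write_samples "$tmp"
    echo "== working configuration"
    sw_docker_check "$tmp/shorewall.conf" "$tmp/interfaces" "$tmp/zones"
    echo "== first-post configuration"
    sw_docker_check "$tmp/shorewall.conf.bad" "$tmp/interfaces.bad" "$tmp/zones.bad" \
        || echo "=> check failed, as the first post's warning predicts"
    rm -rf "$tmp"
fi
```

Run it against the live files after editing and before `shorewall safe-restart`; a FAIL for the br-0123456789ab placeholder means compose-created bridges would fall outside every zone, which is the situation the first post's rules.docker entries could not fix because their loc zone had no interface at all.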