<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>Docker Support</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>

      <author>
        <surname>J Cliff Armstrong</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2016</year>

      <year>2020</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>Shorewall 5.0.5 and Earlier</title>

    <para>Both Docker and Shorewall assume that they 'own' the iptables
    configuration. This leads to problems when Shorewall is restarted or
    reloaded, because it drops all of the rules added by Docker. Fortunately,
    the extensibility features in Shorewall allow users to <ulink
    url="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#">create
    their own solution</ulink> for saving the Docker-generated rules before
    these operations and restoring them afterwards.</para>
  </section>

  <section>
    <title>Shorewall 5.0.6 and Later</title>

    <para>Beginning with Shorewall 5.0.6, Shorewall has native support for
    simple Docker configurations. This support is enabled by setting
    DOCKER=Yes in shorewall.conf. With this setting, the generated script
    saves the Docker-created ruleset before executing a
    <command>stop</command>, <command>start</command>,
    <command>restart</command> or <command>reload</command> operation and
    restores those rules along with the Shorewall-generated ruleset.</para>

    <important>
      <para>Shorewall currently doesn't support Docker Swarm mode.</para>
    </important>

    <warning>
      <para>On Debian and Debian-derived systems, <command>systemctl restart
      shorewall</command> will lose Docker rules. You can work around this
      issue using a method provided by J Cliff Armstrong:</para>

      <para>Type as root:</para>

      <programlisting><command>systemctl edit shorewall.service</command></programlisting>

      <para>This will open the default terminal editor to a blank file in
      which you can paste the following:</para>

      <programlisting>[Service]
# reset ExecStop
ExecStop=
# set ExecStop to "stop" instead of "clear"
ExecStop=/sbin/shorewall $OPTIONS stop
</programlisting>

      <para>Then type <command>systemctl daemon-reload</command> to activate
      the changes. This change will survive future updates of the shorewall
      package from apt repositories. The override file itself will be saved to
      <filename>/etc/systemd/system/shorewall.service.d/</filename>.</para>
    </warning>

    <para>This support assumes that the default Docker bridge (docker0) is
    being used. It is recommended that this bridge be defined to Shorewall in
    <ulink
    url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
    As shown below, you can control inter-container communication using the
    <option>bridge</option> and <option>routeback</option> options. If docker0
    is not defined to Shorewall, then Shorewall will save and restore the
    FORWARD chain rules involving that interface.</para>
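
    <para>Whether a <command>reload</command> (or the systemd restart discussed
    above) actually preserved the Docker rules can be verified from two
    <command>iptables-save</command> dumps, one taken before and one after. The
    shell script below is an added example, not part of Shorewall or of this
    documentation; its two dumps are constructed samples, and it treats as
    Docker rules exactly the rules the text refers to: those involving the
    docker0 interface or a DOCKER chain.</para>

    <programlisting>
```shell
# Added example: report which Docker-generated iptables rules are missing from a
# ruleset dump taken after "shorewall reload", compared with one taken before.
# Both dumps here are constructed samples; on a real host capture them with
# "iptables-save > before.txt" and "iptables-save > after.txt".

BEFORE='*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Simulates a reload that kept the Shorewall rule but dropped most Docker rules.
AFTER='*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT'

# Rule lines (-A ...) that involve the docker0 bridge or a DOCKER* chain.
docker_rules() {
    printf '%s\n' "$1" | grep '^-A' | grep -E 'docker0|DOCKER' || true
}

# Docker rules present in the first dump but absent from the second.
missing_docker_rules() {
    docker_rules "$1" | while IFS= read -r rule; do
        docker_rules "$2" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# Count of lost Docker rules; 0 means the reload preserved them all.
count_missing() {
    missing_docker_rules "$1" "$2" | awk 'END { print NR }'
}

if [ "$(count_missing "$BEFORE" "$AFTER")" -eq 0 ]; then
    echo "all Docker rules survived"
else
    echo "Docker rules lost:"; missing_docker_rules "$BEFORE" "$AFTER"
fi
```
    </programlisting>

    <para>Run against real dumps, a non-zero count after a reload means the
    DOCKER=Yes save/restore did not cover that rule (for example a chain other
    than those referencing docker0), which is worth knowing before relying on
    the published ports staying reachable.</para>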

    <para><filename>/etc/shorewall/shorewall.conf</filename>:</para>

    <programlisting>DOCKER=Yes</programlisting>

    <para><filename>/etc/shorewall/zones</filename>:</para>

    <programlisting>#ZONE    TYPE    OPTIONS
dock     ipv4            #'dock' is just an example -- call it anything you like</programlisting>

    <para><filename>/etc/shorewall/policy</filename>:</para>

    <programlisting>#SOURCE  DEST    POLICY   LEVEL
dock     $FW     REJECT
dock     all     ACCEPT</programlisting>

    <para><filename>/etc/shorewall/interfaces</filename>:</para>

    <programlisting>#ZONE    INTERFACE    OPTIONS
dock     docker0      bridge                 #Allow ICC (bridge implies routeback=1)</programlisting>

    <para>or</para>

    <programlisting>#ZONE    INTERFACE    OPTIONS
dock     docker0      bridge,routeback=0     #Disallow ICC</programlisting>
  </section>
</article>