Docker behind firewalld

Running Docker containers behind firewalld can be a routing nightmare. I had to run CentOS 7 Docker images on a customised CentOS 7 host, and the situation turned into an incompatibility fest pretty soon after I figured out the following:

  • the CentOS host came with no firewall configured, yet systemctl listed dbus-org.fedoraproject.FirewallD1.service,
  • Dockerised CentOS containers have no systemd,
  • Docker’s internal routing isn’t exactly the shiniest piece of Docker’s documentation,
  • iptables-services and firewalld shouldn’t run simultaneously, and use of iptables-services is strongly discouraged on the new Red Hat releases in favour of the new interface, firewalld,
  • the Docker daemon writes its own rules to Netfilter directly, which an “iptables -L” inspection shows clearly,
  • Docker (apparently) picks RFC1918 addresses for new containers on its own (172.17.0.0/16 in my case),
  • Docker assigns two IPs to each container regardless of the third IP you might ask for on the command line during “docker run…”.

Fun, eh?

After a trillion attempts, here is the sanest and simplest solution I have come by so far:

  • add an alias to an existing interface (IPADDR[N] in Red Hat’s newspeak) in a range far away from Docker’s choice, e.g. 10/8; a note here on the new CentOS net-tools: ifconfig won’t show the alias, so use “ip addr show” to assure yourself it is there,
  • then use firewalld on the host for the routing; it works as expected, with a caveat: a restart (or reload) of firewalld flushes the rules Docker wrote, so you are stuck with the containers already connected, and to get networking for another one you have to restart the Docker daemon. Thus restarting is a no-no, and you should use the “--permanent” switch for any rule you want to keep,
  • finally, add Docker’s source net (e.g. 172.17.0.0/16) to the trusted zone, or everything will work except “docker build”, which will not be able to reach the network from within the container being built.
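The three steps above as one script, added here as an example and not taken from the original post. It assumes a host NIC named eth0, an alias of 10.99.0.1/24, and Docker's default bridge subnet 172.17.0.0/16 (all assumptions, change them via the environment); by default it only prints the privileged commands (DRY_RUN=1), and it refuses to proceed if the alias would land inside Docker's subnet, which is the "far away from Docker's choice" check done by hand in the post. The `ip -o -4 addr show` output it parses is a constructed sample, used in place of a live host.

```shell
#!/bin/sh
# Added example (not the original post's code): host alias + firewalld trusted
# zone for Docker on CentOS 7. Assumed values below; DRY_RUN=0 as root to apply.
IFACE="${IFACE:-eth0}"
ALIAS_CIDR="${ALIAS_CIDR:-10.99.0.1/24}"
DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Dotted quad -> 32-bit integer, so prefix arithmetic works in plain sh.
ip2int() {
  ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Exit 0 when two CIDR blocks share any address: compare both networks under
# the shorter of the two prefixes.
cidr_overlap() {
  na=$(ip2int "${1%/*}"); pa=${1#*/}
  nb=$(ip2int "${2%/*}"); pb=${2#*/}
  p=$pa; [ "$pb" -lt "$p" ] && p=$pb
  mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
  [ $(( na & mask )) -eq $(( nb & mask )) ]
}

# First "addr/prefix" of an interface from `ip -o -4 addr show` output on stdin.
# net-tools' ifconfig hides secondary addresses, hence `ip addr show`.
iface_cidr() { awk -v i="$1" '$2 == i && $3 == "inet" { print $4; exit }'; }

# Step 1: runtime alias on the host NIC. To persist it across reboots, add
# IPADDR1=/PREFIX1= (the "IPADDR[N]" of the post) to
# /etc/sysconfig/network-scripts/ifcfg-$IFACE.
add_alias() { run ip addr add "$ALIAS_CIDR" dev "$IFACE"; }

# Steps 2 and 3: each rule is issued twice, once for the running configuration
# and once with --permanent, because --permanent alone does nothing until a
# reload, and a reload or restart of firewalld flushes the chains Docker wrote,
# after which `systemctl restart docker` is needed to get them back.
trust_docker_net() {
  run firewall-cmd --zone=trusted --add-source="$DOCKER_NET"
  run firewall-cmd --permanent --zone=trusted --add-source="$DOCKER_NET"
}

# Refuse to continue when the alias would fall inside Docker's subnet.
check_alias_clear() {
  if cidr_overlap "$ALIAS_CIDR" "$DOCKER_NET"; then
    echo "alias $ALIAS_CIDR overlaps docker net $DOCKER_NET" >&2
    return 1
  fi
}

# Constructed sample of `ip -o -4 addr show` on a host with the alias in place
# (not captured from a real machine).
SAMPLE_IP_OUT='2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 10.99.0.1/24 scope global secondary eth0\       valid_lft forever preferred_lft forever
3: docker0    inet 172.17.0.1/16 scope global docker0\       valid_lft forever preferred_lft forever'

# Cross-check the assumed Docker subnet against what the bridge actually has.
bridge_cidr=$(printf '%s\n' "$SAMPLE_IP_OUT" | iface_cidr docker0)
if cidr_overlap "$ALIAS_CIDR" "$bridge_cidr"; then
  echo "alias $ALIAS_CIDR overlaps docker0 ($bridge_cidr)" >&2
  exit 1
fi

check_alias_clear || exit 1
add_alias
trust_docker_net
```

Run with DRY_RUN=0 only after checking the printed commands; `firewall-cmd --reload` is deliberately absent, since the runtime rule is applied directly and the permanent copy is picked up at the next boot, avoiding the Docker-rule flush the post warns about.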

I guess those two, Docker and the new CentOS firewall, will start playing together more tightly in the future, but for the time being exploring them is not a breeze.

There, I hope it will save you a few hours.
