Could CSF be causing problems with Docker?

Posted: 30 Jun 2015, 22:56
by Brook
I'm having problems with a Docker container on my server which loses connection to the internet intermittently (it seems to be ok for a day to a few days, then loses connection to the internet). I've posted an issue with Docker, and they think it might be CSF:
The problem is most likely caused by your custom firewall which runs a script periodically and breaks the firewall. Please check if that's the case.
Does anyone know if CSF might be running some sort of script that could do this?

Re: Could CSF be causing problems with Docker?

Posted: 14 Jul 2015, 20:59
by giuga
Hi Brook,

I've had the same problem and discovered it was from the CSF auto update functionality.
When CSF is updated it also reloads the IP tables rules which break the forwarding done by docker.

You can reproduce this by starting a docker container and then running csf -r: the docker container will no longer be available. The only solution (which I have found until now) is to restart the docker daemon and start up the container.

Hope this helps.

Cheers

Re: Could CSF be causing problems with Docker?

Posted: 11 Aug 2015, 19:17
by dclark
This issue affects any iptables reloads as the docker rules are lost.

To resolve this, create the following in /etc/csf/csfpre.sh:

iptables -t nat -N DOCKER
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

iptables -t filter -N DOCKER
iptables -t filter -A FORWARD -o docker0 -j DOCKER
iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT


A csf -r will now reload the docker rules and networking inside the container should continue.
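A quick way to confirm that the rules from the csfpre.sh snippet above actually survived a reload is to inspect the live ruleset rather than wait for a container to lose connectivity. The script below is an added example, not dclark's script or anything shipped with CSF or Docker: it parses iptables-save output, tracks which table each line belongs to, and reports whether the DOCKER chains and a representative subset of the rules listed above are present. It assumes the default 172.17.0.0/16 bridge subnet and the docker0 interface name used in the post; the two sample dumps are constructed for the demo.

```shell
#!/bin/sh
# Checks an iptables-save dump for the Docker chains and rules that a
# CSF reload (csf -r) is known to flush. Added example; assumes the rule
# set from the csfpre.sh snippet above (docker0 bridge, 172.17.0.0/16).

# Returns 0 when every required chain/rule is present in the dump, 1 otherwise.
# Each missing entry is reported on stderr. Argument: the text of iptables-save.
check_docker_rules() {
    dump="$1"
    missing=0
    # Required entries as "table|line-prefix" pairs (prefix match on the dump line).
    for req in \
        'nat|:DOCKER -' \
        'nat|-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' \
        'nat|-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' \
        'filter|:DOCKER -' \
        'filter|-A FORWARD -o docker0 -j DOCKER' \
        'filter|-A FORWARD -i docker0 ! -o docker0 -j ACCEPT'
    do
        table=${req%%|*}
        line=${req#*|}
        # awk remembers the current table from "*nat" / "*filter" headers and
        # looks for a line in that table starting with the required text.
        if ! printf '%s\n' "$dump" | awk -v t="$table" -v l="$line" '
            /^\*/ { cur = substr($0, 2); next }
            cur == t && index($0, l) == 1 { found = 1 }
            END { exit found ? 0 : 1 }'
        then
            echo "missing in $table table: $line" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: iptables-save while Docker's rules are intact.
SAMPLE_OK='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT'

# Constructed sample: the same host after a firewall reload flushed Docker's chains.
SAMPLE_AFTER_RELOAD='*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -j DROP
COMMIT'

# Stand-alone demo on the constructed samples. On a real host replace the
# argument with "$(iptables-save)" and run this right after csf -r.
for sample in "$SAMPLE_OK" "$SAMPLE_AFTER_RELOAD"; do
    if check_docker_rules "$sample"; then
        echo "docker rules present"
    else
        echo "docker rules missing: reload csfpre.sh rules or restart the docker daemon"
    fi
done
```

Running it with the real `iptables-save` output after `csf -r` tells you immediately whether csfpre.sh took effect, and the per-table report shows which of the nat or filter entries did not come back.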

Re: Could CSF be causing problems with Docker?

Posted: 20 Jul 2017, 12:49
by marcele
We were also having problems with docker and CSF where we couldn't connect to ports inside the container. After trying many different methods outlined, it turns out that the CSF config had this set:
ETH_DEVICE="eth0"

Removing eth0 from ETH_DEVICE so CSF could apply rules to all NICs fixed all our issues. Hopefully this will help anyone else having problems.

Re: Could CSF be causing problems with Docker?

Posted: 27 May 2020, 14:53
by Brook
marcele wrote: 20 Jul 2017, 12:49 We were also having problems with docker and CSF where we couldn't connect to ports inside the container. After trying many different methods outlined, it turns out that the CSF config had this set:
ETH_DEVICE="eth0"

Removing eth0 from ETH_DEVICE so CSF could apply rules to all NICs fixed all our issues. Hopefully this will help anyone else having problems.
Thanks for that Marcele. Did you have to add any further iptables rules for specific ports? (If so do you have an example please?) Or did simply removing eth0 from ETH_DEVICE do the trick for you?

//
Side note: adding https://jsherz.com/docker/configserver/ ... ocker.html and https://github.com/sensson/puppet-csf/b ... _docker.sh for future reference.
//