[ale] Speaking of containers: Docker and iptables

Lightner, Jeffrey JLightner at dsservices.com
Tue Oct 31 10:21:27 EDT 2017


Docker containers insert rules on start of the container and remove them on stop of the container to the base system’s iptables to allow for internal communications. I’d be leery of interfering with that process.

Question that just occurred to me:
Would one classify the base OS (not the individual containers) as a hypervisor or is there a better term for it?

From: Ale [mailto:ale-bounces at ale.org] On Behalf Of James Sumners
Sent: Tuesday, October 31, 2017 9:59 AM
To: Atlanta Linux Enthusiasts - Yes! We run Linux!
Subject: [ale] Speaking of containers: Docker and iptables

I need to update my internal Redis servers from RHEL6 to RHEL7. Since stupid redis.io doesn't provide a yum repository, and the EPEL packages are "old stable," I am looking at deploying them with the `redis:4` image. While researching this plan, it has come to my attention that `dockerd` defaults to injecting iptables rules automatically. This is not great, especially if you limit access to your Redis servers by firewall rules (i.e. only from certain clients).

So, let's say you use the packages from https://download.docker.com/linux/centos/7/x86_64/stable/ to run Docker. You will want to do the following to prevent this silliness:

```
# Run as root. A drop-in override keeps the vendor docker.service (its [Unit]
# and [Install] sections) intact; the empty "ExecStart=" line is required
# before an ExecStart can be redefined in a drop-in.
mkdir -p /etc/systemd/system/docker.service.d
printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd --iptables=false\n' \
    > /etc/systemd/system/docker.service.d/no-iptables.conf
systemctl daemon-reload
systemctl restart docker.service
```

--
James Sumners
http://james.sumners.info/ (technical profile)
http://jrfom.com/ (personal site)
http://haplo.bandcamp.com/ (music)
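An added example, not from either message in this thread: a small audit script that shows why the default matters for a host that restricts Redis in its INPUT chain. With iptables management on, dockerd creates a DOCKER chain that is reached from FORWARD, so an ACCEPT for a published port there is never checked against INPUT rules; the DOCKER-USER chain is the place dockerd leaves for admin rules. The `iptables -S` output below is constructed (addresses, chain contents and the single published port 6379 are made up), and the `iptables` key in `/etc/docker/daemon.json` is a dockerd option that the thread does not mention, offered as the alternative to editing the unit file.

```shell
#!/bin/sh
# Added example (not from the original thread). Parses the output of
# `iptables -S` so it can be run on the constructed sample below or on
# "$(iptables -S)" from a live host.

# Constructed sample: dockerd manages iptables, one container publishes
# port 6379, and INPUT only allows 10.0.0.5 to reach 6379 on the host.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 6379 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN'

# docker_manages_iptables RULES -> yes/no: dockerd creates the DOCKER chain
# only when it is running with iptables management enabled.
docker_manages_iptables() {
    if printf '%s\n' "$1" | grep -q '^-N DOCKER$'; then
        echo yes
    else
        echo no
    fi
}

# docker_exposed_ports RULES -> one "dest_ip:port" per line for each ACCEPT
# dockerd added to the DOCKER chain. Traffic hitting these rules is
# forwarded, so the INPUT restriction above never applies to it.
docker_exposed_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "DOCKER" && $NF == "ACCEPT" {
            ip = ""; port = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-d") { ip = $(i+1); sub(/\/32$/, "", ip) }
                if ($i == "--dport") port = $(i+1)
            }
            if (ip != "" && port != "") print ip ":" port
        }'
}

# docker_user_restricts RULES -> yes if DOCKER-USER holds anything beyond
# the default "-j RETURN", i.e. the admin has placed rules where dockerd
# will honour them instead of in INPUT.
docker_user_restricts() {
    n=$(printf '%s\n' "$1" | grep -c '^-A DOCKER-USER ' || true)
    ret=$(printf '%s\n' "$1" | grep -c '^-A DOCKER-USER -j RETURN$' || true)
    if [ "$n" -gt "$ret" ]; then echo yes; else echo no; fi
}

# daemon_json_iptables_off -> /etc/docker/daemon.json content that turns
# iptables management off without touching the systemd unit.
daemon_json_iptables_off() {
    printf '{\n  "iptables": false\n}\n'
}

# Report for the constructed sample.
echo "dockerd manages iptables: $(docker_manages_iptables "$SAMPLE_RULES")"
echo "published ports reachable via FORWARD (INPUT rules bypassed):"
docker_exposed_ports "$SAMPLE_RULES" | sed 's/^/  /'
echo "DOCKER-USER restricts forwarded traffic: $(docker_user_restricts "$SAMPLE_RULES")"
echo "alternative to editing the unit, /etc/docker/daemon.json:"
daemon_json_iptables_off | sed 's/^/  /'
```

On the sample this reports that 172.17.0.2:6379 is accepted through the DOCKER chain while DOCKER-USER is still the default RETURN, which is exactly the case where an INPUT-only allow list gives a false sense of restriction. Either disabling iptables management (unit override or daemon.json) or moving the client allow list into DOCKER-USER closes that gap.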