[ale] Speaking of containers: Docker and iptables
James Sumners
james.sumners at gmail.com
Tue Oct 31 10:25:12 EDT 2017
This has nothing to do with the internal communications between running
containers. Those have their own network. This is about Docker exposing
ports specified with `EXPOSE 12345` lines in Dockerfiles to the outside
world. From my Harbor server (VMware's "hub" product):
```
Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:514
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.7           tcp dpt:4443
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.7           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.7           tcp dpt:80
```
On Tue, Oct 31, 2017 at 10:21 AM, Lightner, Jeffrey <JLightner at dsservices.com> wrote:
> Docker containers insert rules on start of the container and remove them
> on stop of the container to the base system’s iptables to allow for
> internal communications. I’d be leery of interfering with that process.
>
> Question that just occurred to me:
> Would one classify the base OS (not the individual containers) as a
> hypervisor or is there a better term for it?
>
> From: Ale [mailto:ale-bounces at ale.org] On Behalf Of James Sumners
> Sent: Tuesday, October 31, 2017 9:59 AM
> To: Atlanta Linux Enthusiasts - Yes! We run Linux!
> Subject: [ale] Speaking of containers: Docker and iptables
>
> I need to update my internal Redis servers from RHEL6 to RHEL7. Since
> stupid redis.io doesn't provide a yum repository, and the EPEL packages
> are "old stable," I am looking at deploying them with the `redis:4` image.
> While researching this plan, it has come to my attention that `dockerd`
> defaults to injecting iptables rules automatically. This is not great;
> especially if you limit access to your Redis servers by firewall rules
> (i.e. only from certain clients).
>
> So, let's say you use the packages from
> https://download.docker.com/linux/centos/7/x86_64/stable/ to run Docker.
> You will want to do the following to prevent this silliness:
>
> ```
> # A drop-in keeps the packaged unit (its [Unit], Type=notify and [Install]
> # sections) instead of shadowing it with a file that has only [Service];
> # the empty ExecStart= line clears the packaged command before replacing it.
> $ mkdir -p /etc/systemd/system/docker.service.d
> $ printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd --iptables=false\n' > /etc/systemd/system/docker.service.d/override.conf
> $ systemctl daemon-reload
> $ systemctl restart docker.service
> ```
>
> --
>
> James Sumners
> http://james.sumners.info/ (technical profile)
> http://jrfom.com/ (personal site)
> http://haplo.bandcamp.com/ (music)
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
--
James Sumners
http://james.sumners.info/ (technical profile)
http://jrfom.com/ (personal site)
http://haplo.bandcamp.com/ (music)
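The DOCKER chain listing above and the `--iptables=false` workaround in the thread, worked through as an added example; this is not code from either poster, from Docker, or from Harbor. The first function reads `iptables -L DOCKER -n` output and reports every ACCEPT rule whose source is `0.0.0.0/0`. Those rules sit in the FORWARD path that Docker's DNAT hands published ports to, so INPUT-chain restrictions on the host (the "only from certain clients" policy for Redis) never see that traffic. The second function emits rules for the DOCKER-USER chain, which dockerd 17.06 and later evaluates before its own DOCKER chain and leaves to the administrator; this keeps port publishing working, whereas `--iptables=false` also removes the DNAT and masquerade rules that published ports depend on. The sample chain, the external interface `eth0`, the client network `10.1.2.0/24` and the container addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example for this thread (not code from either poster or from Docker).
# 1) audit_docker_chain: read `iptables -L DOCKER -n` output on stdin and list
#    every ACCEPT rule whose source is 0.0.0.0/0, i.e. a container port that
#    dockerd opened to the world through the FORWARD chain.
# 2) docker_user_rules: emit the iptables commands that drop traffic to a
#    published port unless it arrives from an allowed client network, placed
#    in the DOCKER-USER chain, which Docker evaluates before its DOCKER chain.

# Constructed sample in `iptables -L DOCKER -n` format, modeled on the Harbor
# listing in the thread, plus one assumed rule already limited to 10.0.0.0/8.
SAMPLE_DOCKER_CHAIN='Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:514
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.7           tcp dpt:4443
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.7           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.7           tcp dpt:80
ACCEPT     tcp  --  10.0.0.0/8           172.18.0.9           tcp dpt:6379'

# Print "container_ip port" for each world-reachable ACCEPT rule on stdin.
# Columns: target prot opt source destination [proto dpt:PORT ...]
audit_docker_chain() {
    awk '$1 == "ACCEPT" && $4 == "0.0.0.0/0" {
        for (i = 6; i <= NF; i++)
            if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $5, $i }
    }'
}

# Number of world-reachable rules on stdin; handy as a one-line host check.
count_open_ports() {
    audit_docker_chain | wc -l | tr -d ' '
}

# docker_user_rules EXT_IF ALLOWED_CIDR PORT...
# Restrict the given published (host-side) ports to ALLOWED_CIDR. Published
# traffic is DNATed in PREROUTING before it reaches FORWARD/DOCKER-USER, so the
# port the client connected to is matched with conntrack's --ctorigdstport;
# a plain --dport here would see the container's port instead.
docker_user_rules() {
    ext_if=$1; allowed=$2; shift 2
    printf 'iptables -N DOCKER-USER 2>/dev/null || true\n'
    for port in "$@"; do
        printf 'iptables -I DOCKER-USER -i %s -p tcp -m conntrack --ctorigdstport %s ! -s %s -j DROP\n' \
            "$ext_if" "$port" "$allowed"
    done
}

# Stand-alone demo on the constructed sample. On a real host replace the
# sample with: iptables -L DOCKER -n | audit_docker_chain
printf '%s\n' "$SAMPLE_DOCKER_CHAIN" | audit_docker_chain
docker_user_rules eth0 10.1.2.0/24 6379 443
```

The generated DROP rules are inserted at the top of DOCKER-USER, so they run before anything Docker adds; traffic from the allowed network falls through to the DOCKER chain and is accepted as before. Pipe the output into `sh` on the host once it reads the way you expect, and persist it with whatever the host already uses for iptables rules, since dockerd will not recreate it.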