Commit graph

30 commits

Author SHA1 Message Date
Jessie Frazelle
88c612a22d Merge pull request #12318 from aarondav/best-effort-iptables-lock
Do our best not to invoke iptables concurrently if --wait is unsupported
2015-05-07 17:00:26 -07:00
Arnaud Porterie
baa5a896a2 Add --userland-proxy daemon flag
The `--userland-proxy` daemon flag makes it possible to rely on hairpin
NAT and additional iptables routes instead of userland proxy for port
publishing and inter-container communication.

Usage of the userland proxy remains the default as hairpin NAT is
unsupported by older kernels.

Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
2015-05-04 16:07:45 -07:00
Gaurav
23db1c36a6 Make use of iptablesPath variable which has the path of iptables, instead of using string iptables directly
Signed-off-by: Gaurav <gaurav.gosec@gmail.com>
2015-04-30 18:22:12 +05:30
Aaron Davidson
81e1cdca21 Do our best not to invoke iptables concurrently if --wait is unsupported
We encountered a situation where concurrent invocations of the docker daemon on a machine with an older version of iptables led to nondeterministic errors related to simultaenous invocations of iptables.

While this is best resolved by upgrading iptables itself, the particular situation would have been avoided if the docker daemon simply took care not to concurrently invoke iptables. Of course, external processes could also cause iptables to fail in this way, but invoking docker in parallel seems like a pretty common case.

Signed-off-by: Aaron Davidson <aaron@databricks.com>
2015-04-29 14:40:25 -07:00
Tibor Vass
1ad5a79e51 Merge pull request #9397 from jpopelka/9395-firewalld
Firewalld support
2015-04-23 16:58:08 -04:00
Jiri Popelka
5e167a6493 Support for Firewalld
Firewalld [1] is a firewall managing daemon with D-Bus interface.

What sort of problem are we trying to solve with this ?

Firewalld internally also executes iptables/ip6tables to change firewall settings.
It might happen on systems where both docker and firewalld are running
concurrently, that both of them try to call iptables at the same time.
The result is that the second one fails because the first one is holding a xtables lock.
One workaround is to use --wait/-w option in both
docker & firewalld when calling iptables.
It's already been done in both upstreams:
b315c380f4
b3b451d6f8
But it'd still be better if docker used firewalld when it's running.

Other problem the firewalld support would solve is that
iptables/firewalld service's restart flushes all firewall rules
previously added by docker.
See next patch for possible solution.

This patch utilizes firewalld's D-Bus interface.
If firewalld is running, we call direct.passthrough() [2] method instead
of executing iptables directly.
direct.passthrough() takes the same arguments as iptables tool itself
and passes them through to iptables tool.
It might be better to use other methods, like direct.addChain and
direct.addRule [3] so it'd be more intergrated with firewalld, but
that'd make the patch much bigger.
If firewalld is not running, everything works as before.

[1] http://www.firewalld.org/
[2] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.passthrough
[3] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.addChain
    https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.addRule

Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
2015-04-20 13:02:03 +02:00
Antonio Murdaca
221acfd266 Add minor stylistic fixes
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-16 21:22:32 +02:00
Brian Goff
9ddebf2114 Merge pull request #11788 from reikani/pchoi
Changed snake case naming to camelCase.
2015-03-26 23:55:50 -07:00
Antonio Murdaca
18180bfabf Replace aliased imports of logrus, fixes #11762
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-03-26 23:22:04 +01:00
Peter Choi
ecbb2a9d58 Changed snake case naming to camelCase
Signed-off-by: Peter Choi <phkchoi89@gmail.com>
2015-03-26 15:05:45 -06:00
Lars Kellogg-Stedman
ef50a94a9c fix various problems with iptables.Exists
This modifies iptables.Exists so that it must be called with an explicit
table and chain.  This allows us (a) to generate an appropriate command
line for "iptables -C", which was not previously possible, and (b) it
allows us to limit our strings.Contains() search to just the table and
chain in question, preventing erroneous matches against unrelated rules.

Resolves #10781

Signed-off-by: Lars Kellogg-Stedman <lars@redhat.com>
2015-03-16 17:14:45 -04:00
Phil Estes
3ffffc0cff Move iptables check out of runtime init() to separate function
Due to the iptables package being `init`ed at start of the docker
runtime, this means the iptables --wait command listing all rules
is run, no matter if the command is simply "docker -h".  It makes
more sense to both locate the iptables command and check for the
wait flag support at the time iptables is actually used, as it
may not be used at all if certain network support is off/configured
differently.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-01-20 21:04:22 -05:00
Ian Bishop
18fe796679 Create tests for pkg/iptables
Docker-DCO-1.1-Signed-off-by: Ian Bishop <ianbishop@pace7.com> (github: porjo)
2014-12-21 12:57:32 +10:00
Porjo
7bcd294c4e Create DOCKER forward chain on driver init
Docker-DCO-1.1-Signed-off-by: Ian Bishop <ianbishop@pace7.com> (github: porjo)
2014-12-21 12:57:32 +10:00
Porjo
79e3a90569 Move per-container forward rules to DOCKER chain
Docker-DCO-1.1-Signed-off-by: Ian Bishop <ianbishop@pace7.com> (github: porjo)
2014-12-21 12:57:32 +10:00
Jessica Frazelle
26f399ddf3 Typed errors for iptables chain raw command output. YAYYYYYY.
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
2014-11-20 18:07:11 -08:00
Michael Crosby
869842478e Revert "Support hairpin NAT"
This reverts commit 95a400e6e1a3b5da68431e64f9902a3fac218360.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-11-20 14:22:32 -08:00
Patrick Hemmer
21fc078476 Support hairpin NAT
This re-applies commit b39d02b with additional iptables rules to solve the issue with containers routing back into themselves.

The previous issue with this attempt was that the DNAT rule would send traffic back into the container it came from. When this happens you have 2 issues.
1) reverse path filtering. The container is going to see the traffic coming in from the outside and it's going to have a source address of itself. So reverse path filtering will kick in and drop the packet.
2) direct return mismatch. Assuming you turned reverse path filtering off, when the packet comes back in, it's goign to have a source address of itself, thus when the reply traffic is sent, it's going to have a source address of itself. But the original packet was sent to the host IP address, so the traffic will be dropped because it's coming from an address which the original traffic was not sent to (and likely with an incorrect port as well).

The solution to this is to masquerade the traffic when it gets routed back into the origin container. However for this to work you need to enable hairpin mode on the bridge port, otherwise the kernel will just drop the traffic.
The hairpin mode set is part of libcontainer, while the MASQ change is part of docker.

This reverts commit 63c303eecdbaf4dc7967fd51b82cd447c778cecc.

Docker-DCO-1.1-Signed-off-by: Patrick Hemmer <patrick.hemmer@gmail.com> (github: phemmer)
2014-11-03 23:09:08 -05:00
Alexandr Morozov
712a6554ce Use logrus everywhere for logging
Fixed #8761

Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
2014-10-24 15:03:06 -07:00
Vincent Batts
d53bedb1b7 daemon logging: unifying output and timestamps
A little refactor of the ./pkg/log so engine can have a logger instance

Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-09-26 14:44:46 -04:00
Jessica Frazelle
3ed103c543 Fix duplicate iptables rules
If iptables version is < 1.4.11, try to delete the rule vs. checking if it exists. Fixes #6831.

Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jfrazelle@users.noreply.github.com> (github: jfrazelle)
2014-09-07 15:12:19 -07:00
Victor Vieux
6d70b5e210 use stderr to debug iptables
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-05-30 19:39:42 +00:00
Giuseppe Mazzotta
d68100ec34 * do not consider iptables' output an error in case of xtables lock
Docker-DCO-1.1-Signed-off-by: Giuseppe Mazzotta <gdm85@users.noreply.github.com> (github: gdm85)
2014-05-29 15:57:29 +02:00
Michael Crosby
1c07f75e6f Add check for iptables xlock support
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-23 14:18:50 -07:00
Michael Crosby
cc706701b0 Add wait flag to iptables
Fixes #1573
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-23 01:24:58 +00:00
Michael Crosby
1df38475cd Revert "Support hairpin NAT without going through docker server"
This reverts commit b39d02b611f1cc0af283f417b73bf0d36f26277a.

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-09 11:55:08 +00:00
Darren Shepherd
3d2d4a0624 Support hairpin NAT without going through docker server
Hairpin NAT is currently done by passing through the docker server.  If
two containers on the same box try to access each other through exposed
ports and using the host IP the current iptables rules will not match the
DNAT and thus the traffic goes to 'docker -d'

This change drops the restriction that DNAT traffic must not originate
from docker0.  It should be safe to drop this restriction because the
DOCKER chain is already gated by jumps that check for the destination
address to be a local address.

Docker-DCO-1.1-Signed-off-by: Darren Shepherd <darren.s.shepherd@gmail.com> (github: ibuildthecloud)
2014-03-03 21:53:57 -07:00
Josh Poimboeuf
a298bd3b63 iptables: use dest_addr and dest_port for public port FORWARD rule
Docker-DCO-1.1-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> (github: jpoimboe)
2014-02-04 11:32:50 -06:00
Josh Poimboeuf
c6b78b9d31 network: add publicly mapped ports to FORWARD table
Allow publicly mapped ports to be made public beyond the host.  This is
needed for distros like Fedora and RHEL which have a reject all rule at
the end of their FORWARD table.

Docker-DCO-1.1-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> (github: jpoimboe)
2014-01-28 13:11:49 -06:00
Solomon Hykes
fe61edbb36 Move utility package 'iptables' to pkg/iptables 2014-01-06 15:41:24 -08:00