Fedora firewall rules caveat and DNS #2206

dghubble · 2016-02-22T20:24:05Z

The distributions doc metions that Fedora's firewall rules block traffic and recommend flushing the IP tables.

sudo iptables -F
sudo iptables -F -t nat

That works, but maybe that recommendation can be less destructive? Better to trust each rkt net?

sudo firewall-cmd --add-source=172.16.28.0/24 --zone=trusted

Maybe this is something CNI should address or does address?

Original Problem (for people Googling): Some minimal examples with alpine or busybox resolve DNS queries properly when run on a Debian/Ubuntu host, but fail on a Fedora host.

sudo rkt run quay.io/coreos/alpine-sh --interactive --exec=/bin/ash --volume dns,kind=host,source=/etc/resolv.conf --mount volume=dns,target=/etc/resolv.conf
sudo rkt run --dns=192.168.1.1 quay.io/coreos/alpine-sh --interactive --exec=/bin/ash --volume dns,kind=host,source=/etc/resolv.conf --mount volume=dns,target=/etc/resolv.conf

# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.1.1

# ping www.google.com
ping: bad address 'www.google.com'

# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=63 time=4.996 ms
64 bytes from 192.168.1.1: seq=1 ttl=63 time=28.807 ms
64 bytes from 192.168.1.1: seq=2 ttl=63 time=5.100 ms

Ping-able, but not DNS query-able.

Versions:

Fedora 23
rkt Version: 1.0.0
appc Version: 0.7.4
Go Version: go1.5.3
Go OS/Arch: linux/amd64
Features: -TPM

The text was updated successfully, but these errors were encountered:

On distributions using FirewallD like Fedora, we need to register the new IP to FirewallD. Related to: rkt/rkt#2206

alban · 2016-02-26T14:31:50Z

Thanks for the commands! I am using firewall-cmd --add-source=172.16.28.0/24 --zone=trusted and firewall-cmd --remove-source=172.16.28.0/24 --zone=trusted in this CNI pull request:

containernetworking/cni#138

On distributions using FirewallD like Fedora, we need to register the new IP to FirewallD. Related to: rkt/rkt#2206

On distributions using FirewallD like Fedora, we need to register the new IP to FirewallD. See https://fedoraproject.org/wiki/FirewallD Related to: rkt/rkt#2206

On distributions using FirewallD like Fedora, we need to register the new IP to FirewallD. Supported plugins: ptp, bridge. See https://fedoraproject.org/wiki/FirewallD Related to: rkt/rkt#2206

alban · 2016-03-31T16:19:41Z

Pending on the CNI PR. Moving to next milestone.

jonboulle · 2016-04-13T13:32:47Z

still waiting on CNI?

alban · 2016-04-13T14:13:32Z

@jonboulle yes. @steveej added a comment but I didn't have time to follow up.

jonboulle · 2016-05-12T13:15:52Z

Removing from specific milestone until firewall issues are followed up in CNI.

philips · 2016-05-12T14:41:59Z

@rhatdan Is there anyone from the Fedora or RH community who would want to figure out how to integrate rkt and CNI with firewalld?

alban · 2016-05-12T14:43:59Z

@philips there is a PR already (containernetworking/cni#138) but @steveej wanted to refactor it as a CNI plugin.

rhatdan · 2016-05-12T14:50:25Z

Best to open a bugzilla on rkt and then we can point the firewalld team at it. But this pull request looks like someone has been looking at it.

kushaldas · 2016-12-06T09:46:54Z

Do we have any update on this issue?

jonathanunderwood · 2017-11-15T09:03:34Z

Is the situation still the same? If so, would be great to update the docs to refer to current Fedora releases - 26 and 27. The docs refer to Fedora 24 and 25 which are EOL.

dghubble · 2017-11-15T18:52:12Z

Yes, I believe this is still the case.

dghubble changed the title ~~Fedora DNS caveat and firewall rules~~ Fedora firewall rules caveat and DNS Feb 22, 2016

dghubble added kind/documentation area/distribution labels Feb 22, 2016

joshix mentioned this issue Feb 23, 2016

documentation: more distro-specific instructions #2202

Closed

6 tasks

alban added this to the v1.2.0 milestone Feb 23, 2016

alban mentioned this issue Feb 23, 2016

*: package rkt for Fedora #1304

Open

3 tasks

alban added the area/networking label Feb 26, 2016

alban added a commit to kinvolk-archives/appc-cni that referenced this issue Feb 26, 2016

firewalld: integration

874d83c

On distributions using FirewallD like Fedora, we need to register the new IP to FirewallD. Related to: rkt/rkt#2206

alban mentioned this issue Feb 26, 2016

firewalld: integration containernetworking/cni#138

Closed

alban added a commit to kinvolk-archives/appc-cni that referenced this issue Mar 3, 2016

firewalld: integration

4e1e045

On distributions using FirewallD like Fedora, we need to register the new IP to FirewallD. Related to: rkt/rkt#2206

alban added a commit to kinvolk-archives/appc-cni that referenced this issue Mar 7, 2016

firewalld: integration

dc63019

On distributions using FirewallD like Fedora, we need to register the new IP to FirewallD. Related to: rkt/rkt#2206

alban added a commit to kinvolk-archives/appc-cni that referenced this issue Mar 7, 2016

firewalld: integration

1d0d0af

On distributions using FirewallD like Fedora, we need to register the new IP to FirewallD. Related to: rkt/rkt#2206

alban modified the milestones: v1.3.0, v1.2.0 Mar 18, 2016

alban added a commit to kinvolk-archives/appc-cni that referenced this issue Mar 21, 2016

firewalld: integration

ae2cfbf

On distributions using FirewallD like Fedora, we need to register the new IP to FirewallD. Related to: rkt/rkt#2206

alban added a commit to kinvolk-archives/appc-cni that referenced this issue Mar 21, 2016

firewalld: integration

28b2cac

On distributions using FirewallD like Fedora, we need to register the new IP to FirewallD. See https://fedoraproject.org/wiki/FirewallD Related to: rkt/rkt#2206

alban modified the milestones: v1.4.0, v1.3.0 Mar 31, 2016

iaguis added the priority/P1 label Apr 12, 2016

jonboulle added the depends-on/cni label Apr 13, 2016

alban modified the milestones: v1.5.0, v1.4.0 Apr 13, 2016

s-urbaniak modified the milestones: v1.6.0, v1.5.0 Apr 28, 2016

jonboulle modified the milestones: v1+, v1.6.0 May 12, 2016

vadorovsky mentioned this issue Feb 6, 2018

Add firewalld chained plugin containernetworking/plugins#114

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fedora firewall rules caveat and DNS #2206

Fedora firewall rules caveat and DNS #2206

dghubble commented Feb 22, 2016

alban commented Feb 26, 2016

alban commented Mar 31, 2016

jonboulle commented Apr 13, 2016

alban commented Apr 13, 2016

jonboulle commented May 12, 2016

philips commented May 12, 2016

alban commented May 12, 2016

rhatdan commented May 12, 2016

kushaldas commented Dec 6, 2016

jonathanunderwood commented Nov 15, 2017

dghubble commented Nov 15, 2017

Fedora firewall rules caveat and DNS #2206

Fedora firewall rules caveat and DNS #2206

Comments

dghubble commented Feb 22, 2016

alban commented Feb 26, 2016

alban commented Mar 31, 2016

jonboulle commented Apr 13, 2016

alban commented Apr 13, 2016

jonboulle commented May 12, 2016

philips commented May 12, 2016

alban commented May 12, 2016

rhatdan commented May 12, 2016

kushaldas commented Dec 6, 2016

jonathanunderwood commented Nov 15, 2017

dghubble commented Nov 15, 2017