Comments (8)
I found an issue with handling the die event instead of the kill event: sometimes docker is faster than the ufw-docker-automated script and the container doesn't exist anymore when calling the docker API to retrieve information on the container.
I need to use data from the event to clean ufw rules instead of calling the docker API a second time. Moreover, for the die event the container IP is not used anymore.
The issue would be the same during a kill event or even a start event: the ufw-docker-automated script could be really late in comparison with docker. And it could lead to trying to find a container that doesn't exist anymore (when doing start and stop multiple times). This script must be resilient when the container doesn't exist anymore.
It's not an issue for the start event because if the container doesn't exist anymore it means that the script will process a die event just after. So at least for die events it must work without the docker API call on the container. If not, we could sometimes find some ghost ufw rules remaining.
I also think issue #11 is related to this; I tested the same scenario with this fix and I don't have the issue of ghost rules anymore. So maybe the threading approach is not necessary anymore.
This issue was found in the ufw-threads tests; test scenario:

docker-compose.yml:

version: '2.4'
services:
  nginx1:
    image: nginx:alpine
    container_name: nginx1
    restart: unless-stopped
    labels:
      - UFW_MANAGED=true
      - UFW_ALLOW_FROM=192.168.0.0/24
      - UFW_DENY_OUTGOING=true
      - UFW_ALLOW_TO=any:53;dl-cdn.alpinelinux.org:80/tcp
    ports:
      - 8180:80
  nginx2:
    image: nginx:alpine
    container_name: nginx2
    restart: unless-stopped
    labels:
      - UFW_MANAGED=true
      - UFW_ALLOW_FROM=192.168.0.0/24
      - UFW_DENY_OUTGOING=true
      - UFW_ALLOW_TO=any:53;dl-cdn.alpinelinux.org:80/tcp
    ports:
      - 8280:80
  nginx3:
    image: nginx:alpine
    container_name: nginx3
    restart: unless-stopped
    labels:
      - UFW_MANAGED=true
      - UFW_ALLOW_FROM=192.168.0.0/24
      - UFW_DENY_OUTGOING=true
      - UFW_ALLOW_TO=any:53;dl-cdn.alpinelinux.org:80/tcp
    ports:
      - 8380:80
  nginx4:
    image: nginx:alpine
    container_name: nginx4
    restart: unless-stopped
    labels:
      - UFW_MANAGED=true
      - UFW_ALLOW_FROM=192.168.0.0/24
      - UFW_DENY_OUTGOING=true
      - UFW_ALLOW_TO=any:53;dl-cdn.alpinelinux.org:80/tcp
    ports:
      - 8480:80
  nginx5:
    image: nginx:alpine
    container_name: nginx5
    restart: unless-stopped
    labels:
      - UFW_MANAGED=true
      - UFW_ALLOW_FROM=192.168.0.0/24
      - UFW_DENY_OUTGOING=true
      - UFW_ALLOW_TO=any:53;dl-cdn.alpinelinux.org:80/tcp
    ports:
      - 8580:80
  nginx6:
    image: nginx:alpine
    container_name: nginx6
    restart: unless-stopped
    labels:
      - UFW_MANAGED=true
      - UFW_ALLOW_FROM=192.168.0.0/24
      - UFW_DENY_OUTGOING=true
      - UFW_ALLOW_TO=any:53;dl-cdn.alpinelinux.org:80/tcp
    ports:
      - 8680:80
  nginx7:
    image: nginx:alpine
    container_name: nginx7
    restart: unless-stopped
    labels:
      - UFW_MANAGED=true
      - UFW_ALLOW_FROM=192.168.0.0/24
      - UFW_DENY_OUTGOING=true
      - UFW_ALLOW_TO=any:53;dl-cdn.alpinelinux.org:80/tcp
    ports:
      - 8780:80

Steps for reproducing the issue:

docker-compose up -d
sed -i 's/192.168.0.0/192.168.1.0/g' docker-compose.yml
docker-compose up -d

- Result: sometimes some rules are not properly cleaned.
from ufw-docker-automated.
Rules are also not cleared when rebooting the machine with the restart policy set to 'unless-stopped'.
And at reboot the container is restarted with a new IP address, and the new rules are not created.
from ufw-docker-automated.
Thanks for reporting, I'll take a deeper look into these issues once I fix my laptop. I'm going to reinstall the OS this weekend so I'll be able to get back to work.
from ufw-docker-automated.
I have a solution for cleaning ufw rules when restarting or shutting down the machine.
I created an init.d script that calls start.py at boot and stop.py at shutdown or reboot.
And it works! It cleans the rules and creates them at boot when there is a container running :)
I'll make a branch ufw-update-onrestart
The problem is that the user needs to add 3 scripts and run some commands.
I think we should think of an install script that does everything for the user.
Usually I put all my scripts in /usr/lib/ufw-docker and I also tried with a virtualenv. Here are the scripts:
- /etc/init.d/ufw-docker
- /lib/systemd/system/ufw-docker-automated.service
- /usr/lib/ufw-docker
  - automated.py
  - start.py
  - stop.py
  - venv
As for cleaning the rules when a container dies:
I have no solution for now since the 'die' event doesn't have the IP address of the container.
Without a storage that keeps the association (container_id, container_ip) it is tricky to solve this.
Maybe a global var could do the job, but when the service restarts it will lose the association.
from ufw-docker-automated.
Indeed, we need some kind of container id / container ip mapping. I think the ufw command actually has a feature for comments / descriptions on rules (which I never used).
So we could store container IDs in their related ufw rules. As soon as a container dies, we could look up the ufw rules by their description, find the related container, then delete it.
from ufw-docker-automated.
I agree this is the right solution for this mapping; I wasn't sure that ufw could do comments like iptables.
Also, will this die handler replace the kill handler? Or should we keep both the kill and die handlers, since the die handler won't do anything if the rules were already deleted by the kill handler?
from ufw-docker-automated.
Idea added in branch ufw-comment
I can submit a PR if the implementation is close to what you imagined.
I have also implemented this idea in branch ufw-threads.
But there I added a prefix tag 'container:' to simplify the cleaning of all ufw rules at shutdown.
from ufw-docker-automated.
Fixed in PR #14. In this PR we use the die event for cleaning ufw rules and we don't call the docker API anymore to retrieve container information when the container dies (explanation here)
from ufw-docker-automated.
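The approach this thread converges on (the first comment's point that the die handler must work from the event payload alone because the container may already be gone, and the later proposal to store the container id in a ufw rule comment tagged 'container:' so rules can be found without any docker API call) as an added example. This is not code from ufw-docker-automated or from PR #14. It assumes the rules were created with `ufw ... comment 'container:<id>'`, where <id> is the same value the Docker event carries in its `id` field, and it parses the text format of `ufw status numbered`. The function names and the sample status output are constructed for the example.

```python
"""Delete a container's ufw rules from the Docker 'die' event alone.

Added example, not code from ufw-docker-automated. Assumes rules were created
with `ufw ... comment 'container:<id>'` (the tag proposed in this thread) and
<id> is the value in the event's 'id' field. Function names are hypothetical.
"""
import json
import re
import subprocess
from typing import Callable, Dict, List, Tuple

TAG_PREFIX = "container:"
Runner = Callable[[List[str]], str]

# One line of `ufw status numbered`, e.g.
# "[ 2] 172.18.0.2 80/tcp   ALLOW FWD   192.168.0.0/24   # container:aaa111"
_RULE_RE = re.compile(r"^\[\s*(\d+)\]\s+(.*?)(?:\s+#\s*(.*))?$")


def parse_numbered_status(status_text: str) -> List[Dict[str, object]]:
    """Return [{'num': int, 'body': str, 'comment': str|None}, ...]."""
    rules = []
    for line in status_text.splitlines():
        m = _RULE_RE.match(line.strip())
        if m:
            rules.append({"num": int(m.group(1)), "body": m.group(2).strip(),
                          "comment": m.group(3).strip() if m.group(3) else None})
    return rules


def rules_for_container(status_text: str, container_id: str) -> List[int]:
    """Rule numbers tagged with this container, highest first: ufw renumbers
    after every `ufw delete N`, so deleting top-down keeps the rest valid."""
    wanted = TAG_PREFIX + container_id
    return sorted((r["num"] for r in parse_numbered_status(status_text)
                   if r["comment"] == wanted), reverse=True)


def all_container_rules(status_text: str) -> List[int]:
    """Every tagged rule, highest first (the shutdown-time cleanup case)."""
    return sorted((r["num"] for r in parse_numbered_status(status_text)
                   if r["comment"] and r["comment"].startswith(TAG_PREFIX)),
                  reverse=True)


def _run(cmd: List[str]) -> str:
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def delete_rules(nums: List[int], run: Runner = _run) -> List[List[str]]:
    """Delete rules by number. `ufw delete N` also removes route (FWD) rules;
    `ufw route delete N` is rejected by ufw. Returns the commands issued."""
    issued = []
    for n in sorted(nums, reverse=True):
        cmd = ["ufw", "--force", "delete", str(n)]  # --force skips the prompt
        run(cmd)
        issued.append(cmd)
    return issued


def on_die(event: Dict, run: Runner = _run) -> List[List[str]]:
    """Handle one Docker event using only its payload: no `docker inspect`,
    because the container may already be gone when we get here."""
    if event.get("Type", "container") != "container" or event.get("Action") != "die":
        return []
    cid = event.get("id") or event["Actor"]["ID"]
    return delete_rules(rules_for_container(run(["ufw", "status", "numbered"]), cid), run)


def recording_runner(status_text: str) -> Tuple[Runner, List[List[str]]]:
    """Fake runner for offline use: answers `ufw status numbered` with the
    given text, records every command, and never touches the firewall."""
    calls: List[List[str]] = []

    def run(cmd: List[str]) -> str:
        calls.append(cmd)
        return status_text if cmd[:2] == ["ufw", "status"] else ""
    return run, calls


# Constructed sample of `ufw status numbered` output (not from a real host).
SAMPLE_STATUS = """Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 172.18.0.2 80/tcp          ALLOW FWD   192.168.0.0/24             # container:aaa111
[ 3] Anywhere 53                ALLOW FWD   172.18.0.2                 # container:aaa111
[ 4] 172.18.0.3 80/tcp          ALLOW FWD   192.168.0.0/24             # container:bbb222
[ 5] Anywhere                   DENY FWD    172.18.0.2                 # container:aaa111
"""

if __name__ == "__main__":
    # Live mode: follow `docker events` and clean up on every container death.
    proc = subprocess.Popen(["docker", "events", "--filter", "type=container",
                             "--filter", "event=die", "--format", "{{json .}}"],
                            stdout=subprocess.PIPE, text=True)
    for line in proc.stdout:
        print(on_die(json.loads(line)))
```

Two practical points. Rule numbers are only stable between the `ufw status numbered` call and the deletes, so the handler should run serially (one event at a time, or under a lock) rather than from several threads at once; otherwise rules added for a freshly started container can shift the numbers under a concurrent delete. And `all_container_rules` is the shutdown case from the ufw-threads branch: with the 'container:' prefix, stop.py can drop every tagged rule without knowing which containers exist, which is exactly the situation after a reboot where containers come back with new addresses.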