A semi-solution to docker network problems caused by centos firewall state changes

Background

When running docker on CentOS, I found that a change in the firewall's state disrupts network communication between containers. Docker configures the host's firewall NAT rules automatically, but those rules are not persisted to the firewall configuration file: after the firewall is restarted they disappear, and running containers can no longer be reached.

The easiest solution

Restart docker so that the docker rules are loaded again.

However, restarting docker frequently in a production environment is obviously not advisable, so how can the problem be solved? Searching the Internet turned up a few approaches.

Approach one

1) Do not use the docker run -p parameter to configure NAT; instead, configure the firewall NAT rules manually.

2) Use the docker run -p parameter to configure NAT, and after the container starts use iptables-save (CentOS) to write the current firewall rules to the firewall configuration file.

The steps for option 2) are as follows:

1. iptables -nL -t nat: check whether the docker NAT rules exist.


2. iptables-save: check whether the current iptables rule set is empty.

3. If the rule set is not empty, back up the existing iptables file first:

cp /etc/sysconfig/iptables /etc/sysconfig/iptables_bak20180705

4. iptables-save > /etc/sysconfig/iptables: save all current iptables rules to the configuration file.

At this point, restarting the firewall no longer affects the containers.

To restore the previous firewall configuration, copy the backup back: cp iptables_bak20180705 iptables
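The four steps above as an added example script (not code from the original post): it checks a saved iptables-save dump for Docker's NAT chain, refuses an empty dump, backs up any existing /etc/sysconfig/iptables with a timestamp (and copes with the file not existing yet, the problem noted later under "Actual operation"), then writes the rules. The sample dump at the bottom is constructed so the script runs offline; on the host, feed it a real dump as shown in the comment.

```shell
#!/bin/sh
# Added example (not the original post's code). Persist Docker's NAT rules as in
# steps 1-4 above, with the checks an operator wants before overwriting the file.
# On the host, run as root:  iptables-save > /tmp/rules.v4
#                            persist_rules /tmp/rules.v4 /etc/sysconfig/iptables
set -eu

# Step 1: does the dump contain Docker's NAT chain? Docker creates a DOCKER
# chain in the nat table and jumps to it from PREROUTING for local addresses.
has_docker_nat_rules() {
    grep -q '^:DOCKER ' "$1" && grep -q -- '-A PREROUTING .* -j DOCKER' "$1"
}

# Step 2: a dump with no "-A" lines holds only table headers, i.e. no rules.
dump_is_empty() {
    ! grep -q '^-A ' "$1"
}

# Steps 3 and 4: back up the existing file (only if there is one, which is the
# "does not exist" case noted later in the post), then write the new rules.
persist_rules() {
    dump=$1; target=$2
    if dump_is_empty "$dump"; then
        echo "refusing to persist: no rules in $dump" >&2
        return 1
    fi
    if ! has_docker_nat_rules "$dump"; then
        echo "refusing to persist: Docker NAT chain not found in $dump" >&2
        return 1
    fi
    if [ -f "$target" ]; then
        cp -p "$target" "${target}_bak$(date +%Y%m%d%H%M%S)"
    fi
    cp "$dump" "$target"
}

# Constructed sample dump (not captured from a real host) so this runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/rules.v4" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
EOF
persist_rules "$demo_dir/rules.v4" "$demo_dir/iptables"
```

The saved file is a snapshot: containers started later with new -p mappings get their DNAT rules in the kernel but not in the file, so re-run the script after such changes.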

Approach two

The various settings of the iptables service are kept in the file /etc/sysconfig/iptables-config, whose contents are as follows:

# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"


# Save current firewall rules on stop.
#   Value: yes|no,  default: yes
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
#   Value: yes|no,  default: yes
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
#   Value: yes|no,  default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
#   Value: yes|no,  default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"

# Reload sysctl settings on start and restart
#   Default: -none-
# Space separated list of sysctl items which are to be reloaded on start.

IPTABLES_MODULES="ip_conntrack_netbios_ns"

A space-separated list of additional iptables modules to load when the firewall is started. When the system boots and loads the firewall modules it prints: Loading additional iptables modules: ip_conntrack_netbios_ns[ OK ]

IPTABLES_MODULES_UNLOAD="yes"

Whether to unload these modules when the iptables service is restarted or stopped.

IPTABLES_SAVE_ON_STOP="no"

Whether to save the current firewall rules to the iptables file when the firewall is stopped; no (the default) does not save them.

IPTABLES_SAVE_ON_RESTART="no"

Whether to save the current firewall rules to the iptables file when the firewall is restarted (service iptables restart); no (the default) does not save them.

IPTABLES_SAVE_COUNTER="no"

Whether to save and restore the packet and byte counters of all chains and rules; yes saves the counter values, no (the default) does not.

IPTABLES_STATUS_NUMERIC="yes"

Whether status output shows IP addresses as numbers instead of domain or host names; yes (the default) shows only IP addresses, no shows domain or host names.

IPTABLES_STATUS_VERBOSE="no"

Whether the iptables status output includes the input and output devices; yes includes them, no (the default) does not.

IPTABLES_STATUS_LINENUMBERS="yes"

Whether the iptables status output prints a number for each rule; yes (the default) prints it, no does not.

Based on these descriptions, change IPTABLES_SAVE_ON_STOP="no" and IPTABLES_SAVE_ON_RESTART="no" to "yes".

After the modification, restart the firewall for the change to take effect.

Actual operation

Following approach one, cp /etc/sysconfig/iptables /etc/sysconfig/iptables_bak20180705 failed: the system reported that /etc/sysconfig/iptables does not exist.

Solution: run the next step first, iptables-save > /etc/sysconfig/iptables, to create the file.

To be safe, I applied both approaches in practice. The result is that as long as the firewall is on (whether restarted with systemctl restart firewalld or with systemctl stop firewalld followed by systemctl start firewalld), network communication between containers is not affected.

This ensures that the docker-related rules are not lost from the firewall rules while the firewall is enabled.

When the firewall is stopped, the docker rules are lost and the containers cannot communicate.

This method is therefore suitable for production environments where the firewall is always on.

Open questions

Although CentOS manages the firewall through the firewalld command, we still met our needs by modifying the underlying iptables configuration.

But we only confirmed that communication works while the firewall is on. When I tested on Ubuntu, which also uses iptables, the docker rules stayed in the iptables configuration whether the firewall was on or off, which shows that this is achievable. My understanding of this area is still too limited, so the fix only meets the immediate production need and cannot be optimized further for now. I hope to have the opportunity to study it further in the future.


Origin blog.csdn.net/qq_42750537/article/details/101449965