[ale] Speaking of containers: Docker and iptables
James Sumners
2017-10-31 13:59:14 UTC
I need to update my internal Redis servers from RHEL6 to RHEL7. Since
stupid redis.io doesn't provide a yum repository, and the EPEL packages are
"old stable," I am looking at deploying them with the `redis:4` image.
While researching this plan, it has come to my attention that `dockerd`
defaults to injecting iptables rules automatically. This is not great;
especially if you limit access to your Redis servers by firewall rules
(i.e. only from certain clients).

So, let's say you use the packages from
https://download.docker.com/linux/centos/7/x86_64/stable/ to run Docker.
You will want to do the following to prevent this silliness:

```
# Use a drop-in rather than overwriting the packaged unit, so its [Unit]
# and [Install] sections are kept; the empty ExecStart= line clears the
# packaged command before the new one is set (the original one-liner was
# also wrapped across two lines and would not run as shown).
$ mkdir -p /etc/systemd/system/docker.service.d
$ printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd --iptables=false\n' > /etc/systemd/system/docker.service.d/override.conf
$ systemctl daemon-reload
$ systemctl restart docker.service
```
--
James Sumners
http://james.sumners.info/ (technical profile)
http://jrfom.com/ (personal site)
http://haplo.bandcamp.com/ (music)
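An added example, not from James's post or from Docker's own files: the same setting expressed in `/etc/docker/daemon.json` (choose one place for it; dockerd refuses to start when a directive is given both as a flag and in daemon.json), together with the POSTROUTING masquerade rule dockerd would otherwise install itself and that containers on the default bridge lose once iptables management is off. `DOCKER_CONFIG_DIR`, the function names and the 172.17.0.0/16 subnet are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): daemon.json equivalent of
# `dockerd --iptables=false`, plus the NAT rule Docker would otherwise add
# for outbound container traffic on the default bridge.
# DOCKER_CONFIG_DIR defaults to a scratch directory so the script runs
# offline and unprivileged; on a real host set it to /etc/docker.
DOCKER_CONFIG_DIR="${DOCKER_CONFIG_DIR:-$(mktemp -d)}"

# Write a daemon.json that turns off Docker's iptables management and print
# its path. Do not also pass --iptables=false on the dockerd command line.
write_daemon_json() {
    mkdir -p "$DOCKER_CONFIG_DIR"
    cat > "$DOCKER_CONFIG_DIR/daemon.json" <<'EOF'
{
  "iptables": false
}
EOF
    printf '%s\n' "$DOCKER_CONFIG_DIR/daemon.json"
}

# True when the given daemon.json disables iptables management.
iptables_disabled_in() {
    grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$1"
}

# With iptables management off, dockerd no longer installs the masquerade
# rule for the bridge subnet, so containers lose outbound connectivity until
# an equivalent rule exists. Print the command rather than run it, so it can
# be reviewed first. Subnet and bridge name are assumed defaults; confirm
# with `ip addr show docker0`.
masquerade_rule() {
    subnet="${1:-172.17.0.0/16}"
    bridge="${2:-docker0}"
    printf 'iptables -t nat -A POSTROUTING -s %s ! -o %s -j MASQUERADE\n' "$subnet" "$bridge"
}

conf=$(write_daemon_json)
iptables_disabled_in "$conf" && echo "iptables management disabled in $conf"
masquerade_rule
# On the real host, follow up with: systemctl restart docker.service
```

Published ports (`-p`) also stop working with this setting, because the DNAT rules behind them are no longer created; if a container must be reachable from selected clients, the host's own firewall rules have to provide both the DNAT and the source restriction.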
Lightner, Jeffrey
2017-10-31 14:21:27 UTC
Docker containers insert rules on start of the container and remove them on stop of the container to the base system’s iptables to allow for internal communications. I’d be leery of interfering with that process.

Question that just occurred to me:
Would one classify the base OS (not the individual containers) as a hypervisor or is there a better term for it?

James Sumners
2017-10-31 14:25:12 UTC
This has nothing to do with the internal communications between running
containers. Those have their own network. This is about Docker exposing
ports specified with `EXPOSE 12345` lines in Dockerfiles to the outside
world. From my Harbor server (VMware's "hub" product):

```
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.18.0.2 tcp dpt:514
ACCEPT tcp -- 0.0.0.0/0 172.18.0.7 tcp dpt:4443
ACCEPT tcp -- 0.0.0.0/0 172.18.0.7 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 172.18.0.7 tcp dpt:80
```

_______________________________________________
Ale mailing list
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo
--
James Sumners
http://james.sumners.info/ (technical profile)
http://jrfom.com/ (personal site)
http://haplo.bandcamp.com/ (music)
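The listing above is the point of the thread: the DOCKER chain is reached from FORWARD, so a published container port is accepted for any source (0.0.0.0/0) regardless of INPUT rules that restrict who may talk to the host. As an added example, not part of the thread, here is a small audit that parses `iptables -L DOCKER -n` output in that format and flags rules open to the whole IPv4 space; the sample listing, the 10.0.5.0/24 source and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the Docker-managed iptables
# chain for container ports reachable from any source.
# The listing below is constructed to mirror `iptables -L DOCKER -n` as
# shown in the thread; on a live host feed the real output instead.
SAMPLE_DOCKER_CHAIN='Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:514
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.7           tcp dpt:4443
ACCEPT     tcp  --  10.0.5.0/24          172.18.0.9           tcp dpt:6379'

# Print one line per ACCEPT rule: "<source> <container-ip> <port> <verdict>",
# where verdict is OPEN when the source is the whole IPv4 space.
audit_docker_chain() {
    printf '%s\n' "$1" | awk '
        $1 == "ACCEPT" && $2 == "tcp" {
            port = $NF; sub(/^dpt:/, "", port)
            verdict = ($4 == "0.0.0.0/0") ? "OPEN" : "restricted"
            printf "%s %s %s %s\n", $4, $5, port, verdict
        }'
}

# Number of OPEN rules, so a cron job can alert when it is non-zero.
count_open_ports() {
    audit_docker_chain "$1" | awk '$4 == "OPEN"' | wc -l | tr -d ' '
}

# Live use on a Docker host (needs root): audit_docker_chain "$(iptables -L DOCKER -n)"
audit_docker_chain "$SAMPLE_DOCKER_CHAIN"
echo "open to any source: $(count_open_ports "$SAMPLE_DOCKER_CHAIN")"
```

Two mitigations that keep Docker's iptables management on: publish only on a specific address (`-p 127.0.0.1:6379:6379` binds the port to loopback instead of all interfaces), or put the source restrictions in the DOCKER-USER chain, which Docker (17.06 and later) evaluates before its own DOCKER chain and never rewrites.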
DJ-Pfulio
2017-10-31 16:51:23 UTC
Question that just occurred to me: 
Would one classify the base OS (not the individual containers) as a hypervisor
or is there a better term for it?
No. I wouldn't call it a hypervisor.

Containers are NOT virtual machines. They are more like BSD-Jails.
Lightner, Jeffrey
2017-10-31 16:58:43 UTC
Right. So is there another term that makes sense?

Container master? Containervisor?


Jim Kinney
2017-10-31 17:04:02 UTC
Containers are like a chroot jail with widely spaced bars and doors locked with chewing gum.

A process running in a vm is not visible in the host process table. It is for a container.
--
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.
James Taylor
2017-10-31 16:15:06 UTC
Speaking of Redis....
I have Redis configured for indexing on my Nextcloud server, but that's the only exposure I have of it.
What are typical applications for its use?
-jt



James Taylor
678-697-9420
James Sumners
2017-10-31 16:17:49 UTC
On Tue, Oct 31, 2017 at 12:15 PM, James Taylor <
Post by James Taylor
Speaking of Redis....
I have Redis configured for indexing on my Nextcloud server, but that's
the only exposure I have of it.
What are typical applications for its use?
-jt
Our applications use it as ephemeral storage for things like web sessions.
And I believe that is its primary purpose.
--
James Sumners
http://james.sumners.info/ (technical profile)
http://jrfom.com/ (personal site)
http://haplo.bandcamp.com/ (music)
Scott Plante
2017-10-31 17:08:20 UTC
Isn't that true for chroot jails too though? That is a process in a chroot jail is visible in the host process table, right? Anyway, the point is that the host processes aren't visible in the container, not the other way around.


