What is the best practice of docker + ufw under Ubuntu


Question


I just tried out Docker. It is awesome but seems not to work nicely with ufw. By default, docker will manipulate the iptables a little bit. The outcome is not a bug but not what I expected. For more details you can read The dangers of UFW + Docker


My goal is to set up a system like

    Host (running ufw) -> docker container 1 - nginx (as a reverse proxy)
                       -> docker container 2 - node web 1
                       -> docker container 3 - node web 2
                       -> .......


I want to manage the incoming traffic (e.g. restrict access) through ufw therefore I don't want docker to touch my iptables. Here is my test

Environment:

  • a newly installed Ubuntu 14.04 (kernel: 3.13.0-53 )
  • Docker 1.6.2
  • ufw forwarding is enabled (Enable UFW forwarding)
  • --iptables=false was added to the Docker daemon.

First attempt

docker run --name ghost -v /home/xxxx/ghost_content:/var/lib/ghost -d ghost
docker run --name nginx -p 80:80 -v /home/xxxx/nginx_site_enable:/etc/nginx/conf.d:ro --link ghost:ghost -d nginx


No luck. The first command is fine but the second command will throw an error

Error response from daemon: Cannot start container

Second attempt


Then I found this: unable to link containers with --iptables=false #12701


After running the following command, everything looks OK.

sudo iptables -N DOCKER


However, I noticed that I cannot establish any outbound connections inside containers. For example:

xxxxg@ubuntu:~$ sudo docker exec -t -i nginx /bin/bash
root@b0d33f22d3f4:/# ping 74.125.21.147
PING 74.125.21.147 (74.125.21.147): 56 data bytes
^C--- 74.125.21.147 ping statistics ---
35 packets transmitted, 0 packets received, 100% packet loss
root@b0d33f22d3f4:/# 


If I remove --iptables=false from the Docker daemon, then the internet connection of containers will be back to normal but the ufw will not work 'properly' (well...by my definition).


So, what is the best practice of docker + ufw? Can anyone provide some help?

Thanks.

Bart.

Recommended answer


I had such a problem months ago and lately decided to describe the issue along with the solution on my blog. Here's the shortcut.


Using --iptables=false won't help you much with the case you described. It's simply not enough here. By default, none of your containers can make any outgoing connection.


There's a small step you're omitting on your way to having containers behind UFW here. You can use --iptables=false or create a /etc/docker/daemon.json file with content as follows

{
  "iptables": false
}


the result will be the same, but the latter option requires you to restart the whole docker service with service docker restart or even do a reboot if docker had a chance to add iptables rules before you disabled this function.


When it's done, just do two more things:

$ sed -i -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
$ ufw reload


so you set the default forward policy in UFW to accept, and use:

$ iptables -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE


That way what you're achieving is disabling docker's messy behavior in your iptables rules and at the same time docker is provided with the necessary routing so containers will do outgoing connections just fine. UFW rules will still be restricted from this point on, though.


Hope this resolves the issue for you and anyone who gets here in search of an answer.
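The three pieces of this answer (daemon.json, the UFW forward policy, the MASQUERADE rule) collected into one idempotent script, as an added example that is not part of the original answer. The file paths are function parameters so the edits can be tried on scratch copies before touching the host, and the 172.17.0.0/16 subnet is assumed to be Docker's default docker0 bridge.

```shell
#!/bin/sh
# Added example: apply the answer's steps idempotently. Functions take the
# target paths as arguments; the real host paths are only used in main().

# 1. Stop dockerd from managing iptables (real host: /etc/docker/daemon.json).
write_daemon_json() {
  printf '{\n  "iptables": false\n}\n' > "$1"
}

# 2. Switch UFW's default forward policy from DROP to ACCEPT (real host:
#    /etc/default/ufw). Anchored to line start so a comment is not rewritten;
#    the grep makes the function fail loudly if the setting is still not ACCEPT.
set_ufw_forward_accept() {
  sed -i -e 's/^DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$1"
  grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$1"
}

# Read back the current policy value without modifying the file.
ufw_forward_policy() {
  sed -n 's/^DEFAULT_FORWARD_POLICY="\([A-Z]*\)"/\1/p' "$1"
}

# 3. Add the MASQUERADE rule for the bridge subnet exactly once:
#    -C checks whether the rule already exists, -A appends it only if not.
ensure_masquerade() {
  iptables -t nat -C POSTROUTING ! -o docker0 -s "$1" -j MASQUERADE 2>/dev/null \
    || iptables -t nat -A POSTROUTING ! -o docker0 -s "$1" -j MASQUERADE
}

# Real host run (needs root): ./docker-ufw.sh apply
main() {
  write_daemon_json /etc/docker/daemon.json
  set_ufw_forward_accept /etc/default/ufw
  ufw reload
  ensure_masquerade 172.17.0.0/16   # assumed default docker0 subnet
  echo "now run 'service docker restart' so dockerd picks up iptables=false"
}

if [ "${1:-}" = "apply" ]; then
  main
fi
```

Re-running the script is safe: the sed finds nothing to change on the second pass and the -C check prevents a duplicate MASQUERADE rule.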
