What is the best practice of docker + ufw under Ubuntu
Question
I just tried out Docker. It is awesome but seems not to work nicely with ufw. By default, docker will manipulate the iptables a little bit. The outcome is not a bug but not what I expected. For more details you can read The dangers of UFW + Docker
My goal is to set up a system like

Host (running ufw) -> docker container 1 - nginx (as a reverse proxy)
                                        -> docker container 2 - node web 1
                                        -> docker container 3 - node web 2
                                        -> .......
I want to manage the incoming traffic (e.g. restrict access) through ufw, therefore I don't want docker to touch my iptables. Here is my test
Environment:
- a newly installed Ubuntu 14.04 (kernel: 3.13.0-53)
- Docker 1.6.2
- ufw forwarding is enabled (see Enable UFW forwarding)
- --iptables=false was added to the Docker daemon.
First attempt
docker run --name ghost -v /home/xxxx/ghost_content:/var/lib/ghost -d ghost
docker run --name nginx -p 80:80 -v /home/xxxx/nginx_site_enable:/etc/nginx/conf.d:ro --link ghost:ghost -d nginx
No luck. The first command is fine but the second command will throw an error
Error response from daemon: Cannot start container
Second attempt
Then I found this: Can't link containers with --iptables=false #12701
After running the following command, everything looks OK.
sudo iptables -N DOCKER
However, I noticed that I can not establish any outbound connections inside containers. For example:
xxxxg@ubuntu:~$ sudo docker exec -t -i nginx /bin/bash
root@b0d33f22d3f4:/# ping 74.125.21.147
PING 74.125.21.147 (74.125.21.147): 56 data bytes
^C--- 74.125.21.147 ping statistics ---
35 packets transmitted, 0 packets received, 100% packet loss
root@b0d33f22d3f4:/#
If I remove --iptables=false from the Docker daemon, then the internet connection of containers will be back to normal but the ufw will not work 'properly' (well...by my definition).
So, what is the best practice of docker + ufw? Can anyone provide some help?
Recommended answer
I had such a problem months ago and recently decided to describe the issue along with the solution on my blog. Here's the short version.
Using --iptables=false won't help you much with the case you described. It's simply not enough here. By default, none of your containers can make any outgoing connection.
There's a small step you're omitting on your way to having containers behind UFW here. You can use --iptables=false or create the /etc/docker/daemon.json file with the following content
{
"iptables": false
}
The result will be the same, but the latter option requires you to restart the whole docker service with service docker restart, or even reboot if docker had a chance to add iptables rules before you disabled this function.
Once that's done, two more things:
$ sed -i -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
$ ufw reload
so you set the default forward policy in UFW to accept, and use:
$ iptables -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
That way what you're achieving is disabling docker's messy behavior in your iptables rules, and at the same time docker is provided with the necessary routing, so containers will make outgoing connections just fine. UFW rules will still apply from this point on, though.
Hope this resolves the issue for you and anyone who gets here in search of an answer.
https://www.mkubaczyk.com/2017/09/05/force-docker-not-bypass-ufw-rules-ubuntu-16-04/
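The answer above is a three-part procedure (daemon.json, UFW forward policy, MASQUERADE rule) and the MASQUERADE line hard-codes 172.17.0.0/16. The script below is an added example, not code from the question, the answer or the linked blog post: it checks each of the three settings against files and captured command output passed in as arguments, derives the subnet from `ip -4 -o addr show docker0` instead of assuming 172.17.0.0/16, and prints (does not apply) whatever is still missing. Everything it reads is constructed sample input labelled as such; the `/etc/ufw/before.rules` `*nat` block it emits is a common way of making the rule survive a reboot (the bare `iptables -A` command in the answer is not persistent), and it is an assumption of this example rather than something the answer states.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Assumptions:
# paths and command output are passed as arguments so the checks can run
# against copies or captured text; the docker0 subnet comes from one line of
# `ip -4 -o addr show docker0`; persistence goes through /etc/ufw/before.rules.

# Does daemon.json already carry "iptables": false?  (whitespace-tolerant)
docker_iptables_disabled() {
    [ -r "$1" ] && grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$1"
}

# Current DEFAULT_FORWARD_POLICY from /etc/default/ufw; commented lines ignored.
ufw_forward_policy() {
    sed -n 's/^DEFAULT_FORWARD_POLICY="\([A-Z]*\)".*/\1/p' "$1" | tail -n 1
}

# Network/prefix of the bridge from one `ip -4 -o addr show docker0` line,
# e.g. "... inet 172.17.0.1/16 ..." -> 172.17.0.0/16 (host bits masked off).
docker0_subnet() {
    cidr=$(printf '%s\n' "$1" | awk '{for (i = 1; i <= NF; i++) if ($i == "inet") { print $(i + 1); exit }}')
    [ -n "$cidr" ] || return 1
    prefix=${cidr#*/}
    oldifs=$IFS; IFS=.
    set -- ${cidr%/*}
    IFS=$oldifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# The answer's rule, for whatever subnet docker0 actually has.
masquerade_rule() {
    printf 'iptables -t nat -A POSTROUTING ! -o docker0 -s %s -j MASQUERADE\n' "$1"
}

# Same rule as a *nat block for /etc/ufw/before.rules (paste above *filter),
# so `ufw reload` / reboot re-creates it. Assumed persistence method.
before_rules_nat_block() {
    printf '*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING ! -o docker0 -s %s -j MASQUERADE\nCOMMIT\n' "$1"
}

# Print the commands still missing. Args: daemon.json path, /etc/default/ufw
# path, one `ip -4 -o addr show docker0` line, `iptables -t nat -S POSTROUTING`
# output. Returns 0 only when nothing needs changing.
print_fixes() {
    daemon_json=$1; ufw_default=$2; ip_line=$3; nat_rules=$4
    pending=0
    if ! docker_iptables_disabled "$daemon_json"; then
        printf '# write {"iptables": false} to %s, then: service docker restart\n' "$daemon_json"
        pending=1
    fi
    if [ "$(ufw_forward_policy "$ufw_default")" != ACCEPT ]; then
        printf "sed -i -e 's/DEFAULT_FORWARD_POLICY=\"DROP\"/DEFAULT_FORWARD_POLICY=\"ACCEPT\"/g' %s\n" "$ufw_default"
        printf 'ufw reload\n'
        pending=1
    fi
    if subnet=$(docker0_subnet "$ip_line"); then
        if printf '%s\n' "$nat_rules" | grep -F -- "-s $subnet" | grep -F -- "! -o docker0" | grep -Fq MASQUERADE; then
            printf '# nat MASQUERADE for %s already present\n' "$subnet"
        else
            masquerade_rule "$subnet"
            before_rules_nat_block "$subnet"
            pending=1
        fi
    else
        printf '# docker0 has no IPv4 address yet; start docker once so the bridge exists\n'
        pending=1
    fi
    return $pending
}

# Demo on constructed inputs (not captured from a real host).
demo_dir=$(mktemp -d)
printf '{\n  "iptables": false\n}\n' > "$demo_dir/daemon.json"
printf '# Set the default forward policy\nDEFAULT_FORWARD_POLICY="DROP"\n' > "$demo_dir/ufw"
demo_ip_line='4: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\       valid_lft forever preferred_lft forever'
print_fixes "$demo_dir/daemon.json" "$demo_dir/ufw" "$demo_ip_line" '-P POSTROUTING ACCEPT' || true
rm -rf "$demo_dir"
```

On a real host you would call it as `print_fixes /etc/docker/daemon.json /etc/default/ufw "$(ip -4 -o addr show docker0)" "$(iptables -t nat -S POSTROUTING)"` as root and review the output before running any of it; note that the UFW forward policy of ACCEPT applies to all forwarded traffic, not only to docker0, which is the trade-off the answer accepts.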