ferment's People

Contributors: anayden, diefans, martinufo, strarsis

ferment's Issues

python3 support

Please provide support for python3 using the docker API instead of docker-py.

smarter cidr detection

ferment's default cidr is 172.18.0.0/16, which is incorrect in my case.

Rather than hard-coding this default, why not base it on the actual config for the docker network interface?

ferment is getting container ports, not user mapped ports

Hi,

Ferment works really well; however, it is unblocking the ports from the container, whereas I have mapped them to different ports on the server.

i.e., 5000:1234
1234 is in iptables when it should be 5000.

Any way to change this?

Error : stderr: iptables v1.4.21: host/network `' not found when container started with net=host

Hello,

I use an ansible ferm role in which I include @include '/usr/local/bin/ferment docker --cidr 172.17.0.0/16 config|';.

When I start a docker container with the --net=host parameter and try to generate the iptables rules, I get the following error:

failed: [test.dev] => {"changed": false, "cmd": ["ferm", "--lines", "--slow", "/etc/ferm/ferm.conf"], "delta": "0:00:01.059659", "end": "2015-10-13 13:50:53.916170", "rc": 1, "start": "2015-10-13 13:50:52.856511", "warnings": []} stderr: iptables v1.4.21: host/network `' not found

If I exit the docker container with --net=host, I can run the role again without problem.
If I remove the @include '/usr/local/bin/ferment docker --cidr 172.17.0.0/16 config|'; line, it is working too.

Any idea on how to solve this?

Thanks

Could not resolve 'archive.ubuntu.com' - cidr 172.17.0.0/16 instead of 172.18.0.0/16

Hello,

My iptables rules are generated with ferm; I use ferment to get the docker iptables rules and run docker with --iptables=false.

I noticed I could not build images anymore, getting the following errors:

E: Failed to fetch http://archive.ubuntu.com/ubuntu/pool/universe/p/python-pip/python-pip_1.5.4-1ubuntu3_all.deb  Could not resolve 'archive.ubuntu.com'
    Could not resolve 'archive.ubuntu.com'

I noticed that when removing --iptables=false and restarting docker, my iptables rules had

-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

while when I was generating them with ferm + ferment, I got:

-A POSTROUTING -s 172.18.0.0/16 ! -o docker0 -j MASQUERADE

Do you know if there is a way to automatically get the correct cidr? For now I just add the following to my ferm.conf file:

    domain $domains table nat {
      chain POSTROUTING {
        saddr 172.17.0.0/16 outerface !docker0 MASQUERADE;
      }
    }

Is there a way to set the cidr value on the following line?

    @include '/usr/local/bin/ferment docker config|';

Thank you and thanks for sharing ferment !
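The issues above (smarter cidr detection, container ports vs. user-mapped ports, --net=host containers, and the 172.17 vs. 172.18 MASQUERADE cidr) share one root: the rules must be derived from what Docker actually reports rather than from defaults. The following is an added example, not ferment's own code, that builds ferm rule lines from constructed `docker network inspect` / `docker inspect`-shaped data; it assumes ferm's `DNAT to "ip:port"` syntax and the bridge interface name `docker0`.

```python
"""ferm rules from Docker inspect data (added example, not ferment's code).

Reads the bridge CIDR from the network's IPAM config instead of hard-coding
172.18.0.0/16, skips containers started with --net=host (no bridge IP, so no
rule with an empty "host/network `'" address), and matches on the user-mapped
host port (HostPort) rather than the container port.
"""

# Constructed samples shaped like `docker network inspect` / `docker inspect` output.
SAMPLE_BRIDGE = {"Name": "bridge", "IPAM": {"Config": [{"Subnet": "172.17.0.0/16"}]}}
SAMPLE_CONTAINERS = [
    {"Name": "/web", "NetworkSettings": {
        "IPAddress": "172.17.0.2",
        "Ports": {"1234/tcp": [{"HostIp": "0.0.0.0", "HostPort": "5000"}]}}},
    # started with --net=host: no bridge address and no port map
    {"Name": "/hostnet", "NetworkSettings": {"IPAddress": "", "Ports": {}}},
    # EXPOSEd but not published: nothing to open on the host
    {"Name": "/quiet", "NetworkSettings": {"IPAddress": "172.17.0.3",
                                            "Ports": {"8080/tcp": None}}},
]


def bridge_cidr(network):
    """Subnet of the docker bridge network, e.g. '172.17.0.0/16'."""
    return network["IPAM"]["Config"][0]["Subnet"]


def masquerade_rule(network, iface="docker0"):
    """ferm nat/POSTROUTING line equivalent to docker's MASQUERADE rule."""
    return f"saddr {bridge_cidr(network)} outerface ! {iface} MASQUERADE;"


def dnat_rules(containers, iface="docker0"):
    """One ferm nat/DOCKER line per published port, keyed on the host port."""
    rules = []
    for c in containers:
        net = c["NetworkSettings"]
        if not net.get("IPAddress"):      # --net=host or detached: nothing to DNAT to
            continue
        for spec, bindings in (net.get("Ports") or {}).items():
            if not bindings:                # exposed-only port, no host mapping
                continue
            cport, proto = spec.split("/")
            for b in bindings:              # b["HostPort"] is the 5000 in 5000:1234
                rules.append(f'interface ! {iface} proto {proto} dport {b["HostPort"]} '
                             f'DNAT to "{net["IPAddress"]}:{cport}";')
    return rules
```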

IPv6?

ferment doesn't appear to generate any rules for IPv6. Should I be concerned?

Add option to output only dynamic rules

Part of the Docker iptables configuration is static and can be configured in ferm itself. This makes it possible to wrap Docker-related firewall rules in other rules. The part of the output I'm talking about is:

    table nat {
        chain DOCKER;
        chain PREROUTING {
            policy ACCEPT;
            mod addrtype dst-type LOCAL jump DOCKER;
        }
        chain OUTPUT {
            policy ACCEPT;
            daddr ! 127.0.0.0/8 mod addrtype dst-type LOCAL jump DOCKER;
        }
        chain POSTROUTING {
            policy ACCEPT;
            saddr 172.18.0.0/16 outerface ! docker0 MASQUERADE;
        }
    }
    table filter {
        chain DOCKER;
        chain FORWARD {
            outerface docker0 {
                jump DOCKER;
                mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
            }
            interface docker0 {
                outerface ! docker0 ACCEPT;
                outerface docker0 ACCEPT;
            }
        }
    }

It would be great if ferment had an option to only output the dynamic, container-related rules. That way I can configure the static rules in the ferm directory, and add the Docker rules afterwards.

ERROR: unable to insert jump to DOCKER-ISOLATION rule in FORWARD chain: (iptables failed: iptables --wait -I FORWARD -j DOCKER-ISOLATION: iptables v1.6.0: Couldn't load target `DOCKER-ISOLATION':No such file or directory

ferm was restarted with the ferment invocation included.

Trying to start a docker container results in error message:

ERROR: unable to insert jump to DOCKER-ISOLATION rule in FORWARD chain:  (iptables failed: iptables --wait -I FORWARD -j DOCKER-ISOLATION: iptables v1.6.0: Couldn't load target `DOCKER-ISOLATION':No such file or directory

Docker has to be restarted to let it set up the firewall rules anew, but the extra issue that some ports aren't reachable from the outside isn't fixed by this.

System:

  • ferm 2.2
  • Ubuntu 16.04.2 LTS
  • Docker version 17.03.0-ce, build 60ccb22
