SysAdmins
Firewalld with docker in IsardVDI
If you are coming from a previous version in which firewalld handled the NAT, the setup was:
- firewalld service
- docker0 interface in the public zone
- masquerade enabled (NAT)
- docker service
- docker with iptables disabled (/etc/docker/daemon.json)
Now, with the current source this keeps working, but the configuration should be changed as follows:
- firewalld service: take docker0 out of the public zone and drop the masquerade rule from the default zone, since firewalld no longer does the NAT for the containers:
```bash
firewall-cmd --zone=public --remove-interface docker0 --permanent
firewall-cmd --remove-masquerade --permanent
```
- docker service: remove /etc/docker/daemon.json, or edit it so that docker manages iptables again:
```json
{ "iptables": true }
```
Then restart firewalld so the permanent changes take effect, and restart docker so it recreates its iptables chains:
```bash
systemctl restart firewalld
systemctl restart docker
```
With this configuration the real client IP is visible inside isard-portal, and docker itself opens and closes the ports it publishes.
In cloud infrastructure configurations (docker-compose.hypervisor.yml) the remote hypervisors need port 2022 reachable on the isard-hypervisor container. Either publish it at docker level in the compose file (not automated yet; you have to edit the configuration by hand) or forward it into the container at firewalld level:
```bash
firewall-cmd --add-forward-port=port=2022:proto=tcp:toport=22:toaddr=172.18.255.17
```
NOTE1: 172.18.255 is the DOCKER_NET variable in isardvdi.conf, and .17 is the isard-hypervisor address inside that network. Adjust the address accordingly if you changed DOCKER_NET. Note also that, as written, this rule is runtime-only and disappears on the next firewalld reload or restart; repeat it with --permanent (as the commands above do) if it has to persist.
Also, if you use the local infrastructure configuration (docker-compose.hypervisor-standalone.yml) you need to forward port 2022 and the whole video port range as well, because this configuration does not include isard-video:
```bash
firewall-cmd --add-forward-port=port=2022:proto=tcp:toport=22:toaddr=172.18.255.17
firewall-cmd --add-forward-port=port=5900-6899:proto=tcp:toport=5900-6899:toaddr=172.18.255.17
```
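The forward rules above hard-code 172.18.255.17 and are runtime-only. The script below is an added example, not IsardVDI's own code: it derives the rules for both the cloud and the standalone hypervisor layouts from DOCKER_NET, adds each one to the running firewall and again with --permanent, and checks that daemon.json no longer disables iptables. It assumes (the page does not say so) that the hypervisor container keeps the .17 host address inside DOCKER_NET, that isardvdi.conf carries a DOCKER_NET=... line, and that a DRY_RUN=1 environment variable should print the firewall-cmd invocations instead of running them.

```shell
#!/bin/sh
# Added example, not IsardVDI project code: build the firewalld forward-port
# rules for a remote isard-hypervisor from DOCKER_NET instead of hard-coding
# 172.18.255.17, and apply each rule both to the running firewall and with
# --permanent so it survives a firewalld restart.
# Assumptions (not stated by the page): the hypervisor container keeps the .17
# host address inside DOCKER_NET, isardvdi.conf has a DOCKER_NET=... line, and
# DRY_RUN=1 prints the firewall-cmd invocations instead of running them.
set -eu

# Read DOCKER_NET from isardvdi.conf; fall back to the page's default 172.18.255.
docker_net_from_conf() {
  conf=${1:-isardvdi.conf}
  net=
  if [ -r "$conf" ]; then
    net=$(sed -n 's/^DOCKER_NET=//p' "$conf" | tail -n 1 | tr -d '"')
  fi
  printf '%s\n' "${net:-172.18.255}"
}

# Print one forward-port spec per line for the deployment type:
#   cloud      -> docker-compose.hypervisor.yml: SSH only (2022 -> 22)
#   standalone -> docker-compose.hypervisor-standalone.yml: SSH plus the
#                 video range 5900-6899 (no isard-video container)
hv_forward_rules() {
  mode=$1
  hv="$2.17"
  case "$mode" in
    cloud)
      printf 'port=2022:proto=tcp:toport=22:toaddr=%s\n' "$hv" ;;
    standalone)
      printf 'port=2022:proto=tcp:toport=22:toaddr=%s\n' "$hv"
      printf 'port=5900-6899:proto=tcp:toport=5900-6899:toaddr=%s\n' "$hv" ;;
    *)
      echo "hv_forward_rules: unknown mode '$mode' (cloud|standalone)" >&2
      return 2 ;;
  esac
}

# Apply (or, with DRY_RUN=1, print) the rules for a mode. Each spec is added
# twice: once to the runtime firewall, once with --permanent.
apply_hv_forward_rules() {
  mode=$1
  net=${2:-$(docker_net_from_conf)}
  hv_forward_rules "$mode" "$net" >/dev/null || return $?
  hv_forward_rules "$mode" "$net" | while IFS= read -r spec; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf 'firewall-cmd --add-forward-port=%s\n' "$spec"
      printf 'firewall-cmd --permanent --add-forward-port=%s\n' "$spec"
    else
      firewall-cmd --add-forward-port="$spec"
      firewall-cmd --permanent --add-forward-port="$spec"
    fi
  done
}

# Return 0 unless /etc/docker/daemon.json (or the given file) still carries
# "iptables": false, the setting this migration has to undo. An absent file
# means docker's default, which is iptables enabled.
docker_iptables_enabled() {
  f=${1:-/etc/docker/daemon.json}
  [ -e "$f" ] || return 0
  ! grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$f"
}

# Usage: DRY_RUN=1 sh hv-forward.sh standalone [DOCKER_NET]
case "${1:-}" in
  cloud|standalone) apply_hv_forward_rules "$@" ;;
esac
```

Run it first with DRY_RUN=1 and compare the printed commands with the ones in this page; `docker_iptables_enabled` is a quick pre-flight check that the daemon.json step was actually done before docker is restarted.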