#6317 Figure out how to get base iptables roles and docker to play nice
Closed: Fixed 6 years ago Opened 6 years ago by tflink.

With the current base role, iptables is reconfigured on every ansible run which stomps on the iptables config bits that the docker daemon sets up to let port forwarding work with containers.

For now, the solution is to set "baseiptables: false" for the machine(s) in question, but a better solution would be appreciated.


@puiterwijk asked to be cc'd on this ticket

I added a rule to the iptables configuration on the host in question (upstreamfirst.fedorainfracloud.org) so that the docker container can access the postgres db on the host:

-A INPUT -p tcp -m tcp --dport 5432 -i docker0 -j ACCEPT

I don't think we really have any better answer here...

If you do set baseiptables false, you can still use the ansible iptables module to insert rules as needed.

I wonder: Can we/should we restart docker after we reload iptables? I'm not sure if that causes a service outage, or just does the right thing. Anyone know?

@kevin Normally, restarting the docker daemon kills all containers. But since 1.12, you can disable that behavior by putting in a json file: https://docs.docker.com/engine/admin/live-restore/.
I'd say, let's put in that json file, and just do docker condrestart.
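As an added example (not code from this ticket or from the Fedora infrastructure ansible repo), here is a small Python check for the two things the thread settles on: that a ruleset dumped by iptables-save still carries docker's DOCKER chain and the docker0 -> postgres rule posted above, and that daemon.json enables live-restore so a condrestart does not kill containers. The rulesets and daemon.json text are constructed samples, not captures from the host in the ticket.

```python
import json
import shlex

# The rule added by hand on the host in the ticket.
POSTGRES_FROM_DOCKER0 = "-A INPUT -p tcp -m tcp --dport 5432 -i docker0 -j ACCEPT"

# Constructed: ruleset after a static base-role file is restored over a running
# docker daemon. Docker's chains and jumps are gone; only host rules remain.
RULES_AFTER_BASE_ROLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed: healthy ruleset. iptables-save prints the ticket's rule with its
# options in canonical order (-i before -p), so rules are compared parsed, not raw.
RULES_HEALTHY = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
COMMIT
"""


def parse_rule(line):
    """Turn '-A CHAIN -opt val ...' into an order-independent set of (flag, value)."""
    tokens = shlex.split(line)
    pairs, i = [], 0
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        pairs.append((tokens[i], tokens[i + 1] if has_value else ""))
        i += 2 if has_value else 1
    return frozenset(pairs)


def audit_ruleset(save_output, required_rules=(POSTGRES_FROM_DOCKER0,)):
    """Return the problems found: missing DOCKER chain, missing required rules."""
    lines = save_output.splitlines()
    chains = {l.split()[0][1:] for l in lines if l.startswith(":")}
    rules = {parse_rule(l) for l in lines if l.startswith("-A ")}
    problems = []
    if "DOCKER" not in chains:
        problems.append("DOCKER chain missing: docker port forwarding rules were flushed")
    problems += ["required rule missing: " + r for r in required_rules
                 if parse_rule(r) not in rules]
    return problems


def live_restore_enabled(daemon_json_text):
    """True if daemon.json sets live-restore (docker >= 1.12), so restarting
    the daemon leaves running containers alive."""
    try:
        return json.loads(daemon_json_text).get("live-restore") is True
    except json.JSONDecodeError:
        return False
```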

Done. I pushed this to our proxies.


Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago
