Docker Manager and Dome9 Agent Issues


(Jamie Lormand) #1

While the Dome9 agent is running the Docker Manager never gets beyond the “Checking for new version…” stage. It just sits there. The Dome9 config doesn’t currently block any outgoing ports, just incoming ones. With all of the incoming ports opened to all IPs it was still stuck. So, I turned the agent off completely and it worked just fine. As soon as the agent was back on it went back to being stuck.

Does anyone know what might be causing this? Do I need to explicitly set permissions on some port Docker Manager may be using, or is this possibly a conflict between the two?
Is there an error log that the Docker Manager writes to that I might be able to check to shed light on this?


(Sam Saffron) #2

What is this Dome9 agent you are talking about? I am not following at all.


(Jamie Lormand) #3

My apologies. It’s an agent that runs on the server and manages IP firewall rules. It’s helpful in that you can use a block-all policy for the most part and then grant timed, on-demand, IP-specific access to SSH, for example, with one click in their various apps.

This is their site if you’re interested: Dome9


(Jens Maier) #4

Since the docker manager runs inside the container, the host’s INPUT and OUTPUT firewall chains are irrelevant. Check the nat and mangle tables (i.e. iptables -t nat -L -v) and the filter table’s FORWARD chain (iptables -L FORWARD -v) for additional rules created by this Dome9 agent…


(Jamie Lormand) #5

Thanks for the reply. I got the following from the two commands you referenced.

From iptables -t nat -L -v I get this:

Chain PREROUTING (policy ACCEPT 292 packets, 15473 bytes)
 pkts bytes target     prot opt in     out     source               destination
  256 13265 DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 232 packets, 12020 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2374 packets, 143K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  any    any     anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 2374 packets, 143K bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   696 MASQUERADE  all  --  any    any     172.17.0.0/16       !172.17.0.0/16

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination

And from iptables -L FORWARD -v I get this:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

(Jens Maier) #6

Hm, stab in the dark… try this: with Dome9 running, run:
echo 1 >/proc/sys/net/ipv4/ip_forward ; iptables -P FORWARD ACCEPT


(Jamie Lormand) #7

Sweet, that worked. Not sure what you had me do but thanks for having me do it :smiley:


(Jens Maier) #8

Well…

Docker containers are almost, but not quite, entirely unlike virtual machines such as VirtualBox or VMWare. Explaining the differences would be hard without diagrams, but the takeaway is that just like virtual machines, containers have their own virtual network card that the rest of the world doesn’t know or care about.

In order to get data into or out of a container via the network, the host must act as a router and take data packets from the real wire and stuff them into a virtual wire that goes into the container. Routing in Linux is controlled by two things: first, the /proc/sys/net/ipv4/ip_forward file, which tells the kernel whether any routing is done at all, and second the firewall, which can filter routed packets on more fine-grained criteria.

The command line I gave you is actually two commands: one writes a 1 into the ip_forward file and thus enables routing in general, the second changes the firewall rules and sets the default policy for routed packets to be accepted (i.e. forwarded).

This is a bit of a hack, to be honest. When you reboot the machine, these settings will be gone. Long term, you’ll either have to get rid of Dome9 or configure it to allow routing into the Docker containers – but that’s a question you’d better ask their support instead of here. :wink:
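
The two prerequisites Jens describes (the kernel’s ip_forward switch and a FORWARD chain that does not drop everything), plus the nat-table MASQUERADE rule he asked to be checked in #4, can be verified in one go. The script below is an added example, not code from this thread, from Docker or from Dome9; it reads the kernel setting and saved copies of the iptables output from files so it can be run offline against pasted output like Jamie’s, or live with --live. The function and file names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Docker/Dome9: checks the
# host-side prerequisites for routing traffic into containers (ip_forward on,
# FORWARD chain not dropping everything, NAT masquerade present) against saved
# copies of the kernel setting and iptables output, so it runs offline or live.

# forward_policy CHAIN_FILE
#   Prints the default policy (ACCEPT/DROP) from the
#   "Chain FORWARD (policy X ...)" header of `iptables -L FORWARD -v` output.
forward_policy() {
    sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p' "$1"
}

# rule_count CHAIN_FILE
#   Number of rule lines after the two header lines (chain header, column header).
rule_count() {
    awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# check_forwarding IP_FORWARD_FILE FORWARD_CHAIN_FILE NAT_TABLE_FILE
#   IP_FORWARD_FILE    : file holding "0" or "1" (normally /proc/sys/net/ipv4/ip_forward)
#   FORWARD_CHAIN_FILE : output of `iptables -L FORWARD -v`
#   NAT_TABLE_FILE     : output of `iptables -t nat -L -v`
#   Prints one line per problem found; returns 0 when all three look fine, 1 otherwise.
check_forwarding() {
    ipfwd_file=$1; chain_file=$2; nat_file=$3
    rc=0

    # 1. Kernel routing switch: with 0 no packet is forwarded, whatever the firewall says.
    if [ "$(tr -d '[:space:]' < "$ipfwd_file")" != "1" ]; then
        echo "ip_forward is 0: kernel will not route packets into containers"
        rc=1
    fi

    # 2. Filter-table FORWARD chain. Docker normally inserts its own ACCEPT rules here;
    #    a DROP policy with an empty chain (what Jamie posted) discards every forwarded packet.
    if [ "$(forward_policy "$chain_file")" = "DROP" ] && [ "$(rule_count "$chain_file")" -eq 0 ]; then
        echo "FORWARD policy is DROP with no rules: container traffic is dropped"
        rc=1
    fi

    # 3. NAT table: the MASQUERADE rule in POSTROUTING lets container traffic leave via
    #    the host's address. Jamie's nat output had it, so this check would pass for him.
    if ! grep -q 'MASQUERADE' "$nat_file"; then
        echo "no MASQUERADE rule in nat table: containers cannot reach the outside"
        rc=1
    fi
    return $rc
}

# Live use on a host (iptables needs root):  sh check_forwarding.sh --live
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp -d)
    iptables -L FORWARD -v > "$tmp/forward"
    iptables -t nat -L -v > "$tmp/nat"
    if check_forwarding /proc/sys/net/ipv4/ip_forward "$tmp/forward" "$tmp/nat"; then
        echo "routing into containers looks OK"
    fi
    rm -rf "$tmp"
fi
```

Run against Jamie’s pasted output (ip_forward 0, FORWARD policy DROP with no rules) it reports both the kernel switch and the empty DROP chain, which is exactly what Jens’s two commands fixed. To make the ip_forward half survive a reboot, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf or a file under /etc/sysctl.d/; the FORWARD policy is whatever Dome9 rewrites, so, as Jens says, that part has to be settled with them.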


(Jamie Lormand) #9

OK, I’ll look into a more permanent solution then. I would think there’s a way to set Dome9 to allow for this, so I’ll start there. I appreciate the help and the helpful explanation. Now that I have a better idea of what the problem is I should be able to work out how to fix it.