Scenario #33773

Updated by Gilles Grandgérard about 2 years ago

.h1 Objective:

Provide the ability to use Dockerized services on EOLE 2

.h1 To do:

* Create an eole-podman eole-docker package
** install docker-io from Ubuntu
** create a dictionary for the Docker configuration

* Manage the interaction of the iptables rules: docker / ERA & bastion

After a reconfigure, docker no longer works...

<pre>
root@dc1:~# iptables-save >iptable-save.apres-reconfigure
root@dc1:~# diff ip
iptable-save.apres-docker-install iptable-save.apres-reconfigure
root@dc1:~# diff iptable-save.apres-*
1c1
< # Generated by iptables-save v1.8.4 on Thu Feb 3 12:00:00 2022
---
> # Generated by iptables-save v1.8.4 on Thu Feb 3 12:01:24 2022
3,4c3,4
< :PREROUTING ACCEPT [530021:150489677]
< :INPUT ACCEPT [527308:150284980]
---
> :PREROUTING ACCEPT [2188:1108190]
> :INPUT ACCEPT [2188:1108190]
6,7c6,7
< :OUTPUT ACCEPT [519009:166176250]
< :POSTROUTING ACCEPT [519009:166176250]
---
> :OUTPUT ACCEPT [2188:1136298]
> :POSTROUTING ACCEPT [2188:1136298]
9,10c9,10
< # Completed on Thu Feb 3 12:00:00 2022
< # Generated by iptables-save v1.8.4 on Thu Feb 3 12:00:00 2022
---
> # Completed on Thu Feb 3 12:01:24 2022
> # Generated by iptables-save v1.8.4 on Thu Feb 3 12:01:24 2022
12,20c12,15
< :PREROUTING ACCEPT [12:939]
< :INPUT ACCEPT [11:710]
< :OUTPUT ACCEPT [68:4373]
< :POSTROUTING ACCEPT [68:4373]
< :DOCKER - [0:0]
< -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
< -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
< -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
< -A DOCKER -i docker0 -j RETURN
---
> :PREROUTING ACCEPT [7:419]
> :INPUT ACCEPT [7:419]
> :OUTPUT ACCEPT [196:13723]
> :POSTROUTING ACCEPT [196:13723]
22,23c17,18
< # Completed on Thu Feb 3 12:00:00 2022
< # Generated by iptables-save v1.8.4 on Thu Feb 3 12:00:00 2022
---
> # Completed on Thu Feb 3 12:01:24 2022
> # Generated by iptables-save v1.8.4 on Thu Feb 3 12:01:24 2022
27,31c22
< :OUTPUT ACCEPT [782:108358]
< :DOCKER - [0:0]
< :DOCKER-ISOLATION-STAGE-1 - [0:0]
< :DOCKER-ISOLATION-STAGE-2 - [0:0]
< :DOCKER-USER - [0:0]
---
> :OUTPUT ACCEPT [275:66373]
36,41d26
< -A FORWARD -j DOCKER-USER
< -A FORWARD -j DOCKER-ISOLATION-STAGE-1
< -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
< -A FORWARD -o docker0 -j DOCKER
< -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
< -A FORWARD -i docker0 -o docker0 -j ACCEPT
44,48d28
< -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
< -A DOCKER-ISOLATION-STAGE-1 -j RETURN
< -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
< -A DOCKER-ISOLATION-STAGE-2 -j RETURN
< -A DOCKER-USER -j RETURN
92c72
< # Completed on Thu Feb 3 12:00:00 2022
---
> # Completed on Thu Feb 3 12:01:24 2022
</pre>
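
A check for the state shown in the diff above, as an added example that is not part of the original ticket nor EOLE or Docker code: it reports which Docker chains and rules are absent from an @iptables-save@ dump. The function name is hypothetical, the expected entries are copied from the "before reconfigure" side of the diff, and the table names (nat, filter) are inferred because the diff omits the unchanged table header lines.

```sh
#!/bin/sh
# Added example (not EOLE or Docker code): list Docker-managed chains and rules
# that are absent from an iptables-save dump, per table.
# Expected entries come from the "before reconfigure" side of the diff; table
# names are an assumption, since the diff omits the "*nat"/"*filter" lines.

# missing_docker_rules DUMP -> prints "missing: ..." lines, returns 1 if any.
missing_docker_rules() {
    awk '
        NR == FNR { if ($0 != "") want[++n] = $0; next }  # expected list on stdin
        /^\*/     { table = substr($0, 2); next }          # table header line
        /^:/      { seen[table " " $1] = 1; next }         # chain declaration
        /^-A /    { seen[table " " $0] = 1 }               # rule
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "missing: " want[i]; rc = 1 }
            exit rc + 0
        }' - "$1" <<'EOF'
nat :DOCKER
nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
filter :DOCKER
filter :DOCKER-USER
filter :DOCKER-ISOLATION-STAGE-1
filter :DOCKER-ISOLATION-STAGE-2
filter -A FORWARD -j DOCKER-USER
filter -A FORWARD -j DOCKER-ISOLATION-STAGE-1
filter -A FORWARD -o docker0 -j DOCKER
EOF
}

# Constructed sample: a dump shaped like the post-reconfigure state above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*nat
:PREROUTING ACCEPT [7:419]
:POSTROUTING ACCEPT [196:13723]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [275:66373]
COMMIT
EOF
missing_docker_rules "$sample" || echo "Docker firewall rules are missing"
rm -f "$sample"
```

On a live host the dump would come from @iptables-save@ written to a file, as in the session above, taken right after the reconfigure.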

.h1 Verification

* instance reconfigure -> ok
* add a docker web service --> available
* reconfigure -> ok
* the service is still available.
