Solving docker networking container issues by turning iptables back on but using ufw after.rules that allow ufw to retain blocking ability. Works on Redis, now to move to mongo.

2025-04-13 09:42:01 +00:00 · 2021-12-15 13:33:55 -05:00 · 2021-12-15 13:33:55 -05:00 · 089161b20f
commit 089161b20f
parent d2100e02f9
5 changed files with 52 additions and 5 deletions
--- a/ansible/roles/docker/templates/daemon.json
+++ b/ansible/roles/docker/templates/daemon.json
@ -1,3 +1,3 @@
 {
-    "iptables": false
+    
 }
--- a/ansible/roles/mongo/templates/consul_service.analytics.json
+++ b/ansible/roles/mongo/templates/consul_service.analytics.json
@ -8,7 +8,7 @@
        "port": 27017,
        "checks": [{
            "id": "mongo-analytics-ping",
-            "http": "http://{{ ansible_ssh_host }}:5579/db_check/mongo_analytics?consul=1,
+            "http": "http://{{ ansible_ssh_host }}:5579/db_check/mongo_analytics?consul=1",
            "interval": "15s"
        }]
    }
--- a/ansible/roles/redis/tasks/main.yml
+++ b/ansible/roles/redis/tasks/main.yml
@ -1,4 +1,8 @@
 ---
+- name: Add a vm.overcommit_memory setting at the end of the sysctl.conf
+  become: yes
+  sysctl: name=vm.overcommit_memory value=1 state=present reload=yes
+
 - name: Template redis_replica.conf file
  template:
    src: /srv/newsblur/docker/redis/redis_replica.conf.j2
@ -8,15 +12,14 @@

 - name: Turning off secondary for redis by deleting redis_replica.conf
  copy:
-    path: /srv/newsblur/docker/redis/redis_replica.conf
+    dest: /srv/newsblur/docker/redis/redis_replica.conf
    content: ""
  tags:
    # - never
    - replicaofnoone

 - name: Setting Redis REPLICAOF NO ONE
-  shell:
-    command: docker exec redis redis-cli REPLICAOF NO ONE
+  shell: docker exec redis redis-cli REPLICAOF NO ONE
  tags:
    # - never
    - replicaofnoone
--- a/ansible/roles/ufw/handlers/main.yml
+++ b/ansible/roles/ufw/handlers/main.yml
@ -0,0 +1,6 @@
+---
+- name: restart ufw
+  become: yes
+  service:
+    name: ufw
+    state: restarted
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
@ -50,6 +50,7 @@
  become: yes
  ufw:
    rule: allow
+    route: yes
    src: '{{ item }}'
  with_items: "{{ groups['NewsBlur_Docker'] | map('extract', hostvars, ['ansible_host']) }}"
  when: "'oldandnew' not in groups"
@ -57,6 +58,43 @@
    - firewall
    - ufw

+# Code from https://stackoverflow.com/a/51741599/8717: "What is the best practice of docker + ufw under Ubuntu"
+- name: Solving UFW and Docker issues by adding ufw after.rules
+  become: yes
+  blockinfile:
+    dest: /etc/ufw/after.rules
+    state: present
+    block: |
+      # BEGIN UFW AND DOCKER
+      *filter
+      :ufw-user-forward - [0:0]
+      :ufw-docker-logging-deny - [0:0]
+      :DOCKER-USER - [0:0]
+      -A DOCKER-USER -j ufw-user-forward
+
+      -A DOCKER-USER -j RETURN -s 10.0.0.0/8
+      -A DOCKER-USER -j RETURN -s 172.16.0.0/12
+      -A DOCKER-USER -j RETURN -s 192.168.0.0/16
+
+      -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
+
+      -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
+      -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
+      -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
+      -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
+      -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
+      -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
+
+      -A DOCKER-USER -j RETURN
+
+      -A ufw-docker-logging-deny -j LOG --log-prefix "[UFW DOCKER BLOCK] "
+      -A ufw-docker-logging-deny -j DROP
+
+      COMMIT
+      # END UFW AND DOCKER
+  tags: docker
+  notify: restart ufw
+
 - name: Start ufw
  become: yes
  ufw: state=enabled