perfsonar-user - Re: [perfsonar-user] testpoint docker image firewall rules for

Subject: perfSONAR User Q&A and Other Discussion

  • From: Johann Hugo <>
  • To: Mark Feit <>
  • Cc: "" <>
  • Subject: Re: [perfsonar-user] testpoint docker image firewall rules for
  • Date: Thu, 9 Feb 2023 12:51:04 +0200

Mark Feit writes:

One other option is to piggyback the container directly onto an outside interface with Docker’s macvlan network driver.  The container includes the perfsonar-toolkit-security package, so it’s already properly-firewalled internally.

This is the same as my setup. I'm using Docker's macvlan network driver on a second 100g interface with its own IP address.

perfsonar-toolkit-security is installed
[root@ps-100-100g /]# yum list installed | grep perfsonar-toolkit-security
perfsonar-toolkit-security.noarch          4.4.6-1.el7                @perfSONAR

But the firewall rules are missing, until I run the configure_firewall install script manually inside the container
Before:
[root@ps-100-100g /]# firewall-cmd --list-ports

[root@ps-100-100g /]# /usr/lib/perfsonar/scripts/configure_firewall install
Adding perfSONAR firewall rules
After:
[root@ps-100-100g /]# firewall-cmd --list-ports
8760-9960/udp 8760-9960/tcp 18760-19960/udp 18760-19960/tcp 5201/tcp 5201/udp 5001/tcp 5001/udp 5000/tcp 5101/tcp 5000/udp 5101/udp 5890-5900/tcp

Sounds like it's supposed to load the rules automatically. Any way to debug it? What logs should I scan?

Johann


On Fri, Feb 3, 2023 at 6:58 PM Mark Feit <> wrote:

Johann Hugo writes:

I would like to run this script automatically when starting the container (with docker-compose)

/usr/lib/perfsonar/scripts/configure_firewall install

Where is the best place to do it ?

As far as I know, Docker Compose doesn't have hooks to run programs on the host when containers are started.  I suspect that has to do with running on multiple OSes, which prevents them from guaranteeing consistent behavior across all of them.  The only reliable way to achieve that would be to wrap both actions in a script that does both and run that instead of Docker Compose, but that causes logistical problems if you want to keep the host systems free of container-specific code.

One other option is to piggyback the container directly onto an outside interface with Docker's macvlan network driver.  The container includes the perfsonar-toolkit-security package, so it's already properly-firewalled internally.  We're doing this at Internet2 on our internal 100 Gb/s systems and the drag on performance is essentially zero compared to bare metal on the same hardware.

--Mark

--
SANReN Engineer
South African National Research Network (SANReN)
National Integrated Cyber Infrastructure System (NICIS)
CSIR NextGen Enterprises and Institutions Cluster

Office: 012 841 2066
Email:
Website: www.sanren.ac.za / www.csir.co.za
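The check Johann performs by hand in the message above (list the ports, run `configure_firewall install`, list the ports again), written as a script that can be run from inside the container at start-up. This is an added example, not code from the thread or from the perfSONAR packages. It assumes the script path `/usr/lib/perfsonar/scripts/configure_firewall` and the port list shown in the thread's "After:" output, that firewalld and `firewall-cmd` exist inside the container, and a made-up 30-second wait for firewalld to come up; the `ps_*` function names are invented here.

```shell
#!/bin/sh
# Added example (not perfSONAR project code): make sure the perfSONAR
# firewalld port rules are present inside the testpoint container, and run
# configure_firewall install only when they are missing.
# Assumptions: firewalld/firewall-cmd are in the container, and the script
# path and expected port list below are taken from the mailing-list thread.

# Port specs as shown by `firewall-cmd --list-ports` after a successful install
# (copied from the thread; treated here as the expected rule set).
PS_EXPECTED_PORTS="8760-9960/udp 8760-9960/tcp 18760-19960/udp 18760-19960/tcp 5201/tcp 5201/udp 5001/tcp 5001/udp 5000/tcp 5101/tcp 5000/udp 5101/udp 5890-5900/tcp"

# ps_missing_ports LISTED
#   LISTED is the space-separated output of `firewall-cmd --list-ports`.
#   Prints one line per expected port spec that does not appear in LISTED.
ps_missing_ports() {
    _listed=" $1 "
    for _p in $PS_EXPECTED_PORTS; do
        case "$_listed" in
            *" $_p "*) ;;                 # present, nothing to report
            *) printf '%s\n' "$_p" ;;     # absent
        esac
    done
}

# ps_missing_count LISTED -> number of missing specs; 0 means rules are loaded.
ps_missing_count() {
    ps_missing_ports "$1" | wc -l | tr -d ' '
}

# ps_ensure_firewall
#   Wait (hypothetical 30 s limit) for firewalld, install the perfSONAR rules
#   if any expected port is missing, then re-check. Returns 0 only when the
#   full rule set is present afterwards.
ps_ensure_firewall() {
    _tries=0
    until firewall-cmd --state >/dev/null 2>&1; do
        _tries=$((_tries + 1))
        if [ "$_tries" -ge 30 ]; then
            echo "firewalld is not running in this container" >&2
            return 1
        fi
        sleep 1
    done

    _listed=$(firewall-cmd --list-ports)
    if [ "$(ps_missing_count "$_listed")" -ne 0 ]; then
        echo "perfSONAR rules missing, running configure_firewall install" >&2
        /usr/lib/perfsonar/scripts/configure_firewall install || return 1
        _listed=$(firewall-cmd --list-ports)
    fi

    if [ "$(ps_missing_count "$_listed")" -ne 0 ]; then
        echo "still missing after install:" >&2
        ps_missing_ports "$_listed" >&2
        return 1
    fi
    return 0
}

# Only touch firewalld when invoked with "run", so the file can also be
# sourced (e.g. for the pure-string checks above) without side effects.
if [ "${1:-}" = "run" ]; then
    ps_ensure_firewall
fi
```

Invoke it with `sh ps_firewall_check.sh run` from the container's own entrypoint wrapper, or after start-up with `docker compose exec <service> sh /path/to/ps_firewall_check.sh run`; a non-zero exit tells you which specs are still absent. If `firewall-cmd --state` never succeeds, the thing to debug is firewalld itself rather than the perfSONAR script: check firewalld's own log inside the container (its journal, where the container runs systemd), and confirm the container has CAP_NET_ADMIN, since without it firewalld cannot program netfilter at all.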



