Firewall Configuration
Configuration requirements
The Docker overlay network technology is a Software Defined Network (SDN) system which allows arbitrary networks to be defined between Docker containers.
To accomplish this, it maintains a database of the hosts on which each network is available, and multiplexes the network traffic of the Docker containers over a single network connection between these hosts. It can also encrypt the tunneled (application) data.
All management communication between the hosts of the Docker Swarm (the cluster, or the federation in the case of the MIP) is TLS encrypted. The certificates are managed automatically and regenerated every 30 minutes by default.
The following ports and protocols must be open for the Docker Swarm overlay network to function properly:
On all Docker hosts which are part of the Swarm (federation):
- TCP: 7946
- UDP: 7946
- UDP: 4789
- Protocol 50 (ESP)
Only on the Docker manager hosts of the Swarm (federation):
- TCP: 2377
UFW Configuration for the MIP
The following commands configure and then enable the firewall on Ubuntu, with the minimum ports required for the federation networks.
Specific public services provided by the MIP to the end-users will require their own configuration to be added.
Check the status of UFW:
$ sudo ufw status
Status: inactive

Allow SSH access:
$ sudo ufw allow ssh
Rules updated
Rules updated (v6)

Docker Swarm ports:
$ sudo ufw allow 7946/tcp
$ sudo ufw allow 7946/udp
$ sudo ufw allow 4789/udp
$ sudo ufw allow proto esp from any to any
Rules updated
Rules updated (v6)

Docker Swarm ports for manager nodes
The following is required only on the Docker Swarm manager computers.
$ sudo ufw allow 2377/tcp
Rules updated
Rules updated (v6)

Enable UFW to enforce the rules:
$ sudo ufw enable

Check the status
The example below has been executed on a worker node of the federation.
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
7946/tcp                   ALLOW       Anywhere
7946/udp                   ALLOW       Anywhere
4789/udp                   ALLOW       Anywhere
Anywhere/esp               ALLOW       Anywhere/esp
22 (v6)                    ALLOW       Anywhere (v6)
7946/tcp (v6)              ALLOW       Anywhere (v6)
7946/udp (v6)              ALLOW       Anywhere (v6)
4789/udp (v6)              ALLOW       Anywhere (v6)
Anywhere/esp (v6)          ALLOW       Anywhere/esp (v6)
Firewalld Configuration for the MIP
On Red Hat Enterprise Linux, use the Firewalld service definition files docker-swarm-worker.xml and docker-swarm-master.xml available in the same folder as this file. The following commands configure and then enable the firewall on RHEL, with the minimum ports required for the federation networks.
Specific public services provided by the MIP to the end-users will require their own configuration to be added.
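For reference, this is what a firewalld service definition for a worker node looks like. It is an added example written in the firewalld service XML format, not the project's own docker-swarm-worker.xml, and it assumes that file opens exactly the worker ports listed under Configuration requirements (the manager definition would add 2377/tcp).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example docker-swarm-worker.xml (constructed for illustration, not the
     project's own file). Copy it to /etc/firewalld/services/ and enable it with
     firewall-cmd (permanent) --add-service=docker-swarm-worker, then reload. -->
<service>
  <short>docker-swarm-worker</short>
  <description>Docker Swarm overlay network ports required on every node of the federation (worker and manager).</description>
  <!-- Cluster membership and network database exchanged between the hosts -->
  <port protocol="tcp" port="7946"/>
  <port protocol="udp" port="7946"/>
  <!-- VXLAN data plane carrying the multiplexed container traffic -->
  <port protocol="udp" port="4789"/>
  <!-- IP protocol 50 (ESP) used when overlay network encryption is enabled -->
  <protocol value="esp"/>
  <!-- The manager definition (docker-swarm-manager) additionally contains the
       cluster management port: <port protocol="tcp" port="2377"/> -->
</service>
```

The firewalld service only declares which ports are reachable; it does not restrict the source, so limit the source addresses with a zone or rich rule if the federation hosts share a network with untrusted machines.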
Check the status of Firewalld:
$ sudo firewall-cmd --state
running
$ sudo firewall-cmd --list-services
ssh dhcpv6-client
$ sudo firewall-cmd --info-service=ssh
ssh
  ports: 22/tcp
  protocols:
  source-ports:
  modules:
  destination:
If needed, enable firewalld at boot and start it now:
$ sudo systemctl enable firewalld.service
$ sudo systemctl start firewalld.service
Docker Swarm ports
Do one of the following, assuming you are in the folder containing this file. This installs the service profile and activates it permanently.
- For worker nodes:
$ sudo cp docker-swarm-worker.xml /etc/firewalld/services/
$ sudo firewall-cmd --permanent --add-service=docker-swarm-worker
success
- For manager nodes:
$ sudo cp docker-swarm-manager.xml /etc/firewalld/services/
$ sudo firewall-cmd --permanent --add-service=docker-swarm-manager
success
Reload the firewall configuration:
$ sudo firewall-cmd --reload
success
Check the status
- For worker nodes:
$ sudo firewall-cmd --info-service=docker-swarm-worker
- For manager nodes:
$ sudo firewall-cmd --info-service=docker-swarm-manager