Firewall and custom bridge network

Hello, I have a problem: one container can't network with another in one LAN segment (on one network bridge interface).

I think it's the firewall: it blocks the network connections of containers to each other. I ask for help with configuring the system so that docker-compose works correctly.

If I add the created custom interfaces to the trusted ones for the firewall, then when I turn it off and on again (docker-compose up/down) new interfaces appear with a new NETWORK ID, and I want to configure the firewall so that it does not block the network inside docker and on the custom bridge interfaces.

@centos8 premiererp]$ sudo firewall-cmd --get-active-zones

public
interfaces: eth0

trusted
interfaces: docker0

@centos8]$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-08-26 11:06:06 MSK; 30min ago
Docs: man:firewalld(1)
Main PID: 55391 (firewalld)
Tasks: 3 (limit: 10702)
Memory: 28.7M
CGroup: /system.slice/firewalld.service
└─55391 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

авг 26 11:08:01 centos8.localdomain firewalld[55391]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-749e03>
авг 26 11:08:02 centos8.localdomain firewalld[55391]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-0550de>
авг 26 11:08:02 centos8.localdomain firewalld[55391]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-160f9b>
авг 26 11:08:02 centos8.localdomain firewalld[55391]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-17954d>
авг 26 11:08:02 centos8.localdomain firewalld[55391]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-b16ec0>
авг 26 11:08:02 centos8.localdomain firewalld[55391]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-18f89b>
авг 26 11:08:02 centos8.localdomain firewalld[55391]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-2075f5>
авг 26 11:08:02 centos8.localdomain firewalld[55391]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-28fdea>
авг 26 11:26:29 centos8.localdomain firewalld[55391]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-ffbcbf>
авг 26 11:26:30 centos8.localdomain firewalld[55391]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-8a6973>

docker network ls

NETWORK ID       NAME       DRIVER   SCOPE
269d57ac0558     bridge     bridge   local
2591712e9906     host       host     local
19eeb3d6aeae     none       null     local
ffbcbf0aad7b     backend    bridge   local
8a6973abb890     frontend   bridge   local

CentOS 8 (minimal)

docker 19.03.12

From Docker Hub:
PostgreSQL 12.4-alpine
hasura/graphql-engine v1.3.1

After docker-compose up:

hasura | {"internal":"could not connect to server: No route to host\n\tIs the server running on host "postgres" (192.168.16.2) and accepting\n\tTCP/IP connections on port 5432?\n","path":"$","error":"connection error","code":"postgres-error"}

hasura exited with code 1

I can connect from another computer to the postgres DB over pgAdmin4 using the outside IP, port 5432, and the user and pwd from the docker-compose.yml file. I inspected the docker network backend and see the IPs of postgres and hasura on one bridge interface in one LAN segment. I got the images by docker pull.

docker-compose.yml:

version: "3.8"

services:
  postgres:
    container_name: postgres
    restart: unless-stopped
    image: postgres:12.4-alpine
    ports:
      - 5432:5432
    networks:
      - backend
    volumes:
      - db-data:/docker/db/data
    environment:
      - POSTGRES_USER=myuser
      - POSTGRES_PASSWORD=mypwd
      - POSTGRES_DB=mydb

  hasura:
    container_name: hasura
    restart: always
    image: hasura/graphql-engine:v1.3.1
    ports:
      - 8080:8080
    networks:
      - backend
    depends_on:
      - postgres
    environment:
      HASURA_GRAPHQL_DATABASE_URL: postgres://myuser:mypwd@postgres:5432/mydb
      HASURA_GRAPHQL_ENABLE_CONSOLE: "true" # set to "false" to disable console
      ## uncomment next line to set an admin secret
      # HASURA_GRAPHQL_ADMIN_SECRET: myadminsecretkey

  nodejs:
    container_name: nodejs
    restart: unless-stopped
    image: node:14.8.0-alpine3.12
    ports:
      - "3000:3000"
    networks:
      - frontend
    volumes:
      - ./docker/app/mydb:/app

  nginx:
    container_name: nginx
    image: nginx:1.19.2-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    networks:
      - frontend
    depends_on:
      - nodejs
    volumes:
      - /docker/nginx:/nginx

networks:
  frontend:
  backend:

volumes:
  db-data:

Full log from the console (I changed my user name/pwd; I verified the username, pwd, dbname and the other variables):

[adm@centos8 myapp]$ docker-compose up
Creating network "backend" with the default driver
Creating network "frontend" with the default driver
WARNING: Found orphan containers (nodejs) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
Creating nginx … done
Creating postgres … done
Creating hasura … done
Attaching to nginx, postgres, hasura
nginx | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
nginx | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
nginx | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
nginx | 10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
nginx | 10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
nginx | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
nginx | /docker-entrypoint.sh: Configuration complete; ready for start up
postgres | The files belonging to this database system will be owned by user "postgres".
postgres | This user must also own the server process.
postgres |
postgres | The database cluster will be initialized with locale "en_US.utf8".
postgres | The default database encoding has accordingly been set to "UTF8".
postgres | The default text search configuration will be set to "english".
postgres |
postgres | Data page checksums are disabled.
postgres |
postgres | fixing permissions on existing directory /var/lib/postgresql/data … ok
postgres | creating subdirectories … ok
postgres | selecting dynamic shared memory implementation … posix
postgres | selecting default max_connections … 100
postgres | selecting default shared_buffers … 128MB
postgres | selecting default time zone … UTC
postgres | creating configuration files … ok
postgres | running bootstrap script … ok
postgres | performing post-bootstrap initialization … sh: locale: not found
postgres | 2020-08-25 14:24:46.778 UTC [29] WARNING: no usable system locales were found
postgres | ok
hasura | {"type":"startup","timestamp":"2020-08-25T14:24:50.182+0000","level":"info","detail":{"kind":"server_configuration","info":{"live_query_options":{"batch_size":100,"refetch_delay":1},"transaction_isolation":"ISOLATION LEVEL READ COMMITTED","plan_cache_options":{"plan_cache_size":4000},"enabled_log_types":["http-log","websocket-log","startup","webhook-log"],"server_host":"HostAny","enable_allowlist":false,"log_level":"info","auth_hook_mode":null,"use_prepared_statements":true,"unauth_role":null,"stringify_numeric_types":false,"enabled_apis":["metadata","graphql","config","pgdump"],"enable_telemetry":true,"enable_console":true,"auth_hook":null,"jwt_secret":null,"cors_config":{"allowed_origins":"*","disabled":false,"ws_read_cookie":null},"console_assets_dir":null,"admin_secret_set":false,"port":8080}}}
hasura | {"type":"startup","timestamp":"2020-08-25T14:24:50.182+0000","level":"info","detail":{"kind":"postgres_connection","info":{"retries":1,"database_url":"postgres://myuser:…@postgres:5432/mydb"}}}
postgres | syncing data to disk … ok
postgres |
postgres |
postgres | Success. You can now start the database server using:
postgres |
postgres | pg_ctl -D /var/lib/postgresql/data -l logfile start
postgres |
postgres | initdb: warning: enabling "trust" authentication for local connections
postgres | You can change this by editing pg_hba.conf or using the option -A, or
postgres | --auth-local and --auth-host, the next time you run initdb.
postgres | waiting for server to start…2020-08-25 14:24:50.916 UTC [34] LOG: starting PostgreSQL 12.4 on x86_64-pc-linux-musl, compiled by gcc (Alpine 9.3.0) 9.3.0, 64-bit
postgres | 2020-08-25 14:24:50.960 UTC [34] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
postgres | 2020-08-25 14:24:51.137 UTC [35] LOG: database system was shut down at 2020-08-25 14:24:47 UTC
postgres | 2020-08-25 14:24:51.179 UTC [34] LOG: database system is ready to accept connections
postgres | done
postgres | server started
hasura | {"type":"pg-client","timestamp":"2020-08-25T14:24:51.238+0000","level":"warn","detail":{"message":"postgres connection failed, retrying(0)."}}
hasura | {"type":"pg-client","timestamp":"2020-08-25T14:24:52.391+0000","level":"warn","detail":{"message":"postgres connection failed, retrying(1)."}}
hasura | {"type":"startup","timestamp":"2020-08-25T14:24:52.391+0000","level":"error","detail":{"kind":"catalog_migrate","info":{"internal":"could not connect to server: No route to host\n\tIs the server running on host "postgres" (192.168.16.2) and accepting\n\tTCP/IP connections on port 5432?\n","path":"$","error":"connection error","code":"postgres-error"}}}
hasura | {"internal":"could not connect to server: No route to host\n\tIs the server running on host "postgres" (192.168.16.2) and accepting\n\tTCP/IP connections on port 5432?\n","path":"$","error":"connection error","code":"postgres-error"}
postgres | CREATE DATABASE
postgres |
postgres |
postgres | /usr/local/bin/docker-entrypoint.sh: ignoring /docker-entrypoint-initdb.d/*
postgres |
postgres | waiting for server to shut down…2020-08-25 14:24:52.650 UTC [34] LOG: received fast shutdown request
postgres | 2020-08-25 14:24:52.692 UTC [34] LOG: aborting any active transactions
postgres | 2020-08-25 14:24:52.695 UTC [34] LOG: background worker "logical replication launcher" (PID 41) exited with exit code 1
postgres | 2020-08-25 14:24:52.695 UTC [36] LOG: shutting down
postgres | 2020-08-25 14:24:53.375 UTC [34] LOG: database system is shut down
postgres | done
postgres | server stopped
postgres |
postgres | PostgreSQL init process complete; ready for start up.
postgres |
postgres | 2020-08-25 14:24:53.547 UTC [1] LOG: starting PostgreSQL 12.4 on x86_64-pc-linux-musl, compiled by gcc (Alpine 9.3.0) 9.3.0, 64-bit
postgres | 2020-08-25 14:24:53.547 UTC [1] LOG: listening on IPv4 address "0.0.0.0", port 5432
postgres | 2020-08-25 14:24:53.547 UTC [1] LOG: listening on IPv6 address "::", port 5432
postgres | 2020-08-25 14:24:53.730 UTC [1] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
postgres | 2020-08-25 14:24:53.963 UTC [45] LOG: database system was shut down at 2020-08-25 14:24:53 UTC
postgres | 2020-08-25 14:24:54.070 UTC [1] LOG: database system is ready to accept connections
hasura | {"type":"startup","timestamp":"2020-08-25T14:24:56.661+0000","level":"info","detail":{"kind":"server_configuration","info":{"live_query_options":{"batch_size":100,"refetch_delay":1},"transaction_isolation":"ISOLATION LEVEL READ COMMITTED","plan_cache_options":{"plan_cache_size":4000},"enabled_log_types":["http-log","websocket-log","startup","webhook-log"],"server_host":"HostAny","enable_allowlist":false,"log_level":"info","auth_hook_mode":null,"use_prepared_statements":true,"unauth_role":null,"stringify_numeric_types":false,"enabled_apis":["metadata","graphql","config","pgdump"],"enable_telemetry":true,"enable_console":true,"auth_hook":null,"jwt_secret":null,"cors_config":{"allowed_origins":"*","disabled":false,"ws_read_cookie":null},"console_assets_dir":null,"admin_secret_set":false,"port":8080}}}
hasura | {"type":"startup","timestamp":"2020-08-25T14:24:56.661+0000","level":"info","detail":{"kind":"postgres_connection","info":{"retries":1,"database_url":"postgres://myuser:…@postgres:5432/mydb"}}}
hasura | {"type":"pg-client","timestamp":"2020-08-25T14:24:57.702+0000","level":"warn","detail":{"message":"postgres connection failed, retrying(0)."}}
hasura | {"type":"pg-client","timestamp":"2020-08-25T14:24:58.854+0000","level":"warn","detail":{"message":"postgres connection failed, retrying(1)."}}
hasura | {"type":"startup","timestamp":"2020-08-25T14:24:58.854+0000","level":"error","detail":{"kind":"catalog_migrate","info":{"internal":"could not connect to server: No route to host\n\tIs the server running on host "postgres" (192.168.16.2) and accepting\n\tTCP/IP connections on port 5432?\n","path":"$","error":"connection error","code":"postgres-error"}}}
hasura | {"internal":"could not connect to server: No route to host\n\tIs the server running on host "postgres" (192.168.16.2) and accepting\n\tTCP/IP connections on port 5432?\n","path":"$","error":"connection error","code":"postgres-error"}
hasura exited with code 1
hasura | {"type":"startup","timestamp":"2020-08-25T14:25:02.125+0000","level":"info","detail":{"kind":"server_configuration","info":{"live_query_options":{"batch_size":100,"refetch_delay":1},"transaction_isolation":"ISOLATION LEVEL READ COMMITTED","plan_cache_options":{"plan_cache_size":4000},"enabled_log_types":["http-log","websocket-log","startup","webhook-log"],"server_host":"HostAny","enable_allowlist":false,"log_level":"info","auth_hook_mode":null,"use_prepared_statements":true,"unauth_role":null,"stringify_numeric_types":false,"enabled_apis":["metadata","graphql","config","pgdump"],"enable_telemetry":true,"enable_console":true,"auth_hook":null,"jwt_secret":null,"cors_config":{"allowed_origins":"*","disabled":false,"ws_read_cookie":null},"console_assets_dir":null,"admin_secret_set":false,"port":8080}}}
hasura | {"type":"startup","timestamp":"2020-08-25T14:25:02.125+0000","level":"info","detail":{"kind":"postgres_connection","info":{"retries":1,"database_url":"postgres://myuser:…@postgres:5432/mydb"}}}
^CGracefully stopping… (press Ctrl+C again to force)
Stopping hasura … done
Stopping postgres … done
Stopping nginx … done
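The "No route to host" in the Hasura log is what a client sees when the host's firewall rejects the forwarded packets with an ICMP host-prohibited message, which is what firewalld's public zone does by default, and any interface not explicitly assigned to a zone lands in that default zone. Only docker0 is in the trusted zone here, so the bridges docker-compose created for the backend and frontend networks (br-ffbcbf…, br-8a6973… in the firewalld warnings) are left in public. The shell script below is an added example, not part of the original post and not a script from the Docker or firewalld projects: it derives the host interface name of each user-defined bridge network from `docker network ls` (Docker names that interface `br-` followed by the first 12 hex characters of the network ID) and adds any that are missing to the trusted zone at runtime only, so it can be re-run after every `docker-compose up` without leaving stale permanent entries behind when down/up assigns new IDs. The `docker network ls` text embedded in the script is constructed from the output in the post; `docker` and `firewall-cmd` are only invoked when the script is run with `--apply`.

```shell
#!/bin/sh
# Added example (not from the original post): put the host interfaces of
# docker-compose's user-defined bridge networks into firewalld's "trusted" zone.
# Runtime only (no --permanent): down/up recreates the networks with new IDs and
# therefore new interface names, so re-run this after each `docker-compose up`.

# Constructed sample of `docker network ls` output, taken from the post above.
SAMPLE_NETWORK_LS='NETWORK ID          NAME                DRIVER              SCOPE
269d57ac0558        bridge              bridge              local
2591712e9906        host                host                local
19eeb3d6aeae        none                null                local
ffbcbf0aad7b        backend             bridge              local
8a6973abb890        frontend            bridge              local'

# Read `docker network ls` output on stdin and print one host interface name per
# user-defined bridge network. Docker names that interface "br-" plus the first
# 12 hex characters of the network ID. The default "bridge" network is docker0,
# which is already trusted in the post, so it is skipped.
user_bridge_ifaces() {
    awk 'NR > 1 && $3 == "bridge" && $2 != "bridge" { print "br-" substr($1, 1, 12) }'
}

# Exit 0 if interface $1 appears in the space-separated interface list $2
# (the list is what `firewall-cmd --zone=<zone> --list-interfaces` prints).
iface_in_list() {
    for i in $2; do
        [ "$i" = "$1" ] && return 0
    done
    return 1
}

# Add each interface read from stdin to zone $1 unless it is already there.
trust_ifaces() {
    zone=$1
    current=$(firewall-cmd --zone="$zone" --list-interfaces)
    while read -r iface; do
        if iface_in_list "$iface" "$current"; then
            echo "$iface: already in zone $zone"
        else
            firewall-cmd --zone="$zone" --add-interface="$iface"
        fi
    done
}

# Dry run on the embedded sample: shows which interfaces would be trusted.
demo_ifaces() {
    printf '%s\n' "$SAMPLE_NETWORK_LS" | user_bridge_ifaces
}

if [ "${1:-}" = "--apply" ]; then
    docker network ls | user_bridge_ifaces | trust_ifaces trusted
else
    echo "would add to zone trusted:"
    demo_ifaces
fi
```

Putting a bridge in the trusted zone accepts everything arriving on it, including container traffic aimed at services on the host itself, which is the same trade-off the post already makes for docker0. A narrower and permanent alternative is to give each compose network a fixed interface name with `driver_opts: {com.docker.network.bridge.name: br-backend}` under the network definition, then bind that name permanently to a dedicated zone that only allows the traffic those containers actually need.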