Bright Cluster Manager uses Shorewall to manage the various firewall rules on the head/management node. By default, this seems to prevent Podman and Docker from working right.
I am working through a simple example of running a pod with PostgreSQL and PGAdmin but the connection to the host port that forwards to the pgadmin container seemed to be blocked. Connection attempts using both curl and web browsers would hang.
There is additional configuration that needs to be done for Shorewall to work with Podman. Shorewall has instructions on making it work with Docker, and it seems to work for podman with minor modifications.
First, modify the systemd service to not clear firewall rules on service stop. Do:
sudo systemctl edit shorewall.service
which gives a blank file. Add these contents:
[Service]
# reset ExecStop
ExecStop=
# set ExecStop to "stop" instead of "clear"
ExecStop=/sbin/shorewall $OPTIONS stop
Then activate the changes with
sudo systemctl daemon-reload
Next, we need to know the name of the Podman network interface. Use “ip link list” to see it. On my RHEL 8 system, the interface is
10: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
Then make the following modifications to the Shorewall config files.
Enable Docker mode in /etc/shorewall/shorewall.conf:
DOCKER=Yes
Define a zone for Podman in /etc/shorewall/zones:
#ZONE TYPE OPTIONS
pod ipv4 # 'pod' is just an example -- call it anything you like
Define policies for this zone in /etc/shorewall/policy:
#SOURCE DEST POLICY LEVEL
pod $FW REJECT
pod all ACCEPT
And match the zone to the interface in /etc/shorewall/interfaces:
# Need to specify "?FORMAT 2"
?FORMAT 2
#ZONE INTERFACE OPTIONS
pod cni-podman0 bridge # Allow ICC (inter-container communication); bridge implies routeback=1
Then restart Shorewall, and start the pod (or restart it if it was already running).
You may need additional rules to allow an external host to connect into the pod. For example, consider a pod containing a pgadmin container and a postgresql container, where the pgadmin container serves on port 80, and suppose your administrative hosts are in the address block 10.0.10.0/23. Then add the following to /etc/shorewall/rules:
# Accept connections from admin hosts to the pgadmin container
# ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net:10.0.10.0/23 pod tcp 80
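The steps above are easy to get slightly wrong by hand (a stale DOCKER= line left in shorewall.conf, a missing ?FORMAT 2, the wrong bridge name on a newer Podman). The following script is an added example, not code from the original post or from Shorewall or Podman. It stages every fragment from the steps above into a directory for review before anything is copied into /etc/shorewall, and it picks the Podman bridge name out of "ip link" output instead of relying on a hard-coded name. The zone name pod, the bridge cni-podman0, the admin block 10.0.10.0/23 and port 80 are the post's values; the staging directory name, the script name, and the podman0 bridge name used by netavark-based Podman are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post, Shorewall or Podman): stage the
# Shorewall fragments described above into a directory for review.
# Usage: sh stage-podman-shorewall.sh stage [DIR]   (script name is hypothetical)

# find_podman_bridge: read "ip link" output on stdin and print the name of the
# Podman bridge. Matches cni-podman0 (CNI, as in the post) and, as an assumption
# added here, podman0 as used by netavark-based Podman. Returns 1 if none found.
find_podman_bridge() {
    name=$(awk -F': ' '$2 ~ /^(cni-)?podman[0-9]+$/ { print $2; exit }')
    [ -n "$name" ] && printf '%s\n' "$name"
}

# set_docker_mode FILE: force DOCKER=Yes in a shorewall.conf, replacing any
# existing DOCKER= line (so DOCKER=No cannot linger) or appending one if absent.
set_docker_mode() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    awk 'BEGIN { seen = 0 }
         /^DOCKER=/ { print "DOCKER=Yes"; seen = 1; next }
         { print }
         END { if (!seen) print "DOCKER=Yes" }' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# write_pod_fragments DIR ZONE IFACE ADMIN_CIDR PORT: write the zones, policy,
# interfaces and rules files for the Podman zone into DIR.
write_pod_fragments() {
    dir=$1; zone=$2; iface=$3; admin=$4; port=$5
    mkdir -p "$dir"
    {
        echo '#ZONE TYPE OPTIONS'
        echo "$zone ipv4"
    } > "$dir/zones"
    {
        echo '#SOURCE DEST POLICY LEVEL'
        echo "$zone \$FW REJECT"   # containers may not reach the host itself
        echo "$zone all ACCEPT"    # but may reach everything else
    } > "$dir/policy"
    {
        echo '?FORMAT 2'           # required for the OPTIONS column layout below
        echo '#ZONE INTERFACE OPTIONS'
        echo "$zone $iface bridge" # bridge implies routeback=1 (ICC)
    } > "$dir/interfaces"
    {
        echo '#ACTION SOURCE DEST PROTO DEST PORT(S)'
        echo "ACCEPT net:$admin $zone tcp $port"  # only admin hosts reach pgadmin
    } > "$dir/rules"
}

# write_systemd_override DIR: the drop-in that "systemctl edit shorewall.service"
# creates (override.conf), written under DIR instead of /etc/systemd/system.
write_systemd_override() {
    d=$1/shorewall.service.d
    mkdir -p "$d"
    printf '%s\n' '[Service]' \
        '# reset ExecStop, then use "stop" (keeps rules) instead of "clear"' \
        'ExecStop=' \
        'ExecStop=/sbin/shorewall $OPTIONS stop' > "$d/override.conf"
}

if [ "${1-}" = "stage" ]; then
    staging=${2:-./shorewall-staging}
    bridge=$(ip link | find_podman_bridge) || {
        echo 'no Podman bridge found; start a pod first so the bridge exists' >&2
        exit 1
    }
    mkdir -p "$staging"
    cp /etc/shorewall/shorewall.conf "$staging/shorewall.conf" 2>/dev/null || true
    set_docker_mode "$staging/shorewall.conf"
    write_pod_fragments "$staging" pod "$bridge" 10.0.10.0/23 80
    write_systemd_override "$staging"
    echo "staged Shorewall fragments for bridge $bridge in $staging"
fi
```

After reviewing the staged files, copy them into /etc/shorewall and the override into /etc/systemd/system/shorewall.service.d/, run systemctl daemon-reload, and run shorewall check before shorewall restart so a typo in a column never leaves the head node without rules. The zone policy stays as the post has it: containers are refused access to the firewall host itself and the only inbound path is the single ACCEPT rule from the admin block.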