Description
We want to use docker in a restricted setup where we can control who has access to the running containers. On startup docker adds rules to the FORWARD chain, empties the DOCKER chain and resets the DOCKER-ISOLATION chain.
Since we want to restrict access to the used bridges, we want to add rules preventing this in the FORWARD chain, but the problem with this is that docker puts its own rules before our custom rules, in effect offering access to the containers for everyone.
Is there any setting to prevent docker from changing the FORWARD chain on startup and only update the DOCKER chain? Or is it possible to implement such a switch? This way you can control access to the docker containers without messing up docker's automatic firewall settings when using port mappings.
The --iptables=false setting works, but when starting containers nothing is added to the iptables anymore. So that isn't a workable solution either.
Output of docker version:
Client:
Version: 1.11.1
API version: 1.23
Go version: go1.5.4
Git commit: 5604cbe
Built: Wed Apr 27 00:34:42 2016
OS/Arch: linux/amd64
Server:
Version: 1.11.1
API version: 1.23
Go version: go1.5.4
Git commit: 5604cbe
Built: Wed Apr 27 00:34:42 2016
OS/Arch: linux/amd64
Output of docker info:
Containers: 2
Running: 1
Paused: 0
Stopped: 1
Images: 111
Server Version: 1.11.1
Storage Driver: devicemapper
Pool Name: docker-253:1-150997978-pool
Pool Blocksize: 65.54 kB
Base Device Size: 10.74 GB
Backing Filesystem: xfs
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 11.77 GB
Data Space Total: 107.4 GB
Data Space Available: 7.219 GB
Metadata Space Used: 15.33 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.132 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.107-RHEL7 (2016-06-09)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: overlay bridge null host
Kernel Version: 3.10.0-327.13.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.79 GiB
Name: xxxx.xxxxxxxxxxx.xx
ID: H2Q6:YFIW:O4SQ:55KY:ZDPS:S5OT:XXJJ:HYEV:UDON:5TWF:3CMK:GILX
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): false
Http Proxy: http://192.168.202.13:3128
Https Proxy: http://192.168.202.13:3128
No Proxy: /var/run/docker.soc,localhost,127.0.0.1
Registry: https://index.docker.io/v1/
Labels:
nl.bzk.rol=db
Cluster store: etcd://192.168.197.230:2379/cluster01
Cluster advertise: 192.168.197.231:2375
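The following script is an added example for this issue, not code from the reporter or from Docker. It shows the usual way to keep access-control rules in front of the rules dockerd inserts without switching to --iptables=false: all policy goes into one user-defined chain (the chain name DOCKER-ACCESS and the sample networks are assumptions made for the example), and the only thing that has to sit ahead of Docker's rules is a single jump to that chain. Daemons from 17.06 onward provide the DOCKER-USER chain, which FORWARD consults before Docker's own rules, so the jump can go there and survives daemon restarts. On a 1.11.1 daemon like the one on this page that chain does not exist, so the jump is inserted at position 1 of FORWARD and has to be re-applied after every daemon start (for example from a systemd ExecStartPost= drop-in), because dockerd inserts its own FORWARD rules at the top each time it starts. Inside the chain nothing is ACCEPTed: allowed traffic RETURNs so that Docker's published-port checks in the DOCKER chain still apply, and only unwanted new connections towards the bridge are dropped.

```shell
#!/bin/sh
# Example added for this issue; not part of Docker or of the reporter's setup.
# Restrict which source networks may open connections to containers on a
# bridge, using a user-defined chain that dockerd never touches.

CHAIN="${CHAIN:-DOCKER-ACCESS}"   # hypothetical chain name (assumption)
BRIDGE="${BRIDGE:-docker0}"
IPT="${IPT:-iptables}"

# Emit the body of the access chain as lines of iptables arguments, without
# running anything. $1 is a space-separated list of source networks that may
# open connections to containers on $BRIDGE.
access_rules() {
    allowed="$1"
    # Replies and related traffic towards the bridge are fine whoever sent
    # them; without this, containers could not receive answers to their
    # own outbound connections.
    echo "-A $CHAIN -o $BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    for net in $allowed; do
        # RETURN, not ACCEPT: Docker's own rules (DOCKER chain, published
        # ports) still decide whether the packet is allowed.
        echo "-A $CHAIN -o $BRIDGE -s $net -j RETURN"
    done
    # Anything else heading for the bridge is dropped before dockerd's
    # rules get a chance to accept it.
    echo "-A $CHAIN -o $BRIDGE -j DROP"
}

# The single rule that must precede Docker's rules: a jump into $CHAIN.
# $1 is "yes" when the daemon provides the DOCKER-USER chain (17.06+),
# "no" for older daemons such as the 1.11.1 on this page.
jump_rule() {
    if [ "$1" = "yes" ]; then
        echo "-I DOCKER-USER 1 -j $CHAIN"
    else
        echo "-I FORWARD 1 -j $CHAIN"
    fi
}

# Turn an "-I <chain> 1 ..." rule into the matching "-C <chain> ..." check so
# the jump is installed only once, however often the script runs.
check_rule() {
    printf '%s' "$1" | sed 's/^-I \([^ ]*\) 1 /-C \1 /'
}

# "yes" if the running kernel/iptables has a DOCKER-USER chain, else "no".
detect_docker_user() {
    if "$IPT" -n -L DOCKER-USER >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Create (or rebuild) the access chain and make sure the jump is in place.
# $1: allowed source networks, as for access_rules.
apply_rules() {
    allowed="$1"
    "$IPT" -N "$CHAIN" 2>/dev/null || true   # -N fails harmlessly if it exists
    "$IPT" -F "$CHAIN"
    access_rules "$allowed" | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $rule is intended
        "$IPT" $rule
    done
    jump=$(jump_rule "$(detect_docker_user)")
    check=$(check_rule "$jump")
    # shellcheck disable=SC2086
    "$IPT" $check 2>/dev/null || "$IPT" $jump
}

# usage (needs root): ALLOWED_NETS="192.168.202.0/24 10.0.0.0/8" ./docker-access.sh
# The networks above are constructed sample values, not taken from the page.
if [ -n "$ALLOWED_NETS" ]; then
    apply_rules "$ALLOWED_NETS"
fi
```

Two caveats for the 1.11.1 fallback: the jump into FORWARD gets pushed down every time dockerd starts, so `apply_rules` must run after the daemon (its `-C` check keeps it idempotent, so running it repeatedly is safe), and the `-o $BRIDGE` match covers one bridge, so a host with several user-defined bridge networks needs one set of rules per bridge.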