author | Markus Heiser <markus.heiser@darmarit.de> | 2021-06-23 12:39:49 +0200
committer | Markus Heiser <markus.heiser@darmarit.de> | 2021-06-23 12:47:52 +0200
commit | c8a6548592ff4f6d223cc548978b77ef84a39981 (patch)
tree | a9d81c3cabbe056f819fbe53d5ad8c88514d95e9 /docs/utils/lxc.sh.rst
parent | 056550d523ddf4e06821957e13623fc322cf4675 (diff)
download | searxng-c8a6548592ff4f6d223cc548978b77ef84a39981.tar.gz searxng-c8a6548592ff4f6d223cc548978b77ef84a39981.zip
[mod] utils/lxc.sh: detect conflict of docker & LXC in the iptables
Docker is blocking network of existing LXC containers / there is a conflict in
the iptables setup of Docker & LXC. With this patch:
- utils/lxc.sh checks internet connectivity (instead of silently hanging)
- Chapter "Internet Connectivity & Docker" describes the problem and makes a
  suggestion for a solution
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
Diffstat (limited to 'docs/utils/lxc.sh.rst')
-rw-r--r-- | docs/utils/lxc.sh.rst | 53
1 files changed, 51 insertions, 2 deletions
diff --git a/docs/utils/lxc.sh.rst b/docs/utils/lxc.sh.rst index 56bac2670..a98ab70b9 100644 --- a/docs/utils/lxc.sh.rst +++ b/docs/utils/lxc.sh.rst @@ -40,8 +40,14 @@ take some time**:: A cup of coffee later, your LXC suite is build up and you can run whatever task you want / in a selected or even in all :ref:`LXC suite containers <lxc.sh -help>`. If you do not want to build all containers, **you can build just -one**:: +help>`. + +.. hint:: + + If you see any problems with the internet connectivity of your + containers read section :ref:`internet connectivity docker`. + +If you do not want to build all containers, **you can build just one**:: $ sudo -H ./utils/lxc.sh build searx-ubu1804 
@@ -66,6 +72,49 @@ If there comes the time you want to **get rid off all** the containers and $ sudo -H ./utils/lxc.sh remove $ sudo -H ./utils/lxc.sh remove images +.. _internet connectivity docker: + +Internet Connectivity & Docker +============================== + +.. sidebar:: further read + + - `Docker blocking network of existing LXC containers <https://github.com/docker/for-linux/issues/103>`__ + - `Docker and IPtables (fralef.me) <https://fralef.me/docker-and-iptables.html>`__ + - `Docker and iptables (docker.com) <https://docs.docker.com/network/iptables/#docker-on-a-router/>`__ + +There is a conflict in the ``iptables`` setup of Docker & LXC. If you have +docker installed, you may find that the internet connectivity of your LXD +containers no longer work. + +Whenever docker is started (reboot) it sets the iptables policy for the +``FORWARD`` chain to ``DROP`` `[ref] +<https://docs.docker.com/network/iptables/#docker-on-a-router>`__:: + + $ sudo -H iptables-save | grep FORWARD + :FORWARD ACCEPT [7048:7851230] + :FORWARD DROP [7048:7851230] + +A handy solution of this problem might be to reset the policy for the +``FORWARD`` chain after the network has been initialized. For this create a +file in the ``if-up`` section of the network (``/etc/network/if-up.d/iptable``) +and insert the following lines:: + + #!/bin/sh + iptables -F FORWARD + iptables -P FORWARD ACCEPT + +Don't forget to set the execution bit:: + + sudo chmod ugo+x /etc/network/if-up.d/iptable + +Reboot your system and check the iptables rules:: + + $ sudo -H iptables-save | grep FORWARD + :FORWARD ACCEPT [7048:7851230] + :FORWARD ACCEPT [7048:7851230] + + .. _lxc.sh install suite: Install suite |
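Review bot: The `/etc/network/if-up.d/iptable` script proposed in the second hunk is broader than the problem it fixes and can race with Docker. `iptables -F FORWARD` flushes every rule in the chain, including the `DOCKER-USER` and isolation jumps Docker installs, and `iptables -P FORWARD ACCEPT` makes the host an unconditional forwarder between all its interfaces, which is exactly what Docker's `DROP` default (it also enables IP forwarding) is there to prevent. The docker.com page already linked in the sidebar recommends the narrower form, which this section could show instead: `iptables -I DOCKER-USER -i <lxd-bridge> -j ACCEPT` and `iptables -I DOCKER-USER -o <lxd-bridge> -j ACCEPT`, with `<lxd-bridge>` being the bridge the LXD containers are attached to; that only opens forwarding for the LXD network and leaves Docker's own rules intact. Two caveats worth a sentence in the text: an `if-up.d` hook only runs on systems managed by ifupdown (not netplan, systemd-networkd or NetworkManager), and since the text itself says dockerd resets the policy whenever it starts, a hook that fires before dockerd is undone again, so the "check the iptables rules" step should be done after Docker is up. Minor wording: "no longer work" should be "no longer works", "solution of this problem" reads better as "solution to this problem", and the sidebar URL `…/iptables/#docker-on-a-router/` carries a stray trailing slash after the fragment, unlike the `[ref]` link below it.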