author: Markus Heiser <markus.heiser@darmarit.de> 2021-06-23 12:39:49 +0200
committer: Markus Heiser <markus.heiser@darmarit.de> 2021-06-23 12:47:52 +0200
commit: c8a6548592ff4f6d223cc548978b77ef84a39981 (patch)
tree: a9d81c3cabbe056f819fbe53d5ad8c88514d95e9 /docs
parent: 056550d523ddf4e06821957e13623fc322cf4675 (diff)
[mod] utils/lxc.sh: detect conflict of docker & LXC in the iptables

Docker is blocking network of existing LXC containers / there is a conflict in
the iptables setup of Docker & LXC. With this patch:

- utils/lxc.sh checks internet connectivity (instead of silently hanging)
- Chapter "Internet Connectivity & Docker" describes the problem and makes a
  suggestion for a solution

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
Diffstat (limited to 'docs')

-rw-r--r--  docs/dev/lxcdev.rst     7
-rw-r--r--  docs/utils/lxc.sh.rst  53

2 files changed, 57 insertions, 3 deletions
diff --git a/docs/dev/lxcdev.rst b/docs/dev/lxcdev.rst
index ef26e3734..33b729103 100644
--- a/docs/dev/lxcdev.rst
+++ b/docs/dev/lxcdev.rst
@@ -52,7 +52,12 @@ software:
and the script :ref:`lxc.sh`, with we can scale our installation, maintenance or
even development tasks over a stack of isolated containers / what we call the:
- **searxNG LXC suite**
+ **SearxNG LXC suite**
+
+.. hint::
+
+ If you see any problems with the internet connectivity of your
+ containers read section :ref:`internet connectivity docker`.
Gentlemen, start your engines!
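Review bot: the ``:ref:`internet connectivity docker``` target the new hint points at is only defined by the change to docs/utils/lxc.sh.rst in this same patch, so the two files must land together or Sphinx reports an undefined label. Two small wording points while this paragraph is being touched: the context line "with we can scale our installation" reads as "with which we can scale our installation", and the renamed "SearxNG LXC suite" should use the same capitalisation of the project name as the rest of the docs (check whether that is "SearXNG").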
diff --git a/docs/utils/lxc.sh.rst b/docs/utils/lxc.sh.rst
index 56bac2670..a98ab70b9 100644
--- a/docs/utils/lxc.sh.rst
+++ b/docs/utils/lxc.sh.rst
@@ -40,8 +40,14 @@ take some time**::
A cup of coffee later, your LXC suite is build up and you can run whatever task
you want / in a selected or even in all :ref:`LXC suite containers <lxc.sh
-help>`. If you do not want to build all containers, **you can build just
-one**::
+help>`.
+
+.. hint::
+
+ If you see any problems with the internet connectivity of your
+ containers read section :ref:`internet connectivity docker`.
+
+If you do not want to build all containers, **you can build just one**::
$ sudo -H ./utils/lxc.sh build searx-ubu1804
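Review bot: the hint block is a word-for-word copy of the one added to docs/dev/lxcdev.rst; if the wording changes later the two copies will drift, so consider keeping the text in one place (for example a small snippet pulled in with ``.. include::``), although duplicating a two-line hint is defensible. The sentence split itself is correct: the ``::`` now ends the new "If you do not want to build all containers, **you can build just one**" line, so the literal block with the build command still attaches to the right paragraph.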
@@ -66,6 +72,49 @@ If there comes the time you want to **get rid off all** the containers and
$ sudo -H ./utils/lxc.sh remove
$ sudo -H ./utils/lxc.sh remove images
+.. _internet connectivity docker:
+
+Internet Connectivity & Docker
+==============================
+
+.. sidebar:: further read
+
+ - `Docker blocking network of existing LXC containers <https://github.com/docker/for-linux/issues/103>`__
+ - `Docker and IPtables (fralef.me) <https://fralef.me/docker-and-iptables.html>`__
+ - `Docker and iptables (docker.com) <https://docs.docker.com/network/iptables/#docker-on-a-router/>`__
+
+There is a conflict in the ``iptables`` setup of Docker & LXC. If you have
+docker installed, you may find that the internet connectivity of your LXD
+containers no longer work.
+
+Whenever docker is started (reboot) it sets the iptables policy for the
+``FORWARD`` chain to ``DROP`` `[ref]
+<https://docs.docker.com/network/iptables/#docker-on-a-router>`__::
+
+ $ sudo -H iptables-save | grep FORWARD
+ :FORWARD ACCEPT [7048:7851230]
+ :FORWARD DROP [7048:7851230]
+
+A handy solution of this problem might be to reset the policy for the
+``FORWARD`` chain after the network has been initialized. For this create a
+file in the ``if-up`` section of the network (``/etc/network/if-up.d/iptable``)
+and insert the following lines::
+
+ #!/bin/sh
+ iptables -F FORWARD
+ iptables -P FORWARD ACCEPT
+
+Don't forget to set the execution bit::
+
+ sudo chmod ugo+x /etc/network/if-up.d/iptable
+
+Reboot your system and check the iptables rules::
+
+ $ sudo -H iptables-save | grep FORWARD
+ :FORWARD ACCEPT [7048:7851230]
+ :FORWARD ACCEPT [7048:7851230]
+
+
.. _lxc.sh install suite:
Install suite
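Review bot: the suggested ``/etc/network/if-up.d/iptable`` script is broader than the problem needs and weakens Docker's own isolation. ``iptables -F FORWARD`` flushes every rule in the chain, including the jumps Docker installs to its ``DOCKER-USER`` and isolation chains, and ``iptables -P FORWARD ACCEPT`` turns the host into an open router for all interfaces rather than just the LXD bridge. The docker.com page cited in the sidebar recommends the narrower fix of accepting only the bridge's traffic in the ``DOCKER-USER`` chain, which Docker preserves across restarts, along the lines of ``iptables -I DOCKER-USER -i lxdbr0 -j ACCEPT`` and ``iptables -I DOCKER-USER -o lxdbr0 -j ACCEPT`` (``lxdbr0`` is the default LXD bridge name and must be adjusted to the installation); that keeps the ``DROP`` policy and Docker's rules intact. There is also an ordering question: an ``if-up.d`` hook runs when an interface comes up, which can be before ``dockerd`` starts, and the text itself says ``dockerd`` sets the policy to ``DROP`` on start, so the post-reboot check shown should be confirmed on a host where docker is enabled at boot. Minor: the docker.com URL in the sidebar has a stray trailing slash after the ``#docker-on-a-router`` fragment, and "no longer work" should read "no longer works".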