zaclys/searxng
1
0
Fork 1
mirror of https://github.com/searxng/searxng synced 2024-01-01 19:24:07 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #173 from return42/fix-lxc-iptables

Browse source 
[mod] utils/lxc.sh: detect conflict of docker & LXC in the iptables
This commit is contained in:
Markus Heiser 2021-06-25 08:23:40 +00:00 committed by GitHub
commit d19869b9f7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 76 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
docs/dev/lxcdev.rst
View file

@ -52,7 +52,12 @@ software:
and the script :ref:`lxc.sh`, with we can scale our installation, maintenance or and the script :ref:`lxc.sh`, with we can scale our installation, maintenance or
even development tasks over a stack of isolated containers / what we call the: even development tasks over a stack of isolated containers / what we call the:
**searxNG LXC suite** **SearxNG LXC suite**
.. hint::
If you see any problems with the internet connectivity of your
containers read section :ref:`internet connectivity docker`.
Gentlemen, start your engines! Gentlemen, start your engines!

53
docs/utils/lxc.sh.rst
View file

@ -40,8 +40,14 @@ take some time**::
A cup of coffee later, your LXC suite is build up and you can run whatever task A cup of coffee later, your LXC suite is build up and you can run whatever task
you want / in a selected or even in all :ref:`LXC suite containers <lxc.sh you want / in a selected or even in all :ref:`LXC suite containers <lxc.sh
help>`. If you do not want to build all containers, **you can build just help>`.
one**::
.. hint::
If you see any problems with the internet connectivity of your
containers read section :ref:`internet connectivity docker`.
If you do not want to build all containers, **you can build just one**::
$ sudo -H ./utils/lxc.sh build searx-ubu1804 $ sudo -H ./utils/lxc.sh build searx-ubu1804
@ -66,6 +72,49 @@ If there comes the time you want to **get rid off all** the containers and
$ sudo -H ./utils/lxc.sh remove $ sudo -H ./utils/lxc.sh remove
$ sudo -H ./utils/lxc.sh remove images $ sudo -H ./utils/lxc.sh remove images
.. _internet connectivity docker:
Internet Connectivity & Docker
==============================
.. sidebar:: further read
- `Docker blocking network of existing LXC containers <https://github.com/docker/for-linux/issues/103>`__
- `Docker and IPtables (fralef.me) <https://fralef.me/docker-and-iptables.html>`__
- `Docker and iptables (docker.com) <https://docs.docker.com/network/iptables/#docker-on-a-router/>`__
There is a conflict in the ``iptables`` setup of Docker & LXC. If you have
docker installed, you may find that the internet connectivity of your LXD
containers no longer work.
Whenever docker is started (reboot) it sets the iptables policy for the
``FORWARD`` chain to ``DROP`` `[ref]
<https://docs.docker.com/network/iptables/#docker-on-a-router>`__::
$ sudo -H iptables-save | grep FORWARD
:FORWARD ACCEPT [7048:7851230]
:FORWARD DROP [7048:7851230]
A handy solution of this problem might be to reset the policy for the
``FORWARD`` chain after the network has been initialized. For this create a
file in the ``if-up`` section of the network (``/etc/network/if-up.d/iptable``)
and insert the following lines::
#!/bin/sh
iptables -F FORWARD
iptables -P FORWARD ACCEPT
Don't forget to set the execution bit::
sudo chmod ugo+x /etc/network/if-up.d/iptable
Reboot your system and check the iptables rules::
$ sudo -H iptables-save | grep FORWARD
:FORWARD ACCEPT [7048:7851230]
:FORWARD ACCEPT [7048:7851230]
.. _lxc.sh install suite: .. _lxc.sh install suite:
Install suite Install suite

19
utils/lxc.sh
View file

@ -5,6 +5,8 @@
# shellcheck source=utils/lib.sh # shellcheck source=utils/lib.sh
source "$(dirname "${BASH_SOURCE[0]}")/lib.sh" source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
source_dot_config source_dot_config
# shellcheck source=utils/brand.env
source "${REPO_ROOT}/utils/brand.env"
# load environment of the LXC suite # load environment of the LXC suite
LXC_ENV="${LXC_ENV:-${REPO_ROOT}/utils/lxc-searx.env}" LXC_ENV="${LXC_ENV:-${REPO_ROOT}/utils/lxc-searx.env}"
@ -535,6 +537,9 @@ lxc_install_boilerplate() {
if lxc start -q "${container_name}" &>/dev/null; then if lxc start -q "${container_name}" &>/dev/null; then
sleep 5 # guest needs some time to come up and get an IP sleep 5 # guest needs some time to come up and get an IP
fi fi
if ! check_connectivity "${container_name}"; then
die 42 "Container ${container_name} has no internet connectivity!"
fi
lxc_init_container_env "${container_name}" lxc_init_container_env "${container_name}"
info_msg "[${_BBlue}${container_name}${_creset}] install /.lxcenv.mk .." info_msg "[${_BBlue}${container_name}${_creset}] install /.lxcenv.mk .."
cat <<EOF | lxc exec "${container_name}" -- bash | prefix_stdout "[${_BBlue}${container_name}${_creset}] " cat <<EOF | lxc exec "${container_name}" -- bash | prefix_stdout "[${_BBlue}${container_name}${_creset}] "
@ -554,6 +559,20 @@ EOF
fi fi
} }
check_connectivity() {
local ret_val=0
info_msg "check internet connectivity ..."
if ! lxc exec "${1}" -- ping -c 1 8.8.8.8 &>/dev/null; then
ret_val=1
err_msg "no internet connectivity!"
info_msg "Most often the connectivity is blocked by a docker installation:"
info_msg "Whenever docker is started (reboot) it sets the iptables policy "
info_msg "for the FORWARD chain to DROP, see:"
info_msg " ${DOCS_URL}/utils/lxc.sh.html#internet-connectivity-docker"
iptables-save | grep ":FORWARD"
fi
return $ret_val
}
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
main "$@" main "$@"