lando / lando

A development tool for all your projects that is fast, easy, powerful and liberating
https://lando.dev
GNU General Public License v3.0

Cross-project communication broken on Fedora 39, Docker Engine 24. #3648

Open ahamilton9 opened 5 months ago

ahamilton9 commented 5 months ago

I recently moved from Ubuntu to Fedora, and everything seems fine except for this one bit. Docker's firewalld support seems to be properly editing the iptables configuration, but I think something is missing and I'm not sure if it's in Docker or Lando's wheelhouse.

The docker zone has most of the bridge network interfaces listed, but I do not see the "lando_bridge_network", and trying to add it manually gives me "success" but no change to this list:

docker (active)
  target: ACCEPT
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: br-213d2a57fb6f br-644459259f19 br-ab034134b70b docker0
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

All domains work on my host without issue. Cross-container communication using just hostnames within a project seems fine. It's just communicating across projects. The internal urls, lndo.site, and custom domains all fail when called from within another project with curl: (7) Failed to connect to <domain> port 80/443: No route to host.

I'm at a loss. Any help would be appreciated.
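The comparison described in the post above (which Docker bridge interfaces appear in the docker zone) can be scripted. This is an added example, not part of the original issue or Lando's code. All network IDs and every network name except lando_bridge_network are constructed, and it assumes Docker's default interface naming: docker0 for the default bridge, otherwise br- plus the first 12 characters of the network ID.

```python
import json

# Constructed sample of `firewall-cmd --zone=docker --list-all`, trimmed to
# the fields used here; the interfaces line is the one quoted in the issue.
ZONE_OUTPUT = """\
docker (active)
  target: ACCEPT
  interfaces: br-213d2a57fb6f br-644459259f19 br-ab034134b70b docker0
  sources:
  forward: yes
"""

# Constructed sample of `docker network ls --format '{{json .}}'` (one JSON
# object per line). IDs are made up, as are all names other than
# lando_bridge_network.
NETWORKS = """\
{"Name": "bridge", "Driver": "bridge", "ID": "9f8e7d6c5b4a"}
{"Name": "host", "Driver": "host", "ID": "1a2b3c4d5e6f"}
{"Name": "projecta_default", "Driver": "bridge", "ID": "213d2a57fb6f"}
{"Name": "lando_bridge_network", "Driver": "bridge", "ID": "0123456789ab"}
"""

def zone_interfaces(zone_text):
    """Return the set of interfaces on the zone's `interfaces:` line."""
    for line in zone_text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "interfaces":
            return set(value.split())
    return set()

def bridge_interfaces(network_lines):
    """Map each bridge-driver network name to its expected host interface."""
    expected = {}
    for line in network_lines.splitlines():
        if not line.strip():
            continue
        net = json.loads(line)
        if net.get("Driver") != "bridge":
            continue  # host/none/overlay networks have no br-* interface
        # Assumption: default naming (no custom bridge name option set).
        name = net["Name"]
        expected[name] = "docker0" if name == "bridge" else "br-" + net["ID"][:12]
    return expected

def missing_from_zone(zone_text, network_lines):
    """Bridge networks whose interface is absent from the firewalld zone."""
    listed = zone_interfaces(zone_text)
    return {n: i for n, i in bridge_interfaces(network_lines).items() if i not in listed}

if __name__ == "__main__":
    print(missing_from_zone(ZONE_OUTPUT, NETWORKS))
```

On a live host, feed the two functions the real output of the commands named in the comments instead of the constructed samples.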

ahamilton9 commented 5 months ago

After a bit more testing, this seems to be specifically an issue with firewalld. I removed it, and replaced it with the standard iptables service and everything is happy locally.

I would not call this a fix though, nor am I sure if this is something Lando has to compensate for with firewalld or if that's Docker's problem. If someone can help narrow down where the issue stems from I can make a ticket in the proper location.

branivreyes commented 3 months ago

Same here, I can't communicate between projects using the internal urls (like this). I can communicate only using the IPs from "landoproxyhyperion5000gandalfedition_edge". Maybe it is a Fedora-only issue.

matthieuleorat commented 1 month ago

Same here, and same workaround as branivreyes with lando v3.21.0-beta.10 and Fedora 37.

reynoldsalec commented 1 week ago

This does seem to be an issue specifically with Fedora/firewalld and Docker Compose. It sounds like you can disable some of the default firewalld rules that disable Docker Compose's networking: https://chriswiegman.com/2023/01/fixing-networking-in-fedora-37-and-docker-compose/

IMHO Lando shouldn't do something directly about this, since it's an underlying issue...messing around with people's firewalld settings seems a bit risky. However, having some documentation around it would be a good idea. Did anyone on this thread go to a specific Lando doc page before finding this?