linuxserver / docker-letsencrypt

DEPRECATED: Please use linuxserver/swag instead
GNU General Public License v3.0

Enforcing SELinux to Docker container resulted in iptables error. #465

Closed jasonrichdarmawan closed 4 years ago

jasonrichdarmawan commented 4 years ago

Test it in two different environments:

  1. Disabled SELinux to the Docker Containers.
  2. Enforcing SELinux to the Docker Containers, via /etc/docker/daemon.json:

     {
       "selinux-enabled": true
     }

Expected Behavior

docker exec -ti <CONTAINER> iptables -L lists the chains' rules.

Current Behavior

$ docker exec -ti proxy iptables -L
modprobe: can't change directory to '/lib/modules': No such file or directory
iptables v1.8.3 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Steps to Reproduce

  1. Install Docker Engine, mask the firewalld services, install the iptables-services package, flush the iptables chains' rules and restart docker.service.
  2. Enforce SELINUX in /etc/selinux/config, relabel the security context (touch ./autorelabel) and run shutdown -r now.
  3. Run the container with the image linuxserver/letsencrypt.
  4. Run $ docker exec -ti <CONTAINER> iptables -L

Environment

OS: CentOS 8
CPU architecture: x86_64
How docker service was installed: https://github.com/kidfrom/docs/blob/master/DOCKER.md

Command used to create docker container (run/create/compose/screenshot)

https://github.com/tempatkerja/docker-odoo

Docker logs

$ docker exec -ti proxy iptables -L
modprobe: can't change directory to '/lib/modules': No such file or directory
iptables v1.8.3 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

$ docker exec -ti proxy fail2ban-client set sshd banip <IP ADDRESS>
2020-05-31 12:32:17,078 fail2ban.actions        [382]: NOTICE  [sshd] Ban IP ADDRESS
2020-05-31 12:32:17,095 fail2ban.utils          [382]: #39-Lev. 7f7422695870 -- exec: iptables -w -N f2b-sshd
iptables -w -A f2b-sshd -j RETURN
iptables -w -I INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
2020-05-31 12:32:17,095 fail2ban.utils          [382]: ERROR   7f7422695870 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2020-05-31 12:32:17,095 fail2ban.utils          [382]: ERROR   7f7422695870 -- stderr: "iptables v1.8.3 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)"
2020-05-31 12:32:17,095 fail2ban.utils          [382]: ERROR   7f7422695870 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-05-31 12:32:17,095 fail2ban.utils          [382]: ERROR   7f7422695870 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2020-05-31 12:32:17,095 fail2ban.utils          [382]: ERROR   7f7422695870 -- stderr: "iptables v1.8.3 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)"
2020-05-31 12:32:17,095 fail2ban.utils          [382]: ERROR   7f7422695870 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-05-31 12:32:17,095 fail2ban.utils          [382]: ERROR   7f7422695870 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2020-05-31 12:32:17,095 fail2ban.utils          [382]: ERROR   7f7422695870 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2020-05-31 12:32:17,095 fail2ban.utils          [382]: ERROR   7f7422695870 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2020-05-31 12:32:17,095 fail2ban.utils          [382]: ERROR   7f7422695870 -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2020-05-31 12:32:17,095 fail2ban.utils          [382]: ERROR   7f7422695870 -- stderr: "iptables v1.8.3 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)"
2020-05-31 12:32:17,095 fail2ban.utils          [382]: ERROR   7f7422695870 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-05-31 12:32:17,096 fail2ban.utils          [382]: ERROR   7f7422695870 -- returned 3
2020-05-31 12:32:17,096 fail2ban.actions        [382]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'ActionInfo({'ip': 'IP ADDRESS', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f7422abf3a0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f7422abf940>})': Error starting action Jail('sshd')/iptables-multiport

jasonrichdarmawan commented 4 years ago

Closed.

Solution:

$ modprobe ip_tables
$ modprobe ip_conntrack
$ modprobe iptable_filter
$ modprobe ipt_state
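The error in the logs comes from the kernel, not the container: the container's modprobe has no /lib/modules, so the host must load the netfilter modules first. As an added example (not from the issue or the linuxserver project), here is a host-side preflight script that reads /proc/modules and /proc/net/ip_tables_names to report whether the filter table the container's iptables needs is registered, and which modules the host still has to modprobe if not. It assumes a current kernel where ip_conntrack and ipt_state are aliases that lsmod reports as nf_conntrack and xt_state; the sample inputs are constructed.

```shell
#!/bin/sh
# Host-side preflight check (added example, not from the issue). The container's
# own modprobe cannot load modules (no /lib/modules inside it), so the host must
# already have the netfilter modules loaded before fail2ban's iptables actions run.

# Print each requested module that is absent from a /proc/modules-style file
# (the module name is the first whitespace-separated column).
missing_modules() {
    modfile="$1"; shift
    for m in "$@"; do
        awk -v want="$m" '$1 == want { found = 1 } END { exit !found }' "$modfile" \
            || printf '%s\n' "$m"
    done
}

# Succeed if the named table is registered with the kernel, as listed in a
# /proc/net/ip_tables_names-style file; this is what "Table does not exist" tests.
has_table() {
    grep -qx "$2" "$1" 2>/dev/null
}

# Combined check: returns 0 when the filter table is present, otherwise prints
# the modprobe command the host needs and returns 1.
preflight() {
    modfile="$1"; tables="$2"; shift 2
    if has_table "$tables" filter; then
        echo "filter table registered: iptables inside the container should work"
        return 0
    fi
    echo "filter table missing; run on the host: modprobe $(missing_modules "$modfile" "$@" | tr '\n' ' ')"
    return 1
}

# Constructed sample inputs (not captured from a real host): conntrack is loaded,
# ip_tables/iptable_filter are not, and no table is registered yet.
# Real use: preflight /proc/modules /proc/net/ip_tables_names ip_tables ...
SAMPLE_MODULES="$(mktemp)"; SAMPLE_TABLES="$(mktemp)"
printf 'nf_conntrack 172032 2 nf_nat,xt_conntrack, Live 0x0000000000000000\n' > "$SAMPLE_MODULES"
printf 'xt_conntrack 16384 1 - Live 0x0000000000000000\n' >> "$SAMPLE_MODULES"
: > "$SAMPLE_TABLES"
# nf_conntrack and xt_state are the names lsmod reports for the ip_conntrack
# and ipt_state aliases used in the issue.
preflight "$SAMPLE_MODULES" "$SAMPLE_TABLES" ip_tables nf_conntrack iptable_filter xt_state || true
```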