Closed wkloucek closed 2 years ago
Tried again today on:
- Device: TS-431X
- Firmware: 5.0.0.1966 Build 2022/03/24
- Container Station: 2.5.1.392
- ownCloud app: 10.8.0.1-rc1 (with container station proxy configuration fix, https://github.com/owncloud/qnap-packaging/releases/tag/v10.8.0.1-rc1, https://github.com/owncloud/qnap-packaging/pull/100/files)
`curl http://127.0.0.1:11409/status.php` yields a response from ownCloud: `{"installed":true,"maintenance":false,"needsDbUpgrade":false,"version":"10.8.0.4","versionstring":"10.8.0","edition":"Enterprise","productname":"ownCloud"}`
```
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N CSFORWARD
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N SYSDOCKER
-N SYSDOCKER-ISOLATION-STAGE-1
-N SYSDOCKER-ISOLATION-STAGE-2
-N SYSDOCKER-USER
-A FORWARD -j SYSDOCKER-USER
-A FORWARD -j SYSDOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-65e651001c55 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-65e651001c55 -j SYSDOCKER
-A FORWARD -i br-65e651001c55 ! -o br-65e651001c55 -j ACCEPT
-A FORWARD -i br-65e651001c55 -o br-65e651001c55 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o lxcbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o lxcbr0 -j DOCKER
-A FORWARD -i lxcbr0 ! -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -o lxcbr0 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j SYSDOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j CSFORWARD
-A OUTPUT -m set --match-set BRNOIPSET src,dst -j DROP
-A CSFORWARD -i br-b02b762598fe -o br-b02b762598fe -j ACCEPT
-A CSFORWARD -i br-3f1ec4d5f2c0 -o br-3f1ec4d5f2c0 -j ACCEPT
-A CSFORWARD -i br-c84ccb838c3b -o br-c84ccb838c3b -j ACCEPT
-A CSFORWARD -i br-b502569f97ad -o br-b502569f97ad -j ACCEPT
-A CSFORWARD -i br-49db839ef112 -o br-49db839ef112 -j ACCEPT
-A CSFORWARD -i br-1c27f5ce4a89 -o br-1c27f5ce4a89 -j ACCEPT
-A CSFORWARD -i lxcbr0 -o lxcbr0 -j ACCEPT
-A CSFORWARD -i docker0 -o docker0 -j ACCEPT
-A CSFORWARD -o docker0 -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o lxcbr0 -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o br-1c27f5ce4a89 -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o br-49db839ef112 -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o br-b502569f97ad -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o br-c84ccb838c3b -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o br-3f1ec4d5f2c0 -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o br-b02b762598fe -m conntrack --ctstate INVALID,NEW -j DROP
-A DOCKER-ISOLATION-STAGE-1 -i lxcbr0 ! -o lxcbr0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o lxcbr0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A SYSDOCKER -d 172.30.76.4/32 ! -i br-65e651001c55 -o br-65e651001c55 -p tcp -m tcp --dport 8080 -j ACCEPT
-A SYSDOCKER-ISOLATION-STAGE-1 -i br-65e651001c55 ! -o br-65e651001c55 -j SYSDOCKER-ISOLATION-STAGE-2
-A SYSDOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j SYSDOCKER-ISOLATION-STAGE-2
-A SYSDOCKER-ISOLATION-STAGE-1 -j RETURN
-A SYSDOCKER-ISOLATION-STAGE-2 -o br-65e651001c55 -j DROP
-A SYSDOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A SYSDOCKER-ISOLATION-STAGE-2 -j RETURN
-A SYSDOCKER-USER -j RETURN
```
`curl http://127.0.0.1:11409/status.php` yields NO response from ownCloud
```
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N CSFORWARD
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N SYSDOCKER
-N SYSDOCKER-ISOLATION-STAGE-1
-N SYSDOCKER-ISOLATION-STAGE-2
-N SYSDOCKER-USER
-A FORWARD -j SYSDOCKER-USER
-A FORWARD -j SYSDOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-d85a5117b23c -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d85a5117b23c -j SYSDOCKER
-A FORWARD -i br-d85a5117b23c ! -o br-d85a5117b23c -j ACCEPT
-A FORWARD -i br-d85a5117b23c -o br-d85a5117b23c -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o lxcbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o lxcbr0 -j DOCKER
-A FORWARD -i lxcbr0 ! -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -o lxcbr0 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j SYSDOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j CSFORWARD
-A OUTPUT -m set --match-set BRNOIPSET src,dst -j DROP
-A CSFORWARD -i br-b02b762598fe -o br-b02b762598fe -j ACCEPT
-A CSFORWARD -i br-3f1ec4d5f2c0 -o br-3f1ec4d5f2c0 -j ACCEPT
-A CSFORWARD -i br-c84ccb838c3b -o br-c84ccb838c3b -j ACCEPT
-A CSFORWARD -i br-b502569f97ad -o br-b502569f97ad -j ACCEPT
-A CSFORWARD -i br-49db839ef112 -o br-49db839ef112 -j ACCEPT
-A CSFORWARD -i br-1c27f5ce4a89 -o br-1c27f5ce4a89 -j ACCEPT
-A CSFORWARD -i lxcbr0 -o lxcbr0 -j ACCEPT
-A CSFORWARD -i docker0 -o docker0 -j ACCEPT
-A CSFORWARD -o docker0 -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o lxcbr0 -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o br-1c27f5ce4a89 -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o br-49db839ef112 -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o br-b502569f97ad -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o br-c84ccb838c3b -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o br-3f1ec4d5f2c0 -m conntrack --ctstate INVALID,NEW -j DROP
-A CSFORWARD -o br-b02b762598fe -m conntrack --ctstate INVALID,NEW -j DROP
-A DOCKER-ISOLATION-STAGE-1 -i lxcbr0 ! -o lxcbr0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o lxcbr0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A SYSDOCKER -d 172.30.76.4/32 ! -i br-65e651001c55 -o br-65e651001c55 -p tcp -m tcp --dport 8080 -j ACCEPT
-A SYSDOCKER -d 172.30.80.4/32 ! -i br-d85a5117b23c -o br-d85a5117b23c -p tcp -m tcp --dport 8080 -j ACCEPT
-A SYSDOCKER-ISOLATION-STAGE-1 -i br-d85a5117b23c ! -o br-d85a5117b23c -j SYSDOCKER-ISOLATION-STAGE-2
-A SYSDOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j SYSDOCKER-ISOLATION-STAGE-2
-A SYSDOCKER-ISOLATION-STAGE-1 -j RETURN
-A SYSDOCKER-ISOLATION-STAGE-2 -o br-d85a5117b23c -j DROP
-A SYSDOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A SYSDOCKER-ISOLATION-STAGE-2 -j RETURN
-A SYSDOCKER-USER -j RETURN
```
It still doesn't work. Looks like the port publishing is not working. We could use the container IP directly as a workaround (https://github.com/owncloud/qnap-packaging/pull/101).

Not reproducible on a recent QTS version with ownCloud QPKG 10.10.0.0.
Description
Device: TS-431X Firmware: 5.0.0.1932 Build 20220129 ownCloud app: across all versions
The ownCloud app is usable when not stopped and started during device runtime. But if one stops and starts the ownCloud app, it is no longer usable. In order to make it work again, the device needs to be rebooted.
Steps to reproduce
https://<your-device-ip>/owncloud
https://<your-device-ip>/owncloud
Instead of stopping and starting ownCloud in steps 2) and 3), you can just install the ownCloud app again. It will have the same effect.
Analysis
After a reboot the iptables rules look like this:
After stopping and starting the ownCloud app, the iptables rules look like this:
The diff shows that iptables look different. Normally only the interface name should have been changed.
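
The comparison the Analysis refers to can be automated. The following Python is an added example, not part of the original issue or of the qnap-packaging project: it compares two `iptables -S` dumps and lists rules outside `FORWARD` that still match a bridge interface the `FORWARD` chain no longer references. The names `WORKING`, `BROKEN`, `parse_rules`, `forward_interfaces` and `leftover_rules` are hypothetical, the embedded dumps are excerpts of the two listings on this page, and treating an interface that `FORWARD` stopped matching as belonging to the previous app instance is an assumption.

```python
# Added example: excerpts (FORWARD and SYSDOCKER rules) of the two dumps on this page.
WORKING = """\
-A FORWARD -o br-65e651001c55 -j SYSDOCKER
-A FORWARD -i br-65e651001c55 ! -o br-65e651001c55 -j ACCEPT
-A FORWARD -o docker0 -j SYSDOCKER
-A SYSDOCKER -d 172.30.76.4/32 ! -i br-65e651001c55 -o br-65e651001c55 -p tcp -m tcp --dport 8080 -j ACCEPT
"""
BROKEN = """\
-A FORWARD -o br-d85a5117b23c -j SYSDOCKER
-A FORWARD -i br-d85a5117b23c ! -o br-d85a5117b23c -j ACCEPT
-A FORWARD -o docker0 -j SYSDOCKER
-A SYSDOCKER -d 172.30.76.4/32 ! -i br-65e651001c55 -o br-65e651001c55 -p tcp -m tcp --dport 8080 -j ACCEPT
-A SYSDOCKER -d 172.30.80.4/32 ! -i br-d85a5117b23c -o br-d85a5117b23c -p tcp -m tcp --dport 8080 -j ACCEPT
"""

def parse_rules(dump):
    """Yield (chain, options, raw_line) for each appended rule (-A) in `iptables -S` output."""
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "-A":
            continue  # skip -P / -N lines, shell prompts and blank lines
        opts = {}
        for flag, value in zip(tokens[2:], tokens[3:]):
            if flag in ("-i", "-o", "-d", "--dport", "-j"):
                opts.setdefault(flag, value)
        yield tokens[1], opts, line.strip()

def forward_interfaces(dump):
    """Interfaces that the FORWARD chain matches on (-i or -o)."""
    return {opts[f] for chain, opts, _ in parse_rules(dump)
            if chain == "FORWARD" for f in ("-i", "-o") if f in opts}

def leftover_rules(before, after):
    """Rules outside FORWARD in `after` that still match an interface FORWARD stopped using."""
    retired = forward_interfaces(before) - forward_interfaces(after)
    found = []
    for chain, opts, line in parse_rules(after):
        ifaces = {opts.get("-i"), opts.get("-o")} & retired
        if chain != "FORWARD" and ifaces:
            found.append({"chain": chain, "interfaces": sorted(ifaces),
                          "dest": opts.get("-d"), "dport": opts.get("--dport"), "rule": line})
    return found

if __name__ == "__main__":
    for hit in leftover_rules(WORKING, BROKEN):
        print("leftover:", hit["rule"])
```

On the dumps above it reports one rule: the `SYSDOCKER` ACCEPT for 172.30.76.4 port 8080 on `br-65e651001c55`, which remains next to the new rule for 172.30.80.4 on `br-d85a5117b23c`.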