Closed florie1706 closed 1 year ago
Hi. Are you referring to this software? https://github.com/crowdsecurity/cs-firewall-bouncer Anyways, ufw-docker-automated connects to the Docker engine socket, then listens to event messages. If you're not seeing anything after connection, then there is a chance that no events are coming in. Does the said software also connect to the Docker socket?
Also try this command: https://docs.docker.com/engine/reference/commandline/events/
I believe docker events should give you a realtime view of Docker events. It should be similar to what ufw-docker-automated uses under the hood.
If the Docker socket is disconnected, we should see the ufw-docker-automated: Event error. message coming from here.
Yes, this should be the software. I do not know if it is related, but I did install that and had a kernel update a couple of days ago. After the reboot your software did not work any longer.
A docker service restart brought your mentioned event error message.
./ufw-docker-automated
2023-01-27T17:05:24+01:00 INF main.go:18 > ufw-docker-automated: Connected to the Docker Engine.
2023-01-27T17:07:12+01:00 ERR main.go:46 > ufw-docker-automated: Event error. error="unexpected EOF"
2023-01-27T17:07:17+01:00 INF client.go:30 > ufw-docker-automated: Trying to reconnect..
2023-01-27T17:07:24+01:00 INF client.go:36 > ufw-docker-automated: Reconnected to the Docker Engine.
docker events brings a massive amount of information. When I restart a container it looks like this in the events, but nothing in ufw-docker-automated:
2023-01-27T18:09:14.455064464+01:00 container start caed2cffe792d5 (UFW_ALLOW_FROM=192.168.178.0/24-LAN Main, UFW_MANAGED=True, build_version=Linuxserver ....... (and so on)
but no rules were added :(
Hmm, Docker events are there... There must be something else going on then. I'm suspecting the cli isn't receiving any events. I can make a little debugger for you to try out. In that debugger, we'll only try to print Docker events and do nothing else. In the meantime, could you give me a little bit more information about your environment? These are helpful:
# kernel version
uname -a
# docker version
docker version
# ufw version
ufw --version
Also minimal reproducible steps please.
Thank you very much!
It is pretty standard Ubuntu Server 22.04.1 LTS, a couple of docker containers, a bunch with UFW_ALLOW_FROM. Always worked. Did install Crowdsec in a docker container which corresponds with a traefik container. Through a manual on the internet I also did install this cs-firewall-bouncer, which is running directly on the host.
If I had a problem before, sudo journalctl -u ufw-docker-automated -f was my friend to investigate, but for now this is just not saying anything, and also just the standard host rules are in my ufw, such as samba etc.
Linux nas 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Client:
Version: 20.10.12
API version: 1.41
Go version: go1.17.3
Git commit: 20.10.12-0ubuntu4
Built: Mon Mar 7 17:10:06 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server:
Engine:
Version: 20.10.12
API version: 1.41 (minimum version 1.12)
Go version: go1.17.3
Git commit: 20.10.12-0ubuntu4
Built: Mon Mar 7 15:57:50 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.5.9-0ubuntu3.1
GitCommit:
runc:
Version: 1.1.0-0ubuntu1.1
GitCommit:
docker-init:
Version: 0.19.0
GitCommit:
ufw 0.36.1 Copyright 2008-2021 Canonical Ltd.
I just tried docker run -d -p 8080:80 -p 8081:81 -l UFW_MANAGED=TRUE nginx:alpine
from your README, that created the rules for that ;)
Excuse me, I'm lost there. So the example is working for you?
Yes, but all my docker-compose files were not processed.
That is strange, isn't it?
Ah, gotcha. Could you show me the steps to reproduce the error? (Remove private info, also change image names if they're private as well. Try to use the bare nginx:alpine image; if it reproduces, that's good.) If the docker run example is working for you, I can't do much else 😬
The only thing I can think of related to docker compose is that now there are 2 versions, docker-compose vs docker compose. One maybe not working.
docker run returns
ufw-docker-automated[123]: 2023-01-27T21:08:20+01:00 INF create.go:91 > ufw-docker-automated: Adding inbound rule: /usr/bin/sudo ufw route allow proto tcp from any to 1XX.XXX.XXX.2 port 80 comment kinarr:b0f811
ufw-docker-automated[123]: 2023-01-27T21:08:21+01:00 INF create.go:101 > ufw: Rule added
I use docker-compose, which is docker-compose version 1.29.2, and when I run an unchanged (for ages) docker-compose.yaml which was always running fine, ufw related nothing happens yet. I usually do docker-compose -p PROJECT -f /home/user/docker/name.yml up -d
This fires up the container, it is perfectly fine on my LAN, but is currently not available from outside.
Could you drop that docker-compose.yml here?
Oh man, you just opened my eyes. In my docker-compose.yml I had
UFW_MANAGED: true
which always worked. As I change it to
UFW_MANAGED: 'TRUE'
everything is back to normal.
Sorry for that and thanks for your time, that helped me to find the solution 👍
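The mismatch found above is worth seeing in code: a YAML boolean true in docker-compose.yml reaches the Docker engine as the string True (the event line quoted earlier shows UFW_MANAGED=True), while the README's docker run example uses TRUE. A label check that silently skips a container means the expected ufw rules never appear and nothing is logged, which is exactly what this thread looked like. The Go program below is an added example written for this thread, not code from ufw-docker-automated: it decodes a constructed container start event in the JSON shape docker events emits, compares a strict and a case-insensitive UFW_MANAGED check, validates UFW_ALLOW_FROM before any rule is built, and assembles the argv of the ufw route rule logged earlier. The UFW_ALLOW_FROM format ("<cidr>-<comment>", entries separated by ';') is inferred from the single event line in this thread and is an assumption, as are the container address 172.17.0.2 and all function names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// sampleEvent is constructed in the shape `docker events --format '{{json .}}'` emits for the
// "container start" event quoted in this thread; "True" is what a YAML boolean arrives as.
const sampleEvent = `{"Type":"container","Action":"start","Actor":{"ID":"caed2cffe792d5","Attributes":` +
	`{"name":"kinarr","UFW_MANAGED":"True","UFW_ALLOW_FROM":"192.168.178.0/24-LAN Main"}}}`

// dockerEvent holds only the fields used here; encoding/json matches them by name.
type dockerEvent struct {
	Type, Action string
	Actor        struct{ ID string; Attributes map[string]string }
}

// LabelsFromEvent returns the labels of a container start event, or nil for any other event.
func LabelsFromEvent(raw string) (map[string]string, error) {
	var ev dockerEvent
	if err := json.Unmarshal([]byte(raw), &ev); err != nil {
		return nil, err
	}
	if ev.Type != "container" || ev.Action != "start" {
		return nil, nil
	}
	return ev.Actor.Attributes, nil
}

// IsManagedStrict matches only the literal "TRUE" from the README's docker run example.
func IsManagedStrict(labels map[string]string) bool { return labels["UFW_MANAGED"] == "TRUE" }

// IsManagedLenient matches "true" in any letter case, so the stringified YAML boolean passes too.
func IsManagedLenient(labels map[string]string) bool {
	return strings.EqualFold(strings.TrimSpace(labels["UFW_MANAGED"]), "true")
}

// AllowRule is one validated UFW_ALLOW_FROM entry: a parsed network plus a vetted comment.
type AllowRule struct {
	Source  *net.IPNet
	Comment string
}

// commentOK restricts comment text to characters that cannot alter a rule's meaning.
var commentOK = regexp.MustCompile(`^[A-Za-z0-9 _.:-]*$`)

// ParseAllowFrom parses entries of the assumed form "<cidr>[-<comment>]" separated by ';'.
// One bad entry rejects the whole label rather than yielding a partial, surprising rule set.
func ParseAllowFrom(value string) ([]AllowRule, error) {
	var rules []AllowRule
	for _, entry := range strings.Split(value, ";") {
		if entry = strings.TrimSpace(entry); entry == "" {
			continue
		}
		cidr, comment := entry, ""
		if i := strings.Index(entry, "-"); i >= 0 {
			cidr, comment = entry[:i], strings.TrimSpace(entry[i+1:])
		}
		_, network, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, fmt.Errorf("UFW_ALLOW_FROM entry %q: %w", entry, err)
		}
		if !commentOK.MatchString(comment) {
			return nil, fmt.Errorf("UFW_ALLOW_FROM entry %q: disallowed characters in comment", entry)
		}
		rules = append(rules, AllowRule{Source: network, Comment: comment})
	}
	return rules, nil
}

// BuildUfwArgs returns the argv of one rule in the shape logged in this thread (ufw route allow
// proto tcp from <src> to <ip> port <port> comment <name>); an argv never passes label text to a shell.
func BuildUfwArgs(r AllowRule, proto, containerIP string, port int, comment string) ([]string, error) {
	if proto != "tcp" && proto != "udp" {
		return nil, fmt.Errorf("unsupported proto %q", proto)
	}
	if net.ParseIP(containerIP) == nil || port < 1 || port > 65535 {
		return nil, fmt.Errorf("invalid target %s:%d", containerIP, port)
	}
	return []string{"ufw", "route", "allow", "proto", proto, "from", r.Source.String(),
		"to", containerIP, "port", strconv.Itoa(port), "comment", comment}, nil
}

func main() {
	labels, _ := LabelsFromEvent(sampleEvent)
	fmt.Printf("strict=%v lenient=%v\n", IsManagedStrict(labels), IsManagedLenient(labels))
	rules, err := ParseAllowFrom(labels["UFW_ALLOW_FROM"])
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	args, _ := BuildUfwArgs(rules[0], "tcp", "172.17.0.2", 80, labels["name"]) // placeholder container IP
	fmt.Println(strings.Join(args, " "))
}
```

Both checks accept the README form TRUE; only the lenient one also accepts the compose boolean. Whichever a deployment picks, logging the label value it rejected at container start would have turned this thread into a one-line fix, and refusing a malformed UFW_ALLOW_FROM outright is safer than applying the entries that happened to parse.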
Oh cool, no problem. When debugging something, it's always important to look back and go through the steps you made. Sometimes we miss obvious things.
Hi @shinebayar-g
I do not know if it is related to the currently installed crowds-firewall-bouncer, but even with v0.11.0 the log does not say anything :(
only shows
and
shows only this, even on a container restart
Originally posted by @florie1706 in https://github.com/shinebayar-g/ufw-docker-automated/issues/47#issuecomment-1398845233