docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update firewall troubleshooting hints (#5543)

This commit is contained in:
Misty Stanley-Jones 2017-12-15 16:29:55 -08:00 committed by GitHub
parent c8eeebcd0d
commit 2bf0f7221f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
engine/installation/linux/linux-postinstall.md
View File

@ -338,49 +338,25 @@ to configure your firewall to allow incoming connections on the Docker port,
which defaults to `2376` if TLS encrypted transport is enabled or `2375` which defaults to `2376` if TLS encrypted transport is enabled or `2375`
otherwise. otherwise.
#### Specific instructions for UFW Two common firewall daemons are
[UFW (Uncomplicated Firewall)](https://help.ubuntu.com/community/UFW) (often
used for Ubuntu systems) and [firewalld](http://www.firewalld.org/) (often used
for RPM-based systems). Consult the documentation for your OS and firewall, but
the following information might help you get started. These options are fairly
permissive and you may want to use a different configuration that locks your
system down more.
[UFW (Uncomplicated Firewall)](https://help.ubuntu.com/community/UFW) drops all - **UFW**: Set `DEFAULT_FORWARD_POLICY="ACCEPT"` in your configuration.
forwarding traffic and all incoming traffic by default. If you want to access
the Docker Remote API from another host and you have enabled remote access, you
need to configure UFW to allow incoming connections on the Docker port, which
defaults to `2376` if TLS encrypted transport is enabled or `2375` otherwise. By
default, Docker runs **without** TLS enabled. If you do not use TLS, you are
strongly discouraged from allowing access to the Docker Remote API from remote
hosts, to prevent remote privilege-escalation attacks.
To configure UFW and allow incoming connections on the Docker port: - **firewalld**: Add rules similar to the following to your policy (one for
incoming requests and one for outgoing requests). Be sure the interface names
and chain names are correct.
1. Verify that UFW is enabled. ```xml
<direct>
```bash [ <rule ipv="ipv6" table="filter" chain="FORWARD_direct" priority="0"> -i zt0 -j ACCEPT </rule> ]
$ sudo ufw status [ <rule ipv="ipv6" table="filter" chain="FORWARD_direct" priority="0"> -o zt0 -j ACCEPT </rule> ]
``` </direct>
If `ufw` is not enabled, the remaining steps will not be helpful.
2. Edit the UFW configuration file, which is usually `/etc/default/ufw` or
`/etc/sysconfig/ufw`. Set the `DEFAULT_FORWARD_POLICY` policy to `ACCEPT`.
```none
DEFAULT_FORWARD_POLICY="ACCEPT"
```
Save and close the file.
3. If you need to enable access to the Docker Remote API from external hosts
and understand the security implications (see the section before this
procedure), then configure UFW to allow incoming connections on the Docker port,
which is `2375` if you do not use TLS, and `2376` if you do.
```bash
$ sudo ufw allow 2376/tcp
```
4. Reload UFW.
```bash
$ sudo ufw reload
``` ```
### `Your kernel does not support cgroup swap limit capabilities` ### `Your kernel does not support cgroup swap limit capabilities`