Docker Connectivity Issues (IPv4/IPv6)
We have seen IPv4 and IPv6 connectivity issues between our on-premises containers and the outside world.
IP packet forwarding is governed by the ip_forward system parameter. Packets can only pass between containers if this parameter is 1. Usually you will simply leave the Docker server at its default setting --ip-forward=true, and Docker will set ip_forward to 1 for you when the server starts up. If you set --ip-forward=false and your system's kernel has it enabled, the --ip-forward=false option has no effect. To check the setting on your kernel or to turn it on manually:
    $ sysctl net.ipv4.conf.all.forwarding
    net.ipv4.conf.all.forwarding = 0
    $ sudo sysctl -w net.ipv4.conf.all.forwarding=1
    $ sysctl net.ipv4.conf.all.forwarding
    net.ipv4.conf.all.forwarding = 1
Please see this article from Docker for more details on Docker connectivity.
Prior to install, ensure your proxy settings are valid for the session and that you can use curl, lynx, or wget to test internet connectivity:
    echo $http_proxy
You can then attempt a curl or Docker Hub call to ensure outside connectivity.
Prior to install, you may want to disable the local firewall (iptables) to rule out local connectivity issues; however, here are some details on Sysdig connectivity and backend connectivity requirements:
6443 Agent communication
443 Sysdig Monitor user interface access
8800 Administration console access
Here are specifics on what is used for connectivity by our backend for the on-premises solution:
File Write Permissions Issues (SELinux or AppArmor)
During the install, you may see issues with writing to volumes such as /var or /opt from either the on-prem install scripts or Docker. You may want to disable SELinux (CentOS/RHEL) or AppArmor (Ubuntu/Debian) during the course of the install so that the valid directories are created.
This can be accomplished by:
From the command line, you can edit the /etc/sysconfig/selinux file. This file is a symlink to /etc/selinux/config. The configuration file is self-explanatory. Changing the value of SELINUX or SELINUXTYPE changes the state of SELinux and the name of the policy to be used the next time the system boots.
    [root@host2a ~]# cat /etc/sysconfig/selinux
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=permissive
    # SELINUXTYPE= type of policy in use. Possible values are:
    #       targeted - Only targeted network daemons are protected.
    #       strict - Full SELinux protection.
    SELINUXTYPE=targeted
    # SETLOCALDEFS= Check local definition changes
    SETLOCALDEFS=0
More info here
AppArmor can be disabled, and the kernel module unloaded by entering the following:
    sudo systemctl stop apparmor.service
    sudo update-rc.d -f apparmor remove
To re-enable AppArmor enter:
    sudo systemctl start apparmor.service
    sudo update-rc.d apparmor defaults
More info here
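
A read-only preflight covering the checks on this page, as an added example (not part of the Sysdig install scripts): it reports the kernel forwarding flag, the running SELinux mode next to the mode configured for the next boot, and the session proxy with any embedded credentials masked. The function names are illustrative, and the default paths are the standard Linux locations, passed as arguments so the functions can be run against copies.

```shell
#!/bin/sh
# Read-only preflight for the settings discussed above. Function names are
# illustrative; file paths are arguments (defaulting to the usual Linux
# locations) so the functions can be exercised against constructed copies.

# Kernel forwarding flag: prints enabled, disabled or unknown.
forwarding_state() {
    f=${1:-/proc/sys/net/ipv4/conf/all/forwarding}
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Value of KEY (SELINUX or SELINUXTYPE) in the config file, skipping comments.
# This is the state for the next boot, not necessarily the running one.
selinux_setting() {
    key=$1; f=${2:-/etc/selinux/config}
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(sed -n "s/^[[:space:]]*$key=[[:space:]]*\([A-Za-z_]*\).*/\1/p" "$f" | tail -n 1)
    echo "${v:-unknown}"
}

# Running SELinux mode from selinuxfs; the file is absent when SELinux is off.
selinux_runtime() {
    f=${1:-/sys/fs/selinux/enforce}
    [ -r "$f" ] || { echo disabled; return 0; }
    case "$(tr -d '[:space:]' < "$f")" in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# Proxy URL with any user:password@ part masked, or "unset".
proxy_summary() {
    p=${1-${http_proxy:-}}
    [ -n "$p" ] || { echo unset; return 0; }
    printf '%s\n' "$p" | sed 's#^\([a-zA-Z]*://\)[^/@]*@#\1***@#'
}

preflight() {
    echo "ip forwarding:        $(forwarding_state)"
    echo "SELinux (running):    $(selinux_runtime)"
    echo "SELinux (next boot):  $(selinux_setting SELINUX) / $(selinux_setting SELINUXTYPE)"
    echo "http_proxy:           $(proxy_summary)"
}
preflight
```

A mismatch between the running and next-boot SELinux lines means an edit to the config file has not taken effect yet, or a temporary change will revert on reboot.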