kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-06 10:25:42 +03:00
Code Issues Packages Projects Releases Wiki Activity

docs: elaborate on networking issues with firewalld (#12214)

Browse Source
This commit is contained in:
Merlin Scholz
2022-03-08 15:49:29 +01:00
committed by GitHub
parent 5c6f9a0570
commit 6707062b0d
2 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
website/content/docs/drivers/docker.mdx
View File

@@ -259,6 +259,12 @@ config {
the task group. This will also prevent [Connect]-enabled tasks from reaching
the Envoy sidecar proxy.
If you are in the process of migrating from the default Docker network to
group-wide bridge networking, you may encounter issues preventing your
containers from reaching networks outside of the bridge interface on systems with
firewalld enabled. This behavior is often caused by the CNI plugin not registering the group
network as trusted and can be resolved as described in the [network stanza] documentation.
- `pid_mode` - (Optional) `host` or not set (default). Set to `host` to share
the PID namespace with the host. Note that this also requires the Nomad agent
to be configured to allow privileged containers.
@@ -1173,4 +1179,5 @@ Windows is relatively new and rapidly evolving you may want to consult the
[allow_caps]: /docs/drivers/docker#allow_caps
[Connect]: /docs/job-specification/connect
[`bridge`]: docs/job-specification/network#bridge
[network stanza]: /docs/job-specification/network#bridge-mode
[`pids_limit`]: /docs/drivers/docker#pids_limit

13
website/content/docs/job-specification/network.mdx
View File

@@ -218,6 +218,19 @@ network {
}
```
Using bridge mode can result in failing outbound network requests on hosts that have
[firewalld](https://firewalld.org) enabled. This includes most RHEL-based Linux distributions
like CentOS, Rocky Linux or Oracle Linux. One solution for firewalld to allow network
requsts coming from Nomad jobs is to mark the `nomad` bridge interface as trusted.
```shell-session
$ sudo firewall-cmd --zone=trusted --add-interface=nomad
$ sudo firewall-cmd --zone=trusted --add-interface=nomad --permanent
```
It is neccessary to restart the affected jobs afterwards for them to be able to access
the network. Further details can be found in Docker's documentation under [Docker and iptables](https://docs.docker.com/network/iptables/#integration-with-firewalld).
### DNS
The following example configures the allocation to use Google's DNS resolvers 8.8.8.8 and 8.8.4.4.