From 6707062b0d04cdec686c68ae3f1195751c46a322 Mon Sep 17 00:00:00 2001 From: Merlin Scholz <21988035+ruhrscholz@users.noreply.github.com> Date: Tue, 8 Mar 2022 15:49:29 +0100 Subject: [PATCH] docs: elaborate on networking issues with firewalld (#12214) --- website/content/docs/drivers/docker.mdx | 7 +++++++ website/content/docs/job-specification/network.mdx | 13 +++++++++++++ 2 files changed, 20 insertions(+) diff --git a/website/content/docs/drivers/docker.mdx b/website/content/docs/drivers/docker.mdx index f84e97ed6..926cc2dc8 100644 --- a/website/content/docs/drivers/docker.mdx +++ b/website/content/docs/drivers/docker.mdx @@ -259,6 +259,12 @@ config { the task group. This will also prevent [Connect]-enabled tasks from reaching the Envoy sidecar proxy. + If you are in the process of migrating from the default Docker network to + group-wide bridge networking, you may encounter issues preventing your + containers from reaching networks outside of the bridge interface on systems with + firewalld enabled. This behavior is often caused by the CNI plugin not registering the group + network as trusted and can be resolved as described in the [network stanza] documentation. + - `pid_mode` - (Optional) `host` or not set (default). Set to `host` to share the PID namespace with the host. Note that this also requires the Nomad agent to be configured to allow privileged containers. @@ -1173,4 +1179,5 @@ Windows is relatively new and rapidly evolving you may want to consult the [allow_caps]: /docs/drivers/docker#allow_caps [Connect]: /docs/job-specification/connect [`bridge`]: docs/job-specification/network#bridge +[network stanza]: /docs/job-specification/network#bridge-mode [`pids_limit`]: /docs/drivers/docker#pids_limit diff --git a/website/content/docs/job-specification/network.mdx b/website/content/docs/job-specification/network.mdx index c107e8166..5c6613e55 100644 --- a/website/content/docs/job-specification/network.mdx 
+++ b/website/content/docs/job-specification/network.mdx @@ -218,6 +218,19 @@ network { } ``` +Using bridge mode can result in failing outbound network requests on hosts that have +[firewalld](https://firewalld.org) enabled. This includes most RHEL-based Linux distributions +like CentOS, Rocky Linux or Oracle Linux. One solution for firewalld to allow network +requsts coming from Nomad jobs is to mark the `nomad` bridge interface as trusted. + +```shell-session +$ sudo firewall-cmd --zone=trusted --add-interface=nomad +$ sudo firewall-cmd --zone=trusted --add-interface=nomad --permanent +``` + +It is neccessary to restart the affected jobs afterwards for them to be able to access +the network. Further details can be found in Docker's documentation under [Docker and iptables](https://docs.docker.com/network/iptables/#integration-with-firewalld). + ### DNS The following example configures the allocation to use Google's DNS resolvers 8.8.8.8 and 8.8.4.4.
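Review bot: in the docker.mdx paragraph added after "the Envoy sidecar proxy.", the causal claim "caused by the CNI plugin not registering the group network as trusted" is hard for a reader to act on, because the CNI plugin does not interact with firewalld zones at all; the actual situation is that firewalld has no rule for the bridge interface, so traffic leaving it is dropped. Suggest rewording to something like "because the `nomad` bridge interface is not assigned to a firewalld zone that permits forwarding" so the sentence matches the remedy the linked section gives.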
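Review bot: the new link definition `[network stanza]: /docs/job-specification/network#bridge-mode` points at a `#bridge-mode` anchor, but the network.mdx hunk only shows the paragraph being inserted after a closing code fence and no heading with that id is visible in this diff; please confirm the anchor exists (or add the heading) so the cross-reference does not silently land at the top of the page. While here, note that the neighbouring existing definition `[`bridge`]: docs/job-specification/network#bridge` lacks the leading slash the other entries use; worth fixing in the same pass.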
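Review bot: in the network.mdx paragraph, "requsts" should be "requests" and "neccessary" should be "necessary". More importantly, the text presents `firewall-cmd --zone=trusted --add-interface=nomad` as "one solution" without saying what it does: firewalld's `trusted` zone accepts all traffic on that interface, so this exempts every Nomad job on the host from host-level firewall filtering. Suggest adding a sentence stating that consequence and that a more restrictive zone or rule set can be used where job traffic should still be filtered, so operators can weigh it before copying the commands. The two commands (runtime change, then `--permanent`) are correct as ordered; `firewall-cmd --runtime-to-permanent` would be an equivalent single follow-up if you want to shorten the snippet.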