Commit b59c2d28 authored by temp's avatar temp Committed by Tim Gross
Browse files

docs: elaborate on networking issues with firewalld (#12214)

parent 7aa0ef93
Showing with 21 additions and 0 deletions
+21 -0
......@@ -247,6 +247,12 @@ config {
the task group. This will also prevent [Connect]-enabled tasks from reaching
the Envoy sidecar proxy.
If you are in the process of migrating from the default Docker network to
group-wide bridge networking, you may encounter issues preventing your
containers from reaching networks outside of the bridge interface on systems with
firewalld enabled. This behavior is often caused by the CNI plugin not registering the group
network as trusted and can be resolved as described in the [network stanza] documentation.
- `pid_mode` - (Optional) `host` or not set (default). Set to `host` to share
the PID namespace with the host. Note that this also requires the Nomad agent
to be configured to allow privileged containers.
......@@ -1153,3 +1159,5 @@ Windows is relatively new and rapidly evolving you may want to consult the
[allow_caps]: /docs/drivers/docker#allow_caps
[Connect]: /docs/job-specification/connect
[`bridge`]: docs/job-specification/network#bridge
[network stanza]: /docs/job-specification/network#bridge-mode
[`pids_limit`]: /docs/drivers/docker#pids_limit
......@@ -204,6 +204,19 @@ network {
}
```
Using bridge mode can result in failing outbound network requests on hosts that have
[firewalld](https://firewalld.org) enabled. This includes most RHEL-based Linux distributions
like CentOS, Rocky Linux or Oracle Linux. One solution for firewalld to allow network
requsts coming from Nomad jobs is to mark the `nomad` bridge interface as trusted.
```shell-session
$ sudo firewall-cmd --zone=trusted --add-interface=nomad
$ sudo firewall-cmd --zone=trusted --add-interface=nomad --permanent
```
It is neccessary to restart the affected jobs afterwards for them to be able to access
the network. Further details can be found in Docker's documentation under [Docker and iptables](https://docs.docker.com/network/iptables/#integration-with-firewalld).
### DNS
The following example configures the allocation to use Google's DNS resolvers 8.8.8.8 and 8.8.4.4.
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment