docs: elaborate on networking issues with firewalld (#12214)

b59c2d28 · temp · Tim Gross · 7aa0ef93 · b59c2d28 · b59c2d28
Commit b59c2d28 authored 3 years ago by temp Committed by Tim Gross 3 years ago
Hide whitespace changes
Inline Side-by-side

Showing

with 21 additions and 0 deletions
+21 -0
--- a/website/content/docs/drivers/docker.mdx
+++ b/website/content/docs/drivers/docker.mdx
@@ -247,6 +247,12 @@ config {
  the task group. This will also prevent [Connect]-enabled tasks from reaching
  the Envoy sidecar proxy.

+  If you are in the process of migrating from the default Docker network to
+  group-wide bridge networking, you may encounter issues preventing your
+  containers from reaching networks outside of the bridge interface on systems with
+  firewalld enabled. This behavior is often caused by the CNI plugin not registering the group
+  network as trusted and can be resolved as described in the [network stanza] documentation.
+
 - `pid_mode` - (Optional) `host` or not set (default). Set to `host` to share
  the PID namespace with the host. Note that this also requires the Nomad agent
  to be configured to allow privileged containers.
@@ -1153,3 +1159,5 @@ Windows is relatively new and rapidly evolving you may want to consult the
 [allow_caps]: /docs/drivers/docker#allow_caps
 [Connect]: /docs/job-specification/connect
 [`bridge`]: docs/job-specification/network#bridge
+[network stanza]: /docs/job-specification/network#bridge-mode
+[`pids_limit`]: /docs/drivers/docker#pids_limit
--- a/website/content/docs/job-specification/network.mdx
+++ b/website/content/docs/job-specification/network.mdx
@@ -204,6 +204,19 @@ network {
 }
 ```

+Using bridge mode can result in failing outbound network requests on hosts that have
+[firewalld](https://firewalld.org) enabled. This includes most RHEL-based Linux distributions
+like CentOS, Rocky Linux or Oracle Linux. One solution for firewalld to allow network
+requsts coming from Nomad jobs is to mark the `nomad` bridge interface as trusted.
+
+```shell-session
+$ sudo firewall-cmd --zone=trusted --add-interface=nomad
+$ sudo firewall-cmd --zone=trusted --add-interface=nomad --permanent
+```
+
+It is neccessary to restart the affected jobs afterwards for them to be able to access
+the network. Further details can be found in Docker's documentation under [Docker and iptables](https://docs.docker.com/network/iptables/#integration-with-firewalld).
+
 ### DNS

 The following example configures the allocation to use Google's DNS resolvers 8.8.8.8 and 8.8.4.4.