Ufw rules are not cleaned when a container dies #7
Rules are also not cleared when rebooting the machine and the restart policy is set to 'unless-stopped'.
Thanks for reporting, I'll take a deeper look into these issues once I fix my laptop. I'm going to reinstall the OS this weekend so I'll be able to get back to work.
I have a solution for cleaning ufw rules when restarting or shutting down the machine. The problem is that the user needs to add 3 scripts and run some commands.
As for cleaning the rules when a container dies.
Indeed, we need some kind of container id to container ip mapping. I think the ufw command actually has a feature for comments / descriptions on rules (which I never used).
I agree this is the right solution for this mapping, I wasn't sure that ufw could do comments like iptables.
Idea added in branch ufw-comment. I have also implemented this idea in branch ufw-threads.
I found an issue with handling the die event instead of the kill event: sometimes docker is faster than the ufw-docker-automated script and the container doesn't exist anymore when calling the docker API to retrieve information on the container. The issue would be the same during a kill event or even a start event; the ufw-docker-automated script could be really late in comparison with docker. And it could lead to trying to find a container that doesn't exist anymore (when doing start and stop multiple times). This script must be resilient when the container doesn't exist anymore. I also think issue #11 is related to this; I tested the same scenario with this fix and I don't have the issue of ghost rules anymore. So maybe the threading approach is not necessary anymore. This issue was found in the ufw-threads tests, scenario:
Steps for reproducing the issue:
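The container-id-to-rule mapping via ufw rule comments discussed in the comments above, as an added example that is not part of the project's code: each rule is created with a `comment` carrying the container id, and on a die event the rules to delete are found by parsing `ufw status numbered` instead of asking the Docker API, so cleanup still works when the container is already gone. The `ufw-docker-automated:` tag prefix, the sample status output and the container ids are constructed for this example.

```python
import re
from typing import List, Tuple

# Tag prefix stored in the ufw rule comment (constructed for this example).
TAG_PREFIX = "ufw-docker-automated:"

# Constructed sample of `ufw status numbered` output. Rules 2 and 4 belong to
# one container, rule 3 to another, rule 1 is an unrelated host rule.
SAMPLE_UFW_STATUS = """Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 172.17.0.2 80/tcp          ALLOW FWD   Anywhere                   # ufw-docker-automated:3f2a9c1d7e4b
[ 3] 172.17.0.3 443/tcp         ALLOW FWD   Anywhere                   # ufw-docker-automated:9b8c7d6e5f4a
[ 4] 172.17.0.2 443/tcp         ALLOW FWD   Anywhere                   # ufw-docker-automated:3f2a9c1d7e4b
"""

# "[ 12] <rule body>   # optional comment"
RULE_RE = re.compile(r"^\[\s*(\d+)\]\s+(.*?)\s*(?:#\s*(.*))?$")


def add_rule_command(container_id: str, ip: str, port: int, proto: str = "tcp") -> str:
    """Build the ufw route rule for a published container port, tagged with
    the container id so it can be found again without the Docker API."""
    short_id = container_id[:12]
    return (f"ufw route allow proto {proto} from any to {ip} port {port} "
            f"comment '{TAG_PREFIX}{short_id}'")


def parse_rules(status_text: str) -> List[Tuple[int, str, str]]:
    """Return (rule_number, rule_body, comment) for every numbered rule."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header and blank lines
        number = int(m.group(1))
        body = m.group(2).strip()
        comment = (m.group(3) or "").strip()
        rules.append((number, body, comment))
    return rules


def rules_for_container(status_text: str, container_id: str) -> List[int]:
    """Rule numbers tagged with this container. The stored id may be the short
    form, so match it as a prefix of the (possibly full) id from the event."""
    numbers = []
    for number, _body, comment in parse_rules(status_text):
        if not comment.startswith(TAG_PREFIX):
            continue
        stored_id = comment[len(TAG_PREFIX):]
        if stored_id and container_id.startswith(stored_id):
            numbers.append(number)
    return numbers


def delete_commands(status_text: str, container_id: str) -> List[str]:
    """Delete commands for a dead container, highest rule number first so the
    remaining numbers are still valid after each deletion. Returns an empty
    list when nothing is tagged, which is the safe outcome for a container
    that was never seen or was already cleaned up."""
    numbers = sorted(rules_for_container(status_text, container_id), reverse=True)
    return [f"ufw --force delete {n}" for n in numbers]


if __name__ == "__main__":
    print(add_rule_command("3f2a9c1d7e4b0000", "172.17.0.2", 80))
    for cmd in delete_commands(SAMPLE_UFW_STATUS, "3f2a9c1d7e4b0000"):
        print(cmd)
```

In a real handler the status text would come from `subprocess.run(["ufw", "status", "numbered"], capture_output=True, text=True).stdout` and each returned command would be executed in order; because the container id is read from the rule comment, a die event for a container that Docker has already removed produces the right deletions without a lookup that can fail.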
When a container dies and the user removes it, UFW rules are not cleaned.
Example:
Commands:
If we check the ufw rules we can see that they are still there.
If the container dies, in this case we can catch the container id in it. Here is the event that we could handle:
Maybe we should watch only die events, because after a kill event there is a die event.