
fix dockerd sets iptables FORWARD policy to DROP #267

Closed (not merged)

Conversation

mnbf9rca

fixes #266 so that policy is persistent across reboots

@ktsakalozos
Member

Thank you for this PR @mnbf9rca as it gave me the chance to read about the --iptables flag. I need to spend more time on this and experiment a bit with the --iptables, --icc and --bridge flags. By reading https://docs.docker.com/v17.09/engine/userguide/networking/default_network/container-communication/#communication-between-containers and https://docs.docker.com/engine/reference/commandline/dockerd/#run-multiple-daemons it seems dockerd tries to do the right thing and enable forwarding on the bridge it thinks it is using (docker0 by default). However, we are not using docker0; instead kubenet is using cbr0, so I need to check if by telling dockerd to use cbr0 the forwarding rules are set correctly.

@gbevan

gbevan commented Jan 2, 2019

Hi, for reference, this is how I fixed it using the DOCKER-USER chain instead of tweaking the FORWARD DROP rule: https://gist.github.com/gbevan/8a0a786cfc2728cd2998f868b0ff5b72 There is a link in there to the original article that I found and followed.

@planetbeing

It appears Docker will only set the default FORWARD policy to DROP if before launching, net.ipv4.ip_forward is not enabled and it had to enable it. (https://github.com/docker/libnetwork/blob/master/drivers/bridge/setup_ip_forwarding.go)

Editing /etc/sysctl.conf to uncomment the net.ipv4.ip_forward=1 line in Ubuntu appears to stop this behavior and perhaps be a more elegant way of addressing this issue.

@planetbeing

planetbeing commented Feb 10, 2019

It also may be instructive to read why the policy was changed by Docker in the first place: moby/moby#14041 and see if it applies here. If it does, it may not be a good idea for microk8s to advise users to set the policy in the first place and instead add additional iptables rules analogous to what was added for the docker0 interface for the cbr0 interface to get Kubernetes pod networking to work.

EDIT: I had luck getting networking to work with the following iptables/systemd unit:
https://gist.github.com/planetbeing/7c8f919a4dfbacf7681145a402884dbd

@ktsakalozos
Member

I had luck getting networking to work with the following iptables/systemd unit:
https://gist.github.com/planetbeing/7c8f919a4dfbacf7681145a402884dbd

I like this. It sets iptables rules on only the interface we create (cbr0). It should also work through our transition to containerd. We could feature flag these few iptables rules and have them applied every time we start dockerd https://github.com/ubuntu/microk8s/blob/master/microk8s-resources/wrappers/run-docker-with-args#L31 . Your thoughts?
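An added audit check, not code from this PR or from microk8s, covering the two points raised above: planetbeing's observation that dockerd flips the FORWARD policy to DROP, and the idea of adding rules for cbr0 analogous to Docker's own docker0 rules. It reads an `iptables -S FORWARD` dump (a constructed sample is embedded), assumes the bridge name cbr0 from this thread, and the "analogous" rules it prints are my rewrite of Docker's docker0 rules, not rules taken from either gist.

```shell
#!/bin/sh
# Added example, not code from the PR or from microk8s. Audits an
# `iptables -S FORWARD` dump: is the policy DROP, and does the kubenet
# bridge (cbr0) have explicit ACCEPT rules so pod traffic still forwards?
# On a live host: iptables -S FORWARD | audit_forward cbr0

# Constructed sample dump of a host where dockerd set the policy to DROP
# and only added rules for its own bridge, docker0.
SAMPLE_DROP='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# audit_forward BRIDGE: reads the dump on stdin. Returns 0 when traffic on
# BRIDGE can be forwarded, 1 when the DROP policy will swallow it.
audit_forward() {
    bridge="$1"
    dump=$(cat)
    policy=$(printf '%s\n' "$dump" | awk '$1 == "-P" && $2 == "FORWARD" { print $3 }')
    if [ "$policy" != "DROP" ]; then
        echo "FORWARD policy is ${policy:-unknown}: forwarding allowed by default"
        return 0
    fi
    # Any ACCEPT rule naming the bridge as ingress (-i) or egress (-o) interface.
    if printf '%s\n' "$dump" | grep -Eq -- "^-A FORWARD .*-[io] $bridge .*-j ACCEPT"; then
        echo "FORWARD policy is DROP, but $bridge has explicit ACCEPT rules"
        return 0
    fi
    echo "FORWARD policy is DROP and no ACCEPT rule mentions $bridge: pod traffic will be dropped"
    return 1
}

# bridge_rules BRIDGE: prints Docker's three docker0 rules rewritten for
# BRIDGE (assumed analogue, as suggested in the thread); they make audit_forward pass.
bridge_rules() {
    bridge="$1"
    printf 'iptables -A FORWARD -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$bridge"
    printf 'iptables -A FORWARD -i %s ! -o %s -j ACCEPT\n' "$bridge" "$bridge"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$bridge" "$bridge"
}

# Stand-alone demo on the constructed sample: report, then print the missing rules.
printf '%s\n' "$SAMPLE_DROP" | audit_forward cbr0 || bridge_rules cbr0
```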

@stale

stale bot commented Apr 4, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@ktsakalozos
Member

Closing this PR due to inactivity.

ktsakalozos closed this Jul 7, 2020
Linked issue this pull request would close: #266, "microk8s sets iptables policy FORWARD to DROP on reboot"