Firewall settings

Firewall settings and Docker

If your firewall settings are too restrictive, they may not work with Docker, and you may not be able to install GroundWork Monitor 8. GroundWork also uses port 5433 during the installation and upgrade process, so blocking access to this port on the host can cause the same problem. Security programs such as SELinux, AppArmor, and anti-virus software may block it as well. On CentOS and Red Hat systems with default firewalld rulesets, there is a known issue that prevents container-to-container communication, which has the same effect.

Any of these conditions can halt the GroundWork Monitor installation or upgrade during the setup of the database with an error like the following:

Running GW8 data migrations...
Unable to access postgres, waiting 7 more seconds
Unable to access postgres, waiting 4 more seconds
ERROR: Unable to access postgres after waiting 10 seconds: exiting
Unable to migrate GW8 data volumes: exiting.
Error: No such container:path: gw8:README
Error: No such container:path: gw8:docker-compose.override.yml
Error: No such container:path: gw8:gw8.env
ERROR: Couldn't find env file: /home/<username>/github/gwos/gw8-ga2/gw8/gw8.env

If you see this error, take the following steps to complete your GroundWork Monitor 8 installation or upgrade. You will need to resolve the firewalld ruleset, security suite, or anti-virus restrictions so that they are compatible with Docker. You should also, at least temporarily, allow port 5433/tcp for the duration of the install or upgrade; the restriction can be reinstated afterward.

Note that these steps disable the default firewalld configuration and leave your GroundWork server in a potentially vulnerable state, so be sure to follow up and set up compatible secure rules after you have completed installing or upgrading GroundWork Monitor.

  1. Disable the existing firewalld ruleset. Type, at the command line:

    systemctl disable firewalld
    systemctl stop firewalld
    iptables -F
  2. Remove the gw8 container that may have been left defined:

    docker rm gw8
  3. Restart the Docker daemon (note this instantiates the firewall rules Docker needs, but does not restart the firewall itself):

    service docker restart
  4. If desired, you may be able to complete the installation manually. From the command line in the gw8 directory, you can type:

    docker run \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v ${HOME}/.docker:/root/.docker \
        -v /tmp:/tmp/tmp \
        --name gw8 groundworkdevelopment/gw8:${TAG}

    Your TAG value is dependent on the version you are installing or upgrading to. You should see a message about the volumes getting initialized or migrations being run successfully.

  5. Copy the environment files to the gw8 directory if they are still missing. On an upgrade they may already be present, in which case they should not be replaced:

    docker cp gw8:.env .
    docker cp gw8:gw8.env .
  6. Remove the gw8 container, since its purpose is fulfilled:

    docker rm gw8
  7. Start GroundWork if necessary (depending on the steps above, it may already be running):

    docker-compose up -d

Firewall rules

Don't forget! You will need to determine and apply the appropriate firewall rules or security settings for your host.

GroundWork uses port TCP/443, and optionally TCP/5667 (for legacy GDMA) to the revproxy container, and it also requires container-to-container communications. You can adjust the firewalld settings to match your company's security policy as long as these conditions are met.

A useful example of adjusting firewalld rulesets to secure a Docker CE host can be found here.
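The following script is an added example, not GroundWork's own tooling, of a firewalld ruleset that meets the conditions above: TCP/443 permanently, TCP/5667 only when legacy GDMA is in use, container-to-container traffic allowed, and 5433/tcp opened only as an expiring runtime rule during an install or upgrade. The zone names, the docker0 interface, and the trusted-zone plus masquerade approach to container traffic are assumptions about a default CentOS/Red Hat host; by default it only prints the commands (DRY_RUN=1).

```shell
#!/bin/sh
# Added example: plan (or apply) firewalld rules for a GroundWork 8 Docker host.
# DRY_RUN=1 (default) prints each firewall-cmd invocation instead of running it.
: "${DRY_RUN:=1}"
: "${PUBLIC_ZONE:=public}"    # assumption: zone facing browsers and GDMA agents
: "${DOCKER_IFACE:=docker0}"  # assumption: Docker's default bridge interface

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage: gw8_firewall_plan <install|steady> <legacy|nolegacy>
#   install  - also open 5433/tcp for the install/upgrade window (runtime only)
#   legacy   - also open 5667/tcp for legacy GDMA agents
gw8_firewall_plan() {
    phase=$1
    gdma=$2
    # Permanent rules: what GroundWork needs in steady state.
    run firewall-cmd --permanent --zone="$PUBLIC_ZONE" --add-port=443/tcp
    if [ "$gdma" = "legacy" ]; then
        run firewall-cmd --permanent --zone="$PUBLIC_ZONE" --add-port=5667/tcp
    fi
    # Container-to-container traffic (assumed workaround for the firewalld
    # issue noted above): trust the Docker bridge and masquerade outbound
    # container traffic in the public zone.
    run firewall-cmd --permanent --zone=trusted --add-interface="$DOCKER_IFACE"
    run firewall-cmd --permanent --zone="$PUBLIC_ZONE" --add-masquerade
    # Reload first: it activates the permanent rules and discards runtime-only
    # ones, so the temporary port must be added after it.
    run firewall-cmd --reload
    if [ "$phase" = "install" ]; then
        # Runtime rule with a timeout: never persisted, removed automatically,
        # so 5433/tcp cannot be left open by accident after the upgrade.
        run firewall-cmd --zone="$PUBLIC_ZONE" --add-port=5433/tcp --timeout=2h
    fi
}

# Returns 0 if a generated plan would persist 5433/tcp, which must never happen.
plan_persists_5433() {
    printf '%s\n' "$1" | grep -q -- '--permanent.*5433'
}

gw8_firewall_plan "${1:-steady}" "${2:-nolegacy}"
```

Run `DRY_RUN=0 sh gw8-firewall.sh install legacy` (file name assumed) as root to apply the rules during an upgrade, then re-run in steady mode afterwards to confirm nothing but 443 and 5667 remains open.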