Firewall Settings

Firewall settings and Docker

If you don't properly configure your firewall settings to work with Docker, you may not be able to install GroundWork Monitor 8.0.0. On CentOS and Red Hat systems with default firewalld rulesets, there is a known issue that can halt the GroundWork Monitor installation during the setup of the database with an error like the following:

    Running GW8 data migrations...
    Unable to access postgres, waiting 7 more seconds
    Unable to access postgres, waiting 4 more seconds
    ERROR: Unable to access postgres after waiting 10 seconds: exiting
    Unable to migrate GW8 data volumes: exiting.
    Error: No such container:path: gw8:README
    Error: No such container:path: gw8:docker-compose.override.yml
    Error: No such container:path: gw8:gw8.env
    gw8
    ERROR: Couldn't find env file: /home/gherteg/github/gwos/gw8-ga2/gw8/gw8.env

If you see this error, you can take the following steps to complete your GroundWork Monitor 8.0.0 installation. Afterward, you will need to replace the firewalld ruleset with one that works with Docker and satisfies your internal security policy. These steps disable the default firewalld configuration and leave your GroundWork server in a potentially vulnerable state, so be sure to follow up and set up compatible, secure rules.

  1. Disable the existing firewalld ruleset. Type, at the command line:

    systemctl disable firewalld
    systemctl stop firewalld
  2. Remove the gw8 container that may have been left defined: 

    docker rm gw8
  3. Restart the Docker daemon (note this instantiates the firewall rules Docker needs, but does not restart the firewall itself): 

    service docker restart
  4. Complete the installation manually. From the command line in the gw8 directory: 

    TAG=8.0.0-GA
    docker pull groundworkdevelopment/gw8:${TAG}
    docker run \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v ${HOME}/.docker:/root/.docker \
        -v /tmp:/tmp/tmp \
        --name gw8 groundworkdevelopment/gw8:${TAG}

    You should see a message about the volumes getting initialized or migrated successfully.

  5. Copy the (still missing) environment files to the gw8 directory: 

    docker cp gw8:.env .
    docker cp gw8:gw8.env .
  6. Remove the gw8 container, since its purpose is fulfilled: 

    docker rm gw8
  7. Start GroundWork Monitor 8.0.0: 

    docker-compose up -d

    Don't forget! You will need to determine and instantiate the appropriate firewall rules for your host!

    GroundWork uses port TCP/443, and optionally TCP/5667 (for legacy GDMA) to the revproxy container, and it also requires container-to-container communications. You can adjust the firewalld settings to match your company's security policy as long as these conditions are met.

    A useful example of adjusting firewalld rulesets to secure a Docker CE host can be found here.
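
An added example, not part of the GroundWork documentation: a small shell audit for the follow-up this page asks for, checking a firewalld zone's open ports and services against the stated requirements (TCP/443, and TCP/5667 only for legacy GDMA). The `audit_zone` helper, the `public` zone default, and the `GW_AUDIT_LIVE`, `ZONE` and `LEGACY_GDMA` variables are assumptions, and the check does not cover container-to-container traffic.

```sh
#!/bin/sh
# Added example (not GroundWork code). audit_zone is a hypothetical helper.
# Usage: audit_zone "<--list-ports output>" "<--list-services output>" yes|no
# The third argument says whether legacy GDMA (TCP/5667) is in use.
# Returns 1 if a required port is missing; REVIEW lines are informational.
audit_zone() {
    ports=$1; services=$2; legacy_gdma=$3
    # firewalld's predefined "https" service opens 443/tcp; count it as that port.
    case " $services " in *" https "*) ports="$ports 443/tcp" ;; esac
    required="443/tcp"
    if [ "$legacy_gdma" = "yes" ]; then required="$required 5667/tcp"; fi
    rc=0
    for p in $required; do
        case " $ports " in
            *" $p "*) echo "OK      $p open" ;;
            *) echo "MISSING $p required by GroundWork but not open"; rc=1 ;;
        esac
    done
    for p in $ports; do
        case " $required " in
            *" $p "*) ;;
            *) echo "REVIEW  $p open but not required for this setup" ;;
        esac
    done
    for s in $services; do
        [ "$s" = "https" ] || echo "REVIEW  service $s allowed; confirm it is intended"
    done
    return $rc
}

# Constructed sample: zone output left over from a default install.
audit_zone "8080/tcp" "ssh dhcpv6-client" no || echo "=> zone does not yet admit GroundWork traffic"

# Live check, only when explicitly requested (zone name is an assumption).
if [ "${GW_AUDIT_LIVE:-0}" = "1" ] && command -v firewall-cmd >/dev/null 2>&1; then
    zone=${ZONE:-public}
    if [ "$(firewall-cmd --state 2>&1)" = "running" ]; then
        audit_zone "$(firewall-cmd --zone="$zone" --list-ports)" \
            "$(firewall-cmd --zone="$zone" --list-services)" \
            "${LEGACY_GDMA:-no}" || echo "=> required ports missing in zone $zone"
    else
        echo "FAIL    firewalld is not running; host is still in the workaround state"
    fi
fi
```

Run it with `GW_AUDIT_LIVE=1` once firewalld is re-enabled; a `REVIEW` line for 5667/tcp when legacy GDMA is not in use means the optional port can be closed.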