kubernetescentosranchercentos8firewalld

I can't access the internet inside the pods of rancher running in centos

I'm running rancher in centos with the master node being the same machine. I can do everything but when i try to "apt-get update" inside the pods i get:

 Err:1 http://archive.ubuntu.com/ubuntu focal InRelease                   
  Temporary failure resolving 'archive.ubuntu.com'
Err:2 http://security.ubuntu.com/ubuntu focal-security InRelease         
  Temporary failure resolving 'security.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease           
  Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Reading package lists... Done        
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-backports/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/focal-security/InRelease  Temporary failure resolving 'security.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.

The problem is in the firewalld of centos because when i disable the firewall i have internet access inside the pods. I have already added the ports provided in this link. But still i cant have access to the internet. Is there another way without disabling the centos firewall?

I'm using Centos 8 and Rancher 2.

Solution

  • I was able to solve it. The problem was in the docker not being able to resolve DNS queries inside containers. The work around was, first add the ports and then executing the following commands:

    # Check what interface docker is using, e.g. 'docker0'
ip link show

# Check available firewalld zones, e.g. 'public'
sudo firewall-cmd --get-active-zones

# Check what zone the docker interface it bound to, most likely 'no zone' yet
sudo firewall-cmd --get-zone-of-interface=docker0

# So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload
sudo nmcli connection modify docker0 connection.zone public

# Masquerading allows for docker ingress and egress (this is the juicy bit)
sudo firewall-cmd --zone=public --add-masquerade --permanent
# Reload firewalld
sudo firewall-cmd –reload

# Reload dockerd
sudo systemctl restart docker