Tags: docker, drone.io, nftables

Drone + nftables: Could not resolve host


I run Drone behind nftables. My nftables rules allow-list traffic by IP address and port, so I would need to know which address and port the drone/git clone container uses in order to allow it; otherwise the clone step fails with `Could not resolve host: gitlab.com`.

Drone server and agent `docker run` commands:

# Drone server container.
# NOTE(review): mounting /var/run/docker.sock gives this container root-equivalent
# control of the host. DRONE_AGENTS_ENABLED=false selects single-machine mode, in
# which the server runs pipelines itself and therefore needs the socket; if the
# separate agent started below is meant to do the building, set it to true and
# drop the socket mount from the server — confirm against the Drone version in use.
# NOTE(review): DRONE_SERVER_PROTO=http with DRONE_TLS_AUTOCERT=false means the
# GitLab OAuth flow and the agent RPC (DRONE_RPC_SECRET) travel in clear text
# unless a TLS-terminating proxy sits in front of this container; nothing on
# this page shows one.
# NOTE(review): --ip is documented for user-defined networks only; on the default
# bridge Docker refuses it ("user specified IP address is supported on user
# defined networks only"), and older releases may have silently assigned the
# next free address instead. If the nftables rules below depend on these
# addresses, attach both containers to a user-defined bridge with a fixed subnet.
# --publish=81:80 maps host port 81 (all interfaces) to container port 80; the
# nftables INPUT chain (policy drop) does not accept 81, so from outside it is
# dropped and the UI is only reachable from the host itself.
docker run --ip 172.17.0.2 \
  --volume=/var/run/docker.sock:/var/run/docker.sock \
  --volume=/var/lib/drone:/data \
  --env=DRONE_GITLAB_SERVER=https://gitlab.com \
  --env=DRONE_GITLAB_CLIENT_ID=XXXXXXXXXXXXXXXXXXXXXX \
  --env=DRONE_GITLAB_CLIENT_SECRET=XXXXXXXXXXXXXXXXXXXXXXXX \
  --env=DRONE_RPC_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXXX \
  --env=DRONE_RUNNER_CAPACITY=10 \
  --env=DRONE_SERVER_HOST=ci.example.com \
  --env=DRONE_SERVER_PROTO=http \
  --env=DRONE_TLS_AUTOCERT=false \
  --env=DRONE_USER_CREATE=username:some_my_account,admin:true \
  --env=DRONE_LOGS_DEBUG=false \
  --env=DRONE_AGENTS_ENABLED=false \
  --env=TZ=Europe/Moscow \
  --publish=81:80 \
  --restart=always \
  --detach=true \
  --name=drone \
  drone/drone

# Drone agent container. It mounts the host Docker socket — required, because
# it launches the pipeline step containers — which makes it root-equivalent on
# the host.
# NOTE(review): DRONE_RPC_SERVER points at port 80 of ci.example.com over plain
# HTTP, while the server container is published on host port 81; something not
# shown here (a reverse proxy?) must be listening on 80, and unless it
# terminates TLS the DRONE_RPC_SECRET is sent in clear text on every RPC call.
# Port 3000 is bound to 127.0.0.1 only, which is the right default.
docker run --ip 172.17.0.3 \
  --volume=/var/run/docker.sock:/var/run/docker.sock \
  --env=DRONE_RPC_SERVER=http://ci.example.com \
  --env=DRONE_RPC_SECRET=XXXXXXXXXXXXXXXXXXXXX \
  --env=DRONE_RUNNER_CAPACITY=10 \
  --env=DRONE_RUNNER_NAME=XXXXXXXXXXXXXXXXXXXXXXXX \
  --publish=127.0.0.1:3000:3000 \
  --restart=always \
  --detach=true \
  --name=agent \
  drone/agent

/etc/docker/daemon.json

{
    "iptables": false,
    "fixed-cidr": "172.17.0.0/16"
}

/lib/systemd/system/docker.service

# [Service] override: the empty ExecStart= clears the vendor command line before
# the replacement is set.
# NOTE(review): edits to /lib/systemd/system/docker.service are overwritten by
# the next package upgrade; put these two lines in
# /etc/systemd/system/docker.service.d/override.conf instead.
# NOTE(review): -H tcp://0.0.0.0:2375 exposes the Docker API without TLS and
# without authentication — whoever can reach that port controls the daemon,
# i.e. is root on the host. The host firewall is the only thing protecting it,
# and the "Solution" further down opens it to every container. Both Drone
# containers use the unix socket, so unless some remote client genuinely needs
# the TCP listener, remove it; if it is needed, bind it to one specific address
# and run dockerd with --tlsverify and client certificates.
ExecStart=
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H fd:// -H tcp://0.0.0.0:2375

nftables.config:

# Hand-maintained copy of the rules dockerd would normally install itself:
# with "iptables": false in daemon.json Docker manages none of this, so every
# new Docker network needs matching rules added by hand.
# The "counter packets N bytes M" values are `nft list ruleset` output, not
# configuration; a bare "counter" is enough in a config file.
table inet filter {
    chain INPUT {
        # Default-deny for traffic addressed to the host itself.
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        icmp type echo-request accept
        ct state established,related accept
        # Only SSH/HTTP/HTTPS are reachable. tcp/2375 — the plain-TCP Docker API
        # that docker.service listens on — is dropped here, which is the safe
        # state since that API has no authentication; keep it that way.
        tcp dport { 22, 80, 443 } accept
    }

    chain FORWARD {
        # Default-accept. Every rule below names docker0 only, so containers on
        # any other Docker bridge (the per-pipeline br-... network in the syslog)
        # are forwarded by the policy rather than by an explicit rule.
        type filter hook forward priority filter; policy accept;
        counter packets 6086 bytes 525025 jump DOCKER-USER
        counter packets 6086 bytes 525025 jump DOCKER-ISOLATION-STAGE-1
        oifname "docker0" ct state established,related counter packets 3032 bytes 334084 accept
        # DOCKER is empty here, so no published port is accepted by an explicit rule.
        oifname "docker0" counter packets 0 bytes 0 jump DOCKER
        iifname "docker0" oifname != "docker0" counter packets 3048 bytes 190605 accept
        iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
    }

    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }

    # Docker's per-published-port accept rules would live here; empty in this copy.
    chain DOCKER {
    }

    # Docker's inter-bridge isolation. In the generated rules STAGE-1 carries one
    # jump per bridge and STAGE-2 one drop per bridge; with only docker0 listed,
    # the STAGE-2 drop can never match (packets reaching it already have
    # oifname != "docker0"), so no isolation is actually enforced here.
    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "docker0" oifname != "docker0" counter packets 3048 bytes 190605 jump DOCKER-ISOLATION-STAGE-2
        counter packets 6086 bytes 525025 return
    }

    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "docker0" counter packets 0 bytes 0 drop
        counter packets 3048 bytes 190605 return
    }

    # Hook for user rules; nothing added.
    chain DOCKER-USER {
        counter packets 6086 bytes 525025 return
    }
}
table inet nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound traffic for any host address is handed to DOCKER, whose rules
        # match only ip daddr 127.0.0.1 — so nothing arriving from outside is DNATed.
        fib daddr type local counter packets 138415 bytes 8229415 jump DOCKER
    }

    chain INPUT {
        type nat hook input priority 100; policy accept;
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        # Only 172.17.0.0/16 (docker0 with the fixed-cidr above) is masqueraded.
        # A Docker network allocated from any other range — such as the
        # per-pipeline br-... bridge in the syslog — gets no SNAT and cannot
        # reach the outside, DNS included.
        oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 2929 bytes 178582 masquerade
    }

    chain OUTPUT {
        type nat hook output priority -100; policy accept;
        # Excludes 127.0.0.0/8, yet DOCKER only matches daddr 127.0.0.1, so this
        # jump can never reach a matching DNAT either (the 0-packet counter agrees).
        ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
    }

    chain DOCKER {
        iifname "docker0" counter packets 1456 bytes 87360 return
        # Published-port DNATs, loopback only. Neither hook above can deliver a
        # 127.0.0.1 packet here, so these rules are most likely never hit —
        # add "counter" to confirm. Also: the drone container was started with
        # --publish=81:80 (host 81 -> container 80) but this rule targets
        # container port 81; check which port Drone listens on.
        iifname != "docker0" ip daddr 127.0.0.1 tcp dport 81 dnat to 172.17.0.2:81
        iifname != "docker0" ip daddr 127.0.0.1 tcp dport 3000 dnat to 172.17.0.3:3000
        # 172.17.0.5:5432 is not one of the containers shown on this page (a database, presumably).
        iifname != "docker0" ip daddr 127.0.0.1 tcp dport 5432 dnat to 172.17.0.5:5432
    }
}

syslog while the clone step runs (the pipeline container comes up on a separate bridge, `br-6c75fee1d253`, and its embedded DNS resolver cannot reach the upstream nameservers):

Jun 15 04:39:33 myhostname systemd-udevd[17052]: Using default interface naming scheme 'v245'.
Jun 15 04:39:33 myhostname systemd-udevd[17052]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 15 04:39:33 myhostname systemd[5887]: var-lib-docker-overlay2-ad0f1af6d03cdd967bf0e8b577c3852bf616d12c5773738a1eb7c8816123d0b5\x2dinit-merged.mount: Succeeded.
Jun 15 04:39:33 myhostname systemd[1]: var-lib-docker-overlay2-ad0f1af6d03cdd967bf0e8b577c3852bf616d12c5773738a1eb7c8816123d0b5\x2dinit-merged.mount: Succeeded.
Jun 15 04:39:33 myhostname systemd[1]: var-lib-docker-overlay2-ad0f1af6d03cdd967bf0e8b577c3852bf616d12c5773738a1eb7c8816123d0b5-merged.mount: Succeeded.
Jun 15 04:39:33 myhostname systemd[5887]: var-lib-docker-overlay2-ad0f1af6d03cdd967bf0e8b577c3852bf616d12c5773738a1eb7c8816123d0b5-merged.mount: Succeeded.
Jun 15 04:39:33 myhostname kernel: [63775.004204] br-6c75fee1d253: port 1(veth59d834b) entered blocking state
Jun 15 04:39:33 myhostname kernel: [63775.004206] br-6c75fee1d253: port 1(veth59d834b) entered disabled state
Jun 15 04:39:33 myhostname kernel: [63775.004298] device veth59d834b entered promiscuous mode
Jun 15 04:39:33 myhostname kernel: [63775.005619] br-6c75fee1d253: port 1(veth59d834b) entered blocking state
Jun 15 04:39:33 myhostname kernel: [63775.005620] br-6c75fee1d253: port 1(veth59d834b) entered forwarding state
Jun 15 04:39:33 myhostname kernel: [63775.005645] br-6c75fee1d253: port 1(veth59d834b) entered disabled state
Jun 15 04:39:33 myhostname systemd-udevd[17052]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 15 04:39:33 myhostname systemd-udevd[17052]: veth59d834b: Could not generate persistent MAC: No data available
Jun 15 04:39:33 myhostname systemd-udevd[17062]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 15 04:39:33 myhostname systemd-udevd[17062]: Using default interface naming scheme 'v245'.
Jun 15 04:39:33 myhostname systemd-udevd[17062]: veth2334f55: Could not generate persistent MAC: No data available
Jun 15 04:39:33 myhostname containerd[2716]: time="2022-06-15T04:39:33.174032984+03:00" level=info msg="loading plugin \"io.containerd.event.v1.publisher\"..." runtime=io.containerd.runc.v2 type=io.containerd.event.v1
Jun 15 04:39:33 myhostname containerd[2716]: time="2022-06-15T04:39:33.176877515+03:00" level=info msg="loading plugin \"io.containerd.internal.v1.shutdown\"..." runtime=io.containerd.runc.v2 type=io.containerd.internal.v1
Jun 15 04:39:33 myhostname containerd[2716]: time="2022-06-15T04:39:33.177126858+03:00" level=info msg="loading plugin \"io.containerd.ttrpc.v1.task\"..." runtime=io.containerd.runc.v2 type=io.containerd.ttrpc.v1
Jun 15 04:39:33 myhostname containerd[2716]: time="2022-06-15T04:39:33.177543117+03:00" level=info msg="starting signal loop" namespace=moby path=/run/containerd/io.containerd.runtime.v2.task/moby/2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0 pid=17089 runtime=io.containerd.runc.v2
Jun 15 04:39:33 myhostname systemd[1]: run-docker-runtime\x2drunc-moby-2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0-runc.hBBDqv.mount: Succeeded.
Jun 15 04:39:33 myhostname systemd[5887]: run-docker-runtime\x2drunc-moby-2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0-runc.hBBDqv.mount: Succeeded.
Jun 15 04:39:33 myhostname kernel: [63775.328487] eth0: renamed from veth2334f55
Jun 15 04:39:33 myhostname kernel: [63775.328679] IPv6: ADDRCONF(NETDEV_CHANGE): veth59d834b: link becomes ready
Jun 15 04:39:33 myhostname kernel: [63775.328712] br-6c75fee1d253: port 1(veth59d834b) entered blocking state
Jun 15 04:39:33 myhostname kernel: [63775.328713] br-6c75fee1d253: port 1(veth59d834b) entered forwarding state
Jun 15 04:39:33 myhostname kernel: [63775.328735] IPv6: ADDRCONF(NETDEV_CHANGE): br-6c75fee1d253: link becomes ready
Jun 15 04:39:38 myhostname dockerd[12824]: time="2022-06-15T04:39:38.529312108+03:00" level=info msg="ignoring event" container=2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0 module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Jun 15 04:39:38 myhostname containerd[2716]: time="2022-06-15T04:39:38.530668729+03:00" level=info msg="shim disconnected" id=2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0
Jun 15 04:39:38 myhostname containerd[2716]: time="2022-06-15T04:39:38.531881557+03:00" level=warning msg="cleaning up after shim disconnected" id=2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0 namespace=moby
Jun 15 04:39:38 myhostname containerd[2716]: time="2022-06-15T04:39:38.532136380+03:00" level=info msg="cleaning up dead shim"
Jun 15 04:39:38 myhostname containerd[2716]: time="2022-06-15T04:39:38.545645353+03:00" level=warning msg="cleanup warnings time=\"2022-06-15T04:39:38+03:00\" level=info msg=\"starting signal loop\" namespace=moby pid=17177 runtime=io.containerd.runc.v2\n"
Jun 15 04:39:38 myhostname kernel: [63780.435127] br-6c75fee1d253: port 1(veth59d834b) entered disabled state
Jun 15 04:39:38 myhostname kernel: [63780.435565] veth2334f55: renamed from eth0
Jun 15 04:39:38 myhostname kernel: [63780.447549] br-6c75fee1d253: port 1(veth59d834b) entered disabled state
Jun 15 04:39:38 myhostname kernel: [63780.447993] device veth59d834b left promiscuous mode
Jun 15 04:39:38 myhostname kernel: [63780.447996] br-6c75fee1d253: port 1(veth59d834b) entered disabled state
Jun 15 04:39:38 myhostname systemd-udevd[17202]: veth2334f55: Failed to get link config: No such device
Jun 15 04:39:38 myhostname systemd-udevd[17203]: veth2334f55: Failed to get link config: No such device
Jun 15 04:39:40 myhostname dockerd[12824]: time="2022-06-15T04:39:40.011915258+03:00" level=warning msg="[resolver] connect failed: dial udp 188.120.247.2:53: connect: network is unreachable"
Jun 15 04:39:40 myhostname dockerd[12824]: time="2022-06-15T04:39:40.011993737+03:00" level=warning msg="[resolver] connect failed: dial udp 185.60.132.11:53: connect: network is unreachable"
Jun 15 04:39:40 myhostname dockerd[12824]: time="2022-06-15T04:39:40.012056375+03:00" level=warning msg="[resolver] connect failed: dial udp 188.120.247.2:53: connect: network is unreachable"
Jun 15 04:39:40 myhostname dockerd[12824]: time="2022-06-15T04:39:40.012081031+03:00" level=warning msg="[resolver] connect failed: dial udp 185.60.132.11:53: connect: network is unreachable"
Jun 15 04:39:41 myhostname dockerd[12824]: time="2022-06-15T04:39:41.508093277+03:00" level=warning msg="[resolver] connect failed: dial udp 185.60.132.11:53: connect: network is unreachable"
Jun 15 04:39:41 myhostname dockerd[12824]: time="2022-06-15T04:39:41.508214657+03:00" level=warning msg="[resolver] connect failed: dial udp 185.60.132.11:53: connect: network is unreachable"
Jun 15 04:39:41 myhostname systemd[5887]: run-docker-netns-e1695f528b1a.mount: Succeeded.
Jun 15 04:39:41 myhostname systemd[1]: run-docker-netns-e1695f528b1a.mount: Succeeded.
Jun 15 04:39:41 myhostname systemd[5887]: var-lib-docker-containers-2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0-mounts-shm.mount: Succeeded.
Jun 15 04:39:41 myhostname systemd[1]: var-lib-docker-containers-2dc02da1385c581ca364fd6d454fbee9a2346d60e6524e1a3097563c1750cdd0-mounts-shm.mount: Succeeded.
Jun 15 04:39:41 myhostname systemd[5887]: var-lib-docker-overlay2-ad0f1af6d03cdd967bf0e8b577c3852bf616d12c5773738a1eb7c8816123d0b5-merged.mount: Succeeded.
Jun 15 04:39:41 myhostname systemd[1]: var-lib-docker-overlay2-ad0f1af6d03cdd967bf0e8b577c3852bf616d12c5773738a1eb7c8816123d0b5-merged.mount: Succeeded.

The Drone server and agent containers can ping gitlab.com because their fixed addresses on docker0 are covered by my nftables rules. The clone step, however, runs in a separate drone/git container that Drone creates on a per-pipeline network (the `br-…` bridge that appears and disappears in the syslog above), so those rules do not apply to it.

How can I pin the IP address and port that the drone/git clone container uses, so I can allow it in nftables? Would I have to build a custom drone/git image with a fixed address baked in?


Solution

  • In the end I worked it out myself by fixing the Docker daemon and nftables configuration. As far as I can tell, the cause was that the clone step runs on a per-pipeline Docker network rather than on docker0, and my hand-written rules only masqueraded 172.17.0.0/16; the fix is to keep every Docker-created network inside that range.

    Now it works!

`/etc/docker/daemon.json` must be as follows — the relevant addition is `default-address-pools`, which makes every Docker-created network (including the per-pipeline bridges) a /24 carved out of 172.17.0.0/16, the only range my POSTROUTING masquerade rule covers; `fixed-cidr` is shrunk to a /25 so the addresses handed out on docker0 stay clear of those pools:

    {
      "iptables": false,
      "fixed-cidr": "172.17.0.0/25",
      "default-address-pools": [
        {
          "base":"172.17.0.0/16",
          "size":24
        }
      ]
    }
    
    

and the nftables ruleset becomes:

    # Hand-maintained equivalent of Docker's own rules ("iptables": false in
    # daemon.json), so every Docker network must be covered by hand here.
    table inet filter {
        chain INPUT {
            # Default-deny for traffic addressed to the host itself.
            type filter hook input priority filter; policy drop;
            iifname "lo" accept
            icmp type echo-request accept
            ct state established,related accept
            tcp dport { 22, 80, 443 } accept
            # NOTE(review): the next two rules open dockerd's plain-TCP API
            # (-H tcp://0.0.0.0:2375 in docker.service; no TLS, no authentication)
            # to any IPv6 link-local neighbour (if the listener is dual-stack — check
            # with `ss -ltn`) and to every container in 172.17.0.0/16. With the
            # default-address-pools setting that is every container Docker creates,
            # including the per-pipeline step containers that run whatever a
            # repository's .drone.yml asks for; any CI job can then drive the host's
            # Docker daemon, which amounts to root on the host. Nothing on this page
            # shows a client that needs the TCP socket (both Drone containers mount
            # /var/run/docker.sock), so the safest change is to delete both rules
            # and the -H tcp:// listener. If TCP access really is required, restrict
            # ip saddr to the single consumer (e.g. 172.17.0.3) and run dockerd with
            # --tlsverify and client certificates.
            ip6 saddr { fe80::/10 } tcp dport 2375 accept
            ip saddr { 172.17.0.0/16 } tcp dport 2375 accept
        }
    
        chain FORWARD {
            # Default-accept: containers on bridges other than docker0 (the
            # per-pipeline networks) are forwarded by the policy, not by a rule.
            type filter hook forward priority filter; policy accept;
            counter  jump DOCKER-USER
            counter  jump DOCKER-ISOLATION-STAGE-1
            oifname "docker0" ct state established,related counter accept
            oifname "docker0" counter jump DOCKER
            iifname "docker0" oifname != "docker0" counter accept
            iifname "docker0" oifname "docker0" counter accept
        }
    
        chain OUTPUT {
            type filter hook output priority filter; policy accept;
        }
    
        chain DOCKER {
            # Accept rules for the published ports. Port 81 here matches the DNAT in
            # the nat table, but the container was started with --publish=81:80
            # (host 81 -> container 80) — check which port Drone actually listens on.
            iifname != "docker0" oifname "docker0" ip daddr 172.17.0.2 tcp dport 81 accept
            iifname != "docker0" oifname "docker0" ip daddr 172.17.0.3 tcp dport 3000 accept
            # 172.18.0.5 lies outside the 172.17.0.0/16 address pool in daemon.json and
            # so would not be on docker0 — presumably a user-defined network with an
            # explicit subnet. The masquerade rule in the nat table does not cover it.
            iifname != "docker0" oifname "docker0" ip daddr 172.18.0.5 tcp dport 5432 accept
        }
    
        # Inter-bridge isolation: only docker0 is listed, so the STAGE-2 drop can never
        # match (packets reaching it already have oifname != "docker0"); the
        # per-pipeline bridges are not isolated from each other or from docker0.
        chain DOCKER-ISOLATION-STAGE-1 {
            iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2
            counter return
        }
    
        chain DOCKER-ISOLATION-STAGE-2 {
            oifname "docker0" counter packets 0 bytes 0 drop
            counter return
        }
    
        # Hook for user rules; nothing added.
        chain DOCKER-USER {
            counter return
        }
    }
    # IPv4-only NAT table (the original used "inet"; Docker's own rules are IPv4 too).
    table ip nat {
        chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            # DOCKER only matches daddr 127.0.0.1, so nothing from outside is DNATed.
            fib daddr type local counter jump DOCKER
        }
    
        chain INPUT {
            type nat hook input priority 100; policy accept;
        }
    
        chain POSTROUTING {
            type nat hook postrouting priority srcnat; policy accept;
            # With default-address-pools base 172.17.0.0/16 every Docker-created
            # network now falls inside this range, so the per-pipeline bridges are
            # masqueraded as well — the likely reason cloning works now.
            # Note that 172.18.0.5 (DNAT target below) is outside this range.
            oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
        }
    
        chain OUTPUT {
            type nat hook output priority -100; policy accept;
            # Excludes 127.0.0.0/8 while DOCKER only matches 127.0.0.1, so this jump
            # can never reach a matching DNAT.
            ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
        }
    
        chain DOCKER {
            iifname "docker0" counter packets 4409 bytes 264540 return
            # Loopback-only published ports; as neither hook above delivers a
            # 127.0.0.1 packet here, these rules are probably never hit — add
            # "counter" to confirm. Port 81 -> container port 81 also disagrees with
            # --publish=81:80 (container port 80).
            iifname != "docker0" ip daddr 127.0.0.1 tcp dport 81 dnat to 172.17.0.2:81
            iifname != "docker0" ip daddr 127.0.0.1 tcp dport 3000 dnat to 172.17.0.3:3000
            iifname != "docker0" ip daddr 127.0.0.1 tcp dport 5432 dnat to 172.18.0.5:5432
        }
    }
    

    That is all :) — with one caveat: the two `tcp dport 2375 accept` rules in INPUT expose the unauthenticated Docker API (dockerd is started with `-H tcp://0.0.0.0:2375` and no TLS) to every container in 172.17.0.0/16, which now includes the per-pipeline step containers, and to IPv6 link-local neighbours. Any CI job could use that to control the host's Docker daemon, i.e. gain root on the host. Remove those rules (and the `tcp://` listener) unless something genuinely needs TCP access; if it does, restrict the source to that one address and enable `--tlsverify` with client certificates on dockerd.