docs: elaborate on networking issues with firewalld (#12214) (#12226)

hashicorp · Mar 8, 2022 · d0c6eee · d0c6eee
1 parent f3f9786
commit d0c6eee
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/website/content/docs/drivers/docker.mdx b/website/content/docs/drivers/docker.mdx
@@ -237,6 +237,12 @@ config {
   configuration on the host (which is outside the scope of Nomad). Valid values
   pre-docker 1.9 are `default`, `bridge`, `host`, `none`, or `container:name`.
 
+  If you are in the process of migrating from the default Docker network to
+  group-wide bridge networking, you may encounter issues preventing your
+  containers from reaching networks outside of the bridge interface on systems with
+  firewalld enabled. This behavior is often caused by the CNI plugin not registering the group
+  network as trusted and can be resolved as described in the [network stanza] documentation.
+
 - `pid_mode` - (Optional) `host` or not set (default). Set to `host` to share
   the PID namespace with the host. Note that this also requires the Nomad agent
   to be configured to allow privileged containers.
@@ -1114,3 +1120,14 @@ Windows is relatively new and rapidly evolving you may want to consult the
 [plugin-stanza]: /docs/configuration/plugin
 [allocation working directory]: /docs/runtime/environment#task-directories 'Task Directories'
 [`auth_soft_fail=true`]: #auth_soft_fail
+[cap_add]: /docs/drivers/docker#cap_add
+[cap_drop]: /docs/drivers/docker#cap_drop
+[no_net_raw]: /docs/upgrade/upgrade-specific#nomad-1-1-0-rc1-1-0-5-0-12-12
+[upgrade_guide_extra_hosts]: /docs/upgrade/upgrade-specific#docker-driver
+[tini]: https://github.com/krallin/tini
+[docker_caps]: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
+[allow_caps]: /docs/drivers/docker#allow_caps
+[Connect]: /docs/job-specification/connect
+[`bridge`]: docs/job-specification/network#bridge
+[network stanza]: /docs/job-specification/network#bridge-mode
+[`pids_limit`]: /docs/drivers/docker#pids_limit
diff --git a/website/content/docs/job-specification/network.mdx b/website/content/docs/job-specification/network.mdx
@@ -199,6 +199,19 @@ network {
 }
 ```
 
+Using bridge mode can result in failing outbound network requests on hosts that have
+[firewalld](https://firewalld.org) enabled. This includes most RHEL-based Linux distributions
+like CentOS, Rocky Linux or Oracle Linux. One solution for firewalld to allow network
+requsts coming from Nomad jobs is to mark the `nomad` bridge interface as trusted.
+
+```shell-session
+$ sudo firewall-cmd --zone=trusted --add-interface=nomad
+$ sudo firewall-cmd --zone=trusted --add-interface=nomad --permanent
+```
+
+It is neccessary to restart the affected jobs afterwards for them to be able to access
+the network. Further details can be found in Docker's documentation under [Docker and iptables](https://docs.docker.com/network/iptables/#integration-with-firewalld).
+
 ### DNS
 
 The following example configures the allocation to use Google's DNS resolvers 8.8.8.8 and 8.8.4.4.