I am unable to figure out how to read iptables in my Docker container. I was handed this by someone I am no longer in contact with, hence I am unable to figure this out. Any help would mean a lot, please.
I bought a VPS on Vultr (host system Ubuntu 22.04) with the example IP identified as 123.123.123 and tried to launch a new container with the following command:
docker run -d -p 8081:80 nginx:alpine
Knowing the public IP of my server, I should theoretically be able to access it in the browser at http://123.123.123:8081. However, it isn't working, at least publicly, because if I stop UFW on the host (Ubuntu 22.04):
service ufw stop
Then I'm able to access it without any problem (or using cURL through SSH without disabling UFW):
But, after enabling the uncomplicated firewall with:
service ufw start
Then the host is unreachable:
These are the current rules of UFW:
I also have a Portainer instance running through Docker (which likewise works only when UFW is disabled):
I also tried using Nginx Proxy Manager, but I'm unable to make it work with something as simple as this basic nginx container. Any help is appreciated and I'd be happy to provide more information if necessary.
Surprisingly, Docker does not work out of the box with Linux’s “Universal Firewall,” or UFW. They both modify the same iptables configuration, and this can lead to misconfigurations exposing containers that weren’t supposed to be public.
There is a quick fix in Docker's official documentation, but it isn't recommended for most users, and many other users advise against it as well. Please read more about that below.
Prevent Docker from manipulating iptables
It is possible to set the iptables key to false in the Docker engine’s configuration file at /etc/docker/daemon.json, but this option is not appropriate for most users. It is not possible to completely prevent Docker from creating iptables rules, and creating them after-the-fact is extremely involved and beyond the scope of these instructions. Setting iptables to false will more than likely break container networking for the Docker engine.
This works; however, it is only a half solution. It disables Docker’s ability to manage its own networking and can leave containers unable to access the internet at all out of the box. It can still work, but you’ll need to manually maintain iptables rules for Docker containers and custom networks, which is complicated, annoying, and defeats the purpose of UFW’s simplicity.
Another solution, which requires a bit more effort, can be found in this GitHub repo detailing the problem and the steps to fix it:
https://github.com/chaifeng/ufw-docker
Also linking here a related question from StackOverflow.
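As an added example (not code from the answer above or from the ufw-docker project), here is a small POSIX shell audit that reads the output of `iptables -t nat -S DOCKER` and lists which published ports Docker has DNAT-ed for every address, i.e. the ones UFW's INPUT rules never see. The sample rules are constructed to match the question's nginx container on 8081, plus a second service published only on loopback for contrast.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S DOCKER` on a host that published
# nginx on 8081 (as in the question) and a second service on 127.0.0.1:9000.
SAMPLE_NAT='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.3:9000'

# audit_docker_dnat: reads `iptables -t nat -S DOCKER` on stdin and prints one
# line per published port: PORT/PROTO BIND -> CONTAINER FLAG. Rules without a
# -d match on every address; they are applied in nat PREROUTING before UFW's
# INPUT chain sees the packet, so the port is reachable regardless of ufw status.
audit_docker_dnat() {
  awk '/^-A DOCKER / && /-j DNAT/ {
    bind = "0.0.0.0"; proto = ""; port = ""; dest = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "-d") { split($(i + 1), b, "/"); bind = b[1] }
      if ($i == "-p") proto = $(i + 1)
      if ($i == "--dport") port = $(i + 1)
      if ($i == "--to-destination") dest = $(i + 1)
    }
    flag = (bind == "0.0.0.0") ? "PUBLIC" : "local"
    printf "%s/%s %s -> %s %s\n", port, proto, bind, dest, flag
  }'
}

# exposed_count: how many published ports are reachable on all addresses.
exposed_count() { audit_docker_dnat | grep -c ' PUBLIC$'; }

# Live use on the host (needs root):  iptables -t nat -S DOCKER | audit_docker_dnat
# Offline demo with the constructed sample:
printf '%s\n' "$SAMPLE_NAT" | audit_docker_dnat
```

Docker's documented place for your own filtering is the DOCKER-USER chain in the filter table, and the linked ufw-docker rules hook in there, so a port flagged PUBLIC at the NAT level may still be blocked once those are in place; `iptables -S DOCKER-USER` shows whether they are.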
I'm new to Docker and I'm doing the Get Started part of the documentation, but I got stuck in step 4. I don't make mistakes when doing this step, but when I enter the IP 192.168.99.100 it does not show me anything. I hope you can help me. THANK YOU.
docker info
Angel, I do not know which step or docs you're talking about (adding links would help a lot), but there's only one way to start a Docker Swarm:
docker swarm init
You may also specify the IP of the machine you're starting the swarm in if it has more than one network interface:
docker swarm init --advertise-addr <ip-where-you-want-the-node-to-listen-to-swarm-events>
I would really recommend you do not use Docker Toolbox; instead use Play With Docker, where you'll be able to spawn nodes and try things out without needing to configure anything.
When I look at all running processes on my Linux machine, there are quite a few docker-proxy processes. It seems like every running container (port) results in one docker-proxy!
Problem is I cannot find any documentation which processes docker actually starts and how their relationship/usage is.
Does anyone know if there is any documentation on that?
A full explanation of the docker-proxy is available here.
The summary is that the proxy is used to handle connections originating from the local machine that might otherwise not pass through the iptables rules that Docker configures to handle port forwarding, or when Docker has been configured such that it does not manipulate iptables at all.
I am using Docker version 17.06.2-ce, build cec0b72 on CentOS Linux release 7.2.1511.
My goal is to get a docker container to publish on one of the host's ports and have the information be visible to another system in the same subnet. My docker image is the friendlyhello image built in the getting started tutorial. I have an image of it on docker hub which you can pull with the below command. It exposes port 80 within the file, and then I call the image with
docker run -d -p 8080:80 jeremydr2/get-started:part2
I can get the correct response (basically "hello world") when I curl localhost:8080 or curl 10.x.x.x:8080 while on the host in which the container is running. When curling from another host, I get some HTML formatting and the default "Access Denied" response (403).
Note that a successful response can take over a minute, but an unsuccessful response will still be immediate.
From what I've read about this, I shouldn't have to mess with iptables at all to get this to work, which is good, because I don't really understand networking very well. However, I think something is wrong, because iptables -t nat -L | grep 8080 doesn't return anything, when I expect it to have a line about redirecting or allowing traffic to that port. I have disabled SELinux and firewalld, and installed iptables-services instead.
I can send traffic between the hosts with other commands like:
[root@host1 ~]# ncat -l 8001
[root@host2 ~]# echo "testing123" > /dev/tcp/<host1_ip_addr>/8001
so I feel confident it is not just a misconfigured network. FWIW, I've also tried the docker run ... command with --network=host, and this did not help, either. This has been 2 days of my life now. If anyone has advice I'd greatly appreciate it.
EDIT: This is definitely, somehow, a misconfigured network. I redid it at home, and it "just worked" the way everyone says docker is supposed to. Any advice on how to go about figuring out what part of the network stuff is blocking docker would be appreciated.
It was because of the proxies I had set up to reach the internet. After unsetting all the proxy variables, I was able to curl from the other system to the host. I had been told that the no_proxy and NO_PROXY variables I had set up were sufficient to prevent this, but that was not the case.
Thanks for everyone who looked at this.
I would like to be able to get a list of all containers running on the same docker network from within a docker container. As the built in docker DNS can give me the IP addresses if I have the hostnames, it seems like it should be able to just give me a list of hostnames (maybe DNS cannot do this, I don't know).
Other approaches that I've thought of for getting a list of containers:
Bind mount the docker socket into the container and use docker ps. Not a great idea as far as security goes.
Use --link which I believe places entries in /etc/hosts. I could then read them from there, but this sort of defeats the purpose as I would have to already know the host names when I launched the container.
I'm looking to avoid using an external service discovery mechanism, but I would appreciate all suggestions for how to get a list of containers.
An easy way to achieve this would be running one or more docker commands on the host, to get the information you need in a loop, and storing it in a known location (e.g. in bash):
while true; do echo $(docker ps --format '{{.ID}}') > /SOME/KNOWN/FILE; sleep 5; done
and then let the containers access this file, using volumes.
It is much safer than providing access to the docker socket, and you can improve it to provide all the information you need (e.g. JSON with name, IP, running time, etc.).
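Building on the loop in the answer above, here is an added example (not the answerer's code) that scopes the list to the containers on one Docker network via `docker network inspect`, writes it as JSON atomically, and shares it through a read-only directory mount. The network name `app_net`, the output directory `/var/lib/peers` and the sample inspect output are assumptions.

```shell
#!/bin/sh
# Constructed sample of what the inspect template below emits for a network
# with two containers (one "name ipv4/prefix" pair per line).
SAMPLE_PEERS='web 172.18.0.2/16
db 172.18.0.3/16'

# peers_to_json: stdin "name ipv4/prefix" lines -> compact JSON array on stdout.
peers_to_json() {
  awk 'BEGIN { printf "[" }
       NF >= 2 { split($2, a, "/")
                 printf "%s{\"name\":\"%s\",\"ip\":\"%s\"}", (n++ ? "," : ""), $1, a[1] }
       END { printf "]\n" }'
}

# publish_peers NET DIR: list only the containers attached to NET (not every
# container on the host) and replace DIR/peers.json atomically, so a reader
# inside a container never sees a half-written file.
publish_peers() {
  net=$1; dir=$2; tmp="$dir/.peers.json.$$"
  docker network inspect \
    -f '{{range .Containers}}{{.Name}} {{.IPv4Address}}{{"\n"}}{{end}}' "$net" \
    | peers_to_json > "$tmp" && mv -f "$tmp" "$dir/peers.json"
}

# Host-side loop (assumed names):
#   while true; do publish_peers app_net /var/lib/peers; sleep 5; done
# Container side: mount the DIRECTORY read-only, e.g. -v /var/lib/peers:/peers:ro.
# Bind-mounting the file itself would pin the old inode after each mv, so the
# container would keep reading a stale copy.
printf '%s\n' "$SAMPLE_PEERS" | peers_to_json
```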