Firewall settings in a Gitlab Docker container - docker

I am running GitLab in a Docker container and wanted to configure https following these instructions. To do this, I invoked the terminal with the following command in PowerShell:
docker exec -ti -u root b836c4cdfd37 bash
After entering the command sudo ufw allow https, the following error message is displayed:
WARN: initcaps
[Errno 2] iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Maybe iptables or your kernel needs to be upgraded.
Skipping adding existing rule
Skipping adding existing rule (v6)
How can I execute the sudo ufw allow https command without errors?

The instructions you are following are for installing GitLab directly on an Ubuntu host, not running GitLab inside of a docker container, which requires a different set of installation and networking steps. In your scenario, ufw will not work as described in the guide you're following because docker manages the networking for your container by default. Docker's networking can interfere with trying to manage your firewall configuration with ufw or iptables. Even if you manage to get the command to work, you'll find that docker's network management can bypass your ufw configurations in your container anyhow.
To install GitLab in docker, you should follow the official docker installation instructions. You can also review all the other installation methods for GitLab for additional context.
If you really want to continue installing gitlab "manually" inside of a container, just skip the UFW steps and make sure you have configured port mapping for the GitLab container from the docker host (e.g. to map http/https, docker run -p 80:80 -p 443:443 ...).

Related

Install a package with Docker in Ubuntu

I want to install a package by docker, following instruction in: https://dynamic-fba.readthedocs.io/en/latest/installation.html#installing-from-source
I installed Ubuntu and then Docker. But I don't understand what I need to do next. There it says to type (docker run -it -v ${PWD}:/opt/examples davidtourigny/dfba python3 examples/example1.py). I type it exactly in Ubuntu but I get this error:
docker: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?.
See 'docker run --help'.
Using the alternative method with a Dockerfile, I also get an error. I don't know how to make use of make build, but used build instead, following tutorials on the web.
It's my first time using Docker and I don't know what to do.
Any help is very appreciated.
The Docker application has two components, a back-end server and a front-end cli. This way you can do cool stuff like control Docker remotely or have orchestration frameworks, like Kubernetes, that manage multiple Docker nodes over the network.
For security, the Docker back-end server is not exposed on a normal TCP port but it uses a unix domain socket (Linux magic that makes a file act as a port) at unix:///var/run/docker.sock.
When you execute docker run -it ... the cli application will attempt to connect to the backend server, but it looks like the daemon/server is probably not running.
Try to check that the daemon is running. If you are using systemd you can check with systemctl status docker and start it if it is stopped with systemctl start docker. Finally it might be good to enable it to make sure it starts automatically on reboot; you can do that with systemctl enable docker.
Make sure to start docker service (you can either go for systemctl start docker or reboot your computer).
Once this is done, it is likely that your user has no permissions to communicate with Docker without sudo. Docker has privileged access to your hardware and therefore giving a user the docker group is required for security reasons.
Run:
sudo usermod -aG docker $USER   # add the current user to the docker group
newgrp docker                   # pick up the new group membership in this shell without logging out
docker run hello-world          # talk to the daemon through the socket as a non-root user
This will add you to the docker group, reflect the changes immediately and run a sample image from Docker.
If all was okay, the last command should tell you "Hello from Docker".

Docker container cannot access internet behind cisco vpn

My setup:
Linux Mint 20
Docker version 19.03.12
Cisco AnyConnect 4.3.05017
My Issue:
When I connect to my company's VPN I cannot access the internet through my docker containers.
e.g. running docker run -it ubuntu apt update will fail with the message
"Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
Temporary failure resolving 'archive.ubuntu.com'"
Disconnecting from VPN does not fix the issue. (see workaround #2)
I have two workarounds:
running docker with docker run -it --net=host ubuntu apt update will work fine, however, that is not a suitable workaround for my company's scripts and build system. It will do for ad-hoc jobs.
Disconnect from the VPN and run the following script (from https://github.com/moby/moby/issues/36151):
#!/bin/bash
docker system prune -a        # removes all stopped containers, unused networks and images
systemctl stop docker
iptables -F                   # flushes every iptables rule, not only docker's
ip link set docker0 down
brctl delbr docker0           # delete the bridge so docker recreates it on start
systemctl start docker
will allow it to work again - but then I don't have access to my company's internal servers, which is also needed to build our software.
I have tried these things:
Added DNS to daemon.json (My docker container has no internet)
Fixing the resolv.conf (My docker container has no internet)
https://superuser.com/questions/1130898/no-internet-connection-inside-docker-containers
Docker container can only access internet with --net=host
https://stackoverflow.com/a/35519951/9496422
and basically any other hit on the first two pages of google searching for "docker container no internet behind vpn"
In order to do this you need to enable the setting "Allow local (LAN) access when using VPN (if configured)" in Cisco AnyConnect.
(screenshot: Cisco AnyConnect preferences window)
However, some companies don't allow this because of security policy.

Restart docker container from another container

I'm trying to set up Docker with two containers. One is a web app and the second is a dnsmasq DHCP server.
Docker should update the dnsmasq container and the DHCP IP list from an event from the web app. The only option I have so far is to generate the dhcp hosts file and restart the dnsmasq container, but it needs to be done manually on the Docker host outside the web app container.
Is there a way to restart the service from another container?
The only way to restart a container from another container would be to mount /var/run/docker.sock and use the API. But I wouldn't do that from a webapp for obvious security reasons.
I would share the dhcp hosts file between the containers (with the -v option) and have a script running in the dnsmasq container that checks for changes in this file and restarts the dnsmasq service in the container. There's no need to restart the container. You could use Supervisord to start dnsmasq and this script. I would use the --init flag to avoid zombie processes.
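The shared-file approach in the answer above, as an added example (this is not code from the original answer): a watcher that runs inside the dnsmasq container next to dnsmasq itself. It assumes the web app writes the DHCP hosts file into a volume mounted at /shared/dhcp-hosts, a polling interval, and that dnsmasq was started with --dhcp-hostsfile pointing at that file; dnsmasq re-reads that file on SIGHUP, so a signal replaces the container restart and the web app never needs the docker socket.

```shell
#!/bin/sh
# Added example, not part of the original answer. Watches a DHCP hosts file
# shared with the web-app container and asks dnsmasq to re-read it on change.
# Assumptions: HOSTS_FILE path, polling interval, and that dnsmasq runs with
# --dhcp-hostsfile="$HOSTS_FILE" (it re-reads that file on SIGHUP).

HOSTS_FILE="${DHCP_HOSTS_FILE:-/shared/dhcp-hosts}"
STATE_FILE="${STATE_FILE:-/run/dhcp-hosts.fp}"
INTERVAL="${WATCH_INTERVAL:-5}"

# Fingerprint of the file (CRC:size via POSIX cksum); empty if the file is absent.
fingerprint() {
    [ -f "$1" ] || { echo ""; return 0; }
    cksum < "$1" | awk '{print $1 ":" $2}'
}

# Default reload action: SIGHUP every dnsmasq process. Override with
# RELOAD_CMD, e.g. "supervisorctl signal HUP dnsmasq" when Supervisord runs it.
reload_dnsmasq() {
    pkill -HUP -x dnsmasq
}

# Sanity check before reloading. Assumption about what the web app writes:
# every non-comment line is "<mac>,<fields...>"; anything else is rejected so a
# half-written or corrupted file is never handed to dnsmasq.
validate_hosts_file() {
    awk '
        BEGIN { h = "[0-9A-Fa-f][0-9A-Fa-f]"; mac = "^" h ":" h ":" h ":" h ":" h ":" h "," }
        /^[ \t]*(#|$)/ { next }
        $0 !~ mac { print "dhcp-hosts: bad line " NR ": " $0 > "/dev/stderr"; exit 1 }
    ' "$1"
}

# One poll: compare the current fingerprint with the one recorded in the state
# file. Prints "unchanged", "changed" (reload done) or "invalid" (no reload).
check_once() {
    file="$1" state="$2"
    now=$(fingerprint "$file")
    last=""
    [ -f "$state" ] && last=$(cat "$state")
    if [ "$now" = "$last" ]; then
        echo unchanged
        return 0
    fi
    # Record what we saw even when invalid, so a bad file is reported once,
    # not on every poll.
    printf '%s' "$now" > "$state"
    if validate_hosts_file "$file"; then
        ${RELOAD_CMD:-reload_dnsmasq}
        echo changed
    else
        echo invalid
    fi
}

# Foreground loop, meant to be supervised (Supervisord, or tini via --init).
watch_loop() {
    while :; do
        check_once "$HOSTS_FILE" "$STATE_FILE" >/dev/null
        sleep "$INTERVAL"
    done
}

case "${1:-}" in
    watch) watch_loop ;;
esac
```

Start it as a second Supervisord program with the argument watch. The web-app container only needs write access to the shared volume; the docker socket stays off it, which was the concern raised in the answer.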
From your host:
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock --name=xxx ubuntu bash
docker cp /usr/bin/docker xxx:/usr/bin/docker
Go inside the container and check unresolved libs:
ldd /usr/bin/docker
Manually copy missing libs from host into container and setup including symlinks as required. In my case I had to:
docker cp /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1 xxx:/usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1
And then inside the container I had to:
ln -sf /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1 /usr/lib/x86_64-linux-gnu/libltdl.so.7
Inside the container, check again with ldd /usr/bin/docker; if all is well, you can now run docker inside the container.
Note that docker-compose ran right away when I copied it from host to container. Only for docker did I have to copy the extra library and set up the symlinks.

Enable Remote API on Docker hosts in Ubuntu 14

I am running 'Docker version 1.10.3, build 20f81dd' on Ubuntu 14.04. Now my requirement is to create/delete/manage new containers from the REST API (HTTP) from the outside world. So, for this, how could I enable Docker to run on a port?
It will be helpful if I get detailed steps, as I tried a few from the net but they didn't work.
I found the solution and it's very easy. Here is the configuration.
Go to:
vi /etc/default/docker
Add DOCKER_OPTS="-H tcp://127.0.0.1:2375"
restart docker service.
Run netstat -lnp and see docker is running on port 2375
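The answer binds the API to 127.0.0.1, which only local clients can reach (the same trust boundary as the unix socket). The question asks for access from the outside world, and anyone who can call the API can start a privileged container and take over the host, so the daemon's own --tlsverify/--tlscacert/--tlscert/--tlskey flags are the supported way to open it up: only clients presenting a certificate signed by your CA are accepted. The following is an added example, not part of the original answer: it builds the DOCKER_OPTS line for /etc/default/docker and refuses a non-loopback listener without TLS, and it audits netstat -lnt output for plaintext listeners. The certificate paths are assumptions; 2375/2376 are the conventional plaintext/TLS ports.

```shell
#!/bin/sh
# Added example, not part of the original answer. Produces the DOCKER_OPTS line
# for /etc/default/docker and checks listeners. Certificate paths are
# placeholders; the daemon flags are Docker's real --tlsverify family.

# True if the bind address is only reachable from the local machine.
is_loopback() {
    case "$1" in
        127.*|localhost|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# docker_listen_opts <bind-addr> <port> [<ca.pem> <server-cert.pem> <server-key.pem>]
# Prints a DOCKER_OPTS="..." line. The unix socket is kept so the local docker
# CLI keeps working (a lone -H tcp://... replaces the default socket).
# Returns 1 instead of emitting an unauthenticated non-loopback listener.
docker_listen_opts() {
    addr="$1" port="$2" ca="${3:-}" cert="${4:-}" key="${5:-}"
    if is_loopback "$addr"; then
        echo "DOCKER_OPTS=\"-H unix:///var/run/docker.sock -H tcp://$addr:$port\""
        return 0
    fi
    if [ -z "$ca" ] || [ -z "$cert" ] || [ -z "$key" ]; then
        echo "refusing: tcp://$addr:$port would accept unauthenticated, root-equivalent API calls; supply CA, cert and key" >&2
        return 1
    fi
    echo "DOCKER_OPTS=\"-H unix:///var/run/docker.sock -H tcp://$addr:$port --tlsverify --tlscacert=$ca --tlscert=$cert --tlskey=$key\""
}

# audit_plaintext_listeners: reads `netstat -lnt` output on stdin and prints
# every LISTEN socket on the plaintext API port (2375) that is not bound to
# loopback. Returns 1 if any such listener exists, 0 otherwise.
audit_plaintext_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (port == "2375" && host != "127.0.0.1" && host != "::1") { print $4; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Example invocations (placeholder paths):
#   docker_listen_opts 127.0.0.1 2375
#   docker_listen_opts 0.0.0.0 2376 /etc/docker/ca.pem /etc/docker/server-cert.pem /etc/docker/server-key.pem
#   netstat -lnt | audit_plaintext_listeners
```

After restarting the service, the netstat check from the answer is the right verification step; piping it through audit_plaintext_listeners makes the "is 2375 exposed beyond loopback" question a yes/no exit status you can put in a host-hardening script.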

Docker - modifying IPTABLES for host from container

I want to run a docker container with central log and fail2ban service to prevent from dos/ddos attacks.
I'm having a problem running a container with such capabilities that it could also modify the host's iptables.
There is a project ianblenke/docker-fail2ban however it does not work...
Giving the container the privileged flag only allows me to control iptables in this container. Is there any way to control the host's iptables through a container?
Regards.
The --privileged flag is not required anymore.
Starting with Docker 1.2 you can now run your image with parameters --cap-add=NET_ADMIN and --cap-add=NET_RAW which will allow internal iptables.
It might also be worth noticing that in the official Ubuntu images from Docker Hub the iptables package is not installed.
So the general instruction should be
apt-get install iptables
run docker container with --net=host and --cap-add=NET_ADMIN --cap-add=NET_RAW options.
Also, if you have a docker image that is missing iptables package, and you don't want to create a custom image from it, you may run container with iptables in the same network space. E.g. if you have container container-without-iptables running, and you want to start some container-with-iptables in the same network namespace, you can do:
docker run -it --pid=container:container-without-iptables --net=container:container-without-iptables --cap-add sys_admin container-with-iptables
Docker containers, by default, run inside an isolated network namespace where they do not have access to the host network configuration (including iptables).
If you want your container to be able to modify the network configuration of the host, you need to pass the --net=host option to docker run. From the docker-run(1) man page:
--net="bridge"
Set the Network mode for the container
'bridge': creates a new network stack for the container on the docker bridge
'none': no networking for this container
'container:': reuses another container network stack
'host': use the host network stack inside the container.
Note: the host mode gives the container full access to
local system services such as D-bus and is therefore
considered insecure.
You will need to run with both --privileged and --net=host.
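The two answers above disagree on whether --privileged is needed. An added example (not code from either answer) for settling it from inside the container: decode the effective capability mask that the kernel reports in /proc/self/status and check it against what a fail2ban container actually needs (NET_ADMIN and NET_RAW, per the first answer) and what it should not carry (SYS_ADMIN, which --privileged grants along with everything else). The bit numbers are the Linux capability numbers from linux/capability.h; the masks used in the comments and test are constructed samples.

```shell
#!/bin/sh
# Added example, not part of either answer. Decodes CapEff and reports whether
# a container has exactly the capabilities an iptables-driven service needs.
# Suggested invocation (assumption, not from the page):
#   docker run --net=host --cap-drop=ALL --cap-add=NET_ADMIN --cap-add=NET_RAW \
#       -v ./checkcaps.sh:/checkcaps.sh:ro <image> sh /checkcaps.sh check

# Capability bit numbers from linux/capability.h.
CAP_NET_ADMIN=12
CAP_NET_RAW=13
CAP_SYS_ADMIN=21

# cap_has <hex-mask> <bit>: true if that capability bit is set in the mask.
cap_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_count <hex-mask>: number of capabilities granted (64-bit mask).
cap_count() {
    n=0 i=0
    while [ $i -lt 64 ]; do
        cap_has "$1" "$i" && n=$((n + 1))
        i=$((i + 1))
    done
    echo $n
}

# current_caps: this process's effective capability mask (Linux only).
current_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# check_fail2ban_caps <hex-mask>: one line per finding; returns 0 only when
# NET_ADMIN and NET_RAW are present and SYS_ADMIN is absent.
check_fail2ban_caps() {
    mask="$1" rc=0
    if cap_has "$mask" "$CAP_NET_ADMIN"; then
        echo "ok: NET_ADMIN"
    else
        echo "missing: NET_ADMIN (add --cap-add=NET_ADMIN)"; rc=1
    fi
    if cap_has "$mask" "$CAP_NET_RAW"; then
        echo "ok: NET_RAW"
    else
        echo "missing: NET_RAW (add --cap-add=NET_RAW)"; rc=1
    fi
    if cap_has "$mask" "$CAP_SYS_ADMIN"; then
        echo "excess: SYS_ADMIN present ($(cap_count "$mask") caps total); iptables does not need --privileged"; rc=1
    fi
    return $rc
}

case "${1:-}" in
    check) check_fail2ban_caps "$(current_caps)" ;;
esac
```

Docker's default set (CapEff 00000000a80425fb, 14 capabilities) already includes NET_RAW but not NET_ADMIN, so the check fails until --cap-add=NET_ADMIN is given; a --privileged container fails it the other way, because SYS_ADMIN and the rest of the mask are present. Pair --cap-add with --cap-drop=ALL so the result is exactly the two bits and nothing inherited from the default set.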
