I need to access a physical device from a container on a Windows host (running Docker Desktop). The device has a fixed IP address in a separate subnet (192.168.0.5/24). How do I properly set up the network for the container (via docker run or docker-compose)?
I first thought of just opening the relevant port, but for one, it is chosen at random (e.g. 52714, 63575), and second, even if the port is open, I cannot reach the device.
So I tried to fetch an ipvlan, but in this configuration I am not reaching the container at all.
version: "3.8"
services:
  python-fastapi:
    container_name: fast_api
    build:
      context: Python
      dockerfile: Vision_fastAPI.Dockerfile
    ports:
      - "5001:5000"
    networks:
      - myVLan
networks:
  myVLan:
    driver: ipvlan
    driver_opts:
      parent: host
      ipvlan_mode: l2
    ipam:
      config:
        - subnet: 192.168.0.0/24
Actually, I was trying to reproduce a tutorial (from a Ubuntu host):
docker network create -d ipvlan --subnet=192.168.0.0/24 --ip-range=192.168.0.0/24 -o ipvlan_mode=l2 -o parent=enp11s0f1 myVLan
Obviously, I struggle with the parent option. I thought it would be the physical Ethernet adapter, but I have no idea of the naming in Windows (docker-compose doesn't accept names like "Ethernet 8", so I guess I am getting something wrong here). It works with a docker network ("default"), but just in the sense that it doesn't produce an error.
The configuration of the ethernet adapter is the following:
Ethernet adapter Ethernet 8:
Connection-specific DNS Suffix:
Description . . . . . . . . . . . : Lenovo USB Ethernet #4
Physical Address . . . . . . . . : 3C-18-A0-52-43-C1
DHCP Enabled . . . . . . . . . . : no
Autoconfiguration Enabled . . . . : Yes
IPv4 Address . . . . . . . . . . : 192.168.0.210(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip . . . . . . . : Enabled
Do absolutely nothing. Delete all of the networks: blocks in the Compose file. Connect to the external IP address as normal; Docker provides a network address translation (NAT) mechanism that will let you connect to the off-box service.
If you set up a Domain Name Service (DNS) server for your environment (highly recommended), make sure to use a fully-qualified domain name (FQDN) when you connect to the service, other-host.example.com. If you use a short name other-host then Docker will try to interpret that as a container name.
Related
I need to connect to docker host from a linux container in my windows server machine. But docker dns is not able to resolve docker.host.internal.
I have tried to add host.docker.internal in docker compose extra_hosts tag and have also tried to map my machine ip with this. But none of this is working.
extra_hosts:
  - "host.docker.internal:host-gateway"
extra_hosts:
  - "host.docker.internal:my_ip"
I have also tried to check the /etc/hosts file in my container, and it is not there. Since the hosts file is not there, Docker DNS cannot resolve host.docker.internal.
docker exec my_container_id cat /etc/hosts
/etc/hosts: No such file or directory
My Environment:
Host Machine: Windows Server 2019
docker version: 20.10.10
lcow version: v4.14.35-v0.3.9
docker-compose version: v2.9.0
I have also tried to update my docker version to 20.10.11 which is working fine on my windows 10 machine.
PS C:\Windows\system32> docker version
Client:
Version: 20.10.11
API version: 1.41
Go version: go1.16.10
Git commit: dea9396
Built: Thu Nov 18 00:42:51 2021
OS/Arch: windows/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.11
API version: 1.41 (minimum version 1.24)
Go version: go1.16.9
Git commit: 847da18
Built: Thu Nov 18 00:38:11 2021
OS/Arch: windows/amd64
Experimental: true
I am unable to understand why docker is unable to create /etc/hosts file.
I have made this work by adding a manual entry in the /etc/hosts file. Since I was not using Docker Desktop, the docker daemon was not able to create the /etc/hosts file inside my container, and due to this missing file my container was not able to connect to host.docker.internal. I made sure of a few things before doing this.
I checked if bridge network was created (from my host machine):
PS C:\Windows\system32> docker network ls
NETWORK ID NAME DRIVER SCOPE
9f3ee06eaa1f nat nat local
1b17a917b877 none null local
56f23d8f2228 talflow_code-default nat local
Then I inspected the nat network, which is the default bridge network created by the docker daemon:
PS C:\Windows\system32> docker network inspect nat
[
{
"Name": "nat",
"Id": "9f3ee06eaa1f3ec923e734b18228d08b2cda9242293a2b71fd82c7a413109609",
"Created": "2022-08-11T12:18:01.4356971-07:00",
"Scope": "local",
"Driver": "nat",
"EnableIPv6": false,
"IPAM": {
"Driver": "windows",
"Options": null,
"Config": [
{
"Subnet": "172.31.80.0/20",
"Gateway": "172.31.80.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {
"com.docker.network.windowsshim.hnsid": "9C6F07F8-D106-4CD4-B3B7-C303886D4815",
"com.docker.network.windowsshim.networkname": "nat"
},
"Labels": {}
}
]
Here the bridge IP is 172.31.80.1
Next I verified that this IP is accessible inside my container. Note that I had to use an ubuntu container to verify this. As containers only have basic commands, I pulled the latest ubuntu image from Docker Hub and installed the ping, ip and route commands on it to verify the connectivity of the container with the host.
Inside my ubuntu container I typed the route command to check the IP table:
root@8a7d33102d90:/# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.31.80.1 0.0.0.0 UG 1 0 0 eth0
172.31.80.0 * 255.255.0.0 U 0 0 0 eth0
In the IP route table I can see the bridge IP as the default route. This entry verifies that my container can communicate with the docker bridge network. I can use either this IP or my host machine IP to access any service on my host machine (I used the host machine IP as this was static; in case of a dynamic IP, prefer to use the bridge network IP or DNS).
Now inside my ubuntu container I can ping both the bridge IP and my host machine IP:
root@8a7d33102d90:/# ping 172.31.80.1
PING 172.31.80.1 (172.31.80.1) 56(84) bytes of data.
64 bytes from 172.31.80.1: icmp_seq=1 ttl=64 time=0.070 ms
64 bytes from 172.31.80.1: icmp_seq=2 ttl=64 time=0.201 ms
64 bytes from 172.31.80.1: icmp_seq=3 ttl=64 time=0.116 ms
root@8a7d33102d90:/# ping 10.25.241.37
PING 10.25.241.37 (10.25.241.37) 56(84) bytes of data.
64 bytes from 10.25.241.37: icmp_seq=1 ttl=64 time=0.070 ms
64 bytes from 10.25.241.37: icmp_seq=2 ttl=64 time=0.201 ms
64 bytes from 10.25.241.37: icmp_seq=3 ttl=64 time=0.116 ms
Note that 10.25.241.37 is the IPv4 address of my Ethernet0 adapter, you can check this by typing ipconfig command in powershell:
PS C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.25.241.37
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 10.25.241.33
Ethernet adapter vEthernet (nat):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::81af:fd91:a6cf:6158%15
IPv4 Address. . . . . . . . . . . : 172.31.80.1
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . :
Ethernet adapter vEthernet (56f23d8f2228039):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::7453:b5f6:e090:b8a4%22
IPv4 Address. . . . . . . . . . . : 172.20.0.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
Once I verified that there was no issue with networking, I simply created the /etc/hosts file inside my actual container, from where I wanted to access the docker host.
PS C:\Windows\system32> docker exec -it a027f718c24e /bin/bash
root@a027f718c24e:/usr/local/airflow# echo '10.25.241.37 host.docker.internal' | tee -a /etc/hosts
After adding this entry I can access host.docker.internal from my container. Note that I added this entry only for testing purposes, as I had to add it inside the running container. Once the container is stopped this file will be gone and you will need to create it again, which is not right. So I will instead use the static IP (10.25.241.37) of my machine instead of host.docker.internal to make requests to services hosted on the host machine.
Running Wireshark 3.2.5 64bit on Windows 10 as administrator.
Mozilla VPN creates this interface, as shown in ipconfig:
Unknown adapter FirefoxPrivateNetworkVPN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WireGuard Tunnel
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : fc00:bbbb:bbbb:bb01::*:*(Preferred)
IPv4 Address. . . . . . . . . . . : 10.65.*.*(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.64.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Wireshark does not display this interface, although all other interfaces (real and virtual) are available.
I can see the encrypted data on the primary Ethernet interface.
I need Wireshark to monitor the traffic going through the Wireguard tunnel.
Other VPNs interfaces are visible in Wireshark, why not this one?
I have also noticed that the Windows WireGuard implementation currently doesn't cooperate with other standard network tools. Not only are WG interfaces invisible to Wireshark, but WireGuard connections cannot be blocked by Windows Firewall for some reason. I see it as a security issue.
Currently Wireguard for Windows uses Wintun interface. For comparison, OpenVPN has had an option to use Wintun interface for some time now too. And when you use it its interface is also invisible to Wireshark. But you can still block OpenVPN in the Windows Firewall.
EDIT:
Solution (2021-08-22): Update npcap Windows driver to the most recent one. Then Wintun interfaces will appear for Wireshark.
Now the problem is that Wireshark currently incorrectly dissects what it captures on the Wintun interface - it sees "Ethernet II" packets going around with unknown protocol 0xXXXX inside, while actually it's IPv4 packets not "Ethernet II", and 0xXXXX is just a part of an IP address. The data is not encrypted though, so you can identify packets by data contents: for example, it's an ICMP echo on the screenshot.
I have a gMSA credential spec working with docker run but not with docker-compose. Details for the compose file and the docker run command are below. I'm completely lost as to what I'm missing. I did a lot of googling and I'm not sure what's going on. My primary thought is that something with the docker-compose file is off, but I'm not sure.
Docker-compose
version: '3.3'
services:
  basic:
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    entrypoint: ping -t localhost
    hostname: server01
    security_opt:
      - credentialspec=file://server01.json
    dns:
      - "192.168.43.2"
    user: "NT AUTHORITY\\NETWORK SERVICE"
networks:
  default:
    external:
      name: "Net"
After running docker-compose up:
C:\Users\administrator> docker exec -it b9e2a783ab09 powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\> ipconfig
Windows IP Configuration
Ethernet adapter vEthernet (Ethernet) 10:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4416:3381:8d1a:122a%43
Autoconfiguration IPv4 Address. . : 169.254.18.42
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
PS C:\> ipconfig /renew
Windows IP Configuration
Ethernet adapter vEthernet (Ethernet) 10:
Connection-specific DNS Suffix . : localdomain
Link-local IPv6 Address . . . . . : fe80::4416:3381:8d1a:122a%43
IPv4 Address. . . . . . . . . . . : 192.168.43.198
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
PS C:\> nslookup testdomain.local
Server: UnKnown
Address: 192.168.43.2
Name: testdomain.local
Addresses: 192.168.43.2
192.168.52.133
PS C:\> nltest /sc_verify:testdomain.local
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED
docker run
docker run -it --security-opt "credentialspec=file://server01.json" --user="nt authority\system" --hostname="server01" --network="Net" --dns="192.168.43.2" mcr.microsoft.com/windows/servercore:ltsc2019 powershell
PS C:\> nslookup testdomain.local
Server: UnKnown
Address: 192.168.43.2
Name: testdomain.local
Addresses: 192.168.43.2
192.168.52.133
PS C:\> nltest /sc_verify:testdomain.local
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc01.testdomain.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully
PS C:\>
Hey so I'm leaving this up as a mark of shame.
Notice that I used different users? Turns out I needed to use system and not the network service account. That fixed it.
Use double quotes:
security_opt:
  - "credentialspec=file://server01.json"
I've just started playing with docker and I'm facing a really strange issue. After installing, I've pulled an IIS nanoserver image and I've started it:
λ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
beabe561852f d4 "C:\\ServiceMonitor.e…" 3 minutes ago Up 3 minutes 0.0.0.0:81->80/tcp nano-server
After that I've tried to access the site through http://localhost:81. Since it wasn't working, I've inspected the IP with the following command:
λ docker inspect -f "{{json .NetworkSettings.Networks}}" b
{"nat":{"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"11117ac2f84721d1ca93c719192dd4d2aa5f9e6d23e7b3077dfd8ffb63aaf2e2","EndpointID":"68984bc164035e4035af1878673dda69e913dde19d641943cb68f7121aa9dae6","Gateway":"172.23.160.1","IPAddress":"172.23.174.235","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"00:15:5d:33:81:0a","DriverOpts":null}}
Pinging wasn't working either:
λ ping 172.23.174.235
Pinging 172.23.174.235 with 32 bytes of data:
Reply from 10.200.2.222: Destination net unreachable.
Reply from 10.200.2.222: Destination net unreachable.
Reply from 10.200.2.222: Destination net unreachable.
Reply from 10.200.2.222: Destination net unreachable.
Ping statistics for 172.23.174.235:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
So, I've tried running powershell in the container to check the IP:
PS C:\> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : mshome.net
Link-local IPv6 Address . . . . . : fe80::14e3:fd95:19a:c89b%4
IPv4 Address. . . . . . . . . . . : 192.168.238.55
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 172.23.160.1
192.168.238.49
PS C:\>
As you can see, the container's "real" IP is completely different from the one that Docker thinks is being used by it.
I've already tried disconnecting the container from the network and reconnecting it again, but the results are always the same.
Any clues on what's going on here? Even more important, any tips on how to solve it?
Thanks
In this case, I've removed all unused networks with the docker network prune command. After deleting the Default Switch, everything started to work correctly. I'm not sure why this was required, but probably there was something wrong with that switch configuration...
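A check for the mismatch described in the question above, added here as example code (not from the original post or from Docker): it parses Docker's endpoint record and the container's own ipconfig output, both constructed from the values quoted in the question, and lists every way the two disagree.

```python
import ipaddress
import re
# Constructed from the question above: Docker's endpoint record (docker inspect -f "{{json .NetworkSettings.Networks}}" <id>), trimmed to the fields used here.
DOCKER_VIEW = {"nat": {"Gateway": "172.23.160.1", "IPAddress": "172.23.174.235", "IPPrefixLen": 16}}
# Constructed from the question above: ipconfig as run inside the container.
CONTAINER_IPCONFIG = """
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 192.168.238.55
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Default Gateway . . . . . . . . . : 172.23.160.1
                                       192.168.238.49
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FIELD = re.compile(r"\s*(IPv4 Address|Subnet Mask|Default Gateway)[ .]*:\s*(\S*)")

def parse_ipconfig(text):
    """Extract IPv4 address, mask and all default gateways (continuation lines hold a bare address)."""
    info = {"address": None, "mask": None, "gateways": []}
    in_gateway = False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.groups()
            in_gateway = key == "Default Gateway"
            if key == "IPv4 Address":
                info["address"] = value
            elif key == "Subnet Mask":
                info["mask"] = value
            elif value:
                info["gateways"].append(value)
        elif in_gateway and re.fullmatch(r"\s*" + IPV4 + r"\s*", line):
            info["gateways"].append(line.strip())
        else:
            in_gateway = False
    return info

def compare_views(docker_view, ipconfig_text, network="nat"):
    """Return every discrepancy between Docker's record and the container's own view."""
    rec = docker_view[network]
    recorded = ipaddress.ip_interface(f"{rec['IPAddress']}/{rec['IPPrefixLen']}")
    seen = parse_ipconfig(ipconfig_text)
    actual = ipaddress.ip_interface(f"{seen['address']}/{seen['mask']}")
    findings = []
    if actual.ip != recorded.ip:
        findings.append(f"address: docker recorded {recorded.ip}, container has {actual.ip}")
    if actual.ip not in recorded.network:
        findings.append(f"{actual.ip} lies outside the docker subnet {recorded.network}")
    if ipaddress.ip_address(rec["Gateway"]) not in actual.network:
        findings.append(f"docker gateway {rec['Gateway']} is not on the container subnet {actual.network}")
    for gw in seen["gateways"]:
        if ipaddress.ip_address(gw) not in recorded.network:
            findings.append(f"extra gateway {gw} is not on the docker subnet")
    return findings
```

An empty list from compare_views means Docker's record and the container agree; the question's data yields four findings, which is the state the answer cleared by pruning the stale network.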
I am running a web API on the host system and it's not exposed on public IP.
I want to access from a docker windows container running on the same system.
By initial analysis, it seems a Windows container does not support accessing the host system from within the container.
I tried to access the API with the following addresses, but none of them are working.
https://host_system_ip:port/api/controller/action
https://default_gateway_ip:port/api/controller/action
https://localhost:port/api/controller/action
https://127.0.0.1:port/api/controller/action
For security reasons I cannot make that API accessible on a public IP; only the host system and containers running on the same host machine should be allowed to access the web API.
This works fine for me from within the container. Make sure you are on the latest OS, etc., and nothing is missing.
PS C:\> docker run --rm microsoft/windowsservercore powershell invoke-webrequest 192.168.1.221 -useBasicParsing
StatusCode : 200
StatusDescription : OK
Content : Application 995184 and started on 3/21/2018 8:59:09 AM
RawContent : HTTP/1.1 200 OK
Content-Length: 54
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 21 Mar 2018 14:01:22 GMT
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Pow...
Forms :
Headers : {[Content-Length, 54], [Cache-Control, private],
[Content-Type, text/html; charset=utf-8], [Date, Wed, 21
Mar 2018 14:01:22 GMT]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml :
RawContentLength : 54
PS C:\> ipconfig
Windows IP Configuration
Ethernet adapter vEthernet (nat):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::94d6:434:c0b6:8fdc%56
IPv4 Address. . . . . . . . . . . : 172.29.112.1
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . :
Ethernet adapter vEthernet (Internet):
Connection-specific DNS Suffix . : lan
Link-local IPv6 Address . . . . . : fe80::342a:be30:c7c:c1de%24
IPv4 Address. . . . . . . . . . . : 192.168.1.221
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1