I want to run a docker container. This container must be isolated from the host computer.
This means the container should not access to files and memory of the host computer.
The container will only access to network throught mapped port (-p option) and nat.
So i run this command:
docker run -it --cap-drop ALL myimage
There is something very strange because i can't run a basic command like "apt-get update" on the container.
I have setgroups, seteuid errors.
I do not understand why i have to add capabilities for that !
I understand docker needs capabilities on the container, for the container itself. But i do not want to allow capabilities on the host system.
How should i do to disable all capabilities for host interaction and allow all capabilities for the container itself ?
Thanks a lot
Related
I am running a custom image (based on the docker image Locust) locally using the below command
docker run -p 5557:5557 my-stress-test:0.1
My dockerfile looks as below
FROM locustio/locust:latest
COPY ./ /mnt/locust
CMD ["-P", "5557", "-f", "/mnt/locust/locustfile.py"]
Now, I deploy this image on to my cloud service which runs this image generating the command
docker run -p 5557 my-stress-test:0.1
This is the command I cannot change. However, I am not able to run the image without port forwarding, like -p 5557:5557. How can I change my dockerfile or anything to run the image without port forwarding.
In dockers you should know how its network works.
There is 3 type of port configuration:
docker run my-stress-test:0.1
docker run -p 5557:5557 my-stress-test:0.1
docker run -p 127.0.0.1:5557:5557 my-stress-test:0.1
In the first type, only apps in the same network as this app can connect to that port.
In the second type, all apps inside and outside of the container network can connect to that port.
In the third type only apps inside the container network, and other apps inside the host can connect to the app, and apps outside of the host cannot connect to the app.
I think the third type is what you are looking for.
If you have multiple network in your host, and you want other apps from other hosts to access the app, you can bind that network ip to the port. for example
docker run -p 192.168.0.10:5557:5557 my-stress-test:0.1
With Docker, you can't publish ports in the dockerfile or at any other time other than at run by design.
How to publish ports in docker files
This question will be best posed to your cloud provider as to why you're unable to change the command that runs a container of your image.
how to access a path of a container from docker-machine? I have the ip docker-machine and I want to connect via remote in a docker image, e.g:
when I connect to ssh docker#5.5.5.5, all file are docker-machine, but I wat to conect a docker image via ssh.
whe I use this comman docker exec -u 0 -it test bash all files from the imagen are ok, but I want to access with ssh using docker-machine.
How can I do it?
This is tricky as Docker is designed to run a single process in foreground and containers dies when the process completed. This means Docker containers don't run anything additional other than what you define in the Dockerfile or docker-compose.yml.
What you can try is using docker-compose.yml file, expose the port 22 to outside world (also can be done through command line with Dockerfile). This is NOT guaranteed to work as this require the image to run an SSH daemon and most cases it runs one process.
If you're looking to persist files that are used by containers, such as when a container is re-deployed it starts where it left off, you can mount a folder from host machine to the container as a volume.
I want to run a docker container with central log and fail2ban service to prevent from dos/ddos attacks.
I'm having a problem to run a container with such capabilities that it could also modify the hosts iptables.
There is a project ianblenke/docker-fail2ban however it does not work...
Giving the container flag privileged only allows me to control iptables on this container. Is there any way to control hosts iptables through container?
Regards.
--privileged flag is not required anymore.
Starting with Docker 1.2 you can now run your image with parameters --cap-add=NET_ADMIN and --cap-add=NET_RAW which will allow internal iptables.
It might be also worth noticing that in official Ubuntu images from Docker Hub iptables package is not installed.
So general instruction should be
apt-get install iptables
run docker container with --net=host and --cap-add=NET_ADMIN --cap-add=NET_RAW options.
Also, if you have a docker image that is missing iptables package, and you don't want to create a custom image from it, you may run container with iptables in the same network space. E.g. if you have container container-without-iptables running, and you want to start some container-with-iptables in the same network namespace, you can do:
docker run -it --pid=container:container-without-iptables --net=container:container-without-iptables --cap-add sys_admin container-with-iptables
Docker containers, by default, run inside an isolated network namespace where they do not have access to the host network configuration (including iptables).
If you want your container to be able to modify the network configuration of the host, you need to pass the --net=host option to docker run. From the docker-run(1) man page:
--net="bridge"
Set the Network mode for the container
'bridge': creates a new network stack for the container on the docker bridge
'none': no networking for this container
'container:': reuses another container network stack
'host': use the host network stack inside the container.
Note: the host mode gives the container full access to
local system services such as D-bus and is therefore
considered insecure.
You will need to run with both --privileged and --net=host.
I have installed docker on a CentOS machine. Now I am trying to run a MapR sandbox on it. After starting I get this:
Starting MapR Services.................
To manage this node go to: https://172.17.0.13:8443
But I am not able to access this URL from the windows machine in the same network as the CentOS machine.
This is an internal docker network inaccessible outside of the box. In order to access this container you need:
EXPOSE command in container (most likely it is already there)
run container with -p option
If you just specify -p port will be random - you could find it with inspect command, or you could use permanent port -p hostIp:externalPort:8443 where hostIp is address of your docker host.
After that you could access container from network as https://hostIp:externalPort
I want to run a docker container in my server, and expose a specific port to other server in the same intranet. But I don't want my container can be accessed by internet outside.
Is there any solution for my situation?
Any help will be appreciated.
If your host computer is running on Windows, you can configure firewall to allow that specific port to be accessed only from that machine.
Another option is to configure boot2docker (via iptables) to restrict access only to specific IP address. But I think it works only for the current session: you have to edit boot2docker image and add it to be used permanently. And the drawback is that all docker images running in docker inside boot2docker would be affected with this change.
So, my suggestion is to restrict access on host computer side, such as:
c:\>boot2docker init
c:\>boot2docker up
c:\>boot2docker ssh -L 0.0.0.0:8080:localhost:8080
docker#boot2docker:~$ docker run -p 8080:8080 myContainer
And restrict port 8080 on firewall level of your host computer.