How to provide internet access to running docker container? - docker

Hi, can anyone help me with the correct command to provide internet access to a running container?
I know we have to specify --net in the docker run command to access the internet from inside the container.
What if I want to provide internet access to a container which I didn't run with --net (i.e. a container which does not have internet access)?
I got the docker network connect NetworkName ContainerName/ID command from: https://docs.docker.com/engine/reference/commandline/network_connect/
but running the above command does not provide internet access, so please share the correct command.
Note: I am trying this on a CentOS container.

Your docker containers should have internet access by default, as that is the normal setup of docker, and by no means should they require --net to get it. If they don't, then you probably have something mixed up on your host, e.g. additional firewall rules or IP forwarding not being enabled.
For starters, check if you have IP forwarding enabled; it should look like the following:
$ cat /proc/sys/net/ipv4/ip_forward
1
and verify that you don't have something funky in your iptables.
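The two host-side checks in the answer above (ip_forward and the iptables rules Docker needs for outbound traffic) as an added example, not code from any poster: it takes the ip_forward value and iptables-save text as strings, so it runs offline against the constructed sample below, and the default subnet and bridge name are assumptions matching a stock docker0 setup.

```python
import re

# Constructed sample of `iptables-save` output for a host running the default
# Docker bridge (docker0 on 172.17.0.0/16); not captured from the poster's machine.
SAMPLE_IPTABLES_SAVE = """\
*nat
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT
"""

def parse_tables(text):
    """Group iptables-save lines by table name ('nat', 'filter', ...)."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()
            tables[current] = []
        elif current and line and not line.startswith("#") and line != "COMMIT":
            tables[current].append(line)
    return tables

def check_docker_egress(ip_forward_value, iptables_save, subnet="172.17.0.0/16", bridge="docker0"):
    """Return the reasons containers on `subnet` would lack outbound internet access."""
    problems = []
    # 1. The kernel must forward packets between the bridge and the uplink interface.
    if ip_forward_value.strip() != "1":
        problems.append("net.ipv4.ip_forward is not 1; the host will not forward container traffic")
    tables = parse_tables(iptables_save)
    # 2. Container traffic leaving the host must be source-NATed so replies can return.
    nat_rule = re.compile(rf"^-A POSTROUTING -s {re.escape(subnet)} .*-j MASQUERADE$")
    if not any(nat_rule.match(line) for line in tables.get("nat", [])):
        problems.append(f"no MASQUERADE rule for {subnet} in the nat POSTROUTING chain")
    # 3. If FORWARD defaults to DROP, Docker's own ACCEPT rule for the bridge must exist.
    filt = tables.get("filter", [])
    policy = next((l.split()[1] for l in filt if l.startswith(":FORWARD ")), "ACCEPT")
    if policy == "DROP" and f"-A FORWARD -i {bridge} ! -o {bridge} -j ACCEPT" not in filt:
        problems.append(f"FORWARD policy is DROP and the ACCEPT rule for {bridge} is missing")
    return problems
```

On a real host, feed it the contents of /proc/sys/net/ipv4/ip_forward and the output of iptables-save; an empty list means the three prerequisites the answer names are all in place.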

Docker containers should resolve internet traffic once configured properly. Please check the container network status by:
Entering a public DNS (8.8.8.8) manually in /etc/resolv.conf.
If that's not working, check the container network side: go to /etc/default/docker, add public DNS values there (DOCKER_OPTS="--dns 208.67.222.222 --dns 208.67.220.220"), then run sudo service docker restart.
Log in to the container and ping google.com.

Related

Which Linux capability to use to properly run "sysctl -w net.ipv4.conf.tun0.route_localnet=1" in a Docker container?

I'm using an OpenVPN server in a Docker container for multiple client connections.
This container is located in a specific Docker network in which I have a web server as client target.
I want to publish the host name of my web server to clients so that they won't need to know its IP address in order to reach it.
To do so, I want to open the Docker's native DNS server to the OpenVPN clients and push to them the OpenVPN's IP as DNS server.
However, the Docker DNS server resides in the OpenVPN container, listening on 127.0.0.11 (with iptables internal redirections but that's another story).
Thus, in the OpenVPN server container, I need to add an iptables rule in order to forward a DNS request coming from the external OpenVPN IP to the internal 127.0.0.11 one.
But such an internal forward requires me to execute the following command:
sysctl -w net.ipv4.conf.tun0.route_localnet=1
Using only the NET_ADMIN capability when running docker run (--cap-add=NET_ADMIN), I get the following error message:
sysctl: error setting key 'net.ipv4.conf.tun0.route_localnet': Read-only file system
However, this works perfectly using the --privileged flag, but that one is too permissive.
Is there any Linux capability that can do the trick without using the --privileged flag?
I couldn't find the answer in the Linux capabilities manual.
I found a solution, using the --sysctl option of docker run.
Solution in docker-compose.yml:
sysctls:
- net.ipv4.conf.tun0.route_localnet=1 # Doesn't work as tun0 doesn't exist yet at container start time
- net.ipv4.conf.default.route_localnet=1 # Workaround.

docker on windows 10 can't mount volumes when VPN enabled

I'm seeing problems mounting local volumes when running docker on Windows 10. The problems only appear when I have my company VPN enabled.
C:\Users\matt> docker run --rm -v d:/tmp:/data alpine ls /data
my_local_test_file.txt
When connected to VPN, I get this:
C:\Users\matt> docker run --rm -v d:/tmp:/data alpine ls /data
C:\Program Files\Docker\Docker\Resources\bin\docker.exe: Error response from daemon: error while creating mount source path '/host_mnt/d/tmp': mkdir /host_mnt/d: file exists.
Docker version is 17.12.0-ce-win47
I believe the problem is that docker uses the network when mounting local volumes, and the VPN routes ALL network traffic via the VPN gateway, so docker can't see the local drive.
Is there a workaround for this?
I'm aware I could run docker within a linux VM, or use docker toolbox. Neither of those are particularly good.
Is there another possible workaround?
the VPN routes ALL network traffic via the VPN gateway
You're probably right, in which case all traffic routed from the Docker client to the Docker daemon will also go through the VPN. When you use the Docker CLI on Windows, it connects to the Docker daemon, which is accessible through the network. Using a VPN may disrupt this mechanism.
I think what's happening is:
When VPN is disabled, you use the Docker daemon on your machine and everything works.
When VPN is enabled, another Docker daemon is used, because your VPN redirects traffic addressed to your Docker host (127.0.0.1 by default, or set via the -H flag or the DOCKER_HOST env variable). This means that somehow this IP or host exists on your VPN network and there is a Docker daemon listening on it (which is kind of odd admittedly; it may be risky to use that daemon).
If that's really happening, you'll certainly see different output from docker ps -a, docker images, etc. because you are connecting to different daemons. (The daemon accessible through your VPN is actually owned by someone else; you'd better not use it!)
What you can do:
Do not route 127.0.0.1 (or whatever is configured as Docker host) through your VPN.
The action to take will depend on the VPN software you are using, or you can add a route directly on your Windows machine (here is a good article on the subject).
Find out your IP when VPN is enabled and configure the daemon to listen on this IP.
When your VPN is enabled, run ipconfig /all and find the interface used by your VPN and its IP address, for example 10.142.0.12 (you can compare the output before/after enabling VPN to identify which one it is).
Configure your Docker daemon to listen on this IP address and restart it. Either use the UI, or edit the config file, which on Windows is located at %programdata%\docker\config\daemon.json by default; you need to specify "hosts": ["10.142.0.12", "127.0.0.1"] for example (see docs for details).
Configure the Docker host to 10.142.0.12 when VPN is enabled, either by setting the environment variable DOCKER_HOST=10.142.0.12 or with the client: docker -H 10.142.0.12 <cmd>
/!\ Security note: this may present a security issue as anyone knowing your IP on the VPN network will be able to use the Daemon on your machine
Hope this helps. I am not a Windows expert so I was not able to give details on Windows-related issues, but feel free to ask details if needed.

multiple docker run pptp client on same host

I set up docker with a pptp client to connect to a pptp server, following http://cyan.ly/blog/multiple-vpn-docker-2015
However, when I try to run more than one docker container, pptp fails. Only one docker container can connect to the pptp server. It seems they cannot share the same device?
Any help would be appreciated.
Point-to-Point Tunneling Protocol (PPTP) traffic is uniquely identified by a source IP address and a Call ID field in the GRE header. When multiple clients connect to the same VPN endpoint behind a common Network Address Translation (NAT), they all have the same source IP address. Because the different VPN clients are unaware of each other, they might choose the same Call ID field, which prohibits multiple connections because the VPN endpoint has no way to differentiate between the various connections.
When I was running my Docker container using the parameter --net=host,
only one container was getting connected:
docker run -it --net=bridge --cap-add=NET_ADMIN --device=/dev/ppp --privileged -v /dev:/dev -v /lib/modules:/lib/modules 1368917489 /bin/bash
But after looking at it closely, I came to the conclusion that one should
run the container with the parameter --net=bridge.
Basically, when we run the containers with the bridge network setting, they will get IP addresses directly from DHCP, which will resolve our issue.
Try this and you can make hundreds of connections using Docker containers!

Access docker remote API from container

I'm trying to access Docker remote API from within a container because I need to start other containers.
The host address is 172.19.0.1, so I'm using http://172.19.0.1:2375/images/json to get the list of images (from the host, http://localhost:2375/images/json works as expected).
The connection is refused, I guess because Docker (for Windows) listens on 127.0.0.1 and not on 0.0.0.0.
I've tried to change configuration (both from UI and daemon.json) adding the entry:
"hosts": ["tcp://0.0.0.0:2375"]
but the daemon fails to start. How can I access the api?
You can set DOCKER_OPTS in Windows as below and try. On Windows, Docker runs inside a VM, so you have to ssh into the VM and make the changes.
DOCKER_OPTS='-H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock'
Check if it works for you.
Update: To ssh into the VM (assuming default is the VM name you created using Docker Toolbox), enter the following command in the Docker Quickstart Terminal:
docker-machine ssh default
You can find more details here.
You could mount the host's /var/run/docker.sock into the container where you need it. This way, you don't expose the Docker Remote API via an open port.
Be aware that it does provide root-like access to Docker.
-v /var/run/docker.sock:/var/run/docker.sock
You should use "tcp://host.docker.internal:2375" to connect to the host machine from a container. Please make sure that you can ping the "host.docker.internal" address.
https://github.com/docker/for-win/issues/1976
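The listen settings quoted on this page ("hosts": ["10.142.0.12", "127.0.0.1"] in the Windows VPN answer, "hosts": ["tcp://0.0.0.0:2375"] in this question, and the DOCKER_OPTS line with tcp://0.0.0.0:4243 in the first answer) all bind the Remote API on a network-reachable address, which is the exposure the security note above warns about. An added example, not code from any poster, that audits such settings offline: it takes the daemon.json text and/or a DOCKER_OPTS value as strings, and assumes tlsverify is the only form of client authentication considered.

```python
import json
import shlex
from urllib.parse import urlsplit

# Addresses that only processes on the local machine can reach.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def collect_listeners(daemon_json=None, docker_opts=None):
    """Gather the daemon's listen addresses from daemon.json and/or a DOCKER_OPTS string."""
    hosts, tls = [], False
    if daemon_json:
        cfg = json.loads(daemon_json)
        hosts += cfg.get("hosts", [])
        tls = bool(cfg.get("tlsverify"))
    if docker_opts:
        args = shlex.split(docker_opts)
        for i, arg in enumerate(args):
            if arg in ("-H", "--host") and i + 1 < len(args):
                hosts.append(args[i + 1])
            elif arg.startswith("--host="):
                hosts.append(arg.split("=", 1)[1])
            elif arg == "--tlsverify":
                tls = True
    return hosts, tls

def audit_listeners(hosts, tls):
    """Return the listen addresses that expose the API to the network without client auth."""
    exposed = []
    for host in hosts:
        # Docker treats a bare "ip[:port]" as tcp://; normalise so urlsplit can parse it.
        url = urlsplit(host if "://" in host else "tcp://" + host)
        if url.scheme in ("unix", "npipe", "fd"):
            continue  # local IPC; access is governed by socket/pipe permissions
        bind = url.hostname or "0.0.0.0"  # "tcp://:2375" binds every interface
        if bind in LOOPBACK:
            continue
        if not tls:
            exposed.append(host)
    return exposed

def audit(daemon_json=None, docker_opts=None):
    """Convenience wrapper: parse the configuration and return the exposed listeners."""
    return audit_listeners(*collect_listeners(daemon_json, docker_opts))
```

A non-empty result means anyone who can reach that address gets the same root-equivalent control over the host that the docker.sock answer describes, so pair a non-loopback tcp listener with TLS client verification or restrict it with a host firewall.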

Port binding is not working in docker on windows

I have installed docker on my Windows machine.
I am trying to install Gerrit on it.
Pulling the image is done successfully.
Running the image is also done:
docker run -d -p 8080:8080 -p 29418:29418 ******/gerrit
I try to connect to it through the browser with my container id:8080 but it throws an error:
This site can’t be reached
What is going wrong? Please help with suggestions.
BR,
Rash
You need to access your container by the IP of the virtual machine. You can obtain it with the command docker-machine ls. Then access the container in the browser at (replace the IP) http://192.168.99.100:8080
This is a known limitation of windows containers at the moment as per the docker documentation (https://docs.docker.com/docker-for-windows/troubleshoot/#limitations-of-windows-containers-for-localhost-and-published-ports).
As of the Windows 10 Creators Update this has kinda been fixed, where you can use the host IP with the bound host port (http://<hostIp>:<hostBoundedPort>), but still not localhost or any of its aliases.
Alternatively you can avoid port mapping and hit the container IP directly. There are numerous ways to get your container IP. Personally I would use:
docker ps
This lists all the running docker containers, allowing you to find the Container ID for the container that you want to hit, followed by:
docker inspect <initial_part_or_full_id>
This will output low-level information about the container, including its Network settings, where you will find the NAT-ed endpoint details containing the IP. Then simply use http://<containerIP>:<containerPort>.
