I'm trying to get a simple OpenVPN server set up on a cheap Vultr VPS through docker-compose.
I was able to generate certificates and such just fine, and can even connect to the server.
But when I connect to it on my Mac through Tunnelblick, I have no Internet. My IPv6 Internet works, but seems to just be using my home connection, not the VPN tunnel.
Whenever I try to reach anything over IPv4, it times out. Even ping 8.8.8.8 gives me a timeout error.
docker-compose:
version: '3.5'
services:
  openvpn:
    container_name: openvpn
    image: kylemanna/openvpn
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    network_mode: host
    # published ports are ignored (Compose warns about it) when network_mode is
    # host; the daemon binds directly on the host's interfaces instead
    ports:
      - "943:943"
      - "1194:1194/udp"
    # privileged grants every capability, so the cap_add above is redundant
    privileged: true
    hostname: example.com
    volumes:
      - /lib/modules:/lib/modules:ro
      - /etc/openvpn:/etc/openvpn
volumes:
  # declared but not used by the service above, which bind-mounts /etc/openvpn
  openvpn-config:
    name: openvpn-config
It may be related to DNS nameserver settings not being pushed to clients. You can try manually assigning a nameserver (e.g. 8.8.8.8) in Tunnelblick.
As for IPv6 traffic not being encapsulated, I'd check whether the Docker engine is configured to handle such traffic. It looks like Kylemanna's image needs additional configuration (e.g. adding --ipv6 when starting the Docker daemon), as explained under IPv6 Support.
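A server-side audit for the "connected but no Internet" symptom, as an added example (not code from the question, the answer, or the kylemanna/openvpn image). It checks what the answer points at, DNS being pushed to clients and IPv6 being configured, and also the forwarding and NAT prerequisites, because a timeout on ping 8.8.8.8 is independent of DNS: pinging a literal address never resolves a name. Assumed values (hypothetical): the config at /etc/openvpn/openvpn.conf, tunnel subnet 192.168.255.0/24, egress interface eth0. The three inputs at the bottom are constructed samples.

```python
"""Audit the server-side settings that decide whether a connected OpenVPN
client gets working IPv4/IPv6 Internet through the tunnel (added example)."""
import ipaddress
import re
import sys
from typing import Dict, List


def pushed_options(conf: str) -> List[str]:
    """Every `push "..."` line in the server config, without the quotes."""
    return re.findall(r'^\s*push\s+"([^"]+)"', conf, re.MULTILINE)


def audit_server_conf(conf: str) -> Dict[str, bool]:
    pushes = pushed_options(conf)
    redirects = [p.split() for p in pushes if p.startswith("redirect-gateway")]
    return {
        # without a redirect-gateway push the client keeps its home IPv4 default route
        "redirect_ipv4": any("!ipv4" not in r for r in redirects),
        # the ipv6 flag (OpenVPN 2.4+) moves the IPv6 default route into the tunnel
        "redirect_ipv6": any("ipv6" in r for r in redirects),
        "push_dns": any(p.startswith("dhcp-option DNS") for p in pushes),
        # server-ipv6 hands clients a v6 address; without it v6 keeps using the home link
        "server_ipv6": re.search(r"^\s*server-ipv6\s", conf, re.MULTILINE) is not None,
    }


def audit_sysctl(sysctl_out: str) -> Dict[str, bool]:
    """Parse `sysctl -a`-style 'key = value' lines for the forwarding switches."""
    vals = dict(re.findall(r"^(\S+)\s*=\s*(\S+)", sysctl_out, re.MULTILINE))
    return {
        "ipv4_forward": vals.get("net.ipv4.ip_forward") == "1",
        "ipv6_forward": vals.get("net.ipv6.conf.all.forwarding") == "1",
    }


def has_masquerade(iptables_save: str, tun_subnet: str) -> bool:
    """True if a POSTROUTING MASQUERADE rule covers the tunnel subnet.
    Without NAT, Internet replies have no route back to the 192.168.255.x clients."""
    want = ipaddress.ip_network(tun_subnet)
    for line in iptables_save.splitlines():
        if "-A POSTROUTING" not in line or "-j MASQUERADE" not in line:
            continue
        m = re.search(r"-s\s+(\S+)", line)
        if m is None:
            return True  # unrestricted source: NATs the tunnel too
        src = ipaddress.ip_network(m.group(1), strict=False)
        if src.version == want.version and want.subnet_of(src):
            return True
    return False


def problems(conf: str, sysctl_out: str, iptables_save: str, tun_subnet: str) -> List[str]:
    """Everything that would break tunnelled traffic, in plain words."""
    c, s = audit_server_conf(conf), audit_sysctl(sysctl_out)
    out = []
    if not c["redirect_ipv4"]:
        out.append('no push "redirect-gateway def1": IPv4 stays on the home route')
    if not c["push_dns"]:
        out.append('no push "dhcp-option DNS ...": names will not resolve over the tunnel')
    if not s["ipv4_forward"]:
        out.append("net.ipv4.ip_forward=0: the VPS drops forwarded IPv4 packets")
    if not has_masquerade(iptables_save, tun_subnet):
        out.append(f"no MASQUERADE rule for {tun_subnet}: replies cannot return to clients")
    if not (c["server_ipv6"] and c["redirect_ipv6"]):
        out.append("IPv6 is not tunnelled (needs server-ipv6 and redirect-gateway ipv6)")
    if c["server_ipv6"] and not s["ipv6_forward"]:
        out.append("net.ipv6.conf.all.forwarding=0 while server-ipv6 is set")
    return out


# Constructed samples: IPv4 is set up correctly, IPv6 is not.
SAMPLE_CONF = """\
server 192.168.255.0 255.255.255.0
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
"""
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 0\n"
SAMPLE_NAT = "*nat\n-A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE\nCOMMIT\n"

if __name__ == "__main__":
    # Real use: python3 audit.py openvpn.conf sysctl.txt nat.txt, the last two
    # being the saved output of `sysctl -a` and `iptables-save -t nat`.
    if len(sys.argv) == 4:
        inputs = [open(p).read() for p in sys.argv[1:]]
    else:
        inputs = [SAMPLE_CONF, SAMPLE_SYSCTL, SAMPLE_NAT]
    for p in problems(*inputs, "192.168.255.0/24") or ["no problems found"]:
        print(p)
```

Run it on the VPS itself (or on saved output copied off it); on the samples it reports only that IPv6 is not tunnelled, which matches the symptom of IPv6 still leaving via the home connection.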
I am running Docker using Docker Desktop on Windows.
I would like to set-up a simple server.
I run it using:
$ docker run -di -p 1234:80 yahya/example-server
This works as expected and runs fine on localhost:1234.
However, I want to give it its own local domain name (e.g. api.example.test), which should only be accessible locally.
Normally for a VM setup I would edit the Windows hosts file, get the IP address of the VM (let's say it's 192.168.90.90) and add something like the following:
192.168.90.90 api.example.test
How would I do something similar in Docker?
I know you can enter an ip address for port forwarding, but if I enter any local IP I get the following error:
$ docker run -di -p 192.168.90.90:1234:80 yahya/example-server
docker: Error response from daemon: Ports are not available: exposing port TCP 192.168.90.90:80 -> 0.0.0.0:0: listen tcp 192.168.90.90:80: can't bind on the specified endpoint.
However, it does work for 10.0.0.7 for some reason (I found this IP automatically added in the hosts file after installing Docker Desktop).
$ docker run -di -p 10.0.0.7:1234:80 yahya/example-server
This essentially solves the issue, but would become an issue again if I have more than 1 project.
Is there a way I can use another local IP address (preferably without a nginx proxy)?
I think there is no simple way to do this without some kind of reverse-proxy.
In my dev environment I use Traefik and dnscrypt-proxy to get automatic *.test domain names for multiple projects at the same time.
First, start the Traefik proxy on ports 80 and 443; example docker-compose.yml:
---
networks:
  traefik:
    name: traefik
services:
  traefik:
    image: traefik:2.8.3
    container_name: traefik
    restart: always
    volumes:
      # access to the Docker socket is root-equivalent on the host; keep this
      # proxy trusted and never publish its API/dashboard
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - traefik
    ports:
      - 80:80
      - 443:443
    environment:
      TRAEFIK_API: 'true'
      TRAEFIK_ENTRYPOINTS_http: 'true'
      TRAEFIK_ENTRYPOINTS_http_ADDRESS: :80
      TRAEFIK_ENTRYPOINTS_https: 'true'
      TRAEFIK_ENTRYPOINTS_https_ADDRESS: :443
      TRAEFIK_ENTRYPOINTS_https_HTTP_TLS: 'true'
      TRAEFIK_GLOBAL_CHECKNEWVERSION: 'false'
      TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE: 'false'
      TRAEFIK_PROVIDERS_DOCKER: 'true'
      # only containers that opt in with traefik.enable get routed
      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: 'false'
Then, attach your service to traefik network, and set labels for routing (see Traefik & Docker). Example docker-compose.yml:
---
networks:
  traefik:
    external: true
services:
  example:
    image: yahya/example-server
    restart: always
    labels:
      # label values are strings; quoting keeps YAML from turning them into a bool/int
      traefik.enable: "true"
      traefik.docker.network: traefik
      traefik.http.routers.example.rule: Host(`example.test`)
      traefik.http.services.example.loadbalancer.server.port: "80"
    networks:
      - traefik
Finally, add to hosts:
127.0.0.1 example.test
Instead of manually adding every future domain to hosts, you can set up a local DNS resolver. I prefer to use the cloaking feature of dnscrypt-proxy for this.
You can install it using the Installation instructions, then uncomment the following line in dnscrypt-proxy.toml:
cloaking_rules = 'cloaking-rules.txt'
and add to cloaking-rules.txt:
*.test 127.0.0.1
Finally, set your network connection to use 127.0.0.1 as its DNS resolver.
I set up a rootless Docker host. Portainer works fine, and I can also start OpenProject with the compose file below, but only when I run it on Docker's standard bridge network.
I have created several network adapters on my Docker host (Debian), so I have, for example:
ens1283 = 192.168.10.5
ens3283 = 192.168.50.11
Why: ens3283 of course has a MAC address on the host, which lets me hand out a fixed IP.
Now I created a bridge in Portainer with the following settings:
Name VLAN50FIX11
ID 2725cc96b95b7de962a5a69d3437e0b601f4606782ad97bffe8234166eaab93e
Driver bridge
Scope local
Attachable false
Internal false
IPv4 Subnet 172.17.11.0/16
IPv4 Gateway 172.17.11.1
IPv4 IP range 172.17.11.1/25
IPv4 Excluded IPs
Access control
Ownership administrators
Network options
com.docker.network.bridge.enable_icc true
com.docker.network.bridge.enable_ip_masquerade true
com.docker.network.bridge.host_binding_ipv4 192.168.50.11
com.docker.network.bridge.name VLAN50FIX11
com.docker.network.driver.mtu 1500
I also tried different networks, e.g. 192.168.50.0/24, and many other variants.
But I never had any luck; I always got ERR_SSL_PROTOCOL_ERROR in the browser. When I start the stack with the default bridge, it works fine.
Docker compose file:
version: '3.9'
services:
  openproject:
    hostname: SVGXXX-OPEN-01
    image: openproject/community:12.1.5
    networks:
      - VLAN50FIX11
    ports:
      - 8181:80
    container_name: openproject
    environment:
      - PUID=1001
      - PGID=1001
      # session-signing secret: keep it out of version control and rotate it
      # if it has ever been shared (as this one has been, by being posted)
      - SECRET_KEY_BASE=9jsdjkSKjf99847459Dg7956ds61
    volumes:
      - /var/lib/containers/openproject/pgdata:/var/openproject/pgdata
      - /var/lib/containers/openproject/assets:/var/openproject/assets
    restart: unless-stopped
networks:
  VLAN50FIX11:
    external: true
I always receive ERR_SSL_PROTOCOL_ERROR when I start the openproject stack.
What do I need to change?
Thanks for your help
Perhaps you have to set
OPENPROJECT_HTTPS=false
disables the on-by-default HTTPS mode of OpenProject so you can access
the instance over HTTP-only. For all production systems we strongly
advise not to set this to false, and instead set up a proper TLS/SSL
termination on your outer web server.
https://www.openproject.org/docs/installation-and-operations/installation/docker/#all-in-one-container
I have two Docker containers that share the same network. When I ssh into one of the containers and make an HTTP call to the other, I get a 200 response: curl -i http://app-web.
I need to be able to call app-web container via https: curl https://app-web, however that returns: Failed to connect to app-web port 443: Connection refused.
This is the docker-compose.yml file for the app-web. What am I missing?
version: "3.8"
networks:
  local-proxy:
    external: true
  internal:
    external: false
services:
  web:
    build:
      context: ./docker/bin/php
    container_name: app-web
    # expose: is documentation only; it does not make anything listen on 80 or 443
    expose:
      - "80"
      - "443"
    networks:
      - internal
      - local-proxy
As stated by @David Maze:
Your application isn't listening on port 443. Compose expose: does
pretty much nothing at all, and you can delete that section of the
file without changing anything about how the containers work.
You need to make sure that the app-web container is set up and actually listening on port 443.
For example, for Apache, this may mean:
Enabling the necessary modules, i.e. a2enmod headers ssl.
Setting up that domain to be able to handle/receive SSL connections.
Restarting your server to implement the changes.
More on that here: How To Create a Self-Signed SSL Certificate for Apache in Ubuntu 18.04
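A client-side probe that tells "nothing is listening on 443" apart from "something is listening but it is not TLS", as an added example (not code from the question or the answer). The host name app-web and the ports are the thread's; the throwaway listener is a constructed stand-in for an Apache that only has Listen 80, and the function names are mine.

```python
"""Classify what is behind host:port: refused, plain TCP without TLS, TLS,
or no answer at all (added example)."""
import socket
import ssl
import sys
import threading
from typing import Dict


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """refused  - no process accepts on that port (Compose `expose:` cannot
                 create a listener; only the server process can)
    no-tls   - TCP connects, but the peer does not answer a TLS ClientHello
               (a plain-HTTP listener replies with a 400; a silent one
               runs into the timeout, which lands here too)
    tls      - handshake completed; the certificate is deliberately NOT
               verified, so this is reachability, not trust
    timeout  - no SYN/ACK at all: a route or firewall problem, not the port"""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # handshakes here
    except OSError:  # ssl.SSLError, ConnectionResetError, socket.timeout
        return "no-tls"
    tls.close()
    return "tls"


def _plain_http_listener() -> int:
    """Constructed stand-in for a container whose web server listens without
    TLS: answers whatever arrives with an HTTP 400 and closes. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        conn.recv(4096)  # the TLS ClientHello, which this server cannot parse
        conn.sendall(b"HTTP/1.0 400 Bad Request\r\nConnection: close\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _unused_port() -> int:
    """A port nothing listens on (bound, then released)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> Dict[str, str]:
    """Run probe() against the two local stand-ins."""
    return {
        "plain_http": probe("127.0.0.1", _plain_http_listener()),
        "nothing": probe("127.0.0.1", _unused_port()),
    }


if __name__ == "__main__":
    # From a container on the same network: python3 probe.py app-web 443
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        print(demo())
```

Run it from a container on the local-proxy or internal network against app-web 443: "refused" confirms the answer's point that no listener exists yet, while "no-tls" after enabling the vhost means Apache is up on 443 but not speaking TLS (for example the SSLEngine on line is missing).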
I am trying to connect MinIO with KeyCloak and I follow the instructions provided in this documentation:
https://github.com/minio/minio/blob/master/docs/sts/keycloak.md
What I have done so far is deploy a Docker container for the MinIO server, another one for the MinIO Client and a third one for the KeyCloak server.
As you can see in the following snippet the configuration of the Minio Client container is done correctly, since I can list the buckets available in the Minio Server:
mc ls myminio
[2020-05-14 11:54:59 UTC] 0B bucket1/
[2020-05-06 12:23:01 UTC] 0B bucket2/
I have an issue arising when I try to configure MinIO as depicted in step 3 (Configure MinIO) of the documentation. In more detail, the command that I run is this one:
mc admin config set myminio identity_openid config_url="http://localhost:8080/auth/realms/demo/.well-known/openid-configuration" client_id="account"
And the error I get is this one:
mc: <ERROR> Cannot set 'identity_openid config_url=http://localhost:8080/auth/realms/demo/.well-known/openid-configuration client_id=account' to server. Get http://localhost:8080/auth/realms/demo/.well-known/openid-configuration: dial tcp 127.0.0.1:8080: connect: connection refused.
When I curl this address http://localhost:8080/auth/realms/demo/.well-known/openid-configuration from the MinIO Client container though, I retrieve the JSON file.
Turns out, all I had to do is change the localhost in the config_url, from localhost to the IP of the KeyCloak container (172.17.0.3).
This is just a temporary solution that works for now, but I will continue searching for something more concrete than just hardcoding the IP.
When I figure out the solution, this answer will be updated.
Update
I had to create a docker-compose.yml file as the one below in order to overcome the issues without having to manually place the IP of the KeyCloak container.
version: '2'
services:
  miniod:
    image: minio/minio
    restart: always
    container_name: miniod
    ports:
      - 9000:9000
    volumes:
      - "C:/data:/data"
    environment:
      - "MINIO_ACCESS_KEY=access_key"
      - "MINIO_SECRET_KEY=secret_key"
    command: ["server", "/data"]
    networks:
      - minionw
  mcd:
    image: minio/mc
    container_name: mcd
    networks:
      - minionw
  kcd:
    image: quay.io/keycloak/keycloak:10.0.1
    container_name: kcd
    restart: always
    ports:
      - 8080:8080
    environment:
      - "KEYCLOAK_USER=admin"
      - "KEYCLOAK_PASSWORD=pass"
    networks:
      - minionw
networks:
  # user-defined network: Docker's embedded DNS resolves miniod/mcd/kcd by
  # name here, which the default bridge network does not do
  minionw:
    driver: "bridge"
Connection refused occurs when a port is not accessible on the hostname or IP we specified.
Please try exposing the port using the --expose flag along with the port number you wish to expose when using the Docker CLI. Once exposed, you can access it on localhost.
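The reason the first answer's fix works, expressed as a small check, as an added example (not code from the answers, MinIO or Keycloak): inside a container, localhost and 127.0.0.1 are the container's own network namespace, never the Docker host and never a sibling container, so MinIO dialling localhost:8080 reaches nothing. The config_url, the service names miniod/mcd/kcd and port 8080 are the thread's; the function names and the sample discovery document are mine and constructed.

```python
"""Detect a loopback host in an OIDC config_url, rewrite it to the Compose
service name, and compare the discovery issuer with a token's iss
(added example)."""
import ipaddress
import json
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def is_loopback_host(host: str) -> bool:
    """True when the host names the caller's own network namespace
    ('localhost', 127.0.0.0/8, ::1). From another container that is a
    different namespace, hence 'connection refused'."""
    h = host.strip().strip("[]").lower()
    if h in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False


def container_reachable_url(url: str, service_name: str) -> str:
    """Rewrite a loopback URL to one a sibling container can reach.

    The host becomes the Compose service name, which Docker's embedded DNS
    resolves on user-defined networks (not on the default bridge, which is
    why the compose file above declares `minionw`). The port stays the
    container's own port: a host-published mapping like `8080:8080` plays
    no part container-to-container."""
    parts = urlsplit(url)
    if not is_loopback_host(parts.hostname or ""):
        return url
    netloc = service_name if parts.port is None else f"{service_name}:{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc))


def issuer_mismatch(discovery_json: str, token_iss: str) -> Optional[str]:
    """Keycloak derives `issuer` from the host it was reached through unless a
    frontend URL is configured, so a document fetched via http://kcd:8080 can
    carry a different issuer than the `iss` in tokens users obtained through
    http://localhost:8080. A relying party that validates `iss` rejects such
    tokens. Returns a message when they differ, None when they match."""
    issuer = json.loads(discovery_json).get("issuer")
    if issuer == token_iss:
        return None
    return f"discovery issuer {issuer!r} != token iss {token_iss!r}"


# Constructed inputs; CONFIG_URL is the one from the question.
CONFIG_URL = "http://localhost:8080/auth/realms/demo/.well-known/openid-configuration"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://kcd:8080/auth/realms/demo",
    "jwks_uri": "http://kcd:8080/auth/realms/demo/protocol/openid-connect/certs",
})

if __name__ == "__main__":
    fixed = container_reachable_url(CONFIG_URL, "kcd")
    print(f'mc admin config set myminio identity_openid config_url="{fixed}" client_id="account"')
    print(issuer_mismatch(SAMPLE_DISCOVERY, "http://localhost:8080/auth/realms/demo"))
```

The rewritten URL is what the compose setup in the first answer relies on: http://kcd:8080/auth/realms/demo/.well-known/openid-configuration instead of a hard-coded 172.17.0.3. The issuer comparison is the follow-up check worth doing once the connection works, since the same Keycloak is reached under two names (kcd from inside the network, localhost from the host).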
Docker Version: Version 17.03.0-ce-mac2 (15654)
OS: macOS Sierra
I am trying to set up an HA environment using docker-compose. A quick overview of what the topology might look like: I will have at least two instances of keepalived and haproxy running, and haproxy will be in front of multiple servers. However, in this post I refer to only one instance of keepalived, haproxy, and server for simplicity.
The problem that I have right now is that I am unable to direct traffic to the virtual IP address that I assign to keepalived. For testing purposes in my docker compose file I have a client that tries to communicate using the VIP, and it results in a connection refused error.
dial tcp 192.168.99.120:80: getsockopt: connection refused
However, if I reach out directly to haproxy there is not a connection issue. Furthermore, I can communicate directly to the haproxy from host but not to keepalived.
I feel like this has something to do with how networks work in docker but I am pretty new to using docker and have not been able to track down the issue. Any help would be much appreciated.
My configuration files are all included below.
docker-compose.yml:
version: '2'
services:
  keepalived1:
    image: neoassist/docker-keepalived:latest
    container_name: keepalived1
    volumes:
      - "./keepalived.conf:/etc/keepalived/keepalived.conf"
    environment:
      - VIRTUAL_IP=192.168.99.120
      - VIRTUAL_MASK=24
      - VRID=1
      - CHECK_IP=any
      - CHECK_PORT=80
      - INTERFACE=eth0
    entrypoint: sh -c 'sleep 4;/usr/bin/keepalived.sh'
    network_mode: "host"
    # keepalived needs NET_ADMIN to add the VIP to the interface
    # (privileged: true below already grants every capability)
    cap_add:
      - NET_ADMIN
    privileged: true
  haproxy1:
    image: haproxy:latest
    container_name: haproxy1
    ports:
      - 7054:7054
    volumes:
      - "./haproxy1.cfg:/usr/local/etc/haproxy/haproxy.cfg"
    environment:
      # an environment variable named EXPOSE does nothing; `ports:` publishes 7054
      - EXPOSE=7054
    links:
      - fabric-ca-server1:fabric-ca-server1
  fabric-ca-server1:
    image: hyperledger/fabric-ca
    container_name: fabric-ca-server1
    ports:
      - 7051:7054
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    volumes:
      - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"
    command: sh -c "fabric-ca-server start -d -b admin:adminpw"
  admin-client:
    image: hyperledger/fabric-ca
    container_name: admin-client
    network_mode: "host"
    # -u takes the user:password@host form
    command: sh -c "sleep 14;fabric-ca-client enroll -d -u http://admin:adminpw@192.168.99.120"
haproxy.cfg
global
    maxconn 4096

defaults
    mode http
    maxconn 2000
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend server
    bind *:7054
    mode tcp
    default_backend server_cluster

backend server_cluster
    balance source
    mode tcp
    option tcpka
    server server1 fabric-ca-server1:7054
keepalived.conf
vrrp_script haproxy {
    script "pidof haproxy"
    interval 2
    weight 2
}

vrrp_instance haproxy_1 {
    virtual_router_id 1
    advert_int 1
    interface eth0
    nopreempt
    state BACKUP
    virtual_ipaddress {
        192.168.99.120/24 dev eth0
    }
    track_script {
        haproxy
    }
}
ifconfig from my mac has:
vboxnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 0a:00:27:00:00:00
        inet 192.168.99.1 netmask 0xffffff00 broadcast 192.168.99.255
I don't think this will ever work with Docker for Mac, because it actually uses a VM under the covers to run your Docker containers. This should work on a system with native Docker support if you use host networking rather than bridge networking.
My suggestion would be to look at either Docker swarm mode (not the standalone Docker Swarm) or Kubernetes, which both provide mechanisms to scale services and load-balance across them via a single address.
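A consistency check across the three posted files, as an added example (not code from the question or the answer, and independent of the Docker for Mac point the answer makes). On a native Linux host it answers two questions first: did VRRP actually put the VIP on an interface, and do keepalived's CHECK_PORT, haproxy's bind port and the port the client dials agree with each other. The values are the thread's (VIP 192.168.99.120, CHECK_PORT=80, bind *:7054, the enroll URL); the ip -o -4 addr output is constructed and the function names are mine.

```python
"""Cross-check VIP presence and port agreement for a keepalived + haproxy
front end (added example)."""
import re
from typing import List


def vip_interfaces(ip_addr_output: str, vip: str) -> List[str]:
    """Interfaces carrying the VIP, from `ip -o -4 addr show` output. Empty
    means VRRP never added the address on this host, so nothing here can
    answer a SYN for it no matter what haproxy does."""
    found = []
    for line in ip_addr_output.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+([\d.]+)/\d+", line)
        if m and m.group(2) == vip:
            found.append(m.group(1))
    return found


def haproxy_bind_ports(cfg: str) -> List[int]:
    """Ports from every `bind [addr]:port` line in haproxy.cfg."""
    return [int(p) for p in re.findall(r"^\s*bind\s+[^\s:]*:(\d+)", cfg, re.MULTILINE)]


def url_port(url: str) -> int:
    """Port a client dials for http(s)://[user:pass@]host[:port]; with no
    explicit port an HTTP client uses 80 (443 for https), which is exactly
    the ':80' in the error from the question."""
    m = re.match(r"(https?)://(?:[^@/]*@)?[^:/]+(?::(\d+))?", url)
    if not m:
        raise ValueError(f"not an http(s) URL: {url}")
    return int(m.group(2)) if m.group(2) else (443 if m.group(1) == "https" else 80)


def problems(ip_addr_output: str, vip: str, haproxy_cfg: str,
             check_port: int, client_url: str) -> List[str]:
    """Everything that keeps traffic to the VIP from reaching haproxy."""
    out = []
    if not vip_interfaces(ip_addr_output, vip):
        out.append(f"VIP {vip} is not present on any interface")
    binds = haproxy_bind_ports(haproxy_cfg)
    if check_port not in binds:
        out.append(f"keepalived CHECK_PORT {check_port} is not a haproxy bind port {binds}")
    cp = url_port(client_url)
    if cp not in binds:
        out.append(f"client dials port {cp} but haproxy binds {binds}")
    return out


# Constructed host state: VIP absent, then present as a secondary address.
IP_ADDR_NO_VIP = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 192.168.99.100/24 brd 192.168.99.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
)
IP_ADDR_WITH_VIP = IP_ADDR_NO_VIP + (
    "2: eth0    inet 192.168.99.120/24 scope global secondary eth0\\       valid_lft forever preferred_lft forever\n"
)
HAPROXY_CFG = "frontend server\n    bind *:7054\n    mode tcp\n"
ENROLL_URL = "http://admin:adminpw@192.168.99.120"

if __name__ == "__main__":
    # Live use: feed the real output of `ip -o -4 addr show` instead of the sample.
    for p in problems(IP_ADDR_WITH_VIP, "192.168.99.120", HAPROXY_CFG, 80, ENROLL_URL):
        print(p)
```

On the posted files the check reports that the health check and the client both target port 80 while haproxy listens on 7054, so even once the VIP is claimed on a Linux host those ports need to be aligned before the enroll call can succeed.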