docker container network access when using vpn - docker

Expected Result:
Container can access each other thru hostname or hostcomputer ip.
Actual Result:
When using network_mode I can't make any changes as static ip or links to other containers.
Description:
I've a couple of containers all using --net (network_mode) to a openvpn. As single instances they work and with nginx proxy I can access each from any computer.
However the containers can't find each other except with local ip (172.19.0.x). I could use that but what happens on host reboot. Will the ip addresses change?
docker-compose.yml
version: '3.4'
services:
vpn:
image: dperson/openvpn-client
container_name: vpn
cap_add:
- net_admin
networks:
- default
tmpfs:
- /tmp
restart: unless-stopped
security_opt:
- label:disable
stdin_open: true
tty: true
volumes:
- ../openvpn:/vpn
- /dev/net:/dev/net:z
environment:
- DNS='8.8.4.4 8.8.8.8'
- FIREWALL="1"
- TZ='Europe/Stockholm'
command: -f ""
networks:
- default
proxy:
image: nginx
container_name: proxy
environment:
TZ: 'Europe/Stockholm'
ports:
- "6003:8989" # sonarr
- "6004:7878" # radarr
- "6001:8112" # deluge
- "6002:9117" # jackett
depends_on:
- sonarr
- radarr
- deluge
- jackett
links:
- vpn:sonarr
- vpn:radarr
- vpn:deluge
- vpn:jackett
networks:
- default
volumes:
- ../nginx/default.conf:/etc/nginx/conf.d/default.conf
restart: always
command: "nginx -g 'daemon off;'"
sonarr:
image: linuxserver/sonarr
container_name: sonarr
volumes:
- ../sonarr:/config
- /etc/localtime:/etc/localtime:ro
- /media/megadrive/Media/Series:/tv
- /media/megadrive/Media/tmp/completed:/downloads
env_file: ../uidgid.env
network_mode: "service:vpn"
environment:
- TZ='Europe/Stockholm'
cap_add:
- net_admin
depends_on:
- vpn
restart: always
radarr:
image: linuxserver/radarr
container_name: radarr
volumes:
- ../radarr:/config
- /media/megadrive/Media/Movies:/movies
- /media/megadrive/Media/tmp/completed:/downloads
- /etc/localtime:/etc/localtime:ro
env_file: ../uidgid.env
network_mode: "service:vpn"
environment:
- TZ='Europe/Stockholm'
cap_add:
- net_admin
depends_on:
- vpn
restart: always
deluge:
image: linuxserver/deluge
container_name: deluge
depends_on:
- vpn
network_mode: "service:vpn"
volumes:
- ../deluge:/config
- /media/megadrive/Media/tmp/:/downloads
- /etc/localtime:/etc/localtime:ro
restart: always
env_file: ../uidgid.env
environment:
- TZ='Europe/Stockholm'
jackett:
container_name: jackett
image: linuxserver/jackett
restart: unless-stopped
network_mode: "service:vpn"
env_file: ../uidgid.env
environment:
- TZ='Europe/Stockholm'
volumes:
- ../jackett:/config
- /media/megadrive/Media/tmp/blackhole:/downloads
networks:
default:

It seems that letting vpn service use host instead of bridge (default). Will solve a couple of things.
Allow everything to work on host computer ip. As long as every service is on its own port this is okay.
Services still seems to be following openvpn rules
no more need for nginx for proxy to the webgui
vpn:
image: dperson/openvpn-client
container_name: vpn
cap_add:
- net_admin
tmpfs:
- /tmp
restart: unless-stopped
security_opt:
- label:disable
stdin_open: true
tty: true
volumes:
- ../openvpn:/vpn
- /dev/net:/dev/net:z
environment:
- DNS='8.8.4.4 8.8.8.8'
- FIREWALL="1"
- TZ='Europe/Stockholm'
command: -f ""
network_mode: "host"

The other option is that the services in the vpn use localhost to access each other. Since they share the network stack of the vpn container they are accessed as if they were the same host. This one had me stumped for a while this week.
One comment, you've got net_admin on all your containers, you only need it on the vpn

Related

Wrong ip assignment docker-compose

I am building a website and trying to deploy the whole stack using docker compose.
The website needs a database, an api, a middleware translation layer and a frontend that are all able to communicate with eachother.
I have understood that I might need a network. So I made one.
Problem is that all containers get random ip adresses within the ip range.
it seems aux_adresses does not do the thing I thought it did...
services:
db:
image: neo4j:community
restart: unless-stopped
volumes:
- ./conf:/conf
- ./data:/data
- ./import:/import
- ./logs:/logs
- ./plugins:/plugins
environment:
# Raise memory limits
- NEO4J_AUTH=neo4j/password
- NEO4J_dbms_memory_pagecache_size=1G
- NEO4J_dbms.memory.heap.initial_size=1G
- NEO4J_dbms_memory_heap_max__size=1G
ports:
- 7474:7474
- 7687:7687
networks:
- matrix-network
api:
build: ./api/.
restart: unless-stopped
ports:
- 8000:8000
networks:
- matrix-network
middleware:
build:
./database-middleware/.
restart: unless-stopped
ports:
- 4000:4000
networks:
- matrix-network
web:
build:
./.
restart: unless-stopped
ports:
- "80:80"
networks:
- matrix-network
networks:
matrix-network:
ipam:
driver: default
config:
- subnet: 172.28.0.0/16
ip_range: 172.28.5.0/24
gateway: 172.28.5.254
aux_addresses:
api: 172.28.1.5
db: 172.28.1.6
middleware: 172.28.1.7
web: 172.28.1.8
just use the service name instead of an ip.
so for example: http://middleware:4000 instead of the ip.
thx #tkausl

Why is my app not installed? File not found

This is my docker-compose.yml. I am trying to deploy app and mysql,I added network.
version: '3'
services:
#PHP Service
app:
image: lscr.io/linuxserver/bookstack
container_name: bookstack
restart: unless-stopped
environment:
- DB_HOST=mysql
- DB_USER=quantox
- DB_PASS=****
- DB_DATABASE=bookstackapp
working_dir: /var/www
volumes:
- ./:/var/www
- ./php/local.ini:/usr/local/etc/php/conf.d/local.ini
ports:
- 6875:80
networks:
- app-network
db:
image: mysql:5.7.22
container_name: mysql
restart: unless-stopped
ports:
- 33060:3306
environment:
- MYSQL_ROOT_PASSWORD=***
- TZ=Europe/Budapest
- MYSQL_DATABASE=bookstackapp
- MYSQL_USER=bookstack
- MYSQL_PASSWORD=****
volumes:
- dbdata:/var/lib/mysql/
- ./mysql/my.cnf:/etc/mysql/my.cnf
networks:
- app-network
#Docker Networks
networks:
app-network:
driver: bridge
#Volumes
volumes:
dbdata:
driver: local
After I go for up -d
I got
Name Command State Ports
-----------------------------------------------------------------------------------------------
bookstack /init Up 443/tcp, 0.0.0.0:6875->80/tcp,:::6875->80/tcp
mysql docker-entrypoint.sh mysqld Up 0.0.0.0:33060->3306/tcp,:::33060->3306/tcp
But in browser localhost:6875 shows
File not found.
Why? Both my app and mysql are on same network. What should I check now?
When using volumes (-v flags) permissions issues can arise between the host OS and the container, you could avoid this issue by allowing you to specify the user PUID and group PGID.

Making Nextcloud Docker accessible from local network

I installed a fully dockerized Nextcloud server on Ubuntu LTS 20.04.
Right now, it is accessible via nginx from the subdomain I assigned to it, with a SSL certificate from Lets Encrypt.
I would like to be able to access it from a local IP from within the network on port 8140.
I tried adding the ports to the docker-compose.yml file with:
ports:
- "8140:8140"
But the ports get assigned to 0.0.0.0 instead of the machine's IP address.
Anyone knows how to expose the container to the local network?
Here's an example of the docker-compose.yml I used:
version: '3'
services:
proxy:
image: jwilder/nginx-proxy:alpine
labels:
- "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true"
container_name: nextcloud-proxy
networks:
- nextcloud_network
ports:
- 80:80
- 443:443
- "8140:8140"
volumes:
- ./proxy/conf.d:/etc/nginx/conf.d:rw
- ./proxy/vhost.d:/etc/nginx/vhost.d:rw
- ./proxy/html:/usr/share/nginx/html:rw
- ./proxy/certs:/etc/nginx/certs:ro
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/tmp/docker.sock:ro
restart: unless-stopped
letsencrypt:
image: jrcs/letsencrypt-nginx-proxy-companion
container_name: nextcloud-letsencrypt
depends_on:
- proxy
networks:
- nextcloud_network
volumes:
- ./proxy/certs:/etc/nginx/certs:rw
- ./proxy/vhost.d:/etc/nginx/vhost.d:rw
- ./proxy/html:/usr/share/nginx/html:rw
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: unless-stopped
db:
image: mariadb
container_name: nextcloud-mariadb
networks:
- nextcloud_network
volumes:
- db:/var/lib/mysql
- /etc/localtime:/etc/localtime:ro
environment:
- MYSQL_ROOT_PASSWORD=toor
- MYSQL_PASSWORD=mysql
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
restart: unless-stopped
app:
image: nextcloud:latest
container_name: nextcloud-app
networks:
- nextcloud_network
depends_on:
- letsencrypt
- proxy
- db
volumes:
- nextcloud:/var/www/html
- ./app/config:/var/www/html/config
- ./app/custom_apps:/var/www/html/custom_apps
- ./app/data:/var/www/html/data
- ./app/themes:/var/www/html/themes
- /etc/localtime:/etc/localtime:ro
environment:
- VIRTUAL_HOST=nextcloud.YOUR-DOMAIN
- LETSENCRYPT_HOST=nextcloud.YOUR-DOMAIN
- LETSENCRYPT_EMAIL=YOUR-EMAIL
restart: unless-stopped
volumes:
nextcloud:
db:
networks:
nextcloud_network:
As far as I know, you append the IP Address you are binding to locally as follows:
ports:
- 192.168.0.254:80:80
- 192.168.0.254:443:443
- "192.168.0.254:8140:8140"

Share Docker container through local network and access to it from an another host

I try to share a container through my local network, to access this container from an another machine on the same network. I have follow tihs tutorial (section "With macvlan devices") and I succeeded to share a simple web container and access from an another host.
But the container that I want to share is a little more sophisticated, because he comminicate with other containers on the host through an internal network on the host.
I try to bind my existing container created in my docker-compose but I can't access to it. Can you help me, or tell me where I'm wrong if so please ?
This is my docker-compose :
version: "2"
services:
baseimage:
container_name: baseimage
image: base
build:
context: ./
dockerfile: Dockerfile.base
web:
container_name: web
image: web
env_file:
- .env
context: ./
dockerfile: Dockerfile.web
extra_hosts:
- dev.api.exemple.com:127.0.0.1
- dev.admin.exemple.com:127.0.0.1
- dev.www.exemple.com:127.0.0.1
ports:
- 80:80
- 443:443
volumes:
- ./code:/ass
- /var/run/docker.sock:/var/run/docker.sock
tty: true
dns:
- 8.8.8.8
- 8.8.4.4
links:
- mysql
- redis
- elasticsearch
- baseimage
networks:
devbox:
ipv4_address: 172.20.0.2
cron:
container_name: cron
image: cron
build:
context: ./
dockerfile: Dockerfile.cron
volumes:
- ./code:/ass
tty: true
dns:
- 8.8.8.8
- 8.8.4.4
links:
- web:dev.api.exemple.com
- mysql
- redis
- elasticsearch
- baseimage
networks:
devbox:
ipv4_address: 172.20.0.3
mysql:
container_name: mysql
image: mysql:5.6
ports:
- 3306:3306
networks:
devbox:
ipv4_address: 172.20.0.4
redis:
container_name: redis
image: redis:3.2.4
ports:
- 6379:6379
networks:
devbox:
ipv4_address: 172.20.0.5
elasticsearch:
container_name: elastic
image: elasticsearch:2.3.4
environment:
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
volumes:
- ./es_data:/usr/share/elasticsearch/data
ports:
- 9200:9200
networks:
devbox:
ipv4_address: 172.20.0.6
chromedriver:
container_name: chromedriver
image: robcherry/docker-chromedriver:latest
privileged: true
ports:
- 4444:4444
environment:
- CHROMEDRIVER_WHITELISTED_IPS='172.20.0.2'
- CHROMEDRIVER_URL_BASE='wd/hub'
- CHROMEDRIVER_EXTRA_ARGS='--ignore-certificate-errors'
networks:
devbox:
ipv4_address: 172.20.0.7
links:
- web:dev.www.exemple.com
networks:
devbox:
driver: bridge
driver_opts:
com.docker.network.enable_ipv6: "false"
ipam:
driver: default
config:
- subnet: 172.20.0.0/16
gateway: 172.20.0.1
Create an external network assign the external network and devbox network to web. Web would then be publicly accessible via the external network public ip address and communicate with the internal services using the devbox network.
Will post working example asap

Docker Compose - Network_mode:Service: - 2 containers cant talk to each other

Over the last couple weeks I have been getting to grips with docker and decided to teach myself. I’m getting a fairly good grasp of it now and have just ventured out into using docker compose.
I have a docker compose yml file that I found online and have been modfying it to my needs.
Basically this docker compose file runs Sonarr, Radarr, Transmission, openvpn and nginx.
Sonarr and Radarr are using service:vpn as their network so that their traffic passes through the VPN.
NGINX is used as a reverse proxy to get to Sonarr and Radarr at the following urls - http://radarr:7878 & http://sonarr:8989 using “sonarr.myredacteddomain/com” “radarr.myredacteddomain/com” which is working great.
NGINX uses the “Link:” to be able get to sonarr and radarr as you can see from my yml below. Problem i’m now having is that I need Radarr and Sonarr to be able to talk to transmission so that they both know where my download client is located. If on Sonarr I enter transmission:9091 or transmission.myredacteddomain/com Sonarr/Radarr cant see it.
Looking at these containers Radarr and Sonarr dont seem to have an IP address so how is it that NGINX can see them via radarr:7878 etc but Sonarr and Radarr cant see transmission in the same way? Can anyone help me with my yml file here?
version: '3.0'
networks:
default:
ipam:
driver: default
services:
jackett:
image: linuxserver/jackett
depends_on:
- vpn
restart: always
network_mode: "service:vpn"
environment:
PGID: 1000
PUID: 1000
TZ: Europe/London
volumes:
- /mnt/user/config/jackett:/config
- /mnt/user/media/downloads/jackett:/downloads
transmission:
image: linuxserver/transmission:48
depends_on:
- vpn
environment:
TZ: 'Europe/London'
PGID: 1000
PUID: 1000
network_mode: "service:vpn"
tmpfs:
- /tmp
restart: unless-stopped
stdin_open: true
tty: true
volumes:
- /mnt/user/config/transmission:/config
- /mnt/user/media/downloads:/downloads
radarr:
image: linuxserver/radarr
depends_on:
- vpn
restart: always
network_mode: "service:vpn"
environment:
PGID: 1000
PUID: 1000
TZ: Europe/London
volumes:
- /mnt/user/config/radarr:/config
- /mnt/user/media/downloads/complete:/downloads
- /mnt/user/media/movies:/movies
sonarr:
image: linuxserver/sonarr
depends_on:
- vpn
restart: always
network_mode: "service:vpn"
environment:
PGID: 1000
PUID: 1000
TZ: Europe/London
volumes:
- /mnt/user/config/sonarr:/config
- /mnt/user/media/downloads/complete:/downloads
- /mnt/user/media/tvshows:/tv
vpn:
image: dperson/openvpn-client
sysctls:
- net.ipv6.conf.all.disable_ipv6=0
cap_add:
- net_admin
dns:
- 8.8.4.4
- 8.8.8.8
environment:
TZ: 'Europe/London'
read_only: true
tmpfs:
- /tmp
restart: unless-stopped
security_opt:
- label:disable
stdin_open: true
tty: true
volumes:
- /dev/net:/dev/net:z
- /mnt/user/config/vpn:/vpn
web:
image: nginx
depends_on:
- transmission
- sonarr
- jackett
- radarr
environment:
TZ: 'Europe/London'
IPV6: 0
links:
- vpn:transmission
- vpn:jackett
- vpn:radarr
- vpn:sonarr
ports:
- "80:80"
- "443:443"
read_only: true
volumes:
- /mnt/user/config/nginx:/etc/nginx/conf.d:ro
- /mnt/user/config/nginx/ssl:/etc/nginx/ssl:ro
tmpfs:
- /run
- /tmp
- /var/cache/nginx
restart: unless-stopped
stdin_open: true
tty: true
Managed to work it out!
Turns out that containers that are using the Network_Mode:Service:vpn share the ip address of the VPN docker.
Solved my own problem!

Resources