Connect to host system Web API from Windows docker Container - docker

I am running a web API on the host system and it's not exposed on public IP.
I want to access from a docker windows container running on the same system.
By initial analysis, it seems Windows containers do not support accessing the host system from within a container.
I tried to access the API with the following addresses, but none of them are working:
https://host_system_ip:port/api/controller/action
https://default_gateway_ip:port/api/controller/action
https://localhost:port/api/controller/action
https://127.0.0.1:port/api/controller/action
For security reasons I cannot make that API accessible on a public IP; only the host system and containers running on the same host machine should be allowed to access the web API.

This works fine for me from within container. Make sure you are on latest OS etc and nothing is missing.
PS C:\> docker run --rm microsoft/windowsservercore powershell invoke-webrequest 192.168.1.221 -useBasicParsing
StatusCode : 200
StatusDescription : OK
Content : Application 995184 and started on 3/21/2018 8:59:09 AM
RawContent : HTTP/1.1 200 OK
Content-Length: 54
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 21 Mar 2018 14:01:22 GMT
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Pow...
Forms :
Headers : {[Content-Length, 54], [Cache-Control, private],
[Content-Type, text/html; charset=utf-8], [Date, Wed, 21
Mar 2018 14:01:22 GMT]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml :
RawContentLength : 54
PS C:\> ipconfig
Windows IP Configuration
Ethernet adapter vEthernet (nat):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::94d6:434:c0b6:8fdc%56
IPv4 Address. . . . . . . . . . . : 172.29.112.1
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . :
Ethernet adapter vEthernet (Internet):
Connection-specific DNS Suffix . : lan
Link-local IPv6 Address . . . . . : fe80::342a:be30:c7c:c1de%24
IPv4 Address. . . . . . . . . . . : 192.168.1.221
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

Related

docker network access fixed IP address

I need to access a physical device from a container on a windows host (running Docker desktop). The device has a fixed ip-address in a separate subnet (192.168.0.5/24). How to properly setup the network for the container (via docker run or docker-compose)?
I first thought of just opening the relevant port, but for one, it is chosen at random (e.g. 52714, 63575), and for another, if the port is open, I cannot reach the device.
So I tried to fetch an ipvlan, but in this configuration I am not reaching the container at all.
version: "3.8"
services:
  python-fastapi:
    container_name: fast_api
    build:
      context: Python
      dockerfile: Vision_fastAPI.Dockerfile
    ports:
      - "5001:5000"
    networks:
      - myVLan
networks:
  myVLan:
    driver: ipvlan
    driver_opts:
      parent: host
      ipvlan_mode: l2
    ipam:
      config:
        - subnet: 192.168.0.0/24
Actually, I was trying to reproduce a tutorial (from a Ubuntu host):
docker network create -d ipvlan --subnet=192.168.0.0/24 --ip-range=192.168.0.0/24 -o ipvlan_mode=l2 -o parent=enp11s0f1 myVLan
Obviously, I struggle with the parent option. I thought it would be the physical ethernet adapter, but I have no idea of the naming in Windows (docker-compose doesn't accept names like "Ethernet 8", so I guess I am getting something wrong here). It works with a docker network ("default") but just in the way that it doesn't produce an error.
The configuration of the ethernet adapter is the following:
Ethernet adapter Ethernet 8:
Connection-specific DNS Suffix:
Description . . . . . . . . . . . : Lenovo USB Ethernet #4
Physical Address . . . . . . . . : 3C-18-A0-52-43-C1
DHCP Enabled . . . . . . . . . . : no
Autoconfiguration Enabled . . . . : Yes
IPv4 Address . . . . . . . . . . : 192.168.0.210(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip . . . . . . . : Enabled
Do absolutely nothing. Delete all of the networks: blocks in the Compose file. Connect to the external IP address as normal; Docker provides a network address translation (NAT) mechanism that will let you connect to the off-box service.
If you set up a Domain Name Service (DNS) server for your environment (highly recommended), make sure to use a fully-qualified domain name (FQDN) when you connect to the service, other-host.example.com. If you use a short name other-host then Docker will try to interpret that as a container name.

Why can't Wireshark detect Wireguard interface used by Mozilla VPN?

Running Wireshark 3.2.5 64bit on Windows 10 as administrator.
Mozilla VPN creates this interface as shown in IPCONFIG
Unknown adapter FirefoxPrivateNetworkVPN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WireGuard Tunnel
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : fc00:bbbb:bbbb:bb01::*:*(Preferred)
IPv4 Address. . . . . . . . . . . : 10.65.*.*(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.64.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Wireshark does not display this interface, although all other interfaces (real and virtual) are available.
I can see the encrypted data on the primary Ethernet interface.
I need Wireshark to monitor the traffic going through the Wireguard tunnel.
Other VPNs interfaces are visible in Wireshark, why not this one?
I have also noticed that Windows Wireguard implementation currently doesn't cooperate with other standard network tools. Not only WG interfaces are invisible to Wireshark, Wireshark connections could not be blocked by Windows Firewall for some reason. I see it as a security issue.
Currently Wireguard for Windows uses Wintun interface. For comparison, OpenVPN has had an option to use Wintun interface for some time now too. And when you use it its interface is also invisible to Wireshark. But you can still block OpenVPN in the Windows Firewall.
EDIT:
Solution (2021-08-22): Update npcap Windows driver to the most recent one. Then Wintun interfaces will appear for Wireshark.
Now the problem is that Wireshark currently incorrectly dissects what it captures on the Wintun interface - it sees "Ethernet II" packets going around with unknown protocol 0xXXXX inside, while actually it's IPv4 packets not "Ethernet II", and 0xXXXX is just a part of an IP address. The data is not encrypted though, so you can identify packets by data contents: for example, it's an ICMP echo on the screenshot.
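The mis-dissection described above, reproduced as an added example (not part of the original post): the same bytes are read once as Ethernet II and once as a bare IPv4 packet, which shows that the "unknown protocol" value is simply the first two octets of the source address. The function names are hypothetical and the addresses are constructed samples within the ranges shown in the ipconfig output.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an even-length byte string."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo(src: str, dst: str) -> bytes:
    """Constructed sample: a bare IPv4 ICMP echo request with no link-layer header."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, 1, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + icmp

def as_ethernet(frame: bytes) -> dict:
    """Fields an Ethernet II dissector would report for these bytes."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}

def looks_like_raw_ipv4(frame: bytes) -> bool:
    """Heuristic: version 4, sane IHL and total length, header checksum verifies.
    Captures taken with checksum offload may fail the last test."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return False
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if ihl < 20 or not ihl <= total_len <= len(frame):
        return False
    return inet_checksum(frame[:ihl]) == 0

def as_raw_ipv4(frame: bytes) -> dict:
    """The same bytes dissected as IPv4 starting at offset 0."""
    ihl = (frame[0] & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(frame[12:16])),
            "dst": str(ipaddress.IPv4Address(frame[16:20])),
            "protocol": frame[9], "payload": frame[ihl:]}

# Constructed addresses inside the ranges the ipconfig output above shows.
SAMPLE = build_icmp_echo("10.65.0.2", "10.64.0.1")

if __name__ == "__main__":
    print("as Ethernet II:", as_ethernet(SAMPLE))   # EtherType = first two source-IP octets
    print("raw IPv4?     :", looks_like_raw_ipv4(SAMPLE))
    print("as IPv4       :", as_raw_ipv4(SAMPLE))
```

Bytes 12-13 of an IPv4 header are the start of the source address, and those are exactly the bytes an Ethernet II dissector reads as the EtherType.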

Issue getting credential spec (gMSA) working in docker-compose

I have a gMSA credential spec working with docker run but not with docker-compose. Details for the compose file and the docker run command are below. I'm completely lost as to what I'm missing. I did a lot of googling and I'm not sure what's going on. My primary thought is that something with the docker-compose file is off, but I'm not sure.
Docker-compose
version: '3.3'
services:
  basic:
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    entrypoint: ping -t localhost
    hostname: server01
    security_opt:
      - credentialspec=file://server01.json
    dns:
      - "192.168.43.2"
    user: "NT AUTHORITY\\NETWORK SERVICE"
networks:
  default:
    external:
      name: "Net"
After running docker-compose up
C:\Users\administrator> docker exec -it b9e2a783ab09 powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\> ipconfig
Windows IP Configuration
Ethernet adapter vEthernet (Ethernet) 10:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4416:3381:8d1a:122a%43
Autoconfiguration IPv4 Address. . : 169.254.18.42
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
PS C:\> ipconfig /renew
Windows IP Configuration
Ethernet adapter vEthernet (Ethernet) 10:
Connection-specific DNS Suffix . : localdomain
Link-local IPv6 Address . . . . . : fe80::4416:3381:8d1a:122a%43
IPv4 Address. . . . . . . . . . . : 192.168.43.198
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
PS C:\> nslookup testdomain.local
Server: UnKnown
Address: 192.168.43.2
Name: testdomain.local
Addresses: 192.168.43.2
192.168.52.133
PS C:\> nltest /sc_verify:testdomain.local
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED
docker run
docker run -it --security-opt "credentialspec=file://server01.json" --user="nt authority\system" --hostname="server01" --network="Net" --dns="192.168.43.2" mcr.microsoft.com/windows/servercore:ltsc2019 powershell
PS C:\> nslookup testdomain.local
Server: UnKnown
Address: 192.168.43.2
Name: testdomain.local
Addresses: 192.168.43.2
192.168.52.133
PS C:\> nltest /sc_verify:testdomain.local
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc01.testdomain.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully
PS C:\>
Hey so I'm leaving this up as a mark of shame.
Notice that I used different users? Turns out I needed to use system and not the network service account. That fixed it.
Use double quotes:
security_opt:
  - "credentialspec=file://server01.json"

Docker for windows: real container IP different from the one shown on the configuration

I've just started playing with docker and I'm facing a real strange issue. After installing, I've pulled an IIS nanoserver image and I've started it:
λ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
beabe561852f d4 "C:\\ServiceMonitor.e…" 3 minutes ago Up 3 minutes 0.0.0.0:81->80/tcp nano-server
After that I've tried to access the site through the http://localhost:81. Since it wasn't working, I've inspected the IP with the following command:
λ docker inspect -f "{{json .NetworkSettings.Networks}}" b
{"nat":{"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"11117ac2f84721d1ca93c719192dd4d2aa5f9e6d23e7b3077dfd8ffb63aaf2e2","EndpointID":"68984bc164035e4035af1878673dda69e913dde19d641943cb68f7121aa9dae6","Gateway":"172.23.160.1","IPAddress":"172.23.174.235","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"00:15:5d:33:81:0a","DriverOpts":null}}
Pinging wasn't working either:
λ ping 172.23.174.235
Pinging 172.23.174.235 with 32 bytes of data:
Reply from 10.200.2.222: Destination net unreachable.
Reply from 10.200.2.222: Destination net unreachable.
Reply from 10.200.2.222: Destination net unreachable.
Reply from 10.200.2.222: Destination net unreachable.
Ping statistics for 172.23.174.235:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
So, I've tried running powershell in the container to check the IP:
PS C:\> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : mshome.net
Link-local IPv6 Address . . . . . : fe80::14e3:fd95:19a:c89b%4
IPv4 Address. . . . . . . . . . . : 192.168.238.55
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 172.23.160.1
192.168.238.49
PS C:\>
As you can see, the container's "real" IP is completely different from the one that docker thinks is being used by it.
I've already tried disconnecting the container from the network and reconnecting it again, but the results are always the same.
Any clues on what's going on here? Even more important, any tips on how to solve it?
Thanks
In this case, I've removed all unused networks with the docker network prune command. After deleting the Default Switch, everything started to work correctly. I'm not sure why this was required, but probably there was something wrong with that switch configuration...

Cannot access docker container exposed port. Can ping but cannot telnet

I am trying to create an apache container in docker by following below link:
https://www.assistanz.com/installing-apache-web-server-in-windows-container-using-docker-file/
Version Details:
Host OS: Windows Server 2016 (VMWare virtualized machine)
Docker Version:
PS C:\Windows\system32> docker version
Client:
Version: 17.06.2-ee-16
API version: 1.30
Go version: go1.8.7
Git commit: 9ef4f0a
Built: Thu Jul 26 16:43:19 2018
OS/Arch: windows/amd64
Server:
Engine:
Version: 17.06.2-ee-16
API version: 1.30 (minimum version 1.24)
Go version: go1.8.7
Git commit: 9ef4f0a
Built: Thu Jul 26 16:52:17 2018
OS/Arch: windows/amd64
Experimental: false
I managed to create the container and run it with below command:
docker run -it -p 8080:80 apache powershell
PS C:\> ipconfig
Windows IP Configuration
Ethernet adapter vEthernet (Container NIC 258c52dd):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::706a:94f1:9a6:6c49%31
IPv4 Address. . . . . . . . . . . : 172.21.60.107
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.21.48.1
Confirm if the apache is running on port 80 from inside of the container:
PS C:\> iwr http://localhost -usebasicparsing
StatusCode : 200
StatusDescription : OK
From host machine:
Access http://container-ip:80 and failed
PS C:\Windows\system32> iwr http://172.21.60.107:80 -usebasicparsing
iwr : Unable to connect to the remote server
Access http://host-ip:8080 and failed
PS C:\Windows\system32> iwr http://192.168.105.87:8080 -usebasicparsing
iwr : Unable to connect to the remote server
Tried to access from other pc using http://host-ip:8080 and also failed.
A few things that I did for troubleshooting:
Check container port forwarding by running docker ps
PS C:\Windows\system32> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8bdaf5b11ab9 apache "powershell" 14 minutes ago Up 14 minutes 0.0.0.0:8080->80/tcp inspiring_turing
Check Static Mapping by running Get-NetNatStaticMapping
PS C:\Windows\system32> Get-NetNatStaticMapping
StaticMappingID : 3
NatName : Hf41327a7-ce0a-464c-83ff-21223867c9ea
Protocol : TCP
RemoteExternalIPAddressPrefix : 0.0.0.0/0
ExternalIPAddress : 0.0.0.0
ExternalPort : 8080
InternalIPAddress : 172.21.60.107
InternalPort : 80
InternalRoutingDomainId : {00000000-0000-0000-0000-000000000000}
Active : True
Ensure again that Firewall and Antivirus are disabled
Ensure there is no proxy
PS C:\Windows\system32> Get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
DisableCachingOfSSLPages : 1
IE5_UA_Backup_Flag : 5.0
PrivacyAdvanced : 1
SecureProtocols : 2688
User Agent : Mozilla/4.0 (compatible; MSIE 8.0; Win32)
CertificateRevocation : 1
ZonesSecurityUpgrade : {75, 36, 102, 206...}
WarnonZoneCrossing : 0
EnableNegotiate : 1
MigrateProxy : 1
ProxyEnable : 0
PSPath : Microsoft.PowerShell.Core\Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
PSParentPath : Microsoft.PowerShell.Core\Registry::HKCU\Software\Microsoft\Windows\CurrentVersion
PSChildName : Internet Settings
PSProvider : Microsoft.PowerShell.Core\Registry
Check container network
PS C:\Windows\system32> Get-ContainerNetwork
Name Id Subnets Mode SourceMac DNSServers DNSSuffix
---- -- ------- ---- --------- ---------- ---------
nat f41327a7-ce0a-464c-83ff-21223867c9ea {172.21.48.0/20} NAT
Ping container IP from host => Okay
Telnet to container IP and Port from host => Failed
PS C:\Windows\system32> telnet 172.21.60.107 80
Connecting To 172.21.60.107...Could not open connection to the host, on port 80: Connect failed
Ping host IP from container => Failed
I have googled this issue and tried a lot of troubleshooting, but it seems I could not find the solution for my issue. Most of the issues reported are due to the localhost loopback issue in Windows.
Any pointer on how to troubleshoot this further?
I suspect there is something blocking the container port, but I can't find it.
Thanks
