multiple docker run pptp client on same host - docker

I set up Docker with a PPTP client to connect to a PPTP server, following http://cyan.ly/blog/multiple-vpn-docker-2015
However, when I try to run more than one Docker container, PPTP fails. Only one Docker container can connect to the PPTP server. It seems they cannot share the same device?
Any help would be appreciated.

Point-to-Point Tunneling Protocol (PPTP) traffic is uniquely identified by a source IP address and a Call ID field in the GRE header. When multiple clients connect to the same VPN endpoint behind a common Network Address Translation (NAT), they all have the same source IP address. Because the different VPN clients are unaware of each other, they might choose the same Call ID field, which prohibits multiple connections because the VPN endpoint has no way to differentiate between the various connections.
When I was running my Docker container using the parameter --net=host, only one container was getting connected:
docker run -it --net=bridge --cap-add=NET_ADMIN --device=/dev/ppp --privileged -v /dev:/dev -v /lib/modules:/lib/modules 1368917489 /bin/bash
But after looking at it closely, I came to the conclusion that one should run the container with the parameter --net=bridge.
Basically, when we run the containers with the bridge network setting, they get an IP address directly from DHCP, which resolves our issue.
Try this and you can make hundreds of connections using Docker containers!

Related

How can I connect to a VPN in docker not using VPN images?

Good morning!
I'm using Check Point Mobile to connect to my client VPN, and I have 2 containers in Docker: mysql and karaf, both sharing the network I created using the command docker network create --subnet=vpnAddress mynet
I used the option --network=mynet when running the containers.
Up to here it's all OK: I can connect via PuTTY SSH to karaf, install the kar, and all bundles are OK.
But when calling the services I realize that the container is not connected to the VPN, even though I created a network with the VPN address. I need to be connected to the VPN in order to call the services.
I'm connected externally (outside Docker) to the VPN using Check Point Mobile, but I need Docker to add/connect to the VPN.
I'm using Windows 10 (using Docker with Linux containers). I tried to go to C:\ProgramData\DockerDesktop\tmp-d4w and edit the file host.docker.internal too and change the IP to my VPN address, but nothing works.
I searched a lot, and I saw people talking about Docker VPN images such as NordVPN or OpenVPN, but I can't use those.
I have been told I need to add the VPN network to Docker, but I'm green at networking and I don't know how to do it, and what I did didn't work.
Hope you can help me. Thanks!
edit: in the Docker engine config I added "bip": "vpnAddress/24"
I realize now that the bridge network uses the VPN address, so I tried --network=bridge for both the karaf and mysql containers, but now karaf can't connect to mysql. If I use the default docker network create mynet and run the 2 containers using that network it works, but no luck with the VPN this way.
I haven't used Docker on Windows, but a quick look at some VPN containers shows that, in *nix at least, they use --device /dev/net/tun --cap-add=NET_ADMIN to expose the VPN "device" to the container. Other containers then use docker networking or links to connect to this VPN container - so looking at how the VPN containers do it might be helpful.
One suggestion for Mac seems to be using extra_hosts like so:
extra_hosts:
- "vpn.company.com:172.21.1.1"
You might be able to hack it with something like that. (or physically adding 172.21.1.1 vpn.company.com to /etc/hosts in the container). Also, checking for IP address conflicts between the Docker daemon and your host machine.
Windows docs seem to suggest they don't support network interfaces as "devices", so you probably need to either create a very specific docker network or modify host networking settings, starting with getting Docker daemon to recognize the VPN network.
See the Configure Advanced Networking section for some examples. I'd try creating a network associated with the VPN device first, then look into flags like --subnet and --gateway.
docker network create -d transparent \
-o com.docker.network.windowsshim.interface="Ethernet 2" TransparentNet2
This creates a network with a particular subnet and gateway, then runs a container with a statically-assigned IP on that network.
C:\> docker network create -d transparent \
--subnet=10.123.174.0/23 \
--gateway=10.123.174.1 MyTransparentNet
C:\> docker run -it --network=MyTransparentNet \
--ip=10.123.174.105 windowsservercore cmd
Good luck!

How to expose the docker container ip to the external network?

I want to expose the container IP to the external network where the host is running, so that I can directly ping the Docker container IP from an external machine.
If I ping the Docker container IP from an external machine, where the machine hosting Docker and the machine from which I am pinging are in the same network, I need to get a response from these machines.
Pinging the container's IP (i.e. the IP it shows when you look at docker inspect [CONTAINER]) from another machine does not work. However, the container is reachable via the public IP of its host.
In addition to Borja's answer, you can expose the ports of Docker containers by adding -p [HOST_PORT]:[CONTAINER_PORT] to your docker run command.
E.g. if you want to reach a web server in a Docker container from another machine, you can start it with docker run -d -p 80:80 httpd:alpine. The container's port 80 is then reachable via the host's port 80. Other machines on the same network will then also be able to reach the webserver in this container (depending on Firewall settings etc. of course...)
Since you tagged this as kubernetes:
You cannot directly send packets to individual Docker containers. You need to send them to somewhere else that’s able to route them. In the case of plain Docker, you need to use the docker run -p option to publish a port to the host, and then containers will be reachable via the published port via the host’s IP address or DNS name. In a Kubernetes context, you need to set up a Service that’s able to route traffic to the Pod (or Pods) that are running your container, and you ultimately reach containers via that Service.
The container-internal IP addresses are essentially useless in many contexts. (They cannot be reached from off-host at all; in some environments you can’t even reach them from outside of Docker on the same host.) There are other mechanisms you can use to reach containers (docker run -p from outside Docker, inter-container DNS from within Docker) and you never need to look up these IP addresses at all.
Your question places a heavy emphasis on ping(1). This is a very-low-level debugging tool that uses a network protocol called ICMP. If sending packets using ICMP is actually core to your workflow, you will have difficulty running it in Docker or Kubernetes. I suspect you aren’t actually. Don’t worry so much about being able to directly ping containers; use higher-level tools like curl(1) if you need to verify that a request is reaching its container.
It's pretty easy actually, assuming you have control over the routing tables of your external devices (either directly, or via your LAN's gateway/router). Assuming your containers are using a bridge network of 172.17.0.0/16, you add a static entry for the 172.17.0.0/16 network, with your Docker physical LAN IP as the gateway. You might need to also allow this forwarding in your Docker OS firewall configuration.
After that, you should be able to connect to your docker container using its bridge address (172.17.0.2 for example). Note however that it will likely not respond to pings, due to the container's firewall.
If you're content to access your container using only the bridge IP (and never again use your Docker host IP with the mapped-port), you can remove port mapping from the container entirely.
You need to create a new bridge Docker network and attach the container to this network. You should be able to connect this way.
docker network create -d bridge my-new-bridge-network
or
docker network create --driver=bridge --subnet=192.168.0.0/16 my-new-bridge-network
connect:
docker network connect my-new-bridge-network container1
or
docker network connect --ip 192.168.0.10/16 my-new-bridge-network container-name
If the problem persists, just reload the Docker daemon and restart the service. It is a known issue.
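The answers above suggest picking a --subnet for docker network create and checking for address conflicts between the Docker daemon and the host's own networks. The following POSIX shell script is an added example, not code from any of the posts: it tests whether a candidate Docker subnet overlaps networks the host already routes to. The LAN and VPN networks in the sample run are constructed, not taken from any poster's setup.

```shell
#!/bin/sh
# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, as an integer (16 -> 0xFFFF0000).
mask_of() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Network address (integer) of a CIDR such as 172.17.0.0/16.
net_of() {
  echo $(( $(ip2int "${1%/*}") & $(mask_of "${1#*/}") ))
}

# Status 0 if the two CIDRs share any address. Two prefixes overlap
# exactly when the wider one contains the narrower: masking the narrow
# network with the wide mask must give the wide network.
cidr_overlap() {
  if [ "${1#*/}" -le "${2#*/}" ]; then wide=$1; narrow=$2; else wide=$2; narrow=$1; fi
  [ $(( $(net_of "$narrow") & $(mask_of "${wide#*/}") )) -eq "$(net_of "$wide")" ]
}

# Check a candidate --subnet for "docker network create" against the
# networks the host already uses (LAN, VPN routes). Prints each clash
# and returns the number found, so status 0 means the subnet is safe.
check_docker_subnet() {
  candidate=$1; shift
  clashes=0
  for existing in "$@"; do
    if cidr_overlap "$candidate" "$existing"; then
      echo "CONFLICT: $candidate overlaps existing network $existing"
      clashes=$((clashes + 1))
    fi
  done
  return $clashes
}

# Constructed sample: host on a 192.168.1.0/24 LAN with a 10.123.174.0/23
# VPN route. 192.168.0.0/16 (the answer's example) would swallow the LAN;
# 172.20.0.0/16 is free.
check_docker_subnet 192.168.0.0/16 192.168.1.0/24 10.123.174.0/23 || echo "choose another subnet"
check_docker_subnet 172.20.0.0/16 192.168.1.0/24 10.123.174.0/23 && echo "172.20.0.0/16 is safe"
```

Run it with the subnets from `ip route` on the host before creating the network; a clash means container traffic and host traffic for the same range will be routed ambiguously.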

How to provide internet access to running docker container?

Hi, can anyone tell me the correct command to provide internet access to a running container?
I know we have to specify --net in the docker run command to access the internet from inside the container.
What if I want to provide internet access to a container which I didn't run with the --net option (i.e. a container which does not have internet access)?
I got the docker network connect NetworkName ContainerName/ID command from: https://docs.docker.com/engine/reference/commandline/network_connect/
but running the above command does not provide internet access, so I'm requesting the correct command.
Note: I am trying this on a CentOS container.
Your Docker containers should have internet access by default, as that is the normal setup of Docker, and by no means should they require --net to get it. If they don't, then you probably have something mixed up on your host, e.g. additional firewall rules or IP forwarding not enabled.
For starters, check if you have IP forwarding enabled; it should look like the following:
$ cat /proc/sys/net/ipv4/ip_forward
1
and verify if you don't have something funky in your iptables
Docker containers should resolve internet traffic once configured properly. Please check the container network status by the following:
Enter a public DNS (8.8.8.8) manually in /etc/resolv.conf.
If not working check the container network side.
#goto /etc/default/docker
#add public DNS values there (DOCKER_OPTS="--dns 208.67.222.222 --dns 208.67.220.220")
#sudo service docker restart
Login to the container and ping google.com
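As an added example (not from any of the answers), this POSIX shell script automates the ip_forward and resolver checks described above. The file paths are parameters so the checks can also run on copied files; the loopback-resolver case is an extra pitfall the answers do not mention.

```shell
#!/bin/sh
# Each check takes an optional file path so it can be run against copies
# of the files; with no argument it reads the live /proc and /etc entries.

# Status 0 when the kernel forwards IPv4, which bridged containers need.
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Status 0 when resolv.conf lists a nameserver that is not a loopback
# address: a host-only stub resolver such as 127.0.0.53 from
# systemd-resolved is unreachable from inside a container.
has_usable_nameserver() {
  grep -E '^[[:space:]]*nameserver[[:space:]]+' "${1:-/etc/resolv.conf}" 2>/dev/null \
    | awk '{print $2}' | grep -vE '^127\.' | grep -q .
}

# Run both checks, print a hint per problem, return the problem count.
container_net_triage() {
  problems=0
  ip_forward_enabled "$1" || {
    echo "ip_forward is 0: enable it with sysctl -w net.ipv4.ip_forward=1"
    problems=$((problems + 1))
  }
  has_usable_nameserver "$2" || {
    echo "no usable nameserver: start the daemon with --dns or set DOCKER_OPTS"
    problems=$((problems + 1))
  }
  return $problems
}

# Live run on this host; iptables is only inspected when running as root,
# since a FORWARD policy of DROP without Docker's chains also breaks egress.
container_net_triage "" "" || echo "fix the items above, then retry from inside the container"
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
  iptables -S FORWARD 2>/dev/null | grep -Eq -- '-P FORWARD ACCEPT|-j DOCKER' \
    || echo "FORWARD policy is DROP and no DOCKER chain is hooked in"
fi
```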

Docker container doesn't connect to another docker container on server

I'm using a Digital Ocean docker droplet and have 3 docker containers: 1 for front-end, 1 for back-end and 1 for other tools with different dependencies, let's call it back-end 2.
The front-end calls the back-end 1, the back-end 1 in turn calls the back-end 2. The back-end 2 container exposes a gRPC service over port 50051. Locally, by running the following command, I was able to identify the docker service to be running with the IP 127.17.0.1:
docker network inspect bridge --format='{{json .IPAM.Config}}'
Therefore, I understand that my gRPC server is accessible from the following url 127.17.0.1:50051 within the server.
Unfortunately, the gRPC server refuses connections when running from the docker droplet while it works perfectly well when running locally.
Any idea what may be different?
You should generally set up a Docker private network to communicate between containers using their container names; see e.g. How to communicate between Docker containers via "hostname". The Docker-internal IP addresses are subject to change if you delete and recreate a container and aren't reachable from off-host, and trying to find them generally isn't a best practice.
172.17.0.0/16 is a typical default for the Docker-internal IP network (127.0.0.0/8 is the reserved IPv4 loopback network) and it looks like you might have typoed the address you got from docker network inspect.
Try docker run with the following command:
docker run -d -p {server ip}:12345 {back-end 2 image}
It will expose the IP and port to the Docker container, and it will be accessible from other servers.
Note: also check firewall rules, in case the firewall is blocking access.
You could run Docker bound to an IP and port as shown by Aakash. Please restrict access to this specific IP and port so it can be accessed only from the other Docker IP and port; this will help keep Docker private and doesn't allow others in (even other Docker instances within your network).

Port forwarding Ubuntu - Docker

I have following problem:
Assume that I started two Docker containers on host machine: A and B.
docker run A -ti -p 2000:2000
docker run B -ti -p 2001:2001
I want to be able to get to each of these containers FROM THE INTERNET by:
http://example.com:2000
http://example.com:2001
How to reach that?
The rest of the equation here is just normal TCP / IP flow. You'll need to make sure of the following:
If the host has an implicit deny for incoming traffic on its physical interface, you will need to open up ports 2000 and 2001, just like you would for any service (Docker or not).
If the host is behind a NAT or other external means of routing, you'll need to punch holes for those ports there as well.
You'll need the external IP address (either the one attached to the host or the one in front of the NAT allowing access to the ports).
As far as Docker is concerned, you've done what is required to open the ports to the service running in that container correctly.