I want to setup a VPN with docker container? I find a popular image mobtitude/vpn-pptp.
This is the start options.
# docker run -d --privileged -p 1723:1723 -v {local_path_to_chap_secrets}:/etc/ppp/chap-secrets mobtitude/vpn-pptp
I am confused why add the --privileged flat.
Some quotes from Docker official references
By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a “privileged” container is given access to all devices (see the documentation on cgroups devices).
When the operator executes docker run --privileged, Docker will enable to access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host. Additional information about running with --privileged is available on the Docker Blog.
Related
I've come across the --privileged flag for docker exec, but the manual does not provide much of an explanation:
--privileged Give extended privileges to the command
That's all. No more explanation or example.
Searching the web for more info, I only found descriptions of containers running in privileged mode, but it appears to me that this doesn't have to do anything with the privileged mode of docker exec. I assume that these privileges apply to the executed command, and I could image that it means that it is run under a privileged user (root). But then, I wonder what the difference would be compared to docker exec -u 0?
By default container runtimes go to great lengths to shield a container from the host system. Running in --privileged mode disables/bypasses most of these checks. This basically means that if you are root in a container you have the privileges of root on the host system. Is is only meant for special cases such as running Docker in Docker (for example in pipeline for sharing docker socket from the host) and should be avoided.
I have an app that launches a docker container and automates a few of the routines.
Now I have dockerized this app which is not able to talk to other containers over localhost. I tried setting
--network host
when launching the container and now not able to access the containerized webapp over localhost:.
Any pointers?
localhost won't work. Suppose, you are running a VM and try to talk to your host/ other VMs running in your machine. If you call localhost from one of the VMs, it's localhost for that VM only, not to your host. So, you won't be able to talk from one VM to another by calling localhost. Docker works same in regard to the localhost. You have two options,
Use a network
If you are using network, create a network and add all the containers to that network. This is the new suggested way by docker.
docker network create <your-network-name>
docker run --network <your-network-name> --name <container-name1> <image>
docker run --network <your-network-name> --name <container-name2> <image>
Then use the container name (container-name1) to talk to that service from other service (container-name2).
Use --link option
Or you could use --link option, which is a legacy system for docker. Docker docs says, unless you have a specific reason to use, don't use --link anymore.
docker run --name <container1> <image>
docker run --name <container2> <image>
You could use container1 to talk from container2 and vice versa. You could use these container name in places like DB host, etc.
did you try creating a common bridge network and attach your containers to the same network:
create network :-
docker network create networkname
and then in docker run command add this switch --network=networkname
I figured it later after going over a lot of other documents.
Step 1: install docker inside the container. Added following line to my dockerfile
RUN curl -sSL https://get.docker.com/ | sh
Step 2: provide volume-mapping in docker run command
-v /var/run/docker.sock:/var/run/docker.sock
Now hosts' docker commands are accessible from within my current container and without changing the --network for current docker container, I'm able to access other containers over localhost
Unable to login in iscsi initiator in docker container running inside a kubernetes cluster
I have installed open-iscsi package in a docker ubuntu container with privileged mode inside a kubeminion. The iscsi target is running and the iscsi initiator discovery returns the correct initiator name iqn. When I try to login, I get this:
ERROR :
iscsiadm: got read error (0/111), daemon died? iscsiadm: Could not
login to [iface: default, target: iqn.2016-09.com.abcdefg.xyza:name,
portal: 10.102.83.21,3260]. iscsiadm: initiator reported error (18 -
could not communicate to iscsid) iscsiadm: Could not log into all
portals
I tried service iscsid restart and debug with iscsid -d 8 -f command, still login is not successful
Adding --net=host flag and --privileged flag while docker run within the cluster, both iscsi discover and login will be successful. iscsi expects host's networking services to run with privileged access. The command should be,
docker run -it --privileged --net=host name:tag
With the network set to host a container will share the host’s network stack and all interfaces from the host will be available to the container. The container’s hostname will match the hostname on the host system.
For more details, refer the documentation :
https://docs.docker.com/engine/reference/run/#network-settings
Note:Flag --net works on older and latest versions of docker, --network works on latest docker version only.
I have some docker containers running on my docker environment (on a CentOS VM) which need docker inside. So I mount /var/run/docker.sock inside the containers.
Now I'm creating /etc/default/docker in which I put
DOCKER_OPTS="-H tcp://xx.xx.xx.xx:2376"
But now my question is: which IP is xx.xx.xx.xx? Is it the IP of the host or the IP of a container? + Is this the savest way to let a docker container use the socket? (=use docker in docker)
Running docker within docker is not so trivial an you might have a good reason for doing that.
The last time I was doing that, I was using dind (docker in docker) and had to mount the socket (/var/run/docker.sock) and used it in a combination with the --privileged flag. However things might have changed now (see https://github.com/docker/docker/pull/15596) and it should be able to run it without the socket mount:
docker run --privileged -d docker:dind
So be sure to check out this comprehensive guide at https://hub.docker.com/_/docker/
Working with Docker in Docker can be tricky. I would recommend using the official Docker image with the dind tag. You shouldn't need to specify the DOCKER_HOST in options as it will be correctly configured. For example running:
docker run -ti --name docker -v /var/run/docker.sock:/var/run/docker.sock --privileged docker:dind sh
Will drop you to a shell inside the container. Then if your run docker ps you should see a list of containers running on the host machine. Note the --privileged flag is required in this case as we are accessing the Docker daemon outside the container.
Hope this helps!
Dylan
Edit
Drop the --privileged flag from the above command due to security issues highlighted by Alexander in the comments. You also can drop the dind tag as its not required.
I want to run a docker container with central log and fail2ban service to prevent from dos/ddos attacks.
I'm having a problem to run a container with such capabilities that it could also modify the hosts iptables.
There is a project ianblenke/docker-fail2ban however it does not work...
Giving the container flag privileged only allows me to control iptables on this container. Is there any way to control hosts iptables through container?
Regards.
--privileged flag is not required anymore.
Starting with Docker 1.2 you can now run your image with parameters --cap-add=NET_ADMIN and --cap-add=NET_RAW which will allow internal iptables.
It might be also worth noticing that in official Ubuntu images from Docker Hub iptables package is not installed.
So general instruction should be
apt-get install iptables
run docker container with --net=host and --cap-add=NET_ADMIN --cap-add=NET_RAW options.
Also, if you have a docker image that is missing iptables package, and you don't want to create a custom image from it, you may run container with iptables in the same network space. E.g. if you have container container-without-iptables running, and you want to start some container-with-iptables in the same network namespace, you can do:
docker run -it --pid=container:container-without-iptables --net=container:container-without-iptables --cap-add sys_admin container-with-iptables
Docker containers, by default, run inside an isolated network namespace where they do not have access to the host network configuration (including iptables).
If you want your container to be able to modify the network configuration of the host, you need to pass the --net=host option to docker run. From the docker-run(1) man page:
--net="bridge"
Set the Network mode for the container
'bridge': creates a new network stack for the container on the docker bridge
'none': no networking for this container
'container:': reuses another container network stack
'host': use the host network stack inside the container.
Note: the host mode gives the container full access to
local system services such as D-bus and is therefore
considered insecure.
You will need to run with both --privileged and --net=host.