I want to run a docker container with a central log and fail2ban service to prevent DoS/DDoS attacks.
I'm having a problem running a container with such capabilities that it could also modify the host's iptables.
There is a project ianblenke/docker-fail2ban, however it does not work...
Giving the container the privileged flag only allows me to control iptables in this container. Is there any way to control the host's iptables through a container?
Regards.
The --privileged flag is not required anymore.
Starting with Docker 1.2 you can now run your image with the parameters --cap-add=NET_ADMIN and --cap-add=NET_RAW, which will allow internal iptables.
It might also be worth noting that in the official Ubuntu images from Docker Hub the iptables package is not installed.
So the general instruction should be:
apt-get install iptables
run the docker container with the --net=host and --cap-add=NET_ADMIN --cap-add=NET_RAW options.
Also, if you have a docker image that is missing the iptables package, and you don't want to create a custom image from it, you may run a container with iptables in the same network namespace. E.g. if you have a container container-without-iptables running, and you want to start some container-with-iptables in the same network namespace, you can do:
docker run -it --pid=container:container-without-iptables --net=container:container-without-iptables --cap-add NET_ADMIN --cap-add NET_RAW container-with-iptables
Docker containers, by default, run inside an isolated network namespace where they do not have access to the host network configuration (including iptables).
If you want your container to be able to modify the network configuration of the host, you need to pass the --net=host option to docker run. From the docker-run(1) man page:
    --net="bridge"
        Set the Network mode for the container
        'bridge': creates a new network stack for the container on the docker bridge
        'none': no networking for this container
        'container:': reuses another container network stack
        'host': use the host network stack inside the container.
        Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
You will need to run with both --privileged and --net=host.
I want to run a docker container. This container must be isolated from the host computer.
This means the container should not have access to the files and memory of the host computer.
The container will only access the network through mapped ports (-p option) and NAT.
So I run this command:
docker run -it --cap-drop ALL myimage
There is something very strange because I can't run a basic command like "apt-get update" in the container.
I get setgroups and seteuid errors.
I do not understand why I have to add capabilities for that!
I understand docker needs capabilities on the container, for the container itself. But I do not want to allow capabilities on the host system.
What should I do to disable all capabilities for host interaction and allow all capabilities for the container itself?
Thanks a lot
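The setgroups/seteuid failures above and the --cap-add=NET_ADMIN / --cap-add=NET_RAW advice in the first answer come down to the same thing: which capability bits the container's processes actually hold. The following is an added example, not code from either question or answer. It decodes the CapEff line that the kernel exposes in /proc/<pid>/status into capability names and reports which ones a task lacks for a given operation. Bit numbers are those of <linux/capability.h>; the three sample CapEff values are constructed (0xa80425fb is Docker's default capability set, all-zero is what --cap-drop ALL leaves, and the third is the default set plus NET_ADMIN), and the two "needed" lists are my assumptions about what iptables and apt's privilege drop to the _apt user require (setgroups needs CAP_SETGID, seteuid needs CAP_SETUID).

```python
"""Decode CapEff masks from /proc/<pid>/status into capability names.

Added example, not from the original thread. Bit numbers follow
<linux/capability.h>; the sample status fragments below are constructed.
"""
import re

# List index == capability bit number in <linux/capability.h>.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Assumed requirements for the two operations discussed in the thread.
IPTABLES_NEEDS = ("NET_ADMIN", "NET_RAW")   # changing netfilter rules
APT_NEEDS = ("SETUID", "SETGID")             # apt drops to the _apt user

# Constructed /proc/<pid>/status fragments (only the lines we read).
STATUS_DEFAULT = "Name:\tbash\nCapEff:\t00000000a80425fb\n"    # Docker default caps
STATUS_DROP_ALL = "Name:\tbash\nCapEff:\t0000000000000000\n"   # --cap-drop ALL
STATUS_NET_ADMIN = "Name:\tbash\nCapEff:\t00000000a80435fb\n"  # default + NET_ADMIN


def decode_caps(mask):
    """Return the set of capability names whose bit is set in mask."""
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def cap_eff_from_status(status_text):
    """Extract the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def missing_for(needed, mask):
    """Sorted list of capabilities in `needed` that `mask` does not grant."""
    return sorted(set(needed) - decode_caps(mask))


def explain(status_text):
    """Summarise what a task with this status text can and cannot do."""
    mask = cap_eff_from_status(status_text)
    return {
        "effective": sorted(decode_caps(mask)),
        "iptables_missing": missing_for(IPTABLES_NEEDS, mask),
        "apt_missing": missing_for(APT_NEEDS, mask),
    }


if __name__ == "__main__":
    for label, text in (("docker default", STATUS_DEFAULT),
                        ("--cap-drop ALL", STATUS_DROP_ALL),
                        ("--cap-add NET_ADMIN", STATUS_NET_ADMIN)):
        print(label, explain(text))
    # Live check of the current process; only works on Linux.
    try:
        with open("/proc/self/status") as fh:
            print("this process", explain(fh.read()))
    except OSError:
        pass
```

Run it inside a container (docker exec into it and read /proc/1/status, or run the script there) to see exactly which bits a given --cap-add / --cap-drop combination left behind; the default set already contains NET_RAW but not NET_ADMIN, which is why iptables changes need the extra flag, and --cap-drop ALL removes SETUID/SETGID, which is what apt trips over.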
I've been working with Docker containers for a while now but can't figure out how to ping docker containers which are part of my host network.
So until now I created my containers specifying the name and network flags as described in many tutorials like: https://www.digitalocean.com/community/questions/how-to-ping-docker-container-from-another-container-by-name
Where I am able to create a network and afterwards run my containers in these networks, for example like:
docker run -d --name web1 --network testnetwork <image>
docker run -d --name web2 --network testnetwork <image>
That would enable me to ping my containers from each other with:
docker exec -it web1 bash # enter container
ping web2 # ping second container
Now I have to use a given application which only runs in the "host" network for now. To access this container from my other containers they have to be in the same network (== "host").
But it seems like I can't ping my containers from each other anymore. I'm also unable to ping my containers from my host machine using their name.
Did I overlook something?
Any help would be appreciated!
Best regards
If you set --network host, you basically disable Docker's entire networking stack. Among other things, that disables normal inter-container communications: if you're using host networking you can't call another container by its name. Host networking is very rarely necessary (and doesn't work well on some host platforms); the first thing I'd look at is whether you can switch back to standard (bridged) networking.
If you do run a container with --network host, it's indistinguishable from other processes running on that host. That means you can't directly send ICMP packets to it, any more than you can ping(1) your ssh daemon or Web browser. You need to connect to the container using the host's IP address or DNS name, even from other containers on the same host. "From inside of a Docker container, how do I connect to the localhost of the machine?" discusses several ways to do this.
(I don't think you can customize the behavior of Docker or Linux when a container receives an ICMP ECHO packet; ping(1) a container doesn't seem that useful.)
I have a basic question about Docker that is probably due to lack of knowledge on my part about networking. The Docker container networking documentation states:
By default, when you create a container, it does not publish any of its ports to the outside world. To make a port available to services outside of Docker, or to Docker containers which are not connected to the container’s network, use the --publish or -p flag. This creates a firewall rule which maps a container port to a port on the Docker host.
It sounds like, when you install a container on your computer without mapping any ports from the container to the host machine, the container should not be able to access the internet. However, for example, I install the Ubuntu container with:
docker pull ubuntu
Then I enter the container's command line with:
docker run -ti ubuntu bash
At that point, I can run apt-get update and the container starts pulling information from the internet without mapping any ports (e.g. -p 80:80). How is this possible?
Publishing a port allows machines external to the docker host to access the container, inbound connectivity. By default, containers can access the network with outbound connectivity.
To restrict a container from accessing the network, you can either run the container with no network (note: this still creates a loopback interface, and you can later connect it to another network):
docker run --net none ...
Or you can create a network with the --internal option and run containers on that network:
docker network create --internal internal
docker run --net internal ...
The internal network is created without a gateway interface on the bridge network.
When they talk about publishing ports, they mean inbound ports.
Outbound ports work - depending on your network type - see here for more:
https://docs.docker.com/network/
I have a program which has two mandatory arguments, -d and -t, both of which bind to a specific network device (IP address), i.e.: ./myprogram -d 172.17.0.2 -t 172.17.0.3, and they can't be the same.
Now I need to run this program in a docker container. How could I configure the container so that I can run this program inside the container and, for the peer endpoint, it is the same as if I ran this program on the host?
Thanks!
If your container needs to access your network device, you need to share the network devices:
docker run --net=host ...
Extract from
docs.docker.com/engine/reference/run/#ipc-settings---ipc
Network: host: With the network set to host, a container will share the host's network stack and all interfaces from the host will be available to the container.
An example, extracted from this image using nethogs for network monitoring:
https://hub.docker.com/r/k3ck3c/nethogs/
docker run -it --net=host --rm k3ck3c/nethogs
I want to set up a VPN with a docker container. I found a popular image, mobtitude/vpn-pptp.
These are the start options.
# docker run -d --privileged -p 1723:1723 -v {local_path_to_chap_secrets}:/etc/ppp/chap-secrets mobtitude/vpn-pptp
I am confused why the --privileged flag is added.
Some quotes from the Docker official references:
By default, Docker containers are "unprivileged" and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a "privileged" container is given access to all devices (see the documentation on cgroups devices).
When the operator executes docker run --privileged, Docker will enable access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host. Additional information about running with --privileged is available on the Docker Blog.
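Every question on this page turns on the same three knobs: the network mode (--net=host, --net none, or an --internal network, as the earlier answer on outbound connectivity explains), added capabilities (--cap-add=NET_ADMIN and friends), and --privileged as used by the vpn-pptp command above. The following is an added example, not code from the question or from the mobtitude/vpn-pptp image: a small audit script that reads the JSON printed by docker inspect and docker network inspect and reports, per container, its outbound reach and any host-exposure findings. The field names it reads (HostConfig.Privileged, CapAdd, NetworkMode, PidMode, NetworkSettings.Networks on containers, and Internal on networks) are the ones Docker emits; the embedded JSON is constructed and trimmed to those fields, and the container and network names are invented.

```python
"""Audit docker inspect / docker network inspect JSON for host exposure.

Added example, not from the thread. The embedded JSON is constructed and
trimmed to the Docker-emitted fields this script reads.
"""
import json

# Constructed `docker inspect <containers...>` output (trimmed).
CONTAINERS_JSON = """[
 {"Name": "/fail2ban",
  "HostConfig": {"Privileged": false, "CapAdd": ["NET_ADMIN", "NET_RAW"],
                 "NetworkMode": "host", "PidMode": ""},
  "NetworkSettings": {"Networks": {"host": {}}}},
 {"Name": "/vpn-pptp",
  "HostConfig": {"Privileged": true, "CapAdd": null,
                 "NetworkMode": "default", "PidMode": ""},
  "NetworkSettings": {"Networks": {"bridge": {}}}},
 {"Name": "/worker",
  "HostConfig": {"Privileged": false, "CapAdd": null,
                 "NetworkMode": "backend", "PidMode": ""},
  "NetworkSettings": {"Networks": {"backend": {}}}},
 {"Name": "/batch",
  "HostConfig": {"Privileged": false, "CapAdd": null,
                 "NetworkMode": "none", "PidMode": ""},
  "NetworkSettings": {"Networks": {"none": {}}}},
 {"Name": "/helper",
  "HostConfig": {"Privileged": false, "CapAdd": ["sys_admin"],
                 "NetworkMode": "container:abc123", "PidMode": "container:abc123"},
  "NetworkSettings": {"Networks": {}}}
]"""

# Constructed `docker network inspect $(docker network ls -q)` output (trimmed).
NETWORKS_JSON = """[
 {"Name": "bridge", "Internal": false},
 {"Name": "host", "Internal": false},
 {"Name": "none", "Internal": false},
 {"Name": "backend", "Internal": true}
]"""


def norm_cap(name):
    """Docker accepts NET_ADMIN, net_admin or CAP_NET_ADMIN; compare on one form."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def egress(container, internal_networks):
    """Classify outbound reach from the network mode and attached networks."""
    mode = container["HostConfig"]["NetworkMode"]
    if mode == "host":
        return "host-stack"
    if mode == "none":
        return "none"  # loopback only, as the earlier answer notes
    if mode.startswith("container:"):
        return "shared-with:" + mode.split(":", 1)[1]
    nets = set(container["NetworkSettings"]["Networks"])
    if nets and nets <= internal_networks:
        return "internal-only"  # no gateway on the bridge, so no outbound
    return "outbound"


def audit(containers, networks):
    """Map container name -> {'egress': ..., 'findings': [...]}."""
    internal = {n["Name"] for n in networks if n.get("Internal")}
    report = {}
    for c in containers:
        hc = c["HostConfig"]
        caps = {norm_cap(x) for x in (hc.get("CapAdd") or [])}
        net_caps = caps & {"NET_ADMIN", "NET_RAW"}
        findings = []
        if hc.get("Privileged"):
            findings.append("privileged: all host devices, AppArmor/SELinux relaxed")
        if "SYS_ADMIN" in caps:
            findings.append("CAP_SYS_ADMIN added (very broad capability)")
        if net_caps:
            findings.append("network caps added: " + ", ".join(sorted(net_caps)))
        if hc.get("NetworkMode") == "host":
            findings.append("host network: shares the host stack; iptables edits apply host-wide")
        if hc.get("PidMode"):
            findings.append("shares PID namespace: " + hc["PidMode"])
        report[c["Name"].lstrip("/")] = {"egress": egress(c, internal), "findings": findings}
    return report


def audit_json(containers_json=CONTAINERS_JSON, networks_json=NETWORKS_JSON):
    """Convenience wrapper: feed it the raw text of the two docker commands."""
    return audit(json.loads(containers_json), json.loads(networks_json))


if __name__ == "__main__":
    for name, row in audit_json().items():
        print(f"{name:10} egress={row['egress']:20} {'; '.join(row['findings']) or '-'}")
```

Against a real host, pipe `docker inspect $(docker ps -q)` and `docker network inspect $(docker network ls -q)` into audit_json; a fail2ban container that legitimately needs --net=host plus NET_ADMIN shows up with those two findings and nothing else, while a container like the pptp one above that was started with --privileged stands out even though it has no other host-level sharing.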