I want to run a docker container in my server, and expose a specific port to other server in the same intranet. But I don't want my container can be accessed by internet outside.
Is there any solution for my situation?
Any help will be appreciated.
If your host computer is running on Windows, you can configure firewall to allow that specific port to be accessed only from that machine.
Another option is to configure boot2docker (via iptables) to restrict access only to specific IP address. But I think it works only for the current session: you have to edit boot2docker image and add it to be used permanently. And the drawback is that all docker images running in docker inside boot2docker would be affected with this change.
So, my suggestion is to restrict access on host computer side, such as:
c:\>boot2docker init
c:\>boot2docker up
c:\>boot2docker ssh -L 0.0.0.0:8080:localhost:8080
docker#boot2docker:~$ docker run -p 8080:8080 myContainer
And restrict port 8080 on firewall level of your host computer.
Related
I just set up a Docker Container with the Docker Toolbox and ran jupyter notebook inside the container using
docker run --name container -v %somedirectory%:%someotherdir% -d -p 127.0.0.1:8888:8888 quay.io/fenicsproject/stable:2017.2.0 'jupyter-notebook --ip=0.0.0.0'
Afterwards I can check the log of the container to see the URL and token that jupyter notebook created.
If I now go ahead and copy the link to my browser, it won't be able to connect to localhost. Accessing 127.0.0.1 does not work either.
Since the Docker Toolbox relies on Virtual Box VMs, I also tried to use the IP address of the VM, in this case 192.168.99.100:2376. According to the Kitematic UI, this is the IP:Port combination that is being published by the docker-machine and indeed this does not lead to a generic connection error. Instead the browser's output is:
Client sent an HTTP request to an HTTPS server.
I don't really know what to do from this point on. What does this "error" mean? Does it even make sense to use the VM's IP address? And most importlanty: what else can I do in order to finally get access to the jupyter notebook?
PS: I also tried the suggestions made in the threads Can't access jupyter notebook from docker and Access Jupyter notebook running on Docker container and couldn't make any of them work unfortunately.
I hope someone can help, thank you very much in advance.
You need to do two things to make this work:
Remove the 127.0.0.1 part of the port mapping; docker run -p 8888:8888 ...
Connect to the docker-machine ip address with the published port; http://192.168.99.100:8888.
Docker Toolbox runs Docker in a separate Linux virtual machine. Any docker run -p options will get interpreted from the point of view of that VM. If you docker run -p 127.0.0.1:... then the published port will be bound to the VM's lo0 localhost interface, so it won't be reachable from outside the VM.
Once you have the port published, you need to connect to that specific port. Port 2376 is typically the port to reach the Docker daemon inside the VM, with mutual TLS security; you only need this for manual docker commands. To reach services running inside the VM you need to connect to the published port (the first number in the docker run -p option).
I have a process running on a host that needs to communicate with a docker and I want it to be done by some parameter that can't change (like docker name or host name) unlike IP (prefer not to make the IP of the docker static or install external dockers for this).
I'm aware that dockers can resolve addressees by name in a private network and that's what I want but not between dockers but between process running on the host and docker.
couldn't find a solution, can it be done ?
Edit:
I'm not allowed to use host network and open additional ports on the host for security reasons.
You're welcome to choose the way which fits your needs better.
Option 1. Use host's networking. In this case Docker does not create separate net for container and you connect to container's services as if they would run on your host:
docker run --network=host <image_name>
Drawback of this approach - low isolation and thus security. You dont need to expose any ports here - if service listens on 8080, just open localhost:8080 and enjoy.
Second approach is more correct - you expose (somehow forward) internal ports in container and map them onto ports in the host.
docker run -p 8080:80 <image_name>
This will map port 80 from container to port 8080 on the host. As in previous example, you still connect using localhost, e.g. localhost:8080.
How to access or connect to a process running on docker on host A from a remote host B
consider a Host A with ip 192.168.0.3 which is running a application on docker on port 3999 .
If i want to access that application from remote machine with IP 192.168.0.4 in same subnet.
To be precise i am running Kafka producer on the server and i am trying to receive using Kafka-console-Consumer.
Use --net=host to run your container and it'll use the host's network stack, then you can connect to the application running inside container like it's running on host directly.
Port mapping, use option -p to map the port inside your container to a port of your host. e.g. docker run -d -p <container port>:<host port> <image>, then you can connect to <host>:<host port> to connect your application inside container
Docker's built-in multi-host network. In early releases the network driver is isolated from docker's core, you have to use 3rd party tools like flannel or weave for multi-host connection, but from release 1.9, it has been merged into docker. You can follow it's guide to set it up.
Hope this is helpful :-)
First you need to bind docker container's port to the Host A:
docker run -d -p 3999:3999 kafka-producer
Then you need to access Host A from Host B using IP:Port
192.168.0.3:3999
What could be the reason for Docker containers not being able to connect via ports to the host system?
Specifically, I'm trying to connect to a MySQL server that is running on the Docker host machine (172.17.0.1 on the Docker bridge). However, for some reason port 3306 is always closed.
The steps to reproduce are pretty simple:
Configure MySQL (or any service) to listen on 0.0.0.0 (bind-address=0.0.0.0 in ~/.my.cnf)
run
$ docker run -it alpine sh
# apk add --update nmap
# nmap -p 3306 172.17.0.1
That's it. No matter what I do it will always show
PORT STATE SERVICE
3306/tcp closed mysql
I've tried the same with an ubuntu image, a Windows host machine, and other ports as well.
I'd like to avoid --net=host if possible, simply to make proper use of containerization.
It turns out the IPs weren't correct. There was nothing blocking the ports and the services were running fine too. ping and nmap showed the IP as online but for some reason it wasn't the host system.
Lesson learned: don't rely on route in the container to return the correct host address. Instead check ifconfig or ipconfig on the Linux or Windows host respectively and pass this IP via environment variables.
Right now I'm transitioning to using docker-compose and have put all required services into containers, so the host system doesn't need to get involved and I can simply rely on Docker's DNS. This is much more satisfying.
I have installed docker on a CentOS machine. Now I am trying to run a MapR sandbox on it. After starting I get this:
Starting MapR Services.................
To manage this node go to: https://172.17.0.13:8443
But I am not able to access this URL from the windows machine in the same network as the CentOS machine.
This is an internal docker network inaccessible outside of the box. In order to access this container you need:
EXPOSE command in container (most likely it is already there)
run container with -p option
If you just specify -p port will be random - you could find it with inspect command, or you could use permanent port -p hostIp:externalPort:8443 where hostIp is address of your docker host.
After that you could access container from network as https://hostIp:externalPort