A couple of useful links:
https://github.com/wsargent/docker-cheat-sheet
https://blog.docker.com/2013/10/docker-0-6-5-links-container-naming-advanced-port-redirects-host-integration/
Also figured out where the interesting docker names come from:
https://github.com/docker/docker/blob/master/pkg/namesgenerator/names-generator.go
BTW, the file has a lot of comments in it with some Easter-egg kind of info.
https://docs.docker.com/engine/reference/commandline/attach/
You can create your own names using --name foo as in "docker run --name test -it alpine /bin/sh".
Resuming from Part 4….
First thing, I just simply didn't have it in me to continue to use a complete /16. So:
docker network create -d bridge --subnet 172.16.2.0/24 docker2
nelson@lab1:~$ docker network ls
NETWORK ID NAME DRIVER
5ef6f5f7f40f bridge bridge
11f4ac20d39d docker1 bridge
5d150019b8a9 docker2 bridge
d1a03332c0c1 host host
91b70cf2593b none null
I feel so much better…..
Also, I updated the Ubuntu system and rebooted it, so I'm going to need to recreate the containers I'm playing with.
Now that I know how to name the docker containers, I can re-create the lab setup rapidly with the following commands:
docker run --name=test1 --net=docker1 -it alpine /bin/sh
docker run --name=test2 --net=docker1 -it alpine /bin/sh
docker run --name=test3 --net=docker2 -it alpine /bin/sh
nelson@lab1:~$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
9f9a5604108b        alpine              "/bin/sh"           2 minutes ago       Up 2 minutes                            test3
61acf893dac5        alpine              "/bin/sh"           2 minutes ago       Up 2 minutes                            test2
b501988db295        alpine              "/bin/sh"           3 minutes ago       Up 2 minutes                            test1
[Figure: Docker revised containers and networks]
From test1 to test3:
/ # ping 172.16.2.2
PING 172.16.2.2 (172.16.2.2): 56 data bytes
^C
--- 172.16.2.2 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss
/ # ping 172.16.1.2
PING 172.16.1.2 (172.16.1.2): 56 data bytes
^C
--- 172.16.1.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
What does it take to get the containers to be able to talk to each other?
https://docs.docker.com/v1.8/articles/networking/ -> search "Communication between containers"
There's a nice section on the rules there, but basically the iptables isolation can be turned off by passing --iptables=false to the Docker daemon at start.
Be aware: this is not considered a secure way of allowing containers to communicate. Look up --icc=true and https://docs.docker.com/v1.8/userguide/dockerlinks/
Before:
nelson@lab1:/etc/default$ sudo iptables -L -n
[sudo] password for nelson:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (3 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
Insert the following line in /etc/default/docker using your favorite editor:
#nelson - remove iptables remove masquerade
DOCKER_OPTS="--iptables=false --ip-masq=false"
Rebooting - in too much of a hurry to figure out iptables right now.
Update: sudo iptables -F -t nat flushes the nat table, and sudo iptables -F -t filter flushes the filter table.
Then re-start and re-attach the containers in each putty window:
/ #
nelson@lab1:~$ docker start test1
test3
nelson@lab1:~$ docker attach test1
/ #
/ # ifconfig -a
eth0      Link encap:Ethernet  HWaddr 02:42:AC:10:01:02
          inet addr:172.16.1.2  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::42:acff:fe10:102%32734/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5361 (5.2 KiB)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1%32734/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
nelson@lab1:~$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
/ # ping 172.16.2.2
PING 172.16.2.2 (172.16.2.2): 56 data bytes
64 bytes from 172.16.2.2: seq=0 ttl=63 time=0.163 ms
64 bytes from 172.16.2.2: seq=1 ttl=63 time=0.138 ms
64 bytes from 172.16.2.2: seq=2 ttl=63 time=0.133 ms
^C
--- 172.16.2.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.133/0.144/0.163 ms
/ # ping 172.16.1.2
PING 172.16.1.2 (172.16.1.2): 56 data bytes
64 bytes from 172.16.1.2: seq=0 ttl=63 time=0.280 ms
64 bytes from 172.16.1.2: seq=1 ttl=63 time=0.126 ms
64 bytes from 172.16.1.2: seq=2 ttl=63 time=0.136 ms
64 bytes from 172.16.1.2: seq=3 ttl=63 time=0.129 ms
64 bytes from 172.16.1.2: seq=4 ttl=63 time=0.139 ms
^C
--- 172.16.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.126/0.162/0.280 ms
Update: from here on, all isolation rules must be written explicitly in iptables.
Make sure the FORWARD DROP rules provide all of the required isolation; think direction AND address range.
This method may be very useful if the network area is behind a sufficient perimeter.
Host routes for specific networks could be applied for connectivity.
A routing function on the host would be used for communicating with the outside world. Look at:
http://www.admin-magazine.com/Articles/Routing-with-Quagga
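With --iptables=false Docker no longer installs its DOCKER-ISOLATION chain, so the FORWARD chain (policy ACCEPT, as shown above) forwards everything between the bridges. The following added example (mine, not from the original post) rebuilds that isolation by hand for the docker1 and docker2 subnets, covering both direction and address range: docker1 may open TCP connections to one port on docker2, replies come back via conntrack, and everything else between the two ranges is dropped. ALLOW_PORT and the chain name CONTAINER-ISOLATION are constructed values.

```shell
#!/bin/sh
# Added example, not from the original post. Manual replacement for
# DOCKER-ISOLATION when the daemon runs with --iptables=false.
# Assumptions: subnets are the post's docker1/docker2; ALLOW_PORT and
# the chain name are constructed here.

NET1=172.16.1.0/24     # docker1 subnet (from the post)
NET2=172.16.2.0/24     # docker2 subnet (from the post)
ALLOW_PORT=8080        # constructed: the only docker2 service docker1 may reach
CHAIN=CONTAINER-ISOLATION

# isolation_rules PREFIX: emit the iptables commands, each prefixed by PREFIX.
# "echo" gives a dry run you can review; "sudo" applies them on the host.
isolation_rules() {
    run=$1
    # Dedicated chain consulted first from FORWARD, like Docker's own layout.
    $run iptables -N "$CHAIN"
    $run iptables -I FORWARD 1 -j "$CHAIN"
    # 1. Replies to already-accepted flows, in both directions.
    $run iptables -A "$CHAIN" -s "$NET1" -d "$NET2" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $run iptables -A "$CHAIN" -s "$NET2" -d "$NET1" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # 2. The one permitted direction: new TCP flows docker1 -> docker2:ALLOW_PORT.
    $run iptables -A "$CHAIN" -s "$NET1" -d "$NET2" -p tcp --dport "$ALLOW_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # 3. Everything else between the two ranges, both directions, is dropped.
    #    Packets not between these ranges fall through to FORWARD's policy.
    $run iptables -A "$CHAIN" -s "$NET1" -d "$NET2" -j DROP
    $run iptables -A "$CHAIN" -s "$NET2" -d "$NET1" -j DROP
    $run iptables -A "$CHAIN" -j RETURN
}

# drop_rules_last: confirm the DROPs come after the ACCEPTs. First match wins,
# so a DROP placed earlier would silently kill the one allowed flow.
drop_rules_last() {
    rules=$(isolation_rules echo)
    last_accept=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    first_drop=$(printf '%s\n' "$rules" | grep -n -- '-j DROP' | head -n 1 | cut -d: -f1)
    [ "$first_drop" -gt "$last_accept" ]
}

# Dry run: print the commands instead of applying them.
isolation_rules echo
```

Review the printed commands, then run `isolation_rules sudo` on the host and re-check with `sudo iptables -L FORWARD -n` that the jump to CONTAINER-ISOLATION is the first FORWARD rule.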
Then I commented out (#) the DOCKER_OPTS line in /etc/default/docker and rebooted.
Once again all is right with the world.
nelson@lab1:~$ sudo iptables -L -n
[sudo] password for nelson:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (3 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
nelson@lab1:~$
I found it really hard to understand, I need to check for more details or consult my mentor to get this stuff. Anyways, thanks for sharing it here