A couple of useful links:
https://github.com/wsargent/docker-cheat-sheet
https://blog.docker.com/2013/10/docker-0-6-5-links-container-naming-advanced-port-redirects-host-integration/
Also figured out where the interesting docker names come from:
https://github.com/docker/docker/blob/master/pkg/namesgenerator/names-generator.go
BTW, there are a lot of comments (REMs) in that file with some Easter-egg-style info in them.
https://docs.docker.com/engine/reference/commandline/attach/
You can create your own names using --name foo as in "docker run --name test -it alpine /bin/sh".
Resuming from Part 4….
First thing, I just simply didn't have it in me to continue to use a complete /16. So:
docker network create -d bridge --subnet 172.16.2.0/24 docker2
nelson@lab1:~$ docker network ls
NETWORK ID          NAME                DRIVER
5ef6f5f7f40f        bridge              bridge
11f4ac20d39d        docker1             bridge
5d150019b8a9        docker2             bridge
d1a03332c0c1        host                host
91b70cf2593b        none                null
I feel so much better…
Also, I updated the Ubuntu system and rebooted it, so I'm going to need to recreate the containers I'm playing with.
Now that I know how to name the docker containers, I can re-create the lab setup rapidly with the following commands:
docker run --name=test1 --net=docker1 -it alpine /bin/sh
docker run --name=test2 --net=docker1 -it alpine /bin/sh
docker run --name=test3 --net=docker2 -it alpine /bin/sh
nelson@lab1:~$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
9f9a5604108b        alpine              "/bin/sh"           2 minutes ago       Up 2 minutes                            test3
61acf893dac5        alpine              "/bin/sh"           2 minutes ago       Up 2 minutes                            test2
b501988db295        alpine              "/bin/sh"           3 minutes ago       Up 2 minutes                            test1
[Figure: Docker revised containers and networks]
From test1 to test3:
/ # ping 172.16.2.2
PING 172.16.2.2 (172.16.2.2): 56 data bytes
^C
--- 172.16.2.2 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss
/ # ping 172.16.1.2
PING 172.16.1.2 (172.16.1.2): 56 data bytes
^C
--- 172.16.1.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
What does it take to get the containers to be able to talk to each other?
https://docs.docker.com/v1.8/articles/networking/ -> search for "Communication between containers"
There's a nice section on the rules there, but basically Docker's rule management can be turned off entirely by starting the daemon with --iptables=false.
Be aware: this is not considered a secure way of allowing containers to communicate; it removes the isolation between bridge networks rather than selectively opening it. Look up --icc=true and https://docs.docker.com/v1.8/userguide/dockerlinks/
Before:
nelson@lab1:/etc/default$ sudo iptables -L -n
[sudo] password for nelson:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain DOCKER (3 references)
target     prot opt source               destination
Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
Add the following line to /etc/default/docker using your favorite editor:
#nelson - remove iptables remove masquerade
DOCKER_OPTS="--iptables=false --ip-masq=false"
Rebooting - in too much of a hurry to figure out iptables right now.
Update: the reboot can be avoided by flushing the rules Docker already installed:
sudo iptables -F -t nat      (flushes the nat table)
sudo iptables -F -t filter   (flushes the filter table)
Then restart and re-attach the containers in each PuTTY window.
nelson@lab1:~$ docker start test1
test3
nelson@lab1:~$ docker attach test1
/ #
/ # ifconfig -a
eth0      Link encap:Ethernet  HWaddr 02:42:AC:10:01:02
          inet addr:172.16.1.2  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::42:acff:fe10:102%32734/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5361 (5.2 KiB)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1%32734/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
nelson@lab1:~$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
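The difference between the two listings is the whole story: before, FORWARD jumps into DOCKER-ISOLATION, which DROPs traffic between the bridges; after, FORWARD has policy ACCEPT and no rules at all, so anything the kernel routes between br interfaces is forwarded. That state is easy to check for from a script, which is what the example below does. It is an added example, not code from the original post; the two dumps inside it are constructed, abbreviated versions of the before and after listings (fewer DROP lines, fewer ACCEPT lines), and the function names are my own.

```python
"""Parse `iptables -L -n` output and report whether Docker's inter-network
isolation is in place or whether FORWARD is wide open.  Added example for the
post above, not part of it; the dumps are constructed from its listings."""
import re
from typing import Dict, List

# Constructed dump modelled on the "Before" listing: Docker manages iptables,
# FORWARD jumps to DOCKER-ISOLATION, which drops traffic between the bridges.
DUMP_BEFORE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain DOCKER (1 references)
target     prot opt source               destination
Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed dump modelled on the listing after --iptables=false and a flush:
# every chain is empty and FORWARD's policy is ACCEPT.
DUMP_AFTER = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# "Chain FORWARD (policy ACCEPT)" or "Chain DOCKER (3 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")


def parse_iptables(dump: str) -> Dict[str, dict]:
    """Return {chain: {"policy": policy-or-None, "rules": [rule dicts]}}."""
    chains: Dict[str, dict] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or line.startswith("target"):
            continue  # column header, or text before the first chain
        fields = line.split(None, 5)  # target prot opt source destination [extra]
        if len(fields) < 5:
            continue
        target, prot, _opt, src, dst = fields[:5]
        chains[current]["rules"].append({
            "target": target, "prot": prot, "source": src,
            "destination": dst, "extra": fields[5] if len(fields) > 5 else "",
        })
    return chains


def assess_forward(chains: Dict[str, dict]) -> Dict[str, object]:
    """Summarise what the FORWARD chain does to container-to-container traffic."""
    fwd = chains.get("FORWARD", {"policy": None, "rules": []})
    jumps: List[str] = [r["target"] for r in fwd["rules"]]
    isolation = chains.get("DOCKER-ISOLATION")
    return {
        # Docker's own isolation is only effective if FORWARD actually jumps to it.
        "docker_isolation_hooked": isolation is not None and "DOCKER-ISOLATION" in jumps,
        "isolation_drop_rules": sum(1 for r in isolation["rules"] if r["target"] == "DROP") if isolation else 0,
        # ACCEPT policy with no rules: every routed packet between bridges is forwarded.
        "forward_wide_open": fwd["policy"] == "ACCEPT" and not fwd["rules"],
    }


if __name__ == "__main__":
    for label, dump in (("before", DUMP_BEFORE), ("after", DUMP_AFTER)):
        print(label, assess_forward(parse_iptables(dump)))
```

On a real host you would feed it `sudo iptables -L -n` output instead of the constructed dumps; a "forward_wide_open" result with containers on more than one bridge is the condition the rest of this post is about.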
/ # ping 172.16.2.2
PING 172.16.2.2 (172.16.2.2): 56 data bytes
64 bytes from 172.16.2.2: seq=0 ttl=63 time=0.163 ms
64 bytes from 172.16.2.2: seq=1 ttl=63 time=0.138 ms
64 bytes from 172.16.2.2: seq=2 ttl=63 time=0.133 ms
^C
--- 172.16.2.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.133/0.144/0.163 ms
/ # ping 172.16.1.2
PING 172.16.1.2 (172.16.1.2): 56 data bytes
64 bytes from 172.16.1.2: seq=0 ttl=63 time=0.280 ms
64 bytes from 172.16.1.2: seq=1 ttl=63 time=0.126 ms
64 bytes from 172.16.1.2: seq=2 ttl=63 time=0.136 ms
64 bytes from 172.16.1.2: seq=3 ttl=63 time=0.129 ms
64 bytes from 172.16.1.2: seq=4 ttl=63 time=0.139 ms
^C
--- 172.16.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.126/0.162/0.280 ms
Update: from here on, all isolation rules must be written explicitly in iptables, because Docker no longer installs any.
Make sure the FORWARD DROP rules provide all of the required isolation: think direction AND address range.
This method may be very useful if the network segment sits behind a sufficient perimeter.
Host routes for specific networks could be added for connectivity.
A routing function on the host would be used for communicating with the outside world. Look at:
http://www.admin-magazine.com/Articles/Routing-with-Quagga
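"Think direction AND address range" is the part people get wrong when they hand-roll this, so here is what an explicit policy for the two lab networks looks like when generated rather than typed. This is an added example, not from the original post: the chain name LAB-ISOLATION, the choice to let only docker1 open connections toward docker2, and the function names are assumptions for illustration. It generalises the two-network case to any number of bridge subnets with an allow-list of (source, destination) pairs; everything else between the listed ranges is dropped in both directions, while return traffic for permitted connections is let through by conntrack state.

```python
"""Generate an explicit FORWARD-chain isolation policy for Docker bridge
networks once the daemon runs with --iptables=false.  Added example, not from
the original post; chain name, allow-list and function names are assumptions."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed to match the post's two networks.
NETWORKS: Dict[str, str] = {"docker1": "172.16.1.0/24", "docker2": "172.16.2.0/24"}
# (source, destination) pairs allowed to open NEW connections; assumed policy.
ALLOWED: List[Tuple[str, str]] = [("docker1", "docker2")]
CHAIN = "LAB-ISOLATION"  # assumed chain name; any unused name works


def validate_networks(networks: Dict[str, str]) -> Dict[str, ipaddress.IPv4Network]:
    """Parse each CIDR strictly (host bits set is a typo, not a network) and
    refuse overlapping ranges: a DROP written for one overlapping network would
    silently cover part of another, so the address ranges must be disjoint."""
    parsed = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in networks.items()}
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                raise ValueError(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")
    return parsed


def isolation_rules(networks: Dict[str, str], allowed: List[Tuple[str, str]],
                    chain: str = CHAIN) -> List[str]:
    """Return the iptables commands, in the order they must be applied."""
    nets = validate_networks(networks)
    for src, dst in allowed:
        if src not in nets or dst not in nets or src == dst:
            raise ValueError(f"bad allow pair {src!r} -> {dst!r}")
    rules = [
        f"iptables -N {chain}",
        # Replies for connections that were permitted to start come first.
        f"iptables -A {chain} -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN",
    ]
    # Direction matters: an allow for docker1 -> docker2 lets docker1 initiate,
    # nothing more.  docker2 -> docker1 still needs its own entry if wanted.
    for src, dst in allowed:
        rules.append(f"iptables -A {chain} -s {nets[src]} -d {nets[dst]} "
                     f"-m conntrack --ctstate NEW -j RETURN")
    # Address range matters: every ordered pair of distinct networks gets a
    # DROP, so adding a third bridge later cannot quietly fall through.
    for src in nets:
        for dst in nets:
            if src != dst:
                rules.append(f"iptables -A {chain} -s {nets[src]} -d {nets[dst]} -j DROP")
    # Anything not between these ranges is not this chain's business.
    rules.append(f"iptables -A {chain} -j RETURN")
    # Hook the chain at the top of FORWARD so it is evaluated before anything else.
    rules.append(f"iptables -I FORWARD 1 -j {chain}")
    return rules


def policy_error(networks: Dict[str, str], allowed: List[Tuple[str, str]]) -> str:
    """Return "" if the policy is valid, else the validation error message."""
    try:
        isolation_rules(networks, allowed)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("\n".join(isolation_rules(NETWORKS, ALLOWED)))
```

Run it and paste the output into a root shell (or a script run at boot, since a reboot with --iptables=false leaves the tables empty); the generated order is the point, because a DROP appended before the RELATED,ESTABLISHED rule would break replies for the very connections you meant to allow.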
Then I commented out (REM'd) the DOCKER_OPTS statement in /etc/default/docker and rebooted.
Once again all is right with the world.
nelson@lab1:~$ sudo iptables -L -n
[sudo] password for nelson:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain DOCKER (3 references)
target     prot opt source               destination
Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
nelson@lab1:~$
I found it really hard to understand; I need to check for more details or consult my mentor to get this stuff. Anyways, thanks for sharing it here.