Exposing the docker network to the local network












This is a problem I've been trying to solve for some time now. I've tried as many resources as I could try, but nothing has yet worked for me. :/

Here's what I'm trying to tackle:

I want to be able to deploy Docker containers and access them from a machine that resides in the same local network. That means that the IP addresses that Docker hands out to the containers have to be reachable from a client computer on the same LAN as the computer that hosts Docker.

Ideally, people would just have to add a route that points to the Docker host as a gateway for the Docker network, like:

client@lan$ sudo route add -net <docker-network>/<mask> gw <docker-host>

And boom, they can access the containers just by typing their IP. This route can also be set up from the router, of course.

I've seen that network bridges help with this, but I could not get one to work this way.

How do you get all of this to work?







linux networking docker
















asked May 11 '17 at 18:03









iiPLD













  • That route you show above should not reside on the clients, but in your LAN router's routing table instead. If it is not in your LAN router, traffic to this net block will go to the default route (possibly the internet).

    – diametralpitch
    May 11 '17 at 19:32

  • Have you seen this one? stackoverflow.com/questions/25036895/…

    – diametralpitch
    May 11 '17 at 19:33

  • @diametralpitch I've read your link; the second answer is closer to what I'm looking for (bridging), but I can't get it to work. Do the containers linked to the bridge need to have an IP address on the same network as the LAN or not? My goal is that, without any intervention that goes further than the network setup, the containers that get created are given a unique IP address that people on my private network can access.

    – iiPLD
    May 12 '17 at 10:03





























3 Answers
If all you want to do is make sure applications in Docker containers are reachable by other hosts on the network, it would be easiest to set the Docker network mode to host:

docker run --net=host image/toRun:1.0

This will expose the ports in the image on the host's IP address (make sure to avoid port collisions).

















answered May 11 '17 at 19:53
mtak













  • Thanks for your reply, but this is not the solution I seek, because of port collisions. To give more details, I want to create a kind of "cloud" for my school, where students can create containers like they would buy a VPS or something alike. Therefore, I need every container that gets created to automatically get a unique IP on a private network (the school), in order for them to do whatever they would like with the "servers" they create without minding about NAT or stuff like this.

    – iiPLD
    May 12 '17 at 10:07



















Adding a route on the clients to reach your containers through the host should work as long as you enable IPv4 forwarding on your Docker host using:

sysctl -w net.ipv4.ip_forward=1

Be aware of the security implications, though, because without the proper firewall this will route traffic from any interface to any interface.

















answered May 14 '17 at 19:06
Martijn













  • Docker automatically sets this up when the daemon starts. Maybe walk me through how you set up the interfaces and configure Docker in order to get the behavior I'm desperately seeking; it would be of great help.

    – iiPLD
    May 14 '17 at 22:32



















This works if you configure the DOCKER-USER chain to ACCEPT traffic from "not the bridge adapter" to "the bridge adapter", optionally limited to a protocol and port like tcp port 80 (-p tcp --dport 80). This chain is called from the FORWARD chain in the filter table and it governs packets that are not destined to the (Docker) host, but routed through it.

Then the LAN router needs to be configured with a static route for the Docker network to be routed through the Docker host acting as a gateway. The router could do three things with this information:

  • Send ICMP REDIRECT packets for traffic destined to a container.
  • Hand out a static route in DHCP leases (option 121).
  • Route packets through the Docker host, but this leads to route asymmetry: client → router → host → container, whereas responses will go container → host → client.

Neither of these seems like a really attractive option to me.















edited Feb 18 at 23:00
answered Feb 18 at 18:09
j0057
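
Added example, not part of any answer above: a POSIX shell script that prints the DOCKER-USER rule the last answer describes beside a narrower set limited to one LAN interface, source subnet and port, which is the "proper firewall" the second answer asks for once forwarding is on. The interface names, subnets and port in the sample call are constructed, and the RELATED,ESTABLISHED and DROP rules are choices of this example, not something the answers specify.

```sh
#!/bin/sh
# Added example, not from the answers. The functions print iptables commands for
# review; nothing is applied. Interface names and subnets are caller-supplied.

# True if $1 is a port number in 1..65535 (no leading zero).
valid_port() {
    case $1 in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# True if $1 is a plausible interface name: 1-15 chars, no shell metacharacters.
valid_ifname() {
    case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# True if $1 has the shape a.b.c.d/len with len 0-32 (octet ranges are not checked).
valid_cidr() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# The rule as the answer words it, with no protocol or port limit: anything that
# does not arrive on the bridge may be forwarded to it, on every container port.
# Usage: broad_rule BRIDGE_IF
broad_rule() {
    valid_ifname "$1" || return 1
    printf 'iptables -I DOCKER-USER ! -i %s -o %s -j ACCEPT\n' "$1" "$1"
}

# Narrowed rule set: one ingress interface, one source subnet, one destination
# network, one protocol and port. A missing or invalid port is an error, so the
# function never silently falls back to the broad form.
# Usage: scoped_rules LAN_IF BRIDGE_IF LAN_NET DOCKER_NET PROTO PORT
scoped_rules() {
    lan_if=$1; bridge_if=$2; lan_net=$3; docker_net=$4; proto=$5; port=$6
    if ! valid_ifname "$lan_if" || ! valid_ifname "$bridge_if"; then
        echo "scoped_rules: bad interface name" >&2; return 1
    fi
    if ! valid_cidr "$lan_net" || ! valid_cidr "$docker_net"; then
        echo "scoped_rules: bad subnet" >&2; return 1
    fi
    case $proto in
        tcp|udp) ;;
        *) echo "scoped_rules: proto must be tcp or udp" >&2; return 1 ;;
    esac
    if ! valid_port "$port"; then
        echo "scoped_rules: a single port is required" >&2; return 1
    fi
    # 1: packets of connections that are already tracked, which includes replies
    #    to traffic the containers started themselves.
    printf 'iptables -I DOCKER-USER 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    # 2: the one service LAN clients may open connections to.
    printf 'iptables -I DOCKER-USER 2 -i %s -o %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$lan_if" "$bridge_if" "$lan_net" "$docker_net" "$proto" "$port"
    # 3: everything else from the LAN interface to the bridge is dropped before
    #    Docker's own chains run, ports published with -p included.
    printf 'iptables -I DOCKER-USER 3 -i %s -o %s -j DROP\n' "$lan_if" "$bridge_if"
}

# Constructed sample values: LAN 192.168.1.0/24 on eth0, Docker network
# 172.18.0.0/16 on docker0, a web server on tcp/80.
broad_rule docker0
scoped_rules eth0 docker0 192.168.1.0/24 172.18.0.0/16 tcp 80
```

The numbered inserts keep the three rules ahead of the RETURN rule that Docker places in DOCKER-USER; run the printed commands as root on the Docker host after reviewing them.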
