Exposing the docker network to the local network
This is a problem I've been trying to solve for some time now. I've tried as many resources as I could, but nothing has worked for me yet. :/
Here's what I'm trying to tackle:
I want to be able to deploy Docker containers and access them from a machine that resides in the same local network. That means that the IP addresses that Docker hands out to the containers have to be reachable from a client computer on the same LAN as the computer that hosts Docker.
Ideally, people would just have to add a route that points to the Docker host as a gateway for the Docker network, like:
client@lan$ sudo route add -net <docker-network>/<mask> gw <docker-host>
And boom, they can access the containers just by typing their IP. This route can also be set up from the router, of course.
I've seen that network bridges help with this, but I could not get one to work this way.
How do you get all of this to work?
linux networking docker
asked May 11 '17 at 18:03
iiPLD
That route you show above should not reside on the clients, but in your LAN router's routing table instead. If it is not in your LAN router, traffic to this net block will go to the default route (possibly the internet).
– diametralpitch
May 11 '17 at 19:32
Have you seen this one? stackoverflow.com/questions/25036895/…
– diametralpitch
May 11 '17 at 19:33
@diametralpitch I've read your link; the second answer is closer to what I'm looking for (bridging), but I can't get it to work. Do the containers linked to the bridge need to have an IP address on the same network as the LAN or not? My goal is that, without any intervention that goes further than the network setup, the containers that get created are given a unique IP address that people on my private network can access.
– iiPLD
May 12 '17 at 10:03
3 Answers
If all you want to do is make sure applications in Docker containers are reachable by other hosts on the network, it would be easiest to set the Docker network mode to host:
docker run --net=host image/toRun:1.0
This will expose the ports in the image on the host's IP address (make sure to avoid port collisions)
answered May 11 '17 at 19:53
mtak
Thanks for your reply, but this is not the solution I seek, because of port collisions. To give more details, I want to create a kind of "cloud" for my school, where students can create containers like they would buy a VPS or something similar. Therefore, I need every container that gets created to automatically get a unique IP on a private network (the school), in order for them to do whatever they would like with the "servers" they create without minding about NAT or stuff like this.
– iiPLD
May 12 '17 at 10:07
Adding a route on the clients to reach your containers through the host should work as long as you enable IPv4 forwarding on your Docker host using:
sysctl -w net.ipv4.ip_forward=1
Be aware of the security implications, though, because without the proper firewall this will route traffic from any interface to any interface.
answered May 14 '17 at 19:06
Martijn
Docker automatically sets this up when the daemon starts. Maybe walk me through how you set up the interfaces and configure Docker in order to get the behavior I'm desperately seeking; it would be of great help.
– iiPLD
May 14 '17 at 22:32
This works if you configure the DOCKER-USER chain to ACCEPT traffic from "not the bridge adapter" to "the bridge adapter", optionally limited to a protocol and port like tcp port 80 (-p tcp --dport 80). This chain is called from the FORWARD chain in the filter table and it governs packets that are not destined to the (Docker) host, but routed through it.
Then the LAN router needs to be configured with a static route for the Docker network to be routed through the Docker host acting as a gateway. The router could do three things with this information:
- Send ICMP REDIRECT packets for traffic destined to a container.
- Hand out a static route in DHCP leases (option 121).
- Route packets through the Docker host, but this leads to route asymmetry: client → router → host → container, whereas responses will go container → host → client.
None of these seems like a really attractive option to me.
edited Feb 18 at 23:00
answered Feb 18 at 18:09
j0057
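The firewall caveat in Martijn's answer and the DOCKER-USER approach in j0057's answer, as an added example that is not part of the original thread: a dry-run generator that prints rules letting one LAN subnet reach containers on listed TCP ports and dropping other traffic forwarded into the bridge. The bridge name docker0, the subnets and the host address are assumed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not run) firewall and route
# commands; docker0, 172.17.0.0/16 and the 192.168.1.x values are assumptions.

# is_cidr A.B.C.D/LEN : succeed only for a well-formed IPv4 prefix, so that
# nothing else can end up inside a generated command line.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    rest=$addr.; count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        case "$octet" in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

is_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ifname() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# docker_user_rules LAN_CIDR BRIDGE_IF PORT...
# Explicit rule numbers keep the order fixed: -I without a number would push
# each new rule to the top and reverse the list.
docker_user_rules() {
    [ $# -ge 3 ] || { echo "usage: docker_user_rules LAN_CIDR BRIDGE PORT..." >&2; return 2; }
    lan=$1; br=$2; shift 2
    is_cidr "$lan"  || { echo "bad LAN prefix: $lan" >&2; return 2; }
    is_ifname "$br" || { echo "bad bridge name: $br" >&2; return 2; }
    for p in "$@"; do
        is_port "$p" || { echo "bad port: $p" >&2; return 2; }
    done
    n=1
    # 1. Replies to connections the containers opened themselves. Without this,
    #    the final DROP would cut off container-initiated outbound traffic.
    echo "iptables -I DOCKER-USER $n -o $br -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # 2. LAN clients to containers, one rule per allowed TCP port.
    for p in "$@"; do
        n=$((n + 1))
        echo "iptables -I DOCKER-USER $n ! -i $br -o $br -s $lan -p tcp --dport $p -j ACCEPT"
    done
    # 3. Everything else routed into the bridge is dropped. This also covers
    #    ports published with -p, because that traffic is forwarded as well.
    n=$((n + 1))
    echo "iptables -I DOCKER-USER $n ! -i $br -o $br -j DROP"
}

# lan_route_cmd DOCKER_NET DOCKER_HOST : the static route for the LAN router
# (or a client), with the Docker host as gateway.
lan_route_cmd() {
    is_cidr "$1" && is_cidr "$2/32" || { echo "bad route arguments" >&2; return 2; }
    echo "ip route add $1 via $2"
}

# Constructed sample run: LAN 192.168.1.0/24, Docker host 192.168.1.10.
docker_user_rules 192.168.1.0/24 docker0 80 443
lan_route_cmd 172.17.0.0/16 192.168.1.10
```

Review the printed commands before running them as root on the Docker host; the route line belongs on the LAN router or a client, not on the Docker host.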