Docker Community Forums

Share and learn in the Docker community.

HELP! Docker seems to listen on all IPs coming into the interface despite configuration [edit]

docker

(Badaei) #1

Hello,

How do I configure Docker to listen and respond over a specific IP attached to an interface device? If Docker listens to all IPs, it interferes with other services listening to specific IPs on the same host.

Thanks for any advice


(Badaei) #2

Inspecting the default docker0 network, I notice

“com.docker.network.bridge.host_binding_ipv4” : “0.0.0.0”

Which is presumable the setting causing it to bind to all networks. I believe I need to set this to the specific IP it should bind to.


(Badaei) #3

Also, when I run iptables --list I get this output

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

I’m not sure where these rules are configured or which to change


(Badaei) #4

I’ve also tried the following edit /etc/docker/daemon.json

{
  "ip" : "[ip address]"
}

To confirm, i inspect the network docker network inspect [id]

"Options": {
   "com.docker.network.bridge.host_binding_ipv4": "[ip address]",
   "com.docker.network.bridge.name": "docker0",
},

Yet somehow all docker0 is still responding other ips on the server


(Badaei) #5

Taking this a step further, I tried putting in a completely random IP that should fail, but the containers still succeed.

Here is the output of iptables --list perhaps this is useful to someone out there?

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

(Badaei) #6

From the docker manual

Or if you always want Docker port forwards to bind to one specific IP address, you can edit your system-wide Docker server settings and add the option --ip=IP_ADDRESS. Remember to restart your Docker server after editing this setting.

Isn’t daemon.json doing just that?


(David Maze) #7

Is including the interface’s IP address in docker run -p not working? docker run -p 10.20.30.40:8888:80?