Hello,
How do I configure Docker to listen and respond over a specific IP attached to an interface device? If Docker listens to all IPs, it interferes with other services listening to specific IPs on the same host.
Thanks for any advice
Inspecting the default docker0 network, I notice
"com.docker.network.bridge.host_binding_ipv4" : "0.0.0.0"
Which is presumably the setting causing it to bind to all networks. I believe I need to set this to the specific IP it should bind to.
Also, when I run iptables --list I get this output
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
…
I’m not sure where these rules are configured or which to change
I've also tried the following edit to /etc/docker/daemon.json
{
"ip" : "[ip address]"
}
To confirm, I inspect the network (docker network inspect [id])
"Options": {
"com.docker.network.bridge.host_binding_ipv4": "[ip address]",
"com.docker.network.bridge.name": "docker0",
},
Yet somehow docker0 is still responding on other IPs on the server.
Taking this a step further, I tried putting in a completely random IP that should fail, but the containers still succeed.
Here is the output of iptables --list; perhaps this is useful to someone out there?
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
From the docker manual:
Or if you always want Docker port forwards to bind to one specific IP address, you can edit your system-wide Docker server settings and add the option --ip=IP_ADDRESS. Remember to restart your Docker server after editing this setting.
Isn't daemon.json doing just that?
Is including the interface's IP address in docker run -p not working? docker run -p 10.20.30.40:8888:80?
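Whichever route is taken (the daemon-wide "ip" setting or an explicit -p IP:hostport:containerport), the thing worth verifying afterwards is which host address each published port actually ended up bound to. The following is an added shell check, not code from this thread or from Docker itself: it parses the Names and Ports columns of docker ps and lists any mapping still bound to the wildcard address; the sample lines are constructed.

```shell
#!/bin/sh
# Added example. Reads lines of the form produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# e.g.  web<TAB>0.0.0.0:8888->80/tcp, :::8888->80/tcp
# and prints "<name> <mapping>" for every published port whose host side
# is the IPv4 (0.0.0.0) or IPv6 (::) wildcard. Returns 1 if any were found,
# so it can gate a deployment check; 0 when every mapping names a specific IP.
wildcard_bindings() {
    found=$(awk 'BEGIN { FS = "\t" }
    NF >= 2 {
        n = split($2, maps, ", *")             # one entry per mapping
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m !~ /->/) continue            # "5432/tcp": exposed, not published
            host = m; sub(/->.*/, "", host)    # "0.0.0.0:8888" or ":::8888"
            ip = host; sub(/:[0-9]+$/, "", ip) # strip the host port
            if (ip == "0.0.0.0" || ip == "::" || ip == "[::]" || ip == "")
                print $1 " " m
        }
    }')
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Constructed sample in the docker ps column format (not real output):
# "web" publishes on both wildcards, "api" on one interface IP, "db" only exposes.
sample_ps() {
    printf 'web\t0.0.0.0:8888->80/tcp, :::8888->80/tcp\n'
    printf 'api\t10.20.30.40:9000->80/tcp\n'
    printf 'db\t5432/tcp\n'
}

# Stand-alone run over the sample; on a real host replace sample_ps with
#   docker ps --format '{{.Names}}\t{{.Ports}}'
if sample_ps | wildcard_bindings; then
    echo "all published ports are bound to a specific host IP"
else
    echo "the mappings above answer on every host address"
fi
```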