Running Docker With Outbound IP Firewalling

I am trying to deploy Docker inside a network with severe restrictions on outbound IP connectivity. The default is to deny all outbound IP traffic; trusted networks may be whitelisted one by one.

I’ve whitelisted port 5000 + http + https on Docker’s IP range (162.242.195.64/26) and apt-get installed lxc-docker from the official Docker package repo.

My first task is to install Docker Registry so we can have a private image repository. Following the instructions I write a config file and tell Docker to get then run the image.

root@box:~# docker run -i -p 5000 -v /srv/docker-registry:/srv/docker-registry -v /etc/docker-registry:/registry-conf -e DOCKER_REGISTRY_CONFIG=/registry-conf/config.yml registry
Unable to find image 'registry:latest' locally
latest: Pulling from registry

511136ea3c5a: Pulling fs layer
511136ea3c5a: Error pulling dependent layers
5f92234dcf1e: Pulling fs layer
.....
c55308716b36: Pulling fs layer
c55308716b36: Error pulling image (latest) from registry, endpoint: https://registry-1.docker.io/v1/, Server error: Status 0 while fetching image layer (511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158)
c55308716b36: Error pulling image (latest) from registry, Server error: Status 0 while fetching image layer (511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158)
FATA[0850] Error pulling image (latest) from registry, Server error: Status 0 while fetching image layer (511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158)

Docker fetches several fs layers but eventually fails with a network error.

I’ve tested network access to https://registry-1.docker.io/ and it is working:

root@box:~# curl https://registry-1.docker.io/
"docker-registry server (prod) (v0.8.2)"

And so my question: how can I find out what IPs and ports I need to whitelist for Docker to work in a heavily firewalled environment?

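One practical way to answer the question in the post above is to let the firewall tell you: log every outbound connection it drops while a docker pull runs, then aggregate the destinations and ports. The script below is an added example, not code from the original thread or from Docker. It assumes the host has an iptables LOG rule on the OUTPUT chain with the prefix "OUT-DROP: " in front of its final DROP (for example iptables -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUT-DROP: "), and that the already whitelisted range is the 162.242.195.64/26 mentioned in the post. The log lines and the 203.0.113.x / 198.51.100.x destinations are constructed for the example (documentation ranges), not Docker's real endpoints.

```python
"""Turn iptables OUT-DROP log lines into a candidate outbound whitelist.

Added example; assumes an iptables LOG rule with prefix "OUT-DROP: " on the
Docker host's OUTPUT chain. Sample log lines are constructed for the example.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Ranges already trusted (the post whitelisted 162.242.195.64/26). Hits inside
# these ranges mean a missing port, not a missing address.
KNOWN_RANGES = [ip_network("162.242.195.64/26")]

# Constructed sample kernel log: a docker pull behind a deny-all egress policy.
# Destinations are documentation addresses, not Docker's real infrastructure.
SAMPLE_LOG = """\
May  5 10:01:02 box kernel: OUT-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=162.242.195.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
May  5 10:01:02 box kernel: OUT-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
May  5 10:01:03 box kernel: OUT-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51236 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
May  5 10:01:03 box kernel: OUT-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.53 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=40001 DPT=53 LEN=44
May  5 10:01:04 box kernel: OUT-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=51237 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May  5 10:01:05 box kernel: unrelated message that must be ignored
"""

# Matches the fields we care about; SPT/DPT are optional so ICMP lines still parse.
LINE_RE = re.compile(
    r"OUT-DROP: .*?DST=(?P<dst>[0-9.]+) .*?PROTO=(?P<proto>[A-Z]+)"
    r"(?: SPT=\d+ DPT=(?P<dport>\d+))?"
)


def parse_denied(log_text):
    """Extract (dst_ip, proto, dport) from each OUT-DROP line; skip other lines."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dport = int(m.group("dport")) if m.group("dport") else None
        entries.append((m.group("dst"), m.group("proto"), dport))
    return entries


def aggregate(entries):
    """Count dropped connection attempts per (dst, proto, dport)."""
    return Counter(entries)


def classify(dst):
    """'known' if dst lies in an already-trusted range, otherwise 'new'."""
    addr = ip_address(dst)
    return "known" if any(addr in net for net in KNOWN_RANGES) else "new"


def whitelist_rules(counts, chain="OUTPUT"):
    """Render one iptables ACCEPT rule per observed destination/port, most-hit first.

    Returns a list of (rule, hits, classification) so the operator can review
    each candidate before applying it rather than opening everything blindly.
    """
    rules = []
    for (dst, proto, dport), hits in counts.most_common():
        rule = f"iptables -I {chain} -p {proto.lower()} -d {dst}/32"
        if dport is not None:
            rule += f" --dport {dport}"
        rule += " -j ACCEPT"
        rules.append((rule, hits, classify(dst)))
    return rules


if __name__ == "__main__":
    for rule, hits, cls in whitelist_rules(aggregate(parse_denied(SAMPLE_LOG))):
        print(f"{hits:3d} {cls:5s} {rule}")
```

Run it against the real kernel log (journalctl -k or /var/log/kern.log) captured while the failing pull is repeated. The symptom in the post (the index at registry-1.docker.io answers, the layer fetches fail) suggests layers are served from hosts outside the whitelisted range, which this method will surface; note also the UDP/53 entry in the sample, since a deny-all policy that forgets DNS breaks every pull before any registry traffic starts. Per-address /32 rules produced this way are a snapshot: endpoints behind load balancers or CDNs change addresses, so the capture needs to be re-run and the resulting rules reviewed rather than trusted permanently.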

Did you work this out? How? I'm having the same problem.

I’m having the same problem. Were you able to get this to work?

Sadly no; I had to resort to giving my Docker hosts an HTTP proxy to use for outbound access. From a security perspective this is not good; Docker really needs to offer better control for installations where outbound connectivity must be limited.