Unable to connect to container port with transparent network

Hi,

I’m currently looking at the transparent network capability of docker on 2016.

I have a 2016 VM set up in my virtual cluster that is running docker. Ideally I would like all my containers to be externally available and use my existing DHCP and DNS server.

I think I have successfully configured my transparent network in docker, as when I run a container (microsoft/iis) it gets an IP address. Plus, when I connect to the container I can resolve and successfully ping externally (google.com etc).

But for some reason I cannot access the container’s web server. Running a port scan shows that there are no ports open.

Initially I thought it was a firewall issue, that the container’s firewall was enabled and blocking everything.

Docker Version: 17.03.0-ee-1
Windows 2016: latest windows updates.

Docker Network
NETWORK ID          NAME                DRIVER              SCOPE
b039e4cc801a        Qxlva-Dev           transparent         local
90da8866a23c        nat                 nat                 local
eefdc4431852        none                null                local

Container
CONTAINER ID   IMAGE           COMMAND                CREATED       STATUS       PORTS    NAMES
0e940b51ecfe   microsoft/iis   "C:\ServiceMonitor…"   2 hours ago   Up 2 hours   80/tcp   iisdemo5

Container NetStat

Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:80             0e940b51ecfe:0         LISTENING

TCPConfig - Container

Windows IP Configuration

Host Name . . . . . . . . . . . . : 0e940b51ecfe
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter vEthernet (Container NIC 091eb89e):

Connection-specific DNS Suffix . : domain.local
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
Physical Address. . . . . . . . . : 00-15-5D-49-7D-C4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::192b:d9f9:d208:6b8c%22(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.166.166(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, April 4, 2017 3:12:24 PM
Lease Expires . . . . . . . . . . : Wednesday, April 12, 2017 3:12:24 PM
Default Gateway . . . . . . . . . : 192.168.166.254
DHCP Server . . . . . . . . . . . : 192.168.166.6
DNS Servers . . . . . . . . . . . : 192.168.166.6
NetBIOS over Tcpip. . . . . . . . : Disabled

@eleventhandy

So, from my understanding, you’re trying to access your containerized web instance via your container host and you are unable to. How did you configure the port mapping for your web instance? Did you run the container manually using the “-p” option? Or did you use EXPOSE in the Dockerfile or Compose file?

Well, I assumed that port 80 was exposed in the Dockerfile; I just pulled microsoft/iis from Docker Hub. I don’t think you can set the -p parameter when the network is transparent.

I will try creating my own dockerfile tomorrow and set the expose.

@eleventhandy

With a transparent network, there are a few ways you can handle exposed ports. To ensure firewall rules are automatically created, a simple way is to use the EXPOSE directive in your dockerfile, and to run your container with the “-P” argument (e.g. docker run -it -P --network MyTransparentNetwork iis-web-image). If you do this, things should work smoothly for you.

Can’t use -P

PS C:\Windows\system32> docker run --name=iisdemo5 -itd --net=Qxlva-Dev -P microsoft/iis cmd.exe
26ced8cbc965723e609d7eeed60a35613c9fb6f6650fe05a977c553880098132
C:\Program Files\Docker\docker.exe: Error response from daemon: failed to create endpoint iisdemo5 on network Qxlva-Dev: HNS failed with error : Port mapping is not supported on the given network.

OK, I think I have found the issue. It seems to be firewall related.

When using transparent mode, any exposed ports are not set up in the Windows firewall on the container host. It enables ICMP and DHCP etc. automatically for each container. I tried to create a rule for my exposed port (8161 in this case), but it didn’t work and I don’t know how to specify it for a specific container. I guess this is hidden away from you.

It works if I turn the firewall off, but I don’t really want to do that.

Think I might need to raise it as a docker issue?