Container port/service accessible from all host IPs with docker custom bridge linked to IPv4 alias on...
Good day all.
I have a question regarding Docker on a Synology NAS (Linux).
I have a Ubiquiti Unifi Controller container running on this NAS. (jacobalberti/unifi) This image needs specific ports to be available to the network for communicating to Unifi hardware. The idea is to make this container available through a different IP-address than the one where all the NAS services run behind.
I am not a network engineer and have limited knowledge of the possibilities and pitfalls regarding networking, but I did some research and found that there are a few possibilities:
- Map ports 1:1 to a host IP-address like:
docker run -p 192.168.1.3:8443:8443
- Create a docker bridge network and bind this to a specific host IP-address like:
docker network create --driver=bridge --gateway=10.0.0.1 \
  --subnet=10.0.0.0/24 --ip-range=10.0.0.2/24 \
  -o "com.docker.network.bridge.name"="br_UUC" \
  -o "com.docker.network.bridge.host_binding_ipv4"="192.168.1.3" UUC_bridge
I chose to create a bridge network, as this network shows up in the Synology Docker GUI and I can, this way, still manage the container in this GUI.
Following the creation of the new network, I can link the container to the bridge network UUC_bridge and do a 1:1 port mapping.
I expect to be able to access the container port 8443 behind IP-address 192.168.1.3, while the NAS host IP-address 192.168.1.2 has port 8443 still free, or used by another service.
Now I need a way to have the second IP address 192.169.1.3 on the host NIC. As I do not need isolated networking, I think VLANs are not the solution. I read that they would need a different docker network driver, too. (macvlan)
I created an alias on the NAS' NIC by executing the following command:
ifconfig eth0:0 192.168.1.3 up netmask 255.255.252.0 name UUC
(I do this before creating the docker bridge)
I know there are other ways to do this using ip address add, but the old way still works.
The networks show up as:
eth0 and eth0:0 ifconfig
UUC_bridge ifconfig
and the bridge config is:
docker network inspect UUC_bridge
Now to the problems I am facing:
In netstat I find an entry that looks like:
tcp6 0 0 :::8443 :::* LISTEN 0 6783321 -
Now it seems that, looking at the ifconfig output, the bridge is IPv6. I don't know how the IPv4 <> IPv6 linking works, but I would say it should not be a problem, because I told Docker that it should link the bridge to that one IPv4 address 192.168.1.3.
I can now access the UUC interface through 192.168.1.3:8443.
The thing is, that I can also access the same UUC interface through 192.168.1.2:8443. I do not want that, and I do not see why it would do this.
Maybe the UUC container uses 0.0.0.0 internally to expose 8443 to all (container)host interfaces, but I configured the bridge to just be linked to the 192.168.1.3 IPv4-address.
Does anybody know what I might be missing here?
The other problem that I am facing is that all the Synology services seem to use 0.0.0.0 as port binding IP, so all Synology services are available behind 192.168.1.3, too. Is there any way to remove the 192.168.1.3 address from the group of host IP-addresses that the 0.0.0.0 address of the NAS link to?
Many thanks in advance!
linux networking ip ipv6 docker
asked Nov 16 at 11:01
Lars Beugelaar
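A way to check the symptom described in the question, as an added example that is not part of the original post: it classifies `netstat -tln` listeners as wildcard (reachable on every host address) or bound to one address. The function names and every sample line except the `:::8443` entry quoted in the question are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tln` output. Only the :::8443 line is taken
# from the question; the other two listeners are made up for contrast.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.3:8080        0.0.0.0:*               LISTEN
tcp6       0      0 :::8443                 :::*                    LISTEN
EOF
}

# Read netstat output on stdin; print "<port> <scope> <address>" per listener.
#   wildcard = bound to 0.0.0.0 or ::, so it answers on every host address,
#              including an alias such as eth0:0.
#   specific = bound to exactly one address.
# A tcp6 "::" listener also accepts IPv4 connections on all host addresses
# when net.ipv6.bindv6only is 0, which is the usual Linux default.
classify_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            laddr = $4
            # The port follows the last colon; the address is what precedes it.
            n = split(laddr, parts, ":")
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            scope = (addr == "0.0.0.0" || addr == "::") ? "wildcard" : "specific"
            print port, scope, addr
        }'
}

# Exit status 0 if the given port has a wildcard listener, 1 otherwise.
port_is_wildcard() {
    classify_listeners | awk -v p="$1" '
        $1 == p && $2 == "wildcard" { found = 1 }
        END { exit !found }'
}

# On a real host: netstat -tln | classify_listeners
sample_netstat | classify_listeners
```

A port published only on 192.168.1.3 would show up as `specific` with that address; a `wildcard` entry for 8443 matches the behaviour the question describes, where the service answers on 192.168.1.2 as well.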