Setting up networking between containers and host.
Stunnel networking configuration:
The stunnel server is running in a Docker container. Here is the stunnel server configuration file:
# server config, # stunnel server will listen for stunnel clients connecting on port 443 # traffic will be decrypted and forwarded to local port 22 output = /var/log/stunnel4/stunnel.log cert = /etc/stunnel/stunnel.fullchain.pem key = /etc/stunnel/stunnel.key.pem pid = /var/run/stunnel4/stunnel.pid client = no [ssh] accept = 443 connect = 127.0.0.1:22
Note this is the same as is in the d-stunnel repo on git.charlesreid1.com: https://charlesreid1.com:3000/docker/d-stunnel
Binding Ports 443 and 22
Stunnel server listens on port 443 (internal). This is mapped to port 443 (external) on the host using the
-p 443:443 flag when executing docker run.
Stunnel forwards traffic on to 127.0.0.1 port 22. This port needs to be bound, somehow, to somewhere. Keep it simple: bind container port 22 (internal) to host port 22 (external) using
-p 22:22 when executing docker run.
Now the container should be started up, and stunnel should be run from within the container:
docker run \ --network=host \ -p 443:443 -p 22:22 \ -ti cmr_stunnel \ /bin/bash
Note: if you leave out the
--network=host flag, and you try and listen on port 22, you will see an error:
$ ./run_docker.sh docker: Error response from daemon: driver failed programming external connectivity on endpoint adoring_torvalds (53df66409442dab5e2a035d16238927ad004a34e410035878042a22f57af623f): Error starting userland proxy: listen tcp 0.0.0.0:22: bind: address already in use.
This is because you're asking the host to dedicate port 22 to listening to the Docker container, but there is already a service (SSH) running on the host, independent of Docker, that is listening for connections.
By specifying that the docker container should use the network host, you are avoiding the need for the host to listen on the network interface itself, and forward any traffic along to other ports. The host and container are simply utilizing the same port, on the same network interface. This allows the Docker container to communicate with the host using port 22 - the host is listening on port 22, and the docker container is forwarding traffic to port 22.
Checking Container Networking
Use two commands to check that the container has been correctly bound to the two ports:
$ nmap localhost $ netstat -tulpn
Here is what the output of nmap looks like after running the Docker container:
$ nmap localhost Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-30 23:27 UTC Nmap scan report for localhost (127.0.0.1) Host is up (0.00012s latency). Other addresses for localhost (not scanned): ::1 Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
And here is the output of the netstat command:
$ netstat -tulpn (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN - tcp6 0 0 :::80 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN -
Note that the SSH service is not run in a Docker container, it is run on the host machine.
Connecting to Container
Now set up an stunnel client to connect to the stunnel server and test out the port mapping:
$ cat stunnel.conf # client config, # will ssh directly to local port 2222 # ssh -p 2222 root@localhost # stunnel client connects to remote stunnel server at IP A.B.C.D over external port 443 output = /var/log/stunnel4/stunnel.log cert = /usr/local/etc/stunnel/fullchain.pem key = /usr/local/etc/stunnel/privkey.pem pid = /var/run/stunnel4/stunnel.pid client = yes [ssh] accept = 2222 connect = A.B.C.D:443
Now start stunnel on the client to establish a connection with the server:
(Make sure you check the error log and resolve any error messages that are printed. See Stunnel/Client for more.)
Once the stunnel connection is made, you should be able to connect to the remote server via a local port:
$ ssh -p 2222 root@localhost The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established. ECDSA key fingerprint is SHA256:9DL2ohTkZFI9oaqUtMlA5X7gTJW/mmWbC+z7DyrZHzo. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts. root@localhost's password: Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.9.7-x86_64-linode80 x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage Last login: Wed Mar 29 06:44:50 2017 from 127.0.0.1 root@localhost:~# ifconfig <shows IP config information for remote stunnel server>
Network Equals Host Flag
Note that you can also configure the container to share networks with the host, by adding
--network=host when executing docker run.
dockernotes on the virtual microservice container platform
Installing the docker platform: Docker/Installing
Docker Hello World: Docker/Hello World
Creating Docker Containers:
Getting docker containers from docker hub: Docker/Dockerhub
Creating docker containers with dockerfiles: Docker/Dockerfiles
Managing Dockerfiles using git: Docker/Dockerfiles/Git
Running Docker Containers:
Running docker containers: Docker/Basics
Dealing with volumes in Docker images: Docker/Volumes
Removing Docker images: Docker/Removing Images
Rsync Docker Container: Docker/Rsync
Networking with Docker Containers:
Flags · Template:DockerFlag · e
docker podspods are groups of docker containers that travel together
Docker pods are collections of Docker containers that are intended to run in concert for various applications.
Wireless Sensor Data Acquisition Pod
The wireless sensor data acquisition pod deploys containers
This pod uses the following technologies:
Deep Learning Pod
This pod utilizes the following technologies:
Flags · Template:DockerPodsFlag · e