https://bugzilla.redhat.com/show_bug.cgi?id=1045173
Bug ID: 1045173
Summary: Accessing Docker containers from outside network - adding firewall exceptions problem
Product: Fedora EPEL
Version: el6
Component: docker-io
Assignee: lsm5@redhat.com
Reporter: ajinkya@ajinkyakulkarni.com
QA Contact: extras-qa@fedoraproject.org
CC: golang@lists.fedoraproject.org, lsm5@redhat.com, mattdm@redhat.com, mgoldman@redhat.com, skottler@redhat.com, vbatts@redhat.com

I am using Docker 0.7.0 to create containers on Red Hat Enterprise Linux 6.5. When the firewall is turned off, containers can talk to the outside world, but when the firewall is on, the container cannot be accessed from outside.
This is how I am running Docker and mapping a port from the host to the container:
$ docker run -i -t -p 3838:3838 shiny "shiny-server"
Without the firewall, I can access the Node.js server running inside a container on port 3838 from the outside network as http://servername:3838, but not with the firewall turned on.
These are my default firewall rules:
==============================================
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
==============================================
I have tried opening port 3838 by adding the rule below, but it does not work:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3838 -j ACCEPT
Docker is creating a virtual NAT on the host machine; I feel that somehow the firewall is blocking packet forwarding from eth0 to docker0.
This is the output of $ ifconfig (I have masked the server IP):
docker0   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::87d:8dff:fed0:f16d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:408321 errors:0 dropped:0 overruns:0 frame:0
          TX packets:681809 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:126511933 (120.6 MiB)  TX bytes:924200959 (881.3 MiB)

eth0      Link encap:Ethernet  HWaddr 00:25:64:A8:5B:8F
          inet addr:XXX.XXX.XXX.XXX  Bcast:XXX.XXX.XXX.XXX  Mask:255.255.240.0
          inet6 addr: XXXX::XXX:XXXX:XXXX:XXXX/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29786186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1137982 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4209047011 (3.9 GiB)  TX bytes:234657696 (223.7 MiB)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8444 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4701771 (4.4 MiB)  TX bytes:4701771 (4.4 MiB)
Output of $ docker version:
Client version: 0.7.0
Go version (client): go1.1.2
Git commit (client): 0ff9bc1/0.7.0
Server version: 0.7.0
Git commit (server): 0ff9bc1/0.7.0
Go version (server): go1.1.2
Last stable version: 0.7.2, please update docker

Output of $ docker info:
Containers: 321
Images: 278
Driver: devicemapper
 Pool Name: docker-8:17-13239310-pool
 Data file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata file: /var/lib/docker/devicemapper/devicemapper/metadata
 Data Space Used: 56464.5 Mb
 Data Space Total: 102400.0 Mb
 Metadata Space Used: 59.5 Mb
 Metadata Space Total: 2048.0 Mb
I need help in making Docker containers accessible from the outside network without turning off the entire firewall.
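The report's INPUT rule cannot help because a published container port is DNATed and then forwarded from eth0 to docker0, so the verdict comes from the FORWARD chain, where the catch-all REJECT sits. The script below is an added illustration, not part of the report or of Docker: it walks a FORWARD chain in iptables-save format and returns the first terminal verdict for a new TCP flow arriving on eth0 for a bridge port. Both rulesets are constructed; the ACCEPT rules in FIXED_RULES are an assumed minimal set of forwarding exceptions, not a transcript of what Docker 0.8 installs.

```shell
#!/bin/sh
# Constructed ruleset mirroring the bug report: port 3838 is opened in INPUT,
# but FORWARD still ends in an unconditional REJECT.
BROKEN_RULES='*filter
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3838 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Same chain with assumed bridge-forwarding exceptions placed before the REJECT.
FIXED_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -o docker0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD ! -i docker0 -o docker0 -p tcp -m tcp --dport 3838 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# forward_verdict RULESET BRIDGE DPORT -> prints accept, reject, drop or policy
# Simulated packet: state NEW, proto tcp, in eth0, out BRIDGE, dest port DPORT.
forward_verdict() {
    printf '%s\n' "$1" | awk -v br="$2" -v dport="$3" '
    /^-A FORWARD / {
        in_if = out_if = proto = port = state = target = ""; in_neg = out_neg = neg = 0
        for (i = 3; i <= NF; i++) {            # parse the matches of this rule
            if ($i == "!") { neg = 1; continue }
            if      ($i == "-i")      { in_if = $(++i);  in_neg = neg }
            else if ($i == "-o")      { out_if = $(++i); out_neg = neg }
            else if ($i == "-p")      { proto = $(++i) }
            else if ($i == "--dport") { port = $(++i) }
            else if ($i == "--state") { state = $(++i) }
            else if ($i == "-j")      { target = $(++i) }
            neg = 0
        }
        ok = 1                                  # does the rule match the packet?
        if (in_if != "")  { m = (in_if == "eth0"); if (in_neg) m = !m; if (!m) ok = 0 }
        if (out_if != "") { m = (out_if == br);    if (out_neg) m = !m; if (!m) ok = 0 }
        if (proto != "" && proto != "tcp") ok = 0
        if (port != "" && port != dport) ok = 0
        if (state != "" && state !~ /NEW/) ok = 0   # RELATED,ESTABLISHED never matches a new flow
        if (ok && (target == "ACCEPT" || target == "REJECT" || target == "DROP")) {
            print tolower(target); found = 1; exit
        }
    }
    END { if (!found) print "policy" }'
}

printf 'broken: %s\nfixed: %s\n' "$(forward_verdict "$BROKEN_RULES" docker0 3838)" \
                                 "$(forward_verdict "$FIXED_RULES" docker0 3838)"
```

Running the same check against FIXED_RULES with a port that was not published (for example 80) still returns reject, which is the behaviour a defender wants: only explicitly forwarded ports get past the catch-all.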
--- Comment #1 from Lokesh Mandvekar lsm5@redhat.com ---
hi ajinkya, docker-io 0.7.2-1.el6 should be in epel-testing repo. Could you please check with this?
Please add +1 or -1 karma based on how it works for you here: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-12416/docker-io-0.7...
--- Comment #2 from ajinkya@ajinkyakulkarni.com ---
Hi Lokesh,
I just tested it with docker-io 0.7.2-1.el6 and I am still having the same issue.
bugzilla@consolejunkie.net changed:
What          |Removed    |Added
----------------------------------------------------------------------------
CC            |           |bugzilla@consolejunkie.net

--- Comment #3 from bugzilla@consolejunkie.net ---
This is a Docker bug if you ask me. So this RedHat issue should be closed.
Docker should create the iptables rules it needs.
I had already created a Docker issue a few days ago:
https://github.com/dotcloud/docker/issues/3416
Josh Poimboeuf jpoimboe@redhat.com changed:
What          |Removed    |Added
----------------------------------------------------------------------------
CC            |           |jpoimboe@redhat.com

--- Comment #4 from Josh Poimboeuf jpoimboe@redhat.com ---
This has been fixed upstream with https://github.com/dotcloud/docker/pull/3810.
--- Comment #5 from bugzilla@consolejunkie.net ---
The Docker 0.8 release has the fixes.
After someone tests this on CentOS or RHEL and it works, this bug should be closed.
Daniel Walsh dwalsh@redhat.com changed:
What          |Removed    |Added
----------------------------------------------------------------------------
Status        |NEW        |CLOSED
Resolution    |---        |CURRENTRELEASE
Last Closed   |           |2014-05-28 13:57:03