HowTo:Docker 172 Fix: Difference between revisions

From Computer Science Wiki
Jump to navigation Jump to search
← Older edit
VisualWikitext
Rhunter (talk | contribs)
Staff, Techstaff
342 edits
Rhunter (talk | contribs)
Staff, Techstaff
342 edits
No edit summary
 
(14 intermediate revisions by 2 users not shown)
Line 3: Line 3:


== The Fix ==
== The Fix ==
To apply the docker fix, create a file called /etc/docker/daemon.json with the following:
To apply the docker fix on the machine running docker, create a file called /etc/docker/daemon.json with the following:


<pre>
<pre>
{
{
  "iptables": false
   "default-address-pools":
   "default-address-pools":
   [
   [
Line 17: Line 16:


sudo service docker restart
sudo service docker restart
== Docker exposed ports Fix ==
== Background ==
Docker ignores most firewall rules and opens ports directly to the external network interface.  Certain ports should NEVER be exposed like Databases and Administrative services.
== The Fix ==
Instead of globally defining the port (which also opens it externally):
<pre>
  docker run -p 6379:6379/tcp redis # !!! WRONG !!!
</pre>
Bind the port to the localhost only using the following:
<pre>
  docker run -p 127.0.0.1:6379:6379/tcp redis
</pre>

Latest revision as of 11:04, 11 December 2025

Background

VT uses a chunk of the 172 private network address space for it's internal private addressing. Docker comes pre-configured to also uses 172.17.0.0/12 which will cause the internal system to ignore any external 172.17.x.x/12 address trying to access the system. To fix this you need to reconfigure your docker to use a different address space like 192.168.x.x/16 or a 10.1.x.x/16 (tech also uses 10.6+.x.x for their networking so this is less safe although 10.5 and lower are guaranteed to be free).

The Fix

To apply the docker fix on the machine running docker, create a file called /etc/docker/daemon.json with the following: 

{
  "default-address-pools":
  [
    {"base":"10.1.0.0/16","size":24}
  ]
}

Followed by:

sudo service docker restart

Docker exposed ports Fix

Background

Docker ignores most firewall rules and opens ports directly to the external network interface. Certain ports should NEVER be exposed like Databases and Administrative services.


The Fix

Instead of globally defining the port (which also opens it externally): 

  docker run -p 6379:6379/tcp redis # !!! WRONG !!!

Bind the port to the localhost only using the following: 

  docker run -p 127.0.0.1:6379:6379/tcp redis
Retrieved from "http://wiki.cs.vt.edu/index.php?title=HowTo:Docker_172_Fix&oldid=4953"