Docker, nginx and firewalld example: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 11: | Line 11: | ||
For docker one needs the docker engine and docker compose. Both installation are documented on [https://docs.docker.com docs.docker.com]. At the time of this writing for the engine it is [https://docs.docker.com/engine/install/debian/ Install Docker Engine on Debian] and for docker compose [https://docs.docker.com/compose/install/linux/ Install the Compose plugin]. | For docker one needs the docker engine and docker compose. Both installation are documented on [https://docs.docker.com docs.docker.com]. At the time of this writing for the engine it is [https://docs.docker.com/engine/install/debian/ Install Docker Engine on Debian] and for docker compose [https://docs.docker.com/compose/install/linux/ Install the Compose plugin]. | ||
Since I do not want docker use iptables I apply the configuration like stated below. | Since I do not want docker to use iptables I apply the configuration like stated below. | ||
root@host:~# cat /etc/systemd/system/multi-user.target.wants/docker.service | grep iptables | root@host:~# cat /etc/systemd/system/multi-user.target.wants/docker.service | grep iptables | ||
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false | ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false | ||
After altering docker.service I rebooted to apply the changes. To see the changes do a <tt>iptables -L</tt> before and after reboot. | After altering docker.service I rebooted to apply the changes. To see the changes do a <tt>iptables -L</tt> before and after the reboot. | ||
= Run a nginx Container = | |||
root@host:~# docker run --name nginx1 -d nginx | |||
root@host:~# docker ps | cut -d' ' -f1 | |||
CONTAINER | |||
30d55f4783b1 | |||
root@host:~# docker container inspect 30d55f4783b1 | grep IPAddress | |||
"SecondaryIPAddresses": null, | |||
"IPAddress": "172.17.0.2", | |||
"IPAddress": "172.17.0.2", | |||
<tt>curl 172.17.0.2</tt> will return a welcome message. | |||
= Firewalld Configuration = | |||
The docker containers reside in <tt>172.17.0.0/16</tt>. So, the configuration below allows all containers to talk to the outside world. | |||
root@host:~# firewall-cmd --permanent --zone=public \ | |||
--add-rich-rule='rule family="ipv4" source address=172.17.0.0/16 masquerade' | |||
root@host:~# firewall-cmd --reload | |||
Finally, with the configuration below the outside world is allowed to access <tt>nginx1</tt>. | |||
root@host:~# firewall-cmd --zone=public \ | |||
--add-forward-port=port=80:proto=tcp:toport=80:toaddr=172.17.0.2 | |||
Revision as of 04:59, 17 December 2022
VPS Setup
See See Installing on BTRFS
Install Firewalld
root@host:~# apt install firewalld
Install Docker
For docker one needs the docker engine and docker compose. Both installation are documented on docs.docker.com. At the time of this writing for the engine it is Install Docker Engine on Debian and for docker compose Install the Compose plugin.
Since I do not want docker to use iptables I apply the configuration like stated below.
root@host:~# cat /etc/systemd/system/multi-user.target.wants/docker.service | grep iptables ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false
After altering docker.service I rebooted to apply the changes. To see the changes do a iptables -L before and after the reboot.
Run a nginx Container
root@host:~# docker run --name nginx1 -d nginx
root@host:~# docker ps | cut -d' ' -f1
CONTAINER
30d55f4783b1
root@host:~# docker container inspect 30d55f4783b1 | grep IPAddress
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.2",
"IPAddress": "172.17.0.2",
curl 172.17.0.2 will return a welcome message.
Firewalld Configuration
The docker containers reside in 172.17.0.0/16. So, the configuration below allows all containers to talk to the outside world.
root@host:~# firewall-cmd --permanent --zone=public \ --add-rich-rule='rule family="ipv4" source address=172.17.0.0/16 masquerade' root@host:~# firewall-cmd --reload
Finally, with the configuration below the outside world is allowed to access nginx1.
root@host:~# firewall-cmd --zone=public \ --add-forward-port=port=80:proto=tcp:toport=80:toaddr=172.17.0.2