cmer Posted February 11, 2018
I am trying to set up a container with Network Type: br0. Oddly, I cannot reach my Unraid IP from inside the container. My pings just never make it to the host. I can reach it just fine when the container is in Bridge mode. Is there anything else I should be doing? Both IPs are on the same subnet (10.0.0.0/24). Thanks in advance.
Hoopster Posted February 11, 2018 (edited)
There are several posts in these forums explaining that if an IP address is assigned to a docker, it has no communication with the host, whether or not they are on the same subnet. This is by design with Docker. From user bonienl (who designed the docker networking configuration in unRAID):
"Docker containers can not access the host address, this is by Docker design. They are segregated. unRAID will allow ssh, telnet and GUI on any active network interface (VLAN or physical). If you don't want this ssh, telnet or GUI access via the VLAN interface (or physical interface) then you should create corresponding firewall rules and block the specific ports. It is possible that unRAID binds ssh, telnet and GUI to a single interface (IP address) only, but this requires manual changes in the service creation."
And here is more explanation of the separation:
Edited February 11, 2018 by Hoopster
cmer (author) Posted February 11, 2018 (edited)
Thanks for pointing me to it.
Edited February 11, 2018 by cmer
brunnels Posted February 19, 2018 (edited)
This is doable if you add a host route to the container and also to unraid. Here's my setup:
container IP is 10.0.0.200
unraid IP is 10.0.0.199
router IP is 10.0.0.254
container name is smb4ad
Unraid part is easy, I just go to the network settings and add a route:
IP: 10.0.0.200
Gateway: 10.0.0.254
metric: 1
Next I create a script: /boot/config/smb4ad_route.sh containing the following:
pid=$(docker inspect -f '{{.State.Pid}}' smb4ad)
mkdir -p /var/run/netns
ln -s /proc/${pid}/ns/net /var/run/netns/${pid}
ip netns exec ${pid} ip -4 route add 10.0.0.199 via 10.0.0.254
rm -rf /var/run/netns
Then I edit /boot/config/go and add the following to the end:
docker events --filter "container=smb4ad" | awk '/container start/ { system("/boot/config/smb4ad_route.sh") }' &
Finally, because I don't want to reboot unraid, I run the same command but use nohup to detach it from the terminal:
nohup docker events --filter "container=smb4ad" | awk '/container start/ { system("/boot/config/smb4ad_route.sh") }' &
What the command is doing is monitoring docker start events for my container and running the script to add the route to the container. The same result could also be accomplished by adding "--cap-add NET_ADMIN" to the container options and running a startup script in the container to add the route, but that gives your container special permissions that aren't really desirable.
Edited August 14, 2018 by brunnels
Osiris Posted March 6, 2018 (edited)
I wish to thank all 3 of you for making me understand this. For several reasons (fw security) I wished to keep my poste docker accessible on my lan as a separate ip (through the integrated macvlan network). There's a roundcube+webserver within the poste docker. I wanted to point my letsencrypt-nginx reverse proxy to this container, adding https. Thanks to you, I found a way.
I have another issue, though. When I ping my container from the host, I get this. And then nothing anymore. Whenever I do this, the icmp_seq is always the same: 2,3,4,5,6,8,11,17
Is this my router/firewall inhibiting traffic?
Edited March 12, 2018 by Osiris
brunnels Posted March 11, 2018
I would check your routes in the container and host because I didn't see anything like that. To get into the container do "docker exec -it container-name /bin/sh" then type "ip route".
popwebz Posted November 23, 2019
On 2/19/2018 at 4:20 PM, brunnels said:
This is doable if you add a host route to the container and also to unraid. Here's my setup:
container IP is 10.0.0.200
unraid IP is 10.0.0.199
router IP is 10.0.0.254
container name is smb4ad
Unraid part is easy, I just go to the network settings and add a route:
IP: 10.0.0.200
Gateway: 10.0.0.254
metric: 1
Next I create a script: /boot/config/smb4ad_route.sh containing the following:
pid=$(docker inspect -f '{{.State.Pid}}' smb4ad)
mkdir -p /var/run/netns
ln -s /proc/${pid}/ns/net /var/run/netns/${pid}
ip netns exec ${pid} ip -4 route add 10.0.0.199 via 10.0.0.254
rm -rf /var/run/netns
Then I edit /boot/config/go and add the following to the end:
docker events --filter "container=smb4ad" | awk '/container start/ { system("/boot/config/smb4ad_route.sh") }' &
Finally, because I don't want to reboot unraid, I run the same command but use nohup to detach it from the terminal:
nohup docker events --filter "container=smb4ad" | awk '/container start/ { system("/boot/config/smb4ad_route.sh") }' &
What the command is doing is monitoring docker start events for my container and running the script to add the route to the container. The same result could also be accomplished by adding "--cap-add NET_ADMIN" to the container options and running a startup script in the container to add the route, but that gives your container special permissions that aren't really desirable.

This works when run manually, but I keep finding that container restarts are not handled, and so the container cannot locate the host.
frakman1 Posted July 5, 2020 (edited)
@brunnels I did all that but when I restart the container, I see this error message in the unraid terminal:
root@Tower:/boot/config# sh: /boot/config/xxx_route.sh: Permission denied
Doing a "chmod +x filename" and even chmod 777 on the file doesn't change it. I even killed the nohup process to make sure it's really stopped but the changes won't stick.
Quote: What the command is doing is monitoring docker start events for my container and running the script to add the route to the container.
The script adds the route to 10.0.0.199 which is the IP address of the Unraid server, so how is it adding a route to the container? That script actually runs on the server, right? Not the container, since it is doing a "docker inspect". Or is the "ip netns exec" command actually run inside the container?
Edited July 5, 2020 by frakman1
itimpi Posted July 6, 2020
12 hours ago, frakman1 said:
t@Tower:/boot/config# sh: /boot/config/xxx_route.sh: Permission denied
Doing a "chmod +x filename" and even chmod 777 on the file doesn't change it. I even killed the nohup process to make sure it's really stopped but the changes won't stick.

Security enhancements in UnRAID mean that files on the boot drive are not allowed to have execute permission. Script files therefore either need to be preceded by the command name, e.g. sh path-to-script-file, or they need to be copied elsewhere and their execute bit set (typically using entries in the config/go file on the flash drive) before trying to use them. If they do not need to run as part of the boot sequence then the User Scripts plugin is another way to run them.
frakman1 Posted July 6, 2020
Thank you. I changed it to use:
system("/usr/bin/bash /boot/config/xxxx_route.sh")
and that worked.
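As an added, illustrative script (not brunnels' own script and not anything shipped with Unraid), the following pulls together the pieces worked out across the thread: brunnels' trick of entering the container's network namespace from the host to add a route to the Unraid IP, popwebz's point that the route has to be re-applied on every container start, and itimpi's note that a script on /boot must be launched through sh because the flash drive carries no execute bit. It assumes the container name, Unraid IP and gateway are passed as arguments, that docker and ip are on PATH, and that it is saved as /boot/config/route_watch.sh; that path and the helper names valid_ipv4, is_start_event, add_host_route and watch_container are my own. Compared with the original script it validates the two IP arguments before they reach an ip(8) command, removes only the namespace handle it created rather than the whole /var/run/netns directory, and uses docker's own event filter plus ip route replace so that re-applying the route on a restart is harmless.

```shell
#!/bin/sh
# route_watch.sh (hypothetical path: /boot/config/route_watch.sh)
# Keeps a host route to the Unraid IP present inside a br0/macvlan container's
# network namespace, re-applying it on every container start.
# Added example for this thread; not brunnels' script and not part of Unraid.

# Accept only a dotted-quad IPv4 address: four decimal octets, each 0-255.
# Anything else (hostnames, CIDR, shell metacharacters) is rejected before it
# can be spliced into an ip(8) command line.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# True if one line of `docker events` output is a start event for the named
# container, e.g.
#   2018-02-19T16:20:00.000000000-05:00 container start 1a2b3c (image=x, name=smb4ad)
# The event filter in watch_container already narrows the stream; this is the
# belt-and-braces check that replaces the original awk regex.
is_start_event() {
    case "$1" in
        *" container start "*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *"name=$2)"*|*"name=$2,"*) return 0 ;;
    esac
    return 1
}

# Enter the container's network namespace from the host (no NET_ADMIN needed
# inside the container) and install a /32 route to the Unraid IP via the
# gateway. `route replace` is idempotent, so a second start does not fail.
add_host_route() {
    name=$1; host_ip=$2; gw=$3
    pid=$(docker inspect -f '{{.State.Pid}}' "$name" 2>/dev/null) || return 1
    # Pid 0 means the container exists but is not running: nothing to do yet.
    [ -n "$pid" ] && [ "$pid" -gt 0 ] || return 1
    mkdir -p /var/run/netns
    ln -sf "/proc/$pid/ns/net" "/var/run/netns/$pid"
    ip netns exec "$pid" ip -4 route replace "$host_ip/32" via "$gw"
    rc=$?
    # Remove only the handle we created, not every namespace under /var/run/netns.
    rm -f "/var/run/netns/$pid"
    return $rc
}

# Apply the route once for the container as it is now, then again on each
# subsequent start event. Covers the restart case raised in the thread.
watch_container() {
    name=$1; host_ip=$2; gw=$3
    valid_ipv4 "$host_ip" && valid_ipv4 "$gw" || { echo "route_watch: bad IP argument" >&2; return 2; }
    add_host_route "$name" "$host_ip" "$gw"
    docker events --filter "container=$name" --filter event=start |
    while read -r line; do
        is_start_event "$line" "$name" && add_host_route "$name" "$host_ip" "$gw"
    done
}

# Launched from /boot/config/go as (values from the thread, path assumed):
#   nohup sh /boot/config/route_watch.sh watch smb4ad 10.0.0.199 10.0.0.254 &
# The explicit `sh` is what avoids the "Permission denied" seen above.
if [ "${1:-}" = "watch" ]; then
    shift
    watch_container "$@"
fi
```

The route is still added from the host side, so the container itself needs no extra capabilities; the only privileged piece is the watcher running as root on Unraid, which is the same trust boundary brunnels' version relied on.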
geekazoid Posted January 1, 2023 (edited)
The script didn't work at all for my unraid 6.11.5 host and pihole container. Should it?
Thanks for the script. It works great after a reboot!
Edited January 1, 2023 by geekazoid: it works now