Can't access host from Docker container when using br0


cmer


I am trying to set up a container with Network Type: br0. Oddly, I cannot reach my Unraid IP from inside the container. My pings just never make it to the host. I can reach it just fine when the container is in Bridge mode.

 

Is there anything else I should be doing? Both IPs are on the same subnet (10.0.0.0/24).

 

Thanks in advance.


There are several posts in these forums explaining that if an IP address is assigned to a docker, it has no communication with the host whether or not they are on the same subnet. This is by design with Docker.

 

From user bonienl (designed docker networking configuration in unRAID):

 

"Docker containers can not access the host address, this is by Docker design. They are segregated.

unRAID will allow ssh, telnet and GUI on any active network interface (VLAN or physical). If you don't want this ssh, telnet or GUI access via the VLAN interface (or physical interface) then you should create corresponding firewall rules and block the specific ports.

It is possible that unRAID binds ssh, telnet and GUI to a single interface (IP address) only, but this requires manual changes in the service creation."

 

And here is more explanation of the separation:

 

Edited by Hoopster

This is doable if you add a host route to the container and also to unraid. Here's my setup:

  • container IP is 10.0.0.200
  • unraid IP is 10.0.0.199
  • router IP is 10.0.0.254
  • container name is smb4ad

Unraid part is easy, I just go to the network settings and add a route:

IP: 10.0.0.200 Gateway: 10.0.0.254 metric: 1

Next I create a script:

/boot/config/smb4ad_route.sh

containing the following:

pid=$(docker inspect -f '{{.State.Pid}}' smb4ad)
[ "$pid" -gt 0 ] || exit 1            # PID is 0 when the container is not running
mkdir -p /var/run/netns
ln -sf /proc/${pid}/ns/net /var/run/netns/${pid}   # expose the container netns to "ip netns"
# inside the container's namespace: reach the Unraid host by way of the router (hairpin)
ip netns exec ${pid} ip -4 route add 10.0.0.199 via 10.0.0.254
rm -f /var/run/netns/${pid}           # remove only our symlink, not the whole directory

Then I edit /boot/config/go and add the following to the end:

docker events --filter "container=smb4ad" | awk '/container start/ { system("sh /boot/config/smb4ad_route.sh") }' &

Finally, because I don't want to reboot unraid, I run the same command but use nohup to detach it from the terminal:

nohup docker events --filter "container=smb4ad" | awk '/container start/ { system("sh /boot/config/smb4ad_route.sh") }' &

 

What the command is doing is monitoring docker start events for my container and running the script to add the route to the container. 

 

The same result could also be accomplished by adding "--cap-add NET_ADMIN" to the container options and running a startup script in the container to add the route but that gives your container special permissions that aren't really desirable.

 

Edited by brunnels
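The following is an added example and not code from this thread or from brunnels. It implements the same two-sided /32 hairpin route (host side and container side, both via the router) as one script, but enters the container's network namespace with nsenter instead of creating a symlink under /var/run/netns, uses "ip route replace" so restarts are idempotent, lets the Docker daemon filter start events instead of pattern-matching awk on free-form event text, and pings the host from inside the container namespace to confirm the route actually works. The container name and addresses are the ones from the post above; nsenter (util-linux) being present on the host and the docker events --format template are assumptions. The container still runs without NET_ADMIN, because the route is inserted from the host.

```shell
#!/bin/sh
# Added example, not code from this thread. Same idea as the setup above:
# a /32 hairpin route via the router on both sides (host and container netns),
# re-applied every time the container starts. Assumes nsenter (util-linux) is
# available on the host; names and addresses below are taken from the thread.
CONTAINER="${CONTAINER:-smb4ad}"            # macvlan (br0) container
CONTAINER_IP="${CONTAINER_IP:-10.0.0.200}"
HOST_IP="${HOST_IP:-10.0.0.199}"            # Unraid host
ROUTER_IP="${ROUTER_IP:-10.0.0.254}"        # LAN router that hairpins the traffic

# Build the route command for a /32 destination via the router.
# "replace" instead of "add" keeps the script idempotent across restarts.
route_cmd() {
    printf 'ip -4 route replace %s/32 via %s' "$1" "$2"
}

# Print the init PID of a running container; fail when it is stopped (PID 0)
# or unknown, so we never enter the host's own namespace by mistake.
container_pid() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1" 2>/dev/null) || return 1
    [ "$pid" -gt 0 ] 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# Host side: route to the container's macvlan IP via the router.
add_host_route() {
    sh -c "$(route_cmd "$CONTAINER_IP" "$ROUTER_IP")"
}

# Container side: run "ip route" inside the container's network namespace.
# nsenter -n needs no symlink under /var/run/netns and nothing to clean up,
# and the container itself keeps running without NET_ADMIN.
add_container_route() {
    pid=$(container_pid "$1") || { echo "$1 is not running" >&2; return 1; }
    nsenter -t "$pid" -n sh -c "$(route_cmd "$HOST_IP" "$ROUTER_IP")"
}

# Confirm the route is effective by pinging the host from the container netns.
check_host_reachable() {
    pid=$(container_pid "$1") || return 1
    nsenter -t "$pid" -n ping -c 1 -W 2 "$HOST_IP" >/dev/null 2>&1
}

# Re-apply the container route on every start event. The daemon filters on
# event type and container name, so no awk matching on event text is needed.
watch_and_route() {
    docker events --filter "container=$CONTAINER" --filter 'event=start' \
        --format '{{.Actor.Attributes.name}}' |
    while read -r name; do
        add_container_route "$name" && check_host_reachable "$name" \
            || echo "route for $name not effective" >&2
    done
}

# Usage: sh hairpin_route.sh watch   (for example from /boot/config/go, with nohup ... &)
if [ "${1:-}" = "watch" ]; then
    add_host_route
    add_container_route "$CONTAINER"   # cover a container that is already running
    watch_and_route
fi
```

Run it as "sh hairpin_route.sh watch" from the go file (or with nohup from a shell), since files on the flash drive cannot carry the execute bit. If the ping check fails after the route is in place, the router is not forwarding the hairpinned packets back onto the same segment, which is a router or firewall setting rather than a Docker one.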
  • 2 weeks later...

I wish to thank all 3 of you for making me understand this.
For several reasons (fw security) I wished to keep my poste docker accessible on my LAN as a separate IP (through the integrated macvlan network).

There's a roundcube+webserver within the poste docker.
I wanted to point my letsencrypt-nginx reverse proxy to this container, adding https.

Thanks to you, I found a way.

 

I have another issue, though.
When I ping my container from the host, I get this.
 

[image: screenshot of the ping output]

 

And then nothing anymore.

Whenever I do this, the icmp_seq is always the same: 2,3,4,5,6,8,11,17

Is this my router/firewall inhibiting traffic?

Edited by Osiris
Link to comment
  • 1 year later...
On 2/19/2018 at 4:20 PM, brunnels said:

This is doable if you add a host route to the container and also to unraid. [...]

This works when run manually, but I keep finding that container restarts are not handled, so the container cannot locate the host.

  • 7 months later...

@brunnels I did all that but when I restart the container, I see this error message in the unraid terminal:

 

root@Tower:/boot/config# sh: /boot/config/xxx_route.sh: Permission denied

 

Doing a "chmod +x filename" and even chmod 777 on the file doesn't change it. I even killed the nohup process to make sure it's really stopped but the changes won't stick.

 

Quoting brunnels:

What the command is doing is monitoring docker start events for my container and running the script to add the route to the container.

 

The script adds the route to 10.0.0.199 which is the IP address of the Unraid server so how is it adding a route to the container? That script actually runs on the server right? Not the container since it is doing a "docker inspect". Or is the "ip netns exec" command actually run inside the container?

Edited by frakman1
12 hours ago, frakman1 said:

root@Tower:/boot/config# sh: /boot/config/xxx_route.sh: Permission denied

 

Doing a "chmod +x filename" and even chmod 777 on the file doesn't change it. I even killed the nohup process to make sure it's really stopped but the changes won't stick.

Security enhancements in UnRAID mean that files on the boot drive are not allowed to have the execute permission. Script files therefore either need to be preceded by the command name,

e.g. sh path-to-script-file

or they need to be copied elsewhere and have their execute bit set (typically using entries in the config/go file on the flash drive) before trying to use them. If they do not need to run as part of the boot sequence then the User Scripts plugin is another way to run them.
