Differences
docker_notes:docker [2024-01-14 Sun wk02 11:23] – baumkp | docker_notes:docker [2024-09-28 Sat wk39 18:34] (current) – [Build Images] baumkp | ||
Line 1: | Line 1: | ||
- | {{tag> | + | {{tag> |
- | Much of this material was originally sourced from: [[https:// | + | |
======Docker====== | ======Docker====== | ||
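Review bot: the `- | Much of this material was originally sourced from: [[https://` line is dropped from the page head here and only re-added under the Docker CLI heading further down the diff, which narrows the attribution to that one section; if the iptables, DNS and Portainer sections draw on the same source, keep a page-level attribution as well, otherwise record in the edit summary that the credit was deliberately scoped to the CLI material.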
Line 31: | Line 29: | ||
*[[https:// | *[[https:// | ||
- | =====Docker and iptables===== | + | =====Docker and iptables |
Docker applies iptables on the host machine, see [[https:// | Docker applies iptables on the host machine, see [[https:// | ||
Line 64: | Line 62: | ||
++++ | ++++ | ||
+ | |||
+ | =====DNS and nftable / iptables / netfilter within containers===== | ||
+ | Docker has to perform some interesting network filtering both on the container host, as noted above and within containers as outlined here. It looks like this is required to allow container DNS functionality on Docker containers using bridge networking. | ||
+ | |||
+ | The containers DNS (''/ | ||
+ | |||
+ | Further to this The container netfilter use NAT chains to operate on 127.0.0.11. | ||
+ | ++++nft list tables| | ||
+ | < | ||
+ | ++++ | ||
+ | ++++nft list table ip nat| | ||
+ | < | ||
+ | table ip nat { | ||
+ | chain DOCKER_OUTPUT { | ||
+ | meta l4proto tcp ip daddr 127.0.0.11 xt match " | ||
+ | meta l4proto udp ip daddr 127.0.0.11 xt match " | ||
+ | } | ||
+ | |||
+ | chain OUTPUT { | ||
+ | type nat hook output priority dstnat; policy accept; | ||
+ | ip daddr 127.0.0.11 counter packets 329 bytes 20249 jump DOCKER_OUTPUT | ||
+ | } | ||
+ | |||
+ | chain DOCKER_POSTROUTING { | ||
+ | meta l4proto tcp ip saddr 127.0.0.11 xt match " | ||
+ | meta l4proto udp ip saddr 127.0.0.11 xt match " | ||
+ | } | ||
+ | |||
+ | chain POSTROUTING { | ||
+ | type nat hook postrouting priority srcnat; policy accept; | ||
+ | ip daddr 127.0.0.11 counter packets 329 bytes 20249 jump DOCKER_POSTROUTING | ||
+ | } | ||
+ | } | ||
+ | / # </ | ||
+ | ++++ | ||
+ | |||
+ | On VPN setup, at least openvpn, the / | ||
+ | |||
+ | On the other hand where Docker bridge network DNS container name resolution is desirable then these netfilter chains must basically remain unadulterated. | ||
+ | | ||
=====Portainer===== | =====Portainer===== | ||
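Review bot: the `nft list table ip nat` dump is cut at every `xt match "` entry, so the DOCKER_OUTPUT and DOCKER_POSTROUTING rules never show their match or their DNAT/SNAT target, which is exactly what a reader needs in order to see why the resolver at 127.0.0.11 stops answering once a VPN script rewrites the nat table. nft prints iptables-extension matches it cannot translate as opaque `xt match` entries; capturing the same table with `iptables -t nat -S` (or `iptables-save -t nat`) from inside the container gives the full rules, so paste that alongside or instead of the nft output. While at it, add one sentence on the two jump rules: both `OUTPUT` and `POSTROUTING` jump on `ip daddr 127.0.0.11` and both show identical counters (329 packets, 20249 bytes), which is consistent with them being hit by the same outbound DNS queries, whereas the rules inside `DOCKER_POSTROUTING` match `ip saddr 127.0.0.11`; without that explanation the daddr/saddr asymmetry reads like a transcription error. The OpenVPN paragraph breaks off at `the /`, so name the file or hook script that flushes or replaces the nat rules, and the "must basically remain unadulterated" conclusion would be stronger with the check behind it: resolve another container's name from inside the VPN container after its rules have been applied and confirm the lookup still succeeds.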
Line 84: | Line 122: | ||
* Then remove the agent container: '' | * Then remove the agent container: '' | ||
* Then pull the latest portainer/ | * Then pull the latest portainer/ | ||
- | <code yaml> | + | <code yaml> |
- | -v / | + | |
- | -v / | + | |
- | portainer/ | + | |
- | =====Build Images===== | ||
=====Docker CLI===== | =====Docker CLI===== | ||
+ | Much of this material was originally sourced from: [[https:// | ||
**Run Containers** | **Run Containers** | ||
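Review bot: the `<code yaml>` block in the Portainer upgrade steps holds `docker run` arguments (`-v /` bind-mount flags followed by the `portainer/` image line), not YAML, so fence it as `<code bash>` so the wiki highlights it correctly and nobody tries to paste it into a compose file; and the `=====Build Images=====` heading is removed on the left with no counterpart on the right even though the revision summary names that section, so state whether its content moved elsewhere or was intentionally dropped.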
Line 198: | Line 234: | ||
|'' | |'' | ||
+ | ====docker ps command==== | ||
+ | The '' | ||
+ | *'' | ||
+ | < | ||
+ | *'' | ||
+ | < | ||
+ | *'' | ||
+ | < | ||
+ | |||
+ | ===reference=== | ||
+ | *[[https:// | ||
+ | *Docker Docs | ||
+ | *[[https:// | ||
+ | *[[https:// | ||
====Backup a container==== | ====Backup a container==== | ||
Backup docker data from inside container volumes and package it in a tarball archive.\\ | Backup docker data from inside container volumes and package it in a tarball archive.\\ | ||
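Review bot: in the `docker ps command` list every bullet stops at `*''`, so the option each following `<code` example illustrates is missing from the diff and the section cannot be checked; also `*Docker Docs` in the reference list has no link while the surrounding entries do, so add the URL so it is a usable reference rather than a bare name.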
Line 250: | Line 300: | ||
- Overlay network, an even more obscure network arrangement I know nothing about. | - Overlay network, an even more obscure network arrangement I know nothing about. | ||
- None network - no assigned network, container has no external network connectivity | - None network - no assigned network, container has no external network connectivity | ||
+ | |||
+ | ====network troubleshooting==== | ||
+ | A lot of containers are setup to be small and hence do not include many, if any of the tools required to diagnose problems. | ||
+ | *'' | ||
+ | |||
====Troubleshooting==== | ====Troubleshooting==== | ||
*[[https:// | *[[https:// |
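Review bot: the single bullet under `network troubleshooting` is truncated at `*''`, so the page states the problem (minimal images ship without diagnostic tools) but not the remedy; the standard one is to run a second, tool-equipped container that joins the target's network namespace with `docker run --rm -it --network container:<name> <debug-image>` (the angle-bracket names are placeholders), which inspects the same interfaces, routes and netfilter rules without installing anything into the production image and is worth spelling out here. The `Overlay network` bullet openly says the author knows nothing about it; a one-line description or a link to the Docker network drivers documentation would serve readers better than leaving it as is.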