docker_notes:docker [2024-01-14 Sun wk02 11:43] – [DNS and nftable / iptables / netfilter within containers] baumkp | docker_notes:docker [2024-04-01 Mon wk14 13:26] (current) – baumkp | ||
---|---|---|---|
Line 1: | Line 1: | ||
{{tag> | {{tag> | ||
- | Much of this material was originally sourced from: [[https:// | + | Much of this material was originally sourced from: [[https:// |
Line 66: | Line 66: | ||
=====DNS and nftable / iptables / netfilter within containers===== | =====DNS and nftable / iptables / netfilter within containers===== | ||
- | Docker has to perform some interesting network filtering both on the container host, as noted above and within containers as outlined here. | + | Docker has to perform some interesting network filtering both on the container host, as noted above and within containers as outlined here. It looks like this is required to allow container DNS functionality on Docker containers using bridge networking. |
- | The containers DNS is assigned to a proxy on 127.0.0.11: | + | |
+ | The containers DNS (''/ | ||
Further to this The container netfilter use NAT chains to operate on 127.0.0.11. | Further to this The container netfilter use NAT chains to operate on 127.0.0.11. | ||
++++nft list tables| | ++++nft list tables| | ||
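Review bot: the added sentence "It looks like this is required to allow container DNS functionality on Docker containers using bridge networking" hedges and does not say which bridge networks it covers; the 127.0.0.11 resolver and the NAT redirect to it belong to Docker's embedded DNS, and Docker documents different DNS handling for the default `bridge` network versus user-defined networks, so the text should state which one was observed. Two wording fixes in the same region: "nftable" in the heading should be "nftables", and "Further to this The container netfilter use NAT chains to operate on 127.0.0.11" should read "Further to this, the container's netfilter uses NAT chains that operate on 127.0.0.11".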
Line 79: | Line 81: | ||
meta l4proto udp ip daddr 127.0.0.11 xt match " | meta l4proto udp ip daddr 127.0.0.11 xt match " | ||
} | } | ||
- | On VPN, at least | ||
chain OUTPUT { | chain OUTPUT { | ||
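Review bot: the listing line `meta l4proto udp ip daddr 127.0.0.11 xt match "…"` contains an `xt match` placeholder, which nft prints for rules installed through the iptables-nft compatibility layer and cannot decode into native nft syntax, so the reader never sees the real match and target; add the `iptables -t nat -S` (or `iptables-save -t nat`) output taken inside the same container next to the nft fold so the full rule is readable. Dropping the stray "On VPN, at least" fragment from inside the listing is right, since it sat mid-listing and was unfinished.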
Line 99: | Line 100: | ||
++++ | ++++ | ||
+ | On VPN setup, at least openvpn, the / | ||
+ | |||
+ | On the other hand where Docker bridge network DNS container name resolution is desirable then these netfilter chains must basically remain unadulterated. | ||
| | ||
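Review bot: the added paragraph "On VPN setup, at least openvpn, the /…" stops before naming the file or chain that the VPN client changes, so the reader cannot tell what breaks or what to check; name it and give the check (`nft list table ip nat` run inside the container, matching the `nft list tables` fold above), and in the following paragraph replace "must basically remain unadulterated" with "must be left unchanged".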
Line 234: | Line 238: | ||
|'' | |'' | ||
+ | ====docker ps command==== | ||
+ | The '' | ||
+ | *'' | ||
+ | < | ||
+ | *'' | ||
+ | < | ||
+ | *'' | ||
+ | < | ||
+ | |||
+ | ===reference=== | ||
+ | *[[https:// | ||
+ | *Docker Docs | ||
+ | *[[https:// | ||
+ | *[[https:// | ||
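Review bot: the "reference" heading and list under "docker ps command" are inconsistent with the rest of the page: the other headings are capitalised ("Backup a container", "Troubleshooting"), so use "References", and the bare "Docker Docs" bullet is the only entry without a link while its neighbours are `[[https://…]]` links; either link it or make clear it is a group label for the entries beneath it.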
====Backup a container==== | ====Backup a container==== | ||
Backup docker data from inside container volumes and package it in a tarball archive.\\ | Backup docker data from inside container volumes and package it in a tarball archive.\\ | ||
Line 286: | Line 304: | ||
- Overlay network, an even more obscure network arrangement I know nothing about. | - Overlay network, an even more obscure network arrangement I know nothing about. | ||
- None network - no assigned network, container has no external network connectivity | - None network - no assigned network, container has no external network connectivity | ||
+ | |||
+ | ====network troubleshooting==== | ||
+ | A lot of containers are setup to be small and hence do not include many, if any of the tools required to diagnose problems. | ||
+ | *'' | ||
+ | |||
====Troubleshooting==== | ====Troubleshooting==== | ||
*[[https:// | *[[https:// |
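Review bot: "setup" in "A lot of containers are setup to be small" should be "set up", and the paragraph states the problem (no diagnostic tools in the image) without the usual way round it: run a tooling image attached to the target's network namespace, `docker run --rm -it --network container:<name> <tools-image>`, which gives you that image's tools against the container's interfaces without modifying the container; adding that one line before the tool list would make the section actionable.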