| Both sides previous revision Previous revision Next revision | Previous revision |
| docker_notes:docker [2024-01-14 Sun wk02 12:03] – [DNS and nftable / iptables / netfilter within containers] baumkp | docker_notes:docker [2024-04-01 Mon wk14 13:26] (current) – baumkp |
|---|
| {{tag>linux docker cli installation network volume iptables nftables portainer}} | {{tag>linux docker cli installation network volume iptables nftables portainer}} |
| Much of this material was originally sourced from: [[https://github.com/xcad2k/cheat-sheets/blob/main/docker/docker.md|xcad2k cheat-sheets/docker/docker.md]] | Much of this material was originally sourced from: [[https://github.com/ChristianLempa/cheat-sheets/blob/main/docker/docker.md|cheat-sheets/docker/docker.md]] |
| |
| |
| On VPN setup, at least openvpn, the /etc/resolv.conf is overwritten anyway so the Docker netfilter chains become irrelevant. | On VPN setup, at least openvpn, the /etc/resolv.conf is overwritten anyway so the Docker netfilter chains become irrelevant. |
| |
| On the other hand where Docker bridge network DNS container name resolution is desirable then these netfilter chains must basically remain unadulterated. So in these cases where I need to used netfilter within the container, the simple solution is to simply add extra chains without using the nft ''flush ruleset'' command first. These means that if subsequent rule changes are made the container will need to be recreated. This is effectively only for simple basic input chains only, more complex netfilter works would need further consideration. | On the other hand where Docker bridge network DNS container name resolution is desirable then these netfilter chains must basically remain unadulterated. So in these cases where I need to used netfilter within the container, the simple solution is to simply add extra chains without using the nft ''flush ruleset'' command first. These means that if subsequent rule changes are made the container will need to be recreated. This is effectively only for simple basic filter (input, output & forward) chains only, more complex netfilter nat requirements would need further consideration. |
| | |
| |
| |''docker volume prune'' | Delete all volumes (not referenced by any container)| | |''docker volume prune'' | Delete all volumes (not referenced by any container)| |
| |
| | ====docker ps command==== |
| | The ''docker ps'' command output is long and often difficult to read on the terminal for this reason. |
| | *''%%docker ps --format 'table {{ .ID }}\t{{.Image}}\t{{ .Names }}'%%'' |
| | <code>CONTAINER ID IMAGE NAMES</code> |
| | *''%%docker ps -s --format 'table {{ .ID }}\t{{.Status}}\t{{.Image}}\t{{ .Names }}'%%'' |
| | <code>CONTAINER ID STATUS IMAGE NAMES</code> |
| | *''%%docker ps -s --format 'table {{ .ID }}\t{{.Status}}\t{{.Image}}\t{{ .Names }}\t{{.Size}}'%%'' |
| | <code>CONTAINER ID STATUS IMAGE NAMES SIZE</code> |
| | |
| | ===reference=== |
| | *[[https://devdojo.com/bobbyiliev/how-to-change-the-docker-ps-output-format|How to change the docker ps output format]] |
| | *Docker Docs |
| | *[[https://docs.docker.com/reference/cli/docker/container/ls/|docker container ls]] |
| | *[[https://docs.docker.com/storage/storagedriver/#container-size-on-disk|Container size on disk]] |
| ====Backup a container==== | ====Backup a container==== |
| Backup docker data from inside container volumes and package it in a tarball archive.\\ | Backup docker data from inside container volumes and package it in a tarball archive.\\ |
| - Overlay network, an even more obscure network arrangement I know nothing about. | - Overlay network, an even more obscure network arrangement I know nothing about. |
| - None network - no assigned network, container has no external network connectivity | - None network - no assigned network, container has no external network connectivity |
| | |
| | ====network troubleshooting==== |
| | A lot of containers are setup to be small and hence do not include many, if any of the tools required to diagnose problems. A small docker image ''netshoot'' includes the most common networking tools and when attached to the same docker network can be used to diagnose the network and containers networks thereon. |
| | *''%%docker run --rm --name netshoot --network proxy -it nicolaka/netshoot /bin/bash%%'' |
| | |
| ====Troubleshooting==== | ====Troubleshooting==== |
| *[[https://github.com/nicolaka/netshoot|netshoot: a Docker + Kubernetes network trouble-shooting swiss-army container]] ''%%docker run --name netshoot --rm -it nicolaka/netshoot /bin/bash%%'' | *[[https://github.com/nicolaka/netshoot|netshoot: a Docker + Kubernetes network trouble-shooting swiss-army container]] ''%%docker run --name netshoot --rm -it nicolaka/netshoot /bin/bash%%'' |