Docker Networking

In the past, I have covered virtualization for VMs, LXD containers and Docker. This presentation focuses on how to present Docker containers on the MAIN LAN and also on VLANs. By default, Docker runs all containers on the host IP address and exposes unique port numbers.

Here are commands used in the presentation. Addresses used are for example only. Yours will differ.

For example:

docker run -d -p 8080:8080 rofl256/whiteboard

If you have several containers on your Docker host that want to run on port 8080, you need to expose different ports to avoid conflicts.

Helpful commands:

ip route show - learn the names of your host interfaces
docker ps - List all running docker containers
docker network ls - List Docker networks
docker image ls - List Docker images

Create Interactive container on Docker LAN

docker run -it --name=test ubuntu bash
apt update
apt install iputils-ping
apt install net-tools
ifconfig

Create Docker Interactive container on Untagged LAN example

In this example, 172.16.0.0/16 is the MAIN LAN address range and 172.16.0.1 is the gateway address on the router. The 172.16.1.200 address is an example address of a container on the MAIN LAN.

docker network create -d macvlan --subnet=172.16.0.0/16 --gateway=172.16.0.1 -o parent=enp4s0 exposed
docker network ls
docker run -it --name=test --net=exposed --ip=172.16.1.200 ubuntu bash
apt update
apt install iputils-ping
apt install net-tools
ping 172.16.1.225

Create Docker Interactive container on VLAN example

In this example, the assumption is that VLAN 80 exists on the current managed network. The address 192.168.80.111 is chosen as the address of the new VLAN80 network device on the Docker host.

sudo ip link add link enp4s0 name VLAN80 type vlan id 80
sudo ip addr add 192.168.80.111/24 dev VLAN80
sudo ip link set VLAN80 up

Next, a Docker network is created in the VLAN address range of 192.168.80.0/24 and the parent device is the host VLAN80 device.

docker network create -d macvlan --subnet=192.168.80.0/24 --gateway=192.168.80.1 -o parent=VLAN80 vlan80

Finally, the container is run on the vlan80 network. Note that I made the host device name in uppercase and the docker network name is in lowercase just to point out the difference. You can use two different names if you like.

docker run -it --name=test --net=vlan80 --ip=192.168.80.112 ubuntu bash
apt update
apt install iputils-ping
apt install net-tools
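As an added check that is not part of the original post, the helper below validates the addressing used in the untagged-LAN and VLAN recipes above (gateway, host and container addresses inside the subnet, none reserved, none colliding) before emitting the exact ip and docker commands; the function name, its arguments and the optional --ip-range handling are my own assumptions, not Docker's API.

```python
import ipaddress


def plan_macvlan(name, subnet, gateway, parent, container, container_ip,
                 vlan=None, ip_range=None):
    """Return the shell commands for a macvlan network plus one container.

    vlan, if given, is (physical_link, vlan_id, host_cidr): an 802.1Q
    sub-interface called `parent` is created on physical_link first.
    ip_range, if given, limits Docker's automatic assignments to a block that
    you keep outside the router's DHCP pool (constructed option, see note).
    """
    net = ipaddress.ip_network(subnet, strict=True)
    used = {"gateway": ipaddress.ip_address(gateway),
            "container": ipaddress.ip_address(container_ip)}
    cmds = []
    if vlan is not None:
        link, vid, host_cidr = vlan
        hip = ipaddress.ip_interface(host_cidr)
        if hip.network != net:
            raise ValueError(f"host address {hip} is not in {net}")
        used["host"] = hip.ip
        cmds += [f"sudo ip link add link {link} name {parent} type vlan id {vid}",
                 f"sudo ip addr add {hip.with_prefixlen} dev {parent}",
                 f"sudo ip link set {parent} up"]
    for label, addr in used.items():
        if addr not in net:
            raise ValueError(f"{label} address {addr} is not inside {net}")
        if addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{label} address {addr} is reserved in {net}")
    if len(set(used.values())) != len(used):
        raise ValueError("gateway, host and container addresses must be distinct")
    create = f"docker network create -d macvlan --subnet={net} --gateway={gateway}"
    if ip_range is not None:
        rng = ipaddress.ip_network(ip_range, strict=True)
        if not rng.subnet_of(net):
            raise ValueError(f"ip range {rng} is not inside {net}")
        create += f" --ip-range={rng}"
    cmds.append(create + f" -o parent={parent} {name}")
    cmds.append(f"docker run -it --name={container} --net={name} "
                f"--ip={container_ip} ubuntu bash")
    return cmds


def macvlan_error(*args, **kwargs):
    """Return the validation message for a bad plan, or None when it is sound."""
    try:
        plan_macvlan(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None
```

Containers on a macvlan network sit directly on the LAN or VLAN, so the host's published-port rules do not apply to them and the host itself cannot reach them over the macvlan parent by default; keep their fixed addresses, and any --ip-range block, outside the router's DHCP pool to avoid duplicate-address outages.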

To delete the docker network once no containers are using it: docker network rm vlan80

To delete the host device:

Stop containers using it.

sudo ip link set VLAN80 down
sudo ip link delete VLAN80

Stop all running containers (DANGER): docker stop $(docker ps -aq)

Remove all containers (DANGER): docker rm $(docker ps -aq)

Delete all images from your Docker system (DANGER): docker rmi $(docker images -q)


Hi,
I have a UDM-Pro and have been using a Local VPN / VLAN that I created for remote access. I am looking at Docker as I have a few things running on different Pis that would probably do best in Docker, running on a Pi 4. With Docker, and since I am using a VPN, are there still ports that will need to be left open for other things? Trying to secure the network as much as possible. I have to see if there is a Linux program to check for open ports. I also need to look at firewall rules. Have a GREAT day!

You have mixed a few things together here. A VPN on the UDM Pro uses L2TP and can be used to remotely access your network securely, making it look like you are on your local network. A VLAN is not related to a VPN. A VLAN is the concept of running another network over the same physical cable with its own address range. A VLAN is used to either divide traffic for performance reasons or for security reasons.

On my channel I have covered both Docker and LXD. LXD is a virtual operating system without virtual hardware as in a Virtual machine, so LXD is much more lightweight and efficient on resources. Consider Docker to be a virtual application without having to virtualize the hardware or the operating system.

Docker is the most lightweight virtualization system and so it uses the fewest resources. A Raspberry Pi 4 can run docker reasonably well and depending on the size of the docker application container in terms of memory and CPU requirements, a Raspberry PI might be able to run 5 to 7 docker apps.

A VPN does not at all play into Docker or VLANs. If you are wanting to host your own services for use from outside your network, look into using NginX Proxy Manager (NPM), which is a dockerized application that enables reverse proxy and manages self-signed SSL certificates.

Opening ports on the UDM Pro for hosted applications other than for reverse proxy access is a risky security proposition. If you want to discuss more, meet me on my RocketChat at https://chat.scottibyte.com.