networking – Problems with UPnP Inside Docker Container

On my personal server running Linux, I run a self-written program that uses the upnpc command to open an additional UDP port to point to my OpenVPN server running on UDP 1194. For quite some time now, I have used this program directly on the server without any issues aside from dependencies breaking on occasion. To finally fix the dependency breakage, I recently moved the application to a Docker container, and I am having problems with the UPnP component of the application. The problem is that, when a upnpc command is executed, the command will succeed and the router (ASUS RT-AC88U) will show the port as open in the list of ports opened via UPnP, but trying to access the application via that port will fail. Manually opening that port through the router’s UI works fine, however.

Here is an example of the upnpc command that I am trying to use:

upnpc -e "OpenVPN - UDP 1195" -a 192.168.1.169 1194 1195 UDP

One common reason for UPnP to not work from inside a Docker container is because the container is running in bridged networking mode instead of host networking mode. This is not the case for this container however, as the container is running in host networking mode. If it was running in bridged, the upnpc command that I shared above would not work at all, as it would fail to find the router.

I should also note that I have several other Docker containers which also run on the same server that make use of UPnP, and they are all fine. Those containers are not running self-built applications though. I am also confident that the issue does not lie in the service to which I am trying to forward, as I have tried forwarding to other services running on the server, and hit the same issue.

Does anyone have any advice on how to proceed with attempting to fix this?

Logging docker container logins, EC2 Host

I have an AWS EC2 instance with docker installed, running a default nginx container – docker run -it --rm -d -p 8080:80 --name web nginx.

I have an rsyslog setup that successfully captures the auth.log file for the host, so I can capture any login attempts to that machine. However, I’m wondering if there is any way I can capture container login attempts, i.e. if someone gains access to the machine and runs docker exec -it web bash.

While the container is running, docker logs outputs anything the container is logging to stdout/err. But I haven’t found any documentation on container login attempts. Is docker exec the correct way to try “logging in” to the container? Is this something I can feasibly capture? Does it make sense to? When I run docker exec I haven’t seen it logged anywhere – host syslog, kernel.log, auth.log, docker logs, nothing at all.

So, it doesn’t seem like container “logins” are even captured anywhere, and as long as the container is not running with privileged access I can’t imagine it’s too important. It seems that protecting the host is far more important. Any insight would be greatly appreciated!
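An added example, not part of the post above: a docker exec is not a login (no PAM, no utmp), so auth.log stays silent, but the daemon does emit an exec_create event carrying the command, and that can be turned into an auth-facility syslog record that the existing rsyslog pipeline ships like any other login. It assumes docker and logger(1) on the host; the sample events are constructed to match what `docker events --format '{{json .}}'` emits.

```shell
#!/bin/sh
# Added example, not part of the post. A `docker exec` is not a login: no PAM,
# no utmp, so auth.log stays silent. The daemon does emit an exec_create event
# carrying the command, and that can be turned into an auth-facility syslog
# record that the existing rsyslog pipeline ships like any other login.
# Assumes docker and logger(1) on the host; the sample events are constructed.

# Reduce one event line from `docker events --format '{{json .}}'` to a
# syslog-style record. Only exec_create events are kept (they carry the
# command); anything else returns 1. A command containing a double quote is
# truncated at it, which is still enough for an alert line.
format_exec_event() {
    ev=$1
    apat='"Action":"exec_create: '   # Action is "exec_create: <command>"
    npat='"name":"'                  # Actor.Attributes.name = container name
    ipat='"id":"'                    # container id
    q='"'
    case $ev in
        *"$apat"*) ;;
        *) return 1 ;;
    esac
    cmd=${ev#*"$apat"};   cmd=${cmd%%"$q"*}
    name=${ev#*"$npat"};  name=${name%%"$q"*}
    id=${ev#*"$ipat"};    id=${id%%"$q"*}
    printf 'docker-exec container=%s id=%.12s cmd="%s"\n' "$name" "$id" "$cmd"
}

# Follow the live stream and send each exec to syslog under the auth facility,
# so it lands beside the host's own login records that rsyslog already ships.
watch_docker_exec() {
    docker events --filter event=exec_create --format '{{json .}}' |
    while IFS= read -r ev; do
        rec=$(format_exec_event "$ev") || continue
        logger -t docker-exec -p auth.notice -- "$rec"
    done
}

# Constructed events in the shape the daemon emits for `docker exec -it web bash`
# and for a plain container start.
SAMPLE_EXEC='{"status":"exec_create: bash","id":"a1b2c3d4e5f6a7b8c9d0","from":"nginx","Type":"container","Action":"exec_create: bash","Actor":{"ID":"a1b2c3d4e5f6a7b8c9d0","Attributes":{"execID":"0f0f0f","image":"nginx","name":"web"}},"scope":"local","time":1700000000,"timeNano":1700000000000000000}'
SAMPLE_START='{"status":"start","id":"a1b2c3d4e5f6a7b8c9d0","from":"nginx","Type":"container","Action":"start","Actor":{"ID":"a1b2c3d4e5f6a7b8c9d0","Attributes":{"image":"nginx","name":"web"}},"scope":"local","time":1700000000,"timeNano":1700000000000000000}'
```

Running watch_docker_exec under a supervisor on the host is enough for rsyslog to pick the records up from the auth facility.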

Authorizing docker for TeamCity agent under Windows 10

I have:

  • TeamCity CI
  • TeamCity agent, installed in Windows 10 as a Windows service
  • Some Java projects with integration tests, based on TestContainers framework.
  • Sonatype Nexus instance, configured as private docker registry

TestContainers-based tests require docker to be available during the project’s build. All necessary images for the tests’ execution are located in Nexus, which in turn means that, in order to execute tests on CI, I have to authenticate docker to Nexus to be able to pull them. And that’s where the problem comes from.

I don’t understand how I should authenticate docker for something that is a Windows service (the TeamCity agent).

Usually, it’s done by docker login. I tried executing docker login from an administrator’s PowerShell, and it did succeed – I am now able to pull images from the administrator’s console. But attempts to run the tests on the TeamCity agent fail with 401 Unauthorized when pulling the images from Nexus. It looks like the service is executed as some other user, for which docker login was not done.

How should I get docker authorized with the private docker registry for the Windows 10 TeamCity agent service?

8 – Migrating content from live to development environment with Docker

I’m trying to create a localhost development server with a dockerized drupal 8 environment and need to transfer the content from the live site to localhost.

I have followed the instructions for dockerization here: https://www.drupal.org/docs/develop/local-server-setup/docker-with-solr-integration/docker-configuration

And now I have to migrate the content from the live site into the dev server, and I’m confused about the process.

Any information would be highly appreciated!

iptables – Only allowing a Docker container to access and be accessed from just one IP

I want to run an app that I do not trust inside a Docker container. To minimize risks, I want this container to only be able to access one IP address (both to receive and to send messages). In that way, the app cannot start scanning my net, contacting the outside world, or be contacted by other apps in my network.

So, say that the container runs on IP 192.168.0.10 (using macvlan) and the computer that I’ll be using for accessing it runs on IP 192.168.0.20. I want 192.168.0.10 to only have access to and from 192.168.0.20. For maximum security, the only port that needs to be open is 5000/UDP.

I guess this requires configuring iptables inside the Dockerfile but I don’t know how to set it up. Any ideas?
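An added example, not from the post above, for the single-peer policy it describes. Because macvlan traffic does not pass through the host’s own FORWARD chain, the rules are applied inside the container’s network namespace from the host with nsenter, so the untrusted app needs no NET_ADMIN and cannot remove them; the container name untrusted and the presence of iptables and nsenter on the host are assumptions.

```shell
#!/bin/sh
# Added example, not from the post. macvlan hands the container its own
# interface, so its traffic never traverses the host's FORWARD chain; the
# policy therefore has to live in the container's network namespace. Applying
# it from the host with nsenter keeps CAP_NET_ADMIN out of the container
# (Docker drops it by default), so the untrusted app cannot undo the rules.
# Assumptions: iptables and nsenter on the host, container name "untrusted".

CONTAINER=${CONTAINER:-untrusted}
PEER=192.168.0.20
PORT=5000

# Emit the rule set: default-deny in every direction, loopback kept for the
# app's own use, and only PEER allowed to talk to PORT/udp (replies go back
# from the same port). No DNS, no other hosts, no other ports.
single_peer_rules() {
    peer=$1; port=$2
    cat <<EOF
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p udp -s $peer --dport $port -j ACCEPT
-A OUTPUT -p udp -d $peer --sport $port -j ACCEPT
EOF
}

# Enter the container's network namespace via its init PID and apply each rule.
apply_to_container() {
    name=$1
    pid=$(docker inspect -f '{{.State.Pid}}' "$name") || return 1
    single_peer_rules "$PEER" "$PORT" | while read -r rule; do
        # $rule is intentionally unquoted: it holds space-separated literals from above
        nsenter -t "$pid" -n iptables $rule || exit 1
    done
}
```

Run apply_to_container "$CONTAINER" once the container is up; the rules live in its namespace and vanish with it, so the call belongs in whatever starts the container.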

Docker not working on macOS Big Sur

docker – SmallStep step-ca and Traefik – could not connect to validation target

I’m trying to set up a Let’s Encrypt type service in a private network with the Smallstep step-ca and traefik, and I’m stuck because step-ca fails to validate the certificate request from traefik.

Here is what I have done so far.

I launched a step-ca service in a docker container as explained in this documentation on a server with IP “172.16.4.5”. I’ve also followed this documentation to add the acme entry point.

On another server, “172.16.4.4”, I launched a docker-compose configuration with Traefik 2.4 and a “whoami” service (like the official example here).

All internal domain names are served by a private DNS server, and each server resolves domain names without problem.

The server and the step-ca container can reach the server 172.16.4.4 on ports 80 and 443. The server 172.16.4.4 and the traefik container can reach 172.16.4.5. In the traefik container I installed the root certificate made with step-ca during its initialization.

I’ve set up traefik to use the TLS challenge. Traefik initialises the challenge and, I don’t know why, step-ca raises an error {"type":"urn:ietf:params:acme:error:connection","detail":"The server could not connect to validation target"}

Below is the full error raised by step-ca:

INFO[0126]     duration=63.427116ms duration-ns=63427116 fields.time="2021-07-13T09:55:33Z" method=POST name=ca nonce=XX path=/acme/company.int/authz/XX protocol=HTTP/1.1 referer= remote-address=172.16.4.4 request-id=xx response="{"identifier":{"type":"dns","value":"whoami.company.int"},"status":"pending","challenges":[{"type":"dns-01","status":"pending","token":"XX","url":"https://acme.company.int:9000/acme/company.int/challenge/XX/XX"},{"type":"http-01","status":"pending","token":"XX","url":"https://acme.company.int:9000/acme/company.int/challenge/XX/XX"},{"type":"tls-alpn-01","status":"pending","token":"XX","url":"https://acme.company.int:9000/acme/company.int/challenge/XX/XX","error":{"type":"urn:ietf:params:acme:error:connection","detail":"The server could not validation target"}}],"wildcard":false,"expires":"2021-07-14T09:54:24Z"}" size=872 status=200 user-agent="containous-traefik/2.4.8 xenolf-acme/4.3.1 (release; linux; amd64)" user-id=

Here is the Traefik config.toml:

[api]
  insecure = true
  dashboard = true
  debug = true

[certificatesResolvers]
  [certificatesResolvers.myresolver]
    [certificatesResolvers.myresolver.acme]
      caServer = "https://acme.compagny.int:9000/acme/company.int/directory"
      email = "dude@mailthings.dn"
      storage = "/etc/traefik/acme/acme.json"
      [certificatesResolvers.myresolver.acme.tlsChallenge]

[providers]
  [providers.docker]
    watch = true
    network = "traefik_webgateway"
    swarmmode = false
    exposedbydefault = false
  [providers.file]
    filename = "traefik.toml"
    directory = "/etc/traefik"

Here is the /home/step/config/ca.json for the step-ca service:

{
    "root": "/home/step/certs/root_ca.crt",
    "federatedRoots": [],
    "crt": "/home/step/certs/intermediate_ca.crt",
    "key": "/home/step/secrets/intermediate_ca_key",
    "address": ":9000",
    "insecureAddress": "",
    "dnsNames": [
        "acme.company.int"
    ],
    "authority": {
        "provisioners": [
            {
                "type": "JWK",
                // (...)
                },
                "encryptedKey": "xxx"
            },
            {
                "type": "ACME",
                "name": "company.int",
                "forceCN": true,
                "claims": {
                    "maxTLSCertDuration": "2160h0m0s",
                    "defaultTLSCertDuration": "2160h0m0s"
                }
            },
            {
                "type": "ACME",
                "name": "acme"
            }
        ],
        "template": {},
        "backdate": "1m0s"
    },
    "tls": {
        "cipherSuites": [
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        ],
        "minVersion": 1.2,
        "maxVersion": 1.3,
        "renegotiation": false
    }
}

Thank you for your help.
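An added diagnostic, not part of the post above: for a tls-alpn-01 challenge the CA itself opens a TLS connection to the identifier (whoami.company.int:443 here) offering the ALPN protocol acme-tls/1, and "could not connect to validation target" means that connection failed from the CA's side, so the probe repeats it from the step-ca container's own network namespace, where name resolution and routing are the ones step-ca actually uses. The container name step-ca and the public alpine/openssl image are assumptions; the transcripts are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. For a tls-alpn-01 challenge the
# CA opens a TLS connection to the identifier (whoami.company.int:443 here)
# offering ALPN "acme-tls/1"; "could not connect to validation target" means
# that connection failed from the CA's side. This probe repeats it while
# sharing the step-ca container's network namespace (and so its resolv.conf).
# Assumptions: the CA container is named step-ca and the alpine/openssl image
# (entrypoint openssl) is pullable.

# Classify an `openssl s_client` transcript into one of four outcomes.
alpn_result() {
    case $1 in
        *'ALPN protocol: acme-tls/1'*)            echo ok ;;
        *'No ALPN negotiated'*|*'no application protocol'*)
                                                  echo no-alpn ;;     # TLS answered, but no ACME responder there
        *'Connection refused'*|*'connect:errno'*|*'Name or service not known'*)
                                                  echo unreachable ;; # what the CA's error corresponds to
        *)                                        echo unknown ;;
    esac
}

# Run the probe from the CA container's network namespace, then classify.
probe_from_ca() {
    host=$1; port=${2:-443}
    out=$(docker run --rm --network container:step-ca alpine/openssl \
            s_client -alpn acme-tls/1 -servername "$host" -connect "$host:$port" \
            </dev/null 2>&1)
    alpn_result "$out"
}

# Constructed transcripts, abridged to the lines the classifier looks at.
SAMPLE_OK='CONNECTED(00000003)
---
ALPN protocol: acme-tls/1
---'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'
```

Probe with the hostname rather than the IP: a container whose resolv.conf differs from the host's fails at resolution even when the address itself is reachable.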

docker – nginx serving only / but not any other files

I have two docker containers as below:

nginx ==> working as proxy web server (nginx web server)
dist  ==> working as a php-fpm container

And this is my dist.conf:

server {
    server_name dist.me.com;
    root /var/www/html;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        fastcgi_pass dist:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        # only reachable through the try_files rewrite above, not by a direct request
        internal;
    }

    # any other .php file is refused outright
    location ~ \.php$ {
        return 404;
    }

    error_log /var/log/nginx/dist_error.log;
    access_log /var/log/nginx/dist_access.log;
}

The issue is if I enter dist.me.com, it shows my index.php contents fine. But if I enter dist.me.com/index.php or dist.me.com/index2.php, I get error 404 Not Found.

I tried changing some values of the conf file but it did not help me.

Both index.php and index2.php exist in /var/www/html path.

Is this docker entrypoint bash script for passing parameters to the containerized app ‘good’?

Source code located here

I am trying to pass extra parameters from a container to the contained application. The following bash script is working to pass extra variables, but I’m not sure that it’s optimal, or a standard method for running a containerized application. Any insight would be appreciated.

#!/bin/bash

# allow arguments to be passed to dnsmasq
if [[ ${1:0:1} = '-' ]]; then
  EXTRA_ARGS="$@"
  set --
elif [[ ${1} == dnsmasq || ${1} == $(which dnsmasq) ]]; then
  EXTRA_ARGS="${@:2}"
  set --
fi

# default behaviour is to launch dnsmasq
if [[ -z ${1} ]]; then
  echo "Starting dnsmasq..."
  exec $(which dnsmasq) --log-facility=- --keep-in-foreground --no-resolv --no-hosts --strict-order ${EXTRA_ARGS}
else
  exec "$@"
fi
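An added rewrite of the dispatch logic, not the script from the post: it keeps the extra arguments in the positional parameters via set -- instead of an unquoted $EXTRA_ARGS string, so an option that contains spaces reaches dnsmasq as one argument. It is plain POSIX sh and assumes dnsmasq on PATH only at run time.

```shell
#!/bin/sh
# Added example, not the script from the post: the same dispatch rules written
# with `set --`, so the positional parameters themselves carry the extra
# arguments. Nothing is stored in an unquoted string, so an option containing
# spaces (e.g. --conf-file='/etc/dnsmasq.d/my file') reaches dnsmasq intact,
# which an unquoted ${EXTRA_ARGS} cannot guarantee. POSIX sh, no bash needed.

# dispatch ACTION [ARGS...]: decide what the container should run, then hand
# the final argv to ACTION (exec in the real entrypoint; a printer in tests).
dispatch() {
    action=$1; shift
    case ${1:-} in
        '')      set -- dnsmasq ;;                  # no args: plain dnsmasq
        -*)      set -- dnsmasq "$@" ;;             # options only: dnsmasq + options
        dnsmasq) ;;                                 # "dnsmasq ..." as given
        "$(command -v dnsmasq)") shift; set -- dnsmasq "$@" ;;   # full-path form
        *)       "$action" "$@"; return ;;          # anything else runs unchanged
    esac
    shift                                           # drop the leading "dnsmasq"
    set -- dnsmasq --log-facility=- --keep-in-foreground \
           --no-resolv --no-hosts --strict-order "$@"
    "$action" "$@"
}

# Test helper: print the argv one element per line instead of exec'ing it.
show_argv() { printf '%s\n' "$@"; }

# The real entrypoint ends with:   dispatch exec "$@"
```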
