Coding With Fun

Docker container access control


May 22, 2021 | Docker: From Entry to Practice



Container access control is managed and enforced primarily through the iptables firewall on Linux. iptables is the default firewall software on Linux and is included in most distributions.

The container accesses the external network

For a container to reach the external network, the host must forward packets on its behalf. On Linux, check whether IP forwarding is enabled:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

If the value is 0, forwarding is off and you need to turn it on manually. This takes effect immediately but does not survive a reboot; to make it persistent, put the same `net.ipv4.ip_forward = 1` line in a file under /etc/sysctl.d/.

$ sudo sysctl -w net.ipv4.ip_forward=1

If the Docker daemon is started with --ip-forward=true (the default), Docker sets net.ipv4.ip_forward to 1 automatically when it starts.
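The check-and-enable procedure above, as an added example that is not code from the original article or from Docker: it parses the sysctl output, enables forwarding only when it is off, and writes the persistent setting that the article's `sysctl -w` alone does not give you. The file name under /etc/sysctl.d/ is an assumption; any `*.conf` name there is read at boot. `ensure_ip_forward` must be run as root; the script itself only reports the live value.

```shell
#!/bin/sh
# Added example, not from the original article or from Docker.
# Check the forwarding flag, turn it on if needed, and persist it so the
# container network still works after a reboot.
# Assumption: the persistent file name; any *.conf under /etc/sysctl.d/ works.

PERSIST_FILE=/etc/sysctl.d/99-docker-ip-forward.conf

# ip_forward_value [SYSCTL_LINE]: print the flag (0 or 1). With an argument,
# parse a line in the form `sysctl net.ipv4.ip_forward` prints
# ("net.ipv4.ip_forward = 1"); with none, read the live value from /proc.
ip_forward_value() {
  if [ $# -gt 0 ]; then
    printf '%s\n' "$1" | awk -F= '/^net\.ipv4\.ip_forward/ { gsub(/[ \t]/, "", $2); print $2; exit }'
  else
    cat /proc/sys/net/ipv4/ip_forward
  fi
}

# persist_line: the line written to $PERSIST_FILE, kept in one place so the
# grep in ensure_ip_forward and the write always agree.
persist_line() { printf 'net.ipv4.ip_forward = 1\n'; }

# ensure_ip_forward: idempotent; must run as root. Enables forwarding now
# (sysctl -w) and records it for the next boot if not already recorded.
ensure_ip_forward() {
  if [ "$(ip_forward_value)" = "1" ]; then
    echo "forwarding already enabled"
  else
    sysctl -w net.ipv4.ip_forward=1
  fi
  # -s keeps grep quiet when the file does not exist yet
  grep -qs '^net\.ipv4\.ip_forward *= *1' "$PERSIST_FILE" || persist_line > "$PERSIST_FILE"
}

# Read-only status when run directly; call ensure_ip_forward as root to fix.
if [ -r /proc/sys/net/ipv4/ip_forward ]; then
  echo "net.ipv4.ip_forward = $(ip_forward_value)"
fi
```

Usage: `sh ./ip-forward.sh` prints the live value; `sudo sh -c '. ./ip-forward.sh; ensure_ip_forward'` enables and persists it. Because the Docker daemon sets the flag itself at startup (--ip-forward=true), the persistent file mainly matters on hosts where forwarding must already be on before Docker starts or where Docker is started with --ip-forward=false.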

Access between containers

For containers to reach each other, two conditions must both hold:

  • The containers' network topology must be interconnected. By default, all containers attach to the docker0 bridge, so they share one network segment.
  • The local system's iptables firewall must allow the traffic through.

Access all ports

When the Docker service starts, it adds a forwarding rule to the iptables FORWARD chain by default. Whether that rule is ACCEPT or DROP depends on the daemon configuration: --icc=true (the default) adds ACCEPT, --icc=false adds DROP. If the daemon is started with --iptables=false, Docker does not modify the iptables rules at all, and you are responsible for the firewall yourself.

So by default, different containers can reach each other over the network. If security requires it, disable this by setting DOCKER_OPTS=--icc=false in /etc/default/docker. Newer daemons are usually configured through /etc/docker/daemon.json instead, where the equivalent setting is "icc": false.

Access the specified port

Even with --icc=false, a container can still reach another container's open ports if the two are linked with the --link=CONTAINER_NAME:ALIAS option.

For example, start the Docker service with --icc=false --iptables=true at the same time: this turns off inter-container access while still allowing Docker to manage the system's iptables rules.

At this point, the system's iptables rules look something like this (newer daemons additionally place rules in the DOCKER-USER and DOCKER-ISOLATION chains, but the idea is the same):

$ sudo iptables -nL
...
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
...

After that, start containers with the docker run --link=CONTAINER_NAME:ALIAS option. Docker adds a pair of ACCEPT rules to iptables that let the two containers reach each other on the linked container's open ports (the ports declared with EXPOSE in its Dockerfile).

With --link=CONTAINER_NAME:ALIAS in effect, the iptables rules look like this (here 172.17.0.2 is the linked container exposing port 80, and 172.17.0.3 the container that links to it):

$ sudo iptables -nL
...
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  172.17.0.2           172.17.0.3           tcp spt:80
ACCEPT     tcp  --  172.17.0.3           172.17.0.2           tcp dpt:80
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Note: CONTAINER_NAME in --link=CONTAINER_NAME:ALIAS must be the name Docker assigned to the container, or the name given with the --name parameter. The container's hostname is not recognized. --link is a legacy feature: on user-defined bridge networks, containers on the same network reach each other by name, and isolation is achieved by putting containers on different networks.
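The two listings above (the catch-all DROP from --icc=false and the ACCEPT pair added by --link) are exactly what a practitioner checks when auditing a host. The following is an added example, not code from the original article or from Docker: it parses a FORWARD chain listing in the article's layout, reports whether inter-container traffic is open or closed, and lists the ports that --link rules punch through. SAMPLE is a constructed listing copied from the article's layout; on a real host replace it with `$(sudo iptables -nL FORWARD)`. The parser assumes the classic layout shown here, with rules directly in FORWARD; it does not walk the DOCKER-USER or DOCKER-ISOLATION chains newer daemons use.

```shell
#!/bin/sh
# Added example, not from the original article or from Docker.
# Audit a FORWARD chain listing the way the article reads it.
# SAMPLE is constructed from the article's own listing so this runs offline.

SAMPLE='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  172.17.0.2           172.17.0.3           tcp spt:80
ACCEPT     tcp  --  172.17.0.3           172.17.0.2           tcp dpt:80
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# icc_state LISTING: print "closed" if the first catch-all rule (any source to
# any destination, no match extensions, i.e. exactly 5 fields) is DROP,
# "open" if it is ACCEPT, and "unknown" if there is no such rule.
# The NF == 5 test keeps rules such as "ctstate RELATED,ESTABLISHED" from
# being mistaken for Docker's catch-all.
icc_state() {
  printf '%s\n' "$1" | awk '
    NF == 5 && $4 == "0.0.0.0/0" && $5 == "0.0.0.0/0" && $1 == "DROP"   { print "closed"; found = 1; exit }
    NF == 5 && $4 == "0.0.0.0/0" && $5 == "0.0.0.0/0" && $1 == "ACCEPT" { print "open";   found = 1; exit }
    END { if (!found) print "unknown" }'
}

# link_rules LISTING: one line "<client> -> <server>:<port>" per ACCEPT rule
# between two specific addresses that names a destination port (the dpt: half
# of each --link pair). The spt: half is the reply direction and is skipped.
link_rules() {
  printf '%s\n' "$1" | awk '
    $1 == "ACCEPT" && $4 != "0.0.0.0/0" && $5 != "0.0.0.0/0" {
      for (i = 6; i <= NF; i++)
        if ($i ~ /^dpt:/) { split($i, p, ":"); print $4 " -> " $5 ":" p[2] }
    }'
}

# report LISTING: human-readable summary of both checks
report() {
  echo "inter-container traffic: $(icc_state "$1")"
  rules=$(link_rules "$1")
  if [ -n "$rules" ]; then
    echo "ports opened by --link:"
    printf '%s\n' "$rules" | sed 's/^/  /'
  else
    echo "no --link rules present"
  fi
}

report "$SAMPLE"
```

For the constructed listing this reports inter-container traffic as closed with a single hole, 172.17.0.3 -> 172.17.0.2:80, which is the intended result of --icc=false plus one --link. A result of "open" on a host that is supposed to run with --icc=false, or a --link hole you did not expect, is the finding to chase.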