With TOS 6.0 installed, I dived quickly into trying the new docker support.
I managed to install docker, configuring data_root in /etc/config/dockerd so it points to my external HDD, and have portainer running, capable of spawning new containers. Amazing!
Now I realize my containers do not have access to Internet:
root@turris:~# docker run --rm busybox ping 8.8.8.8
^CPING 8.8.8.8 (8.8.8.8): 56 data bytes
--- 8.8.8.8 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
I have tried uncommenting the extra_iptables_args in /etc/config/dockerd because it is commented with "allow outbound connections", but it does not seem to change anything.
Any idea how to allow the containers to access the Internet?
Got the same with out of the box docker setup. I didn't play with it much though.
You can always fall back to host networking directly until default docker0 network gets sorted out:
docker run --rm --network host busybox ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=121 time=10.148 ms
Looks like I was too quick - RTFM. The /etc/config/dockerd is relatively clear:
# firewall config changes are only additive i.e firewall will need to be restarted first to clear old changes,
# then docker restarted to load in new changes.
so, after uncommenting the option extra_iptables_args line in /etc/config/dockerd, you must do:
$ /etc/init.d/firewall restart
[...]
$ /etc/init.d/dockerd restart
[...]
$ docker run --rm busybox ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=115 time=12.341 ms
64 bytes from 8.8.8.8: seq=1 ttl=115 time=12.005 ms
64 bytes from 8.8.8.8: seq=2 ttl=115 time=12.420 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 12.005/12.255/12.420 ms
root@turris:~# cat /etc/config/dockerd
# The following settings require a restart of docker to take full effect, A reload will only have partial or no effect:
# bip
# blocked_interfaces
# extra_iptables_args
# device
config globals 'globals'
# option alt_config_file '/etc/docker/daemon.json'
option data_root '/opt/docker/'
option log_level 'warn'
option iptables '1'
# list hosts 'unix:///var/run/docker.sock'
# option bip '172.18.0.1/24'
# option fixed_cidr '172.17.0.0/16'
# option fixed_cidr_v6 'fc00:1::/80'
# option ipv6 '1'
# option ip '::ffff:0.0.0.0'
# list dns '172.17.0.1'
# list registry_mirrors 'https://<my-docker-mirror-host>'
# list registry_mirrors 'https://hub.docker.com'
# Docker ignores fw3 rules and by default all external source IPs are allowed to connect to the Docker host.
# See https://docs.docker.com/network/iptables/ for more details.
# firewall config changes are only additive i.e firewall will need to be restarted first to clear old changes,
# then docker restarted to load in new changes.
config firewall 'firewall'
option device 'docker0'
list blocked_interfaces 'wan'
option extra_iptables_args '--match conntrack ! --ctstate RELATED,ESTABLISHED' # allow outbound connections
The last line was commented after installation of dockerd.
It modifies the DOCKER-USER table like this: