container_networking

Docker Container Networking

This guide explores various aspects of Docker container networking, from inspecting IP addresses to creating custom networks, exposing ports, and using Docker Compose for multi-container setups.

(Assumption: The examples use a custom Docker image named hackon:v1. If this image is not available, you can substitute it with a standard image like alpine or busybox and install necessary tools like iproute2 for ip a, curl, or siege if needed.)

1. Basic Network Commands and Concepts

1.1 Check a Container's IP Address

Run a container and check its IP address using the ip a command within the container.

docker run -it --rm hackon:v1 ip a

(Note: --rm is added to automatically remove the container when it exits.)

1.2 Create and Use a Custom Docker Network

User-defined bridge networks are recommended for communication between containers.

Create a new Docker network:
```
docker network create my-net
```
Run a container in the new network: Containers on the same user-defined network can resolve each other by name.
```
docker run -it --rm --network my-net hackon:v1 ip a
```

1.3 Attach a Running Container to Multiple Networks

A container can be connected to more than one network.

Create another network and a container (initially not started):

docker network create my-net2
# Create the container without starting it, using 'bash' to keep it alive if 'hackon:v1' exits immediately
docker container create --name hackon -it hackon:v1 bash

(Note: Removed --rm from create as it's not applicable here. Added bash as CMD to keep it alive.)

Connect the container to networks:

docker network connect my-net hackon
docker network connect my-net2 hackon

Start the container and inspect its interfaces:

docker container start hackon
docker exec -it hackon ip a
# Remember to stop and remove the container manually later if not using --rm on start
# docker stop hackon && docker rm hackon

1.4 Using Host Network Mode

A container can share the host's network stack. This means it uses the host's IP address and port space.

docker run -it --rm --network=host --name hackon-host hackon:v1 bash

Once inside the container's shell (hackon-host), you can run commands like:

# Inside the hackon-host container:
ip a  # Shows the host's network interfaces
ps aux # Shows processes within the container. To see all processes on the host, you would also need --pid=host.

(Clarified that ip a and ps are run inside the container. Clarified ps aux behavior with/without --pid=host.)

The comment "Maybe time to TCPdump correctly ..." suggests using tcpdump in such a container to see host traffic.

2. Inter-Container Communication and Exposing Ports

2.1 Communication on the Default Bridge Network

Let's create webservers and generate traffic. By default, containers (without a specified --network) are often attached to a default bridge network.

Start an Nginx web server:
```
docker run -d --name www --rm nginx
```
Inspect the Nginx container to find its IP address on the default bridge:(This IP is internal to Docker and can change.)
```
# Look for 'IPAddress' under 'Networks'.'bridge'.'IPAddress'
docker inspect www
```
Generate traffic from another container using the IP:(Replace 172.17.0.2 with the actual IP found from docker inspect www.)
```
docker run -it --rm hackon:v1 curl 'http://172.17.0.2'
# Using siege (if hackon:v1 has it, or use dockersec/siege image)
docker run -it --rm hackon:v1 siege -c1 -r1 'http://172.17.0.2'
```
Note: For reliable communication, user-defined networks are preferred, allowing resolution by container name (e.g., http://www).

2.2 Exposing Container Ports to the Host (`--publish`)

To make a container's service reachable from the host machine or externally:

Publish a specific port (host:container): This maps port 80 on the host to port 80 in the www2 container.
```
docker run -d --name www2 --rm --publish 80:80 nginx   # -p 80:80 is a shorthand
```
You can now access this Nginx instance via http://localhost:80 or http://<your-host-ip>:80.
Publish all exposed ports to random host ports (-P): This maps all ports EXPOSEd in the Nginx Dockerfile (port 80) to random high-numbered ports on the host.
```
docker run -d --name www3 --rm -P nginx
```
Inspect www3 to find the dynamically assigned host port:
```
docker inspect www3
# Look for 'HostPort' under 'NetworkSettings'.'Ports'.'80/tcp'[0].'HostPort'
```

Accessing published ports: Assuming www2 is on port 80 and www3 was assigned, for example, port 32768 by Docker:

# On the host machine
curl http://127.0.0.1:80   # Accesses www2
curl http://127.0.0.1:32768 # Accesses www3 (replace 32768 with actual port)

From a browser on your network (replace studentx-4.training.dockerhack.me with your host's actual DNS name or IP):

http://studentx-4.training.dockerhack.me       # Accesses www2
http://studentx-4.training.dockerhack.me:32768 # Accesses www3

3. Lab: Sniffing Traffic with tcpdump

This section outlines a small exercise for practicing with tcpdump.

Create a user-defined network, e.g., tcpdump-lab:
```
docker network create tcpdump-lab
```

Run an Nginx container on this network:

docker run -d --name webserver --network tcpdump-lab --rm nginx

Run a hackon:v1 (or similar) container on the same tcpdump-lab network. Can it reach the Nginx container by name (e.g., curl http://webserver)?
```
docker run -it --rm --network tcpdump-lab hackon:v1 curl http://webserver
```
Try to use tcpdump:
- Can you see all traffic on the host? (Requires tcpdump on the host or in a --network=host container).
- Can you see inter-container traffic on the tcpdump-lab network? (e.g., using a tcpdump container attached to this network, or on the host inspecting the tcpdump-lab bridge interface).
- Can you see traffic inside a specific container (e.g., webserver or the hackon:v1 client)? (e.g., using docker exec webserver tcpdump ... if tcpdump is installed in it, or a container in --network container:webserver mode).

Refer to external guides for detailed tcpdump usage with Docker, such as:How To TCPDump Effectively in Docker (Link from original document)

Appendix: Using Docker Compose

If you want to avoid starting multiple containers manually all the time, you can use Docker Compose.

Install Docker Compose:(Note: apt install docker-compose installs an older version. Modern Docker Desktop and Docker Engine often include docker compose (with a space) as a plugin. Refer to official Docker documentation for current installation methods.)
```
# For older systems or if specifically needed:
# sudo apt update && sudo apt install docker-compose -y
```

Create a docker-compose.yaml file: In a separate directory, create a file named docker-compose.yaml:

version: '3.8' # Updated version
services:
  web:
    image: nginx
    ports:
      - "80" # Docker Compose will pick a random host port. For specific port: "8080:80"
  siege:
    image: "dockersec/siege"
    # Example: siege the 'web' service after it starts
    command: -c 2 -r 5 http://web
    depends_on:
      - web

(Updated version, clarified port mapping, added depends_on and more specific siege command)

Start the application: (Assuming your file is named docker-compose.yaml or docker-compose.yml in the current directory)

# If using the plugin version (Docker Engine v20.10+): docker compose up -d
# If using standalone older docker-compose:
docker-compose up -d

Check running containers and networks:

docker ps
docker network ls

Stop the application: This will stop and remove containers, and networks created by Compose.
```
docker-compose down
```
Verify:
```
docker ps
docker network ls
```

Home

Previousbpf_labs Nextcreating_containers

Last updated 6 months ago