# ip route add default via 10.12.7.254 dev br-em1 Now, add this device to your bridge: # brctl addif br-em1 em1Ĭonfigure the bridge with the address that used to belong toĪnd move the default route to the bridge: # ip route del default Look at your current routes and note the default route: # ip routeġ0.12.0.0/21 dev em1 proto kernel scope link src 10.12.0.76 Look at the configuration of interface em1 and note the existing ipĢ: em1: mtu 1500 qdisc mq master br-em1 state UP group default qlen 1000 WARNING: This is not something you should do remotely, especiallyįor the first time, and making this persistent varies fromĭistribution to distribution, so this will not be a persistent We’re going to add em1 to this bridge, and move the ip address from This solution uses a Linux bridge device, created using brctl, toĬonnect your containers directly to a physical network. You have an application that needs to be on the same layer 2 broadcastĭomain as other devices on your network, NAT rules aren’t going to If you need to configure an interface using DHCP, or if The previous example was relatively easy to configure, but has a few With these rules in place, traffic to 10.12.0.117 (port 80) isĭirected to our web container, and traffic originating in the webĬontainer will appear to come from 10.12.0.117. Need to place our rule earlier in the POSTROUTING chain for it to
POSTROUTING chain: -A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADEīecause this MASQUERADE rule matches traffic from any container, we
This is necessary because, byĭefault, Docker has already added the following rule to the top of the Note here the use of -I POSTROUTING, which places the rule at the POSTROUTING chain to modify the source address: # iptables -t nat -I POSTROUTING -s $(docker-ip web) \ We can fix that my adding a SNAT rule to the System, that connection would appear to originate with ip address of If our container were to initiate a network connection with another It’s destination set to the address of our docker container ( -j DNAT -to-destination 172.17.0.4:80).įrom a host elsewhere on the network, we can now access the web server Originating on the docker0 bridge ( ! -i docker0) destined for This matches traffic TO our target address ( -d 10.12.0.117/32) not Will also create the following rule in the nat table DOCKERĬhain (which is run from the PREROUTING chain): -A DOCKER -d 10.12.0.117/32 ! -i docker0 -p tcp -m tcp Assign an ip address from the network used by the docker0 bridge.īecause we added -p 10.12.0.117:80:80 to our command line, Docker.Place the other inside the container namespace as eth0.With this command, Docker will set up the standard network model: Ports to an ip address and port on the host: # docker run -d -name web -p 10.12.0.117:80:80 larsks/simpleweb Start your docker container, using the -p option to bind exposed Your host to redirect inbound traffic to/outbound traffic from theĪssign our target address to your host interface: # ip addr add 10.12.0.117/21 dev em1 This uses the standard Docker network model combined with NAT rules on In order to make this convenient, drop the following into a scriptĬalled docker-pid, place it somewhere on your PATH, and make itĮxec docker inspect -format '' now we can get the ip address of a container like this: $ docker-ip web In this article we will often refer to the PID of a docker container. If you don’t have that handy, there is aĬonvenient Docker recipe to build it for you at jpetazzo/nsenter That my utils-linux package is recent enough to include the I am running Fedora 20 with Docker 1.1.2. We are creating a Docker container that we In the following examples, we have a host with address 10.12.0.76 on Other than a technology demonstration, you might look to the pipework script, which can automate many of these configurations. If you were actually going to use one of these solutions as anything These are not suggested as practical solutions, butĪre meant to illustrate some of the underlying network technology This article discusses four ways to make a Docker container appear onĪ local network. I’ve written an article about working with the macvlan Supported mechanism for direct connectivity to a local layer 2
HOW TO KNOW DOCKER IP ADDRESS UPDATE
Update () Since I wrote this document back in 2014,