Localhost acl rule fails because docker push is using server ip not localhost #64

Closed
tjenkinson opened this issue Feb 2, 2016 · 5 comments

Comments

@tjenkinson

Any idea how to make docker push run with the source address "127.0.0.1"?

@carsonoid
Contributor

It sounds like all you need to do is add an acl to allow pushes from your server ip.

So for example, if you are logged into a server with the host "myserver.com" and running docker push myserver.com/img:tag, you can add an acl to allow pushes from whichever ip myserver.com has.

Or you could add an entry to your server's /etc/hosts to make sure that myserver.com resolves to 127.0.0.1 instead of its other ip. So it might look like:

/etc/hosts

127.0.0.1   localhost
127.0.0.1   myserver.com

@tjenkinson
Author

Thanks @carsonoid. I would prefer not to do the first method in case the server ip changes. The second one looks good but still doesn't work for some reason.

Without the "127.0.0.1 myserver.com" entry, when I do a pull I get this in the log:

Auth request: {:@<<public server ip here>>:44991 { pull repository dashboard}}

With it I now get this:

Auth request: {:@172.17.0.1:42483 { pull repository dashboard}}

It still doesn't work because "172.17.0.1" is not in a rule. Any ideas why it's now "172.17.0.1" not "127.0.0.1"?

@tjenkinson
Author

I'm really new to docker, but from googling it looks like that might be the ip that the host has on docker's bridged network?

@tjenkinson
Author

Can someone confirm that having "127.0.0.1" in an acl actually can work?
I'm thinking maybe it can't because the docker container running the auth server might have its own "127.0.0.1", which is different to the host's "127.0.0.1", hence why it's now seeing the ip that the host has on the bridge network. That sound like it could be a valid theory?

@tjenkinson
Author

Ok yes, so it looks like the default docker bridge network is what containers get put onto, which is basically a nat network, and the gateway ip on this network (i.e. the host) is 172.17.0.1.

So I now have:

- match: {ip: "172.17.0.1"}
  actions: ["*"]
  comment: "Allow everything from localhost (on docker bridge)"

and it works!

So my question now is should this be the ip in the default config, not 127.0.0.1?
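Added example (not from the thread or from the docker_auth project): a Python sketch that extracts the source address from log lines in the format quoted above and checks it against a simplified, ip-only ACL. It shows why a 127.0.0.1 rule never matches a request that arrives over the bridge, and why the rule should name the gateway address rather than the whole bridge subnet. The sample lines, the 203.0.113.10 stand-in for the public IP, the 172.17.0.2 peer, the function names and the address-or-CIDR handling are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in the log format quoted in the thread.
# 203.0.113.10 is a documentation address standing in for the public server IP.
SAMPLE_LOG = """\
Auth request: {:@203.0.113.10:44991 { pull repository dashboard}}
Auth request: {:@172.17.0.1:42483 { pull repository dashboard}}
"""

# Simplified ACL model: only the "ip" match is evaluated (assumption of this sketch).
ACL_LOOPBACK_ONLY = [{"ip": "127.0.0.1", "actions": ["*"]}]
ACL_WITH_GATEWAY = ACL_LOOPBACK_ONLY + [{"ip": "172.17.0.1", "actions": ["*"]}]
ACL_WHOLE_BRIDGE = ACL_LOOPBACK_ONLY + [{"ip": "172.17.0.0/16", "actions": ["*"]}]

# The source address sits between "@" and the last ":port" before the space.
REQ_RE = re.compile(r"Auth request: \{[^@]*@(?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+) ")


def source_ips(log_text):
    """Return the source address of every auth request line, in order."""
    return [m.group("ip") for m in REQ_RE.finditer(log_text)]


def first_match(acl, ip):
    """Index of the first entry whose ip (address or CIDR) covers ip, else None."""
    addr = ipaddress.ip_address(ip)
    for index, entry in enumerate(acl):
        if addr in ipaddress.ip_network(entry["ip"], strict=False):
            return index
    return None


def evaluate(acl, log_text):
    """Map each source address seen in the log to the ACL entry that allows it."""
    return {ip: first_match(acl, ip) for ip in source_ips(log_text)}


if __name__ == "__main__":
    for name, acl in [("loopback only", ACL_LOOPBACK_ONLY),
                      ("gateway added", ACL_WITH_GATEWAY)]:
        print(name, evaluate(acl, SAMPLE_LOG))
    # Another container on the default bridge (constructed address):
    print("peer vs gateway rule:", first_match(ACL_WITH_GATEWAY, "172.17.0.2"))
    print("peer vs /16 rule:", first_match(ACL_WHOLE_BRIDGE, "172.17.0.2"))
```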
