In single-host mode (no swarm or more complicated stuff) I have a host with multiple public IPs. It seems there is no way to configure which of those IPs containers use for outbound communication. The primary IP of the host is always used. So I would need different containers to be seen on the Internet as using different IPs.
My use case is a mail server. I have an extra IP allocated to the server to use for sending e-mails so that forward and reverse DNS entries can match. The other IP address is used for HTTP virtual hosting and has many different DNS entries. Additionally, using an extra IP for a dedicated mail server is in general good practice.
Tried with Docker 1.12.5 on Linux (Ubuntu 16.04.1 LTS) with 4.8.0 kernel.
cc @kostko, @gw0
/cc @sanimej ptal
@mitar For external connectivity Docker programs a MASQUERADE rule. It works better than an SNAT rule since it's not tied to a particular IP. Currently there is no option to change this behavior.
One workaround I can suggest is..
OK, but marking would be based on the e-mail traffic port, not on the container. Is there currently no way to ask Docker to mark all traffic from a container with some mark?
Yes, this custom marking is something you have to do yourself.
Is there a way to make the container's internal IP static? Or a preferred way to run a command on the host each time the container starts? If yes, then some simple iptables rules on the host would be enough.
Another idea is to mark traffic with iptables inside the mail container. Is it possible?
The docker events command (or API) can be used to listen for containers that are started/stopped, or connected/disconnected from a network.
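To tie the SNAT suggestion above to the docker events approach, here is an added example (my own code, not Docker's and not posted by anyone in this thread). It follows container start/die events, looks up the container's bridge IP, and inserts a per-container SNAT rule at the top of nat/POSTROUTING so it is evaluated before Docker's own MASQUERADE rule; when the container dies the rule is removed again. The container-name-to-public-IP map, the docker0 bridge name and the /run/docker-snat state directory are assumptions made for the example.

```shell
#!/bin/sh
# Per-container outbound source IP for Docker, via SNAT keyed on the container's
# bridge IP. Added example, not Docker's own code. Assumptions: the bridge is
# docker0, the name->public-IP map below is hypothetical, state lives in STATE_DIR.
set -eu

BRIDGE_IF="${BRIDGE_IF:-docker0}"
STATE_DIR="${STATE_DIR:-/run/docker-snat}"

# Hypothetical mapping, one "container-name public-ip" pair per line.
# Each public IP must already be configured on the host.
CONTAINER_MAP="mail 198.51.100.25
web 198.51.100.26"

# Print the public IP for a container name, or nothing if it is not mapped.
public_ip_for() {
    printf '%s\n' "$CONTAINER_MAP" | awk -v n="$1" '$1 == n { print $2 }'
}

# Build the rule body (everything after the chain name) for one container.
# Matches traffic from that container's IP leaving on any non-bridge
# interface and rewrites the source to the chosen public IP.
snat_rule_args() {  # container_ip public_ip
    printf '%s\n' "-s $1/32 ! -o $BRIDGE_IF -j SNAT --to-source $2"
}

# Current bridge IP of a running container (assigned dynamically by Docker).
container_ip() {
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
}

# Insert at position 1 of nat/POSTROUTING so the rule is hit before Docker's
# own "-s 172.17.0.0/16 ! -o docker0 -j MASQUERADE" rule. Remember the exact
# arguments so the rule can be deleted after the container (and its IP) is gone.
add_snat() {  # name container_ip public_ip
    args=$(snat_rule_args "$2" "$3")
    mkdir -p "$STATE_DIR"
    # shellcheck disable=SC2086  # word splitting of $args is intended
    iptables -t nat -I POSTROUTING 1 $args
    printf '%s\n' "$args" > "$STATE_DIR/$1"
}

del_snat() {  # name
    [ -f "$STATE_DIR/$1" ] || return 0
    args=$(cat "$STATE_DIR/$1")
    # shellcheck disable=SC2086
    iptables -t nat -D POSTROUTING $args || true
    rm -f "$STATE_DIR/$1"
}

# React to one container event; unmapped containers keep Docker's MASQUERADE.
handle_event() {  # name action
    pub=$(public_ip_for "$1")
    [ -n "$pub" ] || return 0
    case "$2" in
        start) del_snat "$1"; add_snat "$1" "$(container_ip "$1")" "$pub" ;;
        die)   del_snat "$1" ;;
    esac
}

# Apply rules for containers already running, then follow the event stream.
watch() {
    for name in $(docker ps --format '{{.Names}}'); do
        handle_event "$name" start
    done
    docker events --filter type=container --filter event=start --filter event=die \
        --format '{{.Actor.Attributes.name}} {{.Action}}' |
    while read -r name action; do
        handle_event "$name" "$action"
    done
}

# Run as root: ./docker-snat.sh watch
if [ "${1:-}" = "watch" ]; then
    watch
fi
```

Two things to keep in mind when using something like this: the rule is keyed on the container's bridge IP, which Docker hands out dynamically, so it must be removed on die (otherwise a later container that receives the same IP would silently inherit the mail server's public address), and Docker re-creates its own NAT rules when the daemon restarts, so the watcher should be restarted with it. For the inbound side of the mail use case, publish the SMTP port on the dedicated address (for example `-p 198.51.100.25:25:25`) so the container answers on the same IP it sends from.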
Oh, I hoped we could get rid of dynamic configuration of the network stack now that there is support for Docker networks. We made this daemon in the past to configure custom network configuration so that we could use custom routing inside Docker. But with Docker networks this is more or less obsolete. The only open case is this outbound/external IP.
I think it would be great if this could be something supported by Docker directly.
If someone can write a proposal for this functionality, including what the UX would look like, it could be looked into to see if there's a way to implement.