Unable to choose outbound (external) IP for containers #30053

Open
mitar opened this Issue Jan 11, 2017 · 9 comments


@mitar
mitar commented Jan 11, 2017 edited

In single host mode (no swarm and more complicated stuff) I have a host with multiple public IPs. It seems there is no way to configure which of those IPs containers use for outbound communication. The primary IP on the host is always used. So I would need different containers to be seen on the Internet as using different IPs.

My use case is a mail server. I have an extra IP allocated to the server to use for sending e-mails so that forward and backward DNS entries can match. The other IP address is used for HTTP virtual hosting and has many different DNS entries. Additionally, using an extra IP for a dedicated mail server is in general a good practice.

Tried with Docker 1.12.5 on Linux (Ubuntu 16.04.1 LTS) with 4.8.0 kernel.

@thaJeztah
Member

/cc @sanimej ptal

@sanimej
Contributor
sanimej commented Jan 13, 2017 edited

@mitar For external connectivity docker programs a MASQUERADE rule. It works better than an SNAT rule since it's not tied to a particular IP. Currently there is no option to change this behavior.

One workaround I can suggest is:

  • create a new routing table with a default route to go via the interface you want for e-mail traffic,
  • add an iptables entry to mark the e-mail traffic,
  • add an ip rule to direct the marked traffic to the new routing table.
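
The workaround above, worked through as an added shell example (it is not from the issue or from Docker itself). The container address, public IP, gateway, interface name, routing table id and mark value are assumed placeholders; the fourth step (an explicit SNAT ahead of Docker's MASQUERADE) is added because MASQUERADE picks the outgoing interface's primary address, which is exactly what the issue wants to avoid.

```shell
#!/bin/sh
# Added example (not from the issue): policy routing so that one container's
# outbound traffic leaves the host from a dedicated public IP. Every address,
# interface name, table id and mark below is a constructed placeholder.
set -eu

MAIL_CONTAINER_IP="${MAIL_CONTAINER_IP:-172.17.0.5}"   # assumed: mail container's docker0 address
MAIL_PUBLIC_IP="${MAIL_PUBLIC_IP:-203.0.113.20}"       # assumed: dedicated outbound IP
MAIL_GATEWAY="${MAIL_GATEWAY:-203.0.113.1}"            # assumed: gateway for that IP
MAIL_IFACE="${MAIL_IFACE:-eth1}"                       # assumed: interface carrying that IP
MAIL_TABLE=100                                         # routing table id (must be unused)
MAIL_MARK=0x10                                         # fwmark for the mail container's packets
DRY_RUN="${DRY_RUN:-}"                                 # set to 1 to print commands instead of running

# Run a command, or print it when DRY_RUN is set (lets the rules be reviewed first).
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

setup_mail_egress() {
    # 1. Separate routing table whose default route leaves via the mail interface.
    run ip route replace default via "$MAIL_GATEWAY" dev "$MAIL_IFACE" \
        src "$MAIL_PUBLIC_IP" table "$MAIL_TABLE"
    # 2. Mark packets from the mail container as they arrive on the docker bridge.
    run iptables -t mangle -A PREROUTING -i docker0 -s "$MAIL_CONTAINER_IP" \
        -j MARK --set-mark "$MAIL_MARK"
    # 3. Send marked packets through the new table instead of the main one.
    run ip rule add fwmark "$MAIL_MARK" table "$MAIL_TABLE"
    # 4. SNAT inserted at the top of POSTROUTING so it matches before Docker's
    #    MASQUERADE rule, which would otherwise use the interface's primary address.
    run iptables -t nat -I POSTROUTING 1 -m mark --mark "$MAIL_MARK" \
        -j SNAT --to-source "$MAIL_PUBLIC_IP"
}

teardown_mail_egress() {
    run iptables -t nat -D POSTROUTING -m mark --mark "$MAIL_MARK" -j SNAT --to-source "$MAIL_PUBLIC_IP"
    run ip rule del fwmark "$MAIL_MARK" table "$MAIL_TABLE"
    run iptables -t mangle -D PREROUTING -i docker0 -s "$MAIL_CONTAINER_IP" -j MARK --set-mark "$MAIL_MARK"
    run ip route flush table "$MAIL_TABLE"
}

# Usage: DRY_RUN=1 sh mail-egress.sh setup   (review), then run as root without DRY_RUN.
case "${1:-}" in
    setup)    setup_mail_egress ;;
    teardown) teardown_mail_egress ;;
esac
```

Docker manages its own NAT rules and may put them back ahead of this SNAT rule when the daemon restarts, and the container's bridge address can change when it is recreated, so the rules have to be re-applied on the container start events discussed later in the thread. If replies are dropped, reverse-path filtering (rp_filter) on the mail interface is the usual cause.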
@mitar
mitar commented Jan 13, 2017

OK, but marking would be based on e-mail traffic port, not on the container. There is no way currently to ask Docker to mark all traffic from a container with some mark?

@sanimej
Contributor
sanimej commented Jan 13, 2017

Yes, this custom marking is something you have to do yourself.

@gw0
gw0 commented Jan 19, 2017

Is there a way to make the container's internal IP static? Or a preferred way to run a command on the host each time the container starts? If yes, then some simple iptables rules on the host would be enough.

Another idea is to mark traffic with iptables inside the mail container. Is it possible?

@thaJeztah
Member

The docker events command (or API) can be used to listen for containers that are started / stopped, or connected / disconnected from a network.

@mitar
mitar commented Jan 19, 2017

Oh, I hoped we could get rid of dynamic configuration of the network stack now that there is support for Docker networks. We made this daemon in the past to configure custom network configuration so that we could use custom routing inside Docker. But with Docker networks this is more or less obsolete. The only open case is this outbound/external IP.

I think it would be great if this could be something supported by Docker directly.

@thaJeztah
Member

If someone can write a proposal for this functionality, including what the UX would look like, it could be looked into to see if there's a way to implement it.
