I'm exploring creating a gateway that can start and stop Docker containers on a RHEL 7 system upon. I've made changes to my /usr/lib/systemd/system/docker.service to start Docker on an interface with the following.

ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:23751 --containerd=/run/containerd/containerd.sock

I'm unable to connect to dockerd to get the status of the containers unless I disable the firewall. But if I disable the firewall, I can't start containers.

Caused by: com.amihaiemil.docker.UnexpectedResponseException: Expected status 204 but got 500 when calling http://192.168.1.70:23751/v1.35/containers/e3f0f09269a699ec27bbac8a5027d1383ae15cf64b5e6b649e76be1297cc2535/start.
Response body was {"message":"driver failed programming external connectivity on endpoint hello-service (eef135f889322f1899800f19612404e9d8b1f39c7866f31ca5059562aa501bf6): (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 34570 -j DNAT --to-destination 192.168.10.40:8080 ! -i br-4982fe847356: iptables: No chain/target/match by that name.\n (exit status 1))"}

I realize there are consequences of running an open TCP port for dockerd. Before I get everything secure, I would like to get an idea of how a gateway might do something like this.

Does anyone else have experience doing something like this?

Thomas Lann
  • "There are consequences" ==> "anyone who can reach that port has unrestricted root-level access over your system". "Docker cryptojacking" is a good search term. – David Maze May 28 '19 at 23:23
  • Understood. I don't plan on making this a finished product without securing it. This is an exploration of a gateway to start containers. – Thomas Lann May 28 '19 at 23:28

1 Answer

After much trial and error, I found out that firewalld is blocking that port.
To enable the port, do the following.

sudo firewall-cmd --zone=public --add-port=2375/tcp

Please note, doing this opens a very large security vulnerability as the commenter above has pointed out. In my case, this was done behind a firewall where no outside connections can make a connection to inside my network's firewall. This is still a bad idea, but in this case it is being used to explore some concepts and is turned off when not being used. Please explore the security implications when doing this. Also, the firewall will not save the configuration in the above command unless you use the --permanent argument.

Thomas Lann
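Added example, written for this thread and not the asker's own script nor anything from the Docker or firewalld projects: a small POSIX shell diagnostic for the two failure modes above. It checks whether the dockerd port is open in firewalld's public zone, checks whether Docker's DOCKER chain still exists in the iptables nat table (the "No chain/target/match by that name" error in the question is what you get when it does not, which happens when firewalld is restarted or stopped after dockerd has started; restarting docker recreates the chain), and prints a firewalld rich rule that admits only a named management network instead of --add-port, which admits every source. Port 23751 is the one from the question; TRUSTED_NET=192.168.1.0/24 is an assumed value, and the sample firewall-cmd and iptables outputs used to exercise the functions are constructed.

```shell
#!/bin/sh
# Added example (not the asker's own commands). Diagnoses the two problems from the thread:
#   1. is the dockerd TCP port open in firewalld's public zone?
#   2. does Docker's DOCKER chain still exist in the iptables nat table?
# and prints a source-restricted firewalld rule rather than an open --add-port.
# DOCKER_API_PORT is the port from the question; TRUSTED_NET is an assumed management network.

DOCKER_API_PORT="${DOCKER_API_PORT:-23751}"
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"

# Return 0 if "<port>/tcp" appears in the output of `firewall-cmd --zone=public --list-ports` ($2).
port_is_open() {
    printf '%s\n' "$2" | tr ' ' '\n' | grep -qx "$1/tcp"
}

# Return 0 if the output of `iptables -t nat -S` ($1) declares the DOCKER chain.
# `-S` prints one "-N <chain>" line per user-defined chain, so an exact-line match is enough.
docker_nat_chain_present() {
    printf '%s\n' "$1" | grep -qx -- '-N DOCKER'
}

# firewalld rich rule admitting only $2 (a CIDR) to TCP port $1, unlike --add-port which admits everyone.
docker_api_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port protocol="tcp" port="%s" accept' "$2" "$1"
}

# The commands an administrator would run to apply that rule persistently (printed, never executed here).
print_fix_commands() {
    rule=$(docker_api_rich_rule "$1" "$2")
    printf "sudo firewall-cmd --permanent --zone=public --add-rich-rule='%s'\n" "$rule"
    printf 'sudo firewall-cmd --reload\n'
}

# Live checks run only where the tools exist; elsewhere they are skipped, so the script is safe to source.
if command -v firewall-cmd >/dev/null 2>&1; then
    ports=$(firewall-cmd --zone=public --list-ports 2>/dev/null || true)
    if port_is_open "$DOCKER_API_PORT" "$ports"; then
        echo "firewalld: $DOCKER_API_PORT/tcp is open to every source in zone public; prefer the rich rule below"
    else
        echo "firewalld: $DOCKER_API_PORT/tcp is closed; clients on $TRUSTED_NET will be dropped"
    fi
    print_fix_commands "$DOCKER_API_PORT" "$TRUSTED_NET"
fi
if command -v iptables >/dev/null 2>&1; then
    nat=$(iptables -t nat -S 2>/dev/null || true)
    if docker_nat_chain_present "$nat"; then
        echo "iptables: DOCKER nat chain present; published ports can be programmed"
    else
        echo "iptables: DOCKER nat chain missing (a firewalld restart flushes it); 'systemctl restart docker' recreates it"
    fi
fi
```

Run it as root on the RHEL 7 host; on a machine without firewall-cmd or iptables the live section is skipped and only the pure functions are available. Apply the printed --add-rich-rule with --permanent and then --reload so the rule survives a firewalld restart, which is the same point the answer makes about --permanent for --add-port.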