Tags: docker, iptables, rhel7, firewalld

RHEL7 dockerd remote connection


I'm exploring creating a gateway that can start and stop docker containers on a rhel7 system upon. I've made changes to my /usr/lib/systemd/system/docker.service to start docker on an interface with the following.

ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:23751 --containerd=/run/containerd/containerd.sock

I'm unable to connect to dockerd to get the status of the containers unless I disable the firewall. But if I disable the firewall, I can't start containers.

Caused by: com.amihaiemil.docker.UnexpectedResponseException: Expected status 204 but got 500 when calling
http://192.168.1.70:23751/v1.35/containers/e3f0f09269a699ec27bbac8a5027d1383ae15cf64b5e6b649e76be1297cc2535/start.
Response body was {"message":"driver failed programming external connectivity on endpoint hello-service
(eef135f889322f1899800f19612404e9d8b1f39c7866f31ca5059562aa501bf6):
(iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 34570 -j DNAT --to-destination 192.168.10.40:8080 ! -i br-4982fe847356: iptables: No chain/target/match by that name.\n (exit status 1))"}

I realize there are consequences of running an open TCP port for dockerd. Before I get everything secure, I would like to get an idea of how a gateway might do something like this.

Does anyone else have experience doing something like this?


Solution

  • After much trial and error, I found out that firewalld is blocking that port.
    To enable the port, do the following.

    sudo firewall-cmd --zone=public --add-port=2375/tcp
    

    Please note, doing this opens a very large security vulnerability, as the commenter above has pointed out. In my case, this was done behind a firewall where no outside connections can make a connection to the inside of my network's firewall. This is still a bad idea, but in this case it is being used to explore some concepts and is turned off when not being used. Please explore the security implications when doing this. Also, the firewall will not save the configuration in the above command unless you use the --permanent argument.
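An added example, not part of the original question or answer: a shell script that applies the answer's firewalld change in the form a practitioner would want. It adds the rule both at runtime and with --permanent, restricts it to a single client address with a firewalld rich rule instead of opening the port to every host that can reach the interface, and then restarts dockerd. The restart matters because the error in the question ("iptables: No chain/target/match by that name" on `-t nat -A DOCKER`) is what dockerd reports when its DOCKER chain in the nat table has been flushed, which a firewalld stop, restart or reload does; dockerd recreates its chains on start. The port 23751 is taken from the question's ExecStart line (the answer's command opens 2375, which is not the port dockerd was started on); the zone, the client address 192.168.1.50/32 and the DRY_RUN switch are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Persistently allow one trusted
# client to reach the dockerd TCP port through firewalld, then recreate the
# Docker iptables chains. Port, zone and client address are assumptions.
set -eu

DOCKER_PORT="${DOCKER_PORT:-23751}"   # port from the question's ExecStart line
ZONE="${ZONE:-public}"                 # zone used by the answer
CLIENT="${CLIENT:-192.168.1.50/32}"    # assumed gateway host allowed to call the API
DRY_RUN="${DRY_RUN:-0}"                # 1 = print each command instead of running it

# run CMD...: execute the command, or echo it when DRY_RUN=1 so the change
# can be reviewed before it is applied.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Allow only CLIENT to reach DOCKER_PORT. The first call changes the running
# firewall; the second, with --permanent, writes it to the zone's config so it
# survives a reload or reboot (the answer notes that --add-port alone does not).
# A rich rule with a source address is used instead of a bare --add-port, which
# would expose the unauthenticated dockerd API to every host on the interface.
allow_docker_port() {
    rule="rule family=ipv4 source address=${CLIENT} port port=${DOCKER_PORT} protocol=tcp accept"
    run sudo firewall-cmd --zone="$ZONE" --add-rich-rule="$rule"
    run sudo firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule"
}

# dockerd creates the DOCKER chain in the nat table at start-up. When firewalld
# is stopped, restarted or reloaded it flushes that chain, and every later
# container start fails with "No chain/target/match by that name". Restarting
# dockerd recreates the chains.
recreate_docker_chains() {
    run sudo systemctl restart docker
}

# Show the active rich rules and confirm the DOCKER nat chain is back.
verify() {
    run sudo firewall-cmd --zone="$ZONE" --list-rich-rules
    run sudo iptables -t nat -L DOCKER -n
}

main() {
    allow_docker_port
    recreate_docker_chains
    verify
}

# Usage: ./docker-firewalld.sh dry-run   (print the commands)
#        ./docker-firewalld.sh apply     (run them as root via sudo)
case "${1:-}" in
    dry-run) DRY_RUN=1 main ;;
    apply)   main ;;
esac
```

Run it with `dry-run` first and check the printed commands; the `--list-rich-rules` output after `apply` should show exactly one rule for the port, and if the rule is later removed, remove it with `--remove-rich-rule` in both the runtime and the `--permanent` configuration, otherwise the two diverge at the next reload.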