Assign IP address to docker container

When working with Docker containers I often need a container to have an IP address that is known before it starts. That makes it possible to control network access to and from the container with a tool like iptables, because the rules can refer to a fixed address. The Docker version current at the time of writing (1.11.1) does not let you pick the address on the default bridge (the --ip flag is ignored there), but there is an official way to get it: the docker network command lets you create a fully customizable user-defined network and connect containers to it with the address of your choice. Full details are in the networking documentation at the official Docker site.

I will start with a clean Docker installation on a test Vagrant machine (Ubuntu Trusty). After installing Docker you see the usual docker0 network interface; this is the default bridge. I will follow the documentation and create an isolated network using the same subnet, addresses and names it uses.

So the first step is to create a new network:

$ docker network create -d bridge --subnet 172.25.0.0/16 isolated_nw

This network gives me the 172.25.0.1 - 172.25.255.254 address range; 172.25.0.1 is taken by the bridge itself as the gateway, so the first address available to a container is 172.25.0.2. Running ifconfig now shows a new interface; in my case Docker calls it br-98446a2a4f1f. Just to be sure, I reboot the machine to check that the network persists across reboots, and it does.

Now I want to start an nginx container with the 172.25.0.2 address. I can do that with the following command:

$ docker run --net=isolated_nw --ip=172.25.0.2 -d --name=my_nginx_01 nginx

If I get inside the container and run ip addr, I see that the assigned address is indeed the requested one:

root@597d1056bc32:/# ip addr
7: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:19:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.25.0.2/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe19:2/64 scope link
       valid_lft forever preferred_lft forever

Now I will start another container, just to check the connectivity between them:

$ docker run --net=isolated_nw --ip=172.25.0.3 -d --name=my_nginx_02 nginx

From inside the second container I can ping and telnet to the first one:

root@47f62e6951db:/# ping 172.25.0.2
PING 172.25.0.2 (172.25.0.2): 56 data bytes
64 bytes from 172.25.0.2: icmp_seq=0 ttl=64 time=0.253 ms
64 bytes from 172.25.0.2: icmp_seq=1 ttl=64 time=0.103 ms
64 bytes from 172.25.0.2: icmp_seq=2 ttl=64 time=0.140 ms
--- 172.25.0.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.103/0.165/0.253/0.064 ms

root@47f62e6951db:/# telnet 172.25.0.2 80
Trying 172.25.0.2...
Connected to 172.25.0.2.
Escape character is '^]'.
Connection closed by foreign host.

Time to check that linking between containers also works. I will start the containers this way:

$ docker run --net=isolated_nw --ip=172.25.0.2 -d --name=my_nginx_01 nginx
$ docker run --net=isolated_nw --ip=172.25.0.3 --link my_nginx_01:my_nginx_01 -d --name=my_nginx_02 nginx

Then, if I connect to the my_nginx_02 container, I can ping and telnet to the my_nginx_01 host by name.

root@6e36ce623842:/# ping my_nginx_01
PING my_nginx_01 (172.25.0.2): 56 data bytes
64 bytes from 172.25.0.2: icmp_seq=0 ttl=64 time=0.161 ms
64 bytes from 172.25.0.2: icmp_seq=1 ttl=64 time=0.173 ms
--- my_nginx_01 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.161/0.167/0.173/0.000 ms

root@6e36ce623842:/# telnet my_nginx_01 80
Trying 172.25.0.2...
Connected to my_nginx_01.
Escape character is '^]'.
Connection closed by foreign host.

As you can see, my_nginx_01 resolves to the address assigned at startup. On a user-defined network this does not actually depend on --link: Docker's embedded DNS resolves container names on such networks by itself, and --link there only adds an extra alias. With fixed addresses you can now control your security perimeter with rules in the FORWARD chain of your iptables configuration. One caveat: Docker installs its own FORWARD rules, which accept everything leaving a bridge, so a rule you append with -A sits below them and never matches. On this version you have to insert your rules ahead of Docker's (-I FORWARD), and the daemon re-inserts its own rules above yours whenever it restarts; on Docker 17.06 and later the supported place is the DOCKER-USER chain, which Docker evaluates before its own rules and does not flush.
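An added example of the iptables side of this, not part of the original post and not Docker tooling: a small POSIX shell script that emits an egress policy for a container with a fixed address. The names are taken from the post (network isolated_nw on 172.25.0.0/16, container my_nginx_01 at 172.25.0.2); the allowed outbound TCP port list and the DOCKER-USER mode are assumptions for illustration. It prints the commands by default, applies them only with APPLY=1, and first checks through docker inspect that the container really holds the address the rules are written for.

```shell
#!/bin/sh
# Added example, not from the original post and not Docker tooling: egress rules
# for a container that has a fixed address on a user-defined bridge network.
# Taken from the post: network isolated_nw (172.25.0.0/16), container my_nginx_01
# at 172.25.0.2. Assumed for illustration: the outbound TCP port list (PORTS).
#
# Docker's own FORWARD rules ACCEPT everything leaving a bridge, so rules appended
# with -A sit below them and never match. Two modes that do work:
#   legacy       insert at the top of FORWARD (-I FORWARD 1). Docker 1.11 has no
#                user chain, and the daemon re-inserts its rules above yours when
#                it restarts, so re-run this after every daemon restart.
#   docker-user  append to the DOCKER-USER chain (Docker 17.06+), which Docker
#                evaluates before its own rules and does not flush.

NET=isolated_nw
NET_CIDR=172.25.0.0/16

# Print the iptables commands that confine one container address.
#   $1 container IP; $2 comma-separated TCP ports it may reach outside ("" = none);
#   $3 "docker-user" or "legacy"
egress_rules() {
    ip=$1; ports=$2; mode=$3
    if [ "$mode" = docker-user ]; then ins="-A DOCKER-USER"; else ins="-I FORWARD 1"; fi
    rules=$(
        echo "iptables $ins -s $ip -d $NET_CIDR -j ACCEPT"   # peers on the same network
        # replies to connections that reached the container (its port 80) must stay allowed
        echo "iptables $ins -s $ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables $ins -s $ip -p udp --dport 53 -j ACCEPT"   # external resolver, if used
        if [ -n "$ports" ]; then
            echo "iptables $ins -s $ip -p tcp -m multiport --dports $ports -j ACCEPT"
        fi
        echo "iptables $ins -s $ip -j DROP"                   # everything else from this address
    )
    if [ "$mode" = docker-user ]; then
        printf '%s\n' "$rules"                        # -A keeps the reading order
    else
        printf '%s\n' "$rules" | sed -n '1!G;h;$p'    # every -I goes to the top: emit in reverse
    fi
}

# Address Docker actually gave container $2 on network $1 (empty if not attached).
assigned_ip() {
    docker inspect -f "{{.NetworkSettings.Networks.$1.IPAddress}}" "$2"
}

# --- stand-alone run: print (APPLY unset) or apply (APPLY=1) the policy for my_nginx_01
NAME=my_nginx_01
IP=172.25.0.2
if command -v docker >/dev/null 2>&1; then
    got=$(assigned_ip "$NET" "$NAME" 2>/dev/null || true)
    if [ "$got" != "$IP" ]; then
        echo "warning: $NAME has address '$got', not $IP; the rules below would not apply to it" >&2
    fi
fi
if [ "${APPLY:-0}" = 1 ]; then
    egress_rules "$IP" "${PORTS:-443}" "${MODE:-legacy}" | sh -e
else
    egress_rules "$IP" "${PORTS:-443}" "${MODE:-legacy}"
fi
```

Run it as root with APPLY=1 PORTS=443 MODE=legacy on a 1.11 host, or MODE=docker-user on 17.06 and later. The ordering matters: in legacy mode every command inserts at position 1, so the script emits them in reverse and the chain ends up reading ACCEPT peers, ACCEPT established, ACCEPT DNS, ACCEPT listed ports, DROP. The ESTABLISHED,RELATED rule is what keeps the container's own service reachable, since its replies to inbound connections leave the bridge with the container as source and would otherwise hit the DROP.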

Configuring msmtp on Ubuntu

Email matters less for personal communication than it did ten years ago; with Facebook, WhatsApp, Telegram, Slack and the like, good old email feels less important as a means of communication. There is one field, however, where it is still very important, and sometimes the only channel: servers.

For example, when a tool like fail2ban detects a break-in attempt against ssh it sends an email notification, and when a cron job fails, cron also tries to send one. But installing a full-fledged MTA just for that is sometimes counter-productive. Think about a Raspberry Pi: Postfix there eats the precious (and limited) resources of the machine, not to mention the effort you will need to invest in administering a mail server.

For myself, I found a much simpler solution called msmtp. According to its website:

msmtp is an SMTP client.

In the default mode, it transmits a mail to an SMTP server (for example at a free mail provider) which takes care of further delivery. To use this program with your mail user agent (MUA), create a configuration file with your mail account(s) and tell your MUA to call msmtp instead of /usr/sbin/sendmail.

In other words, it relays through any SMTP server you have an account on, so local programs can send mail as if a full MTA were installed, without one. I will be using gmail.com for this.

Installation

First of all, you need to install it. Surprisingly, the version in the Ubuntu repository is pretty old; you may build the latest version yourself, but that is not covered in this article.

$ sudo apt-get update
$ sudo apt-get install msmtp msmtp-mta

Then I created a new email address at Gmail just to receive notifications from servers. (Note that Gmail no longer accepts the account password from an SMTP client: enable two-step verification on the account, generate an app password, and use that as the password in the configuration below; everything else stays the same.)

Configuration

Configuration is pretty straightforward.

# File: /etc/msmtprc
# Set default values for all following accounts.
defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /var/log/msmtp.log

# Gmail
account        gmail
host           smtp.gmail.com
port           587

# If you're relaying through Gmail you can put here whatever you want. It's going to be overwritten by your gmail's address.
from           xandnotify@gmail.com
user           xandnotify

# For me this password is not SO secret, but if you want to hide it there are many options.
password       myverysecretpassword

# Set a default account
account default : gmail

aliases         /etc/aliases

Please note the /etc/aliases line; we will need that file later.

msmtp runs as whichever user sends the mail (root for system cron jobs, your own account when you test from a shell), and all of them append to the single logfile named in /etc/msmtprc, so the file has to exist beforehand with permissions that let them write to it:

$ sudo touch /var/log/msmtp.log
$ sudo chmod 666 /var/log/msmtp.log

A world-writable log lets any local user truncate or spoof entries; if that matters on your machine, replace the logfile line with syslog on and let syslog handle it. The same multi-user point applies to /etc/msmtprc itself: msmtp only enforces owner-only permissions on a per-user ~/.msmtprc, so a password stored in the system-wide file is readable by every local account. msmtp's passwordeval option, which runs a command and uses its output as the password, is the usual way to keep the secret in a file with tighter permissions.

Now you can test the whole setup with the following command:

$ echo "Hello there" | msmtp --debug your@email.com

If everything is OK you should receive an email at your@email.com. If not, read the debug output to figure out what went wrong.
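An added example, not from the original post and not part of msmtp, covering two things a practitioner will want on top of the configuration above: keeping the Gmail password out of the world-readable /etc/msmtprc by using msmtp's passwordeval option to read it from a root-only file, and sending a test message that carries proper headers through msmtp -t, the mode cron and the mail command end up using. The secret path /etc/msmtp-gmail.pw is an assumption; the account and address names are the ones from the config above.

```shell
#!/bin/sh
# Added example, not part of the original post or of msmtp itself.
# /etc/msmtprc must stay readable by every local user who may send mail, so a
# password written into it is readable by all of them. passwordeval makes msmtp
# read the secret at send time (first line of the command's output) from a file
# that only the sending user can read.
# Assumed secret path: /etc/msmtp-gmail.pw, containing just the Gmail password.

SECRET=${SECRET:-/etc/msmtp-gmail.pw}

# 0 if $1 exists and grants nothing to group or others, 1 otherwise.
secret_perms_ok() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1" | cut -c5-10) in    # columns 5-10 are the group and other bits
        *[rwxst]*) return 1 ;;             # something is set for group or other
    esac
    return 0
}

# The account stanza for /etc/msmtprc with the inline password replaced by passwordeval.
gmail_account_stanza() {
    cat <<EOF
account        gmail
host           smtp.gmail.com
port           587
from           xandnotify@gmail.com
user           xandnotify
passwordeval   "cat $SECRET"
EOF
}

# Wrap a body read from stdin in the headers 'msmtp -t' needs (it takes the
# recipients from To:). $1 from, $2 to, $3 subject.
build_message() {
    printf 'From: %s\nTo: %s\nSubject: %s\nDate: %s\n\n' \
        "$1" "$2" "$3" "$(date '+%a, %d %b %Y %H:%M:%S %z')"
    cat
}

# --- stand-alone run: check the secret, then send a test message if asked to
if secret_perms_ok "$SECRET"; then
    echo "secret $SECRET: permissions OK" >&2
else
    echo "secret $SECRET missing or too open; create it and run: chmod 600 $SECRET" >&2
fi
if command -v msmtp >/dev/null 2>&1 && [ "${SEND:-0}" = 1 ]; then
    echo "Hello there" | build_message xandnotify@gmail.com "${TO:-your@email.com}" "msmtp test" \
        | msmtp -t
fi
```

Write the password into the secret file, chmod 600 it, paste the output of gmail_account_stanza over the account block in /etc/msmtprc, and run the script with SEND=1 TO=your@email.com to send the headed test message. passwordeval runs as the user invoking msmtp, so a root-only file works for root's cron jobs and for the mail command under sudo; for other users' cron jobs you would have to grant that file to a group those users belong to, which is still far narrower than everyone who can read /etc/msmtprc.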

Fixing mail command

For the mail command to work you need the following in /etc/mail.rc. The mail utility comes from the mailutils package, which depends on a mail transport agent; install msmtp-mta first, as above, so that the dependency is already satisfied and apt does not pull in Postfix (on a bare system, installing mailutils picks Postfix as the default MTA).

# File: /etc/mail.rc
set sendmail="/usr/bin/msmtp -t"

You can test that mail works with the following command:

$ echo "This is a message body" | mail -s "Hello there from mail command line" xand@xand.es

Fixing crontab

cron mails whatever output a job writes to stdout or stderr (a failing command usually prints something), and to deliver it cron runs the sendmail executable. If you remember, I also installed the msmtp-mta package at the beginning; it creates the link /usr/sbin/sendmail pointing to /usr/bin/msmtp, so cron needs no additional configuration.

The remaining problem is that cron addresses these messages to a local user: if I log in as admin and create a crontab for that user, the mail goes to admin at localhost, which is not a deliverable address when relaying through Gmail. There are two ways to fix this.

/etc/aliases

This file maps local users to real addresses. For example:

# File: /etc/aliases
root: admin@myserver.com, supervisor@myserver.com
default: catch-all@myserver.com

With this configuration, everything addressed to root@localhost is delivered to admin@myserver.com and supervisor@myserver.com, and mail for any other local user that has no entry of its own goes to catch-all@myserver.com.

MAILTO

Crontab offers a more direct way. At the top of the crontab (edit it with crontab -e) declare the MAILTO variable, and cron sends the jobs' output there instead of to the local user. (/tmp/aaa.sh below is just a placeholder; put real jobs somewhere only you can write, since cron runs whatever is at that path with your privileges.) Like this:

MAILTO="xand@xand.es"
* * * * * /tmp/aaa.sh

That's it. Your comments are welcome.