connecting to exposed docker container

Question

I'm trying to expose a docker container to the outside world, not just the host machine. When I created the image from a base CentOS image it looks like this:

# install openssh server and ssh client
RUN yum install -y openssh-server
RUN yum install -y openssh-clients

RUN echo 'root:password' | chpasswd

RUN sed -ri 's/UsePAM yes/#UsePAM yes/g' /etc/ssh/sshd_config
RUN sed -ri 's/#UsePAM no/UsePAM no/g' /etc/ssh/sshd_config

EXPOSE 22
CMD ["/usr/sbin/sshd", "-D"]

I run this image like so:

sudo docker run -d -P crystal/ssh

When I try to look at the container with sudo docker ps , I see Ports:

0.0.0.0:49154->22tcp

If I ifconfig on the host machine (ubuntu), I see docker0 inet addr:172.17.42.1. I can ping this from my host machine, but not from any other machine. What am I doing wrong in setting up the container to look at the outside world? Thanks.

Edit:

I have tried inspecting the IPAddress of the container and I see IPAddress: 172.17.0.28, but I cannot ping that either...

If I try nmap , that seems to return the ports. So does that mean it is open and I should be able to ssh into it if I have ssh set up? Thanks.

nmap -p 49154 10.211.55.1 shows that the port is open with an unknown service.

I tried to ssh in by ssh -l root -p 49154 10.211.55.1 and I get

Read from socket failed: Connection reset by peer.

Answer 1

UPDATE

Your Dockerfile is wrong. Your sshd is not properly configured, it does not start properly and thats the reason while container does not respond on port 22 correctly. See errors:

Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key

You need to generate host keys. This line will do the magic:

RUN ssh-keygen -P "" -t dsa -f /etc/ssh/ssh_host_dsa_key

PREVIOUS ANSWER

You probably need to look up IP address of eth0 interface (that is accessible from network) and you need to connect to your container via this IP address. Traffic from/to docker0 bridge should be forwarded by default to your eth interfaces.

Also, you better check if you have ip forwarding enabled:

cat /proc/sys/net/ipv4/ip_forward

This command should return 1, otherwise you should execute:

sudo echo 1 > /proc/sys/net/ipv4/ip_forward

Q: Why you can connect this way to container?

If you have ip forwarding enabled, packets incoming from eth0 interface are forwarded to virtual docker0 interface. Magic happens and packet is received at correct container. See Docker Advanced Networking for more details:

But docker0 is no ordinary interface. It is a virtual Ethernet bridge that automatically forwards packets between any other network interfaces that are attached to it. This lets containers communicate both with the host machine and with each other. Every time Docker creates a container, it creates a pair of “peer” interfaces that are like opposite ends of a pipe — a packet sent on one will be received on the other. It gives one of the peers to the container to become its eth0 interface and keeps the other peer, with a unique name like vethAQI2QT, out in the namespace of the host machine. By binding every veth* interface to the docker0 bridge, Docker creates a virtual subnet shared between the host machine and every Docker container.

Answer 2

You can't ping 172.17.42.1 from outside your host because it is a private ip so it can be accessed only in private network as it is the one created by the host on which you run the docker container, the virtual switch docker0 and the docker container which is attached with a virtual interface to the bridge docker0...

Moreover 172.17.42.1 is the ip of the bridge docker0, not the ip of your docker instance. If you want to know the ip of the docker instance you have to run ifconfig inside it or you can use docker inspect

I'm not an expert about port mapping, but up to me that means that to access the docker container on port 22 you have to connect to port 49154 of the host and all the traffic will be forwarded.