⚠️ Security Resolution Incoming ⚠️

@runithome

  • What version of Docker are you using?
  • What version of Ubuntu are you using?
  • Are you running Ubuntu on a physical server?
  • What are the exact arguments that you're using to run that aren't working?
  • Are you running more than one DVR on your system?

As I understand it, it's not about misconfiguring iptables, but rather a bug and vulnerability in Docker's bridged networking implementation and how it interacts with iptables. Meaning, this is to mitigate a security issue.

When someone runs a Docker container on a Docker host that does not have the proper iptables configuration to set up reverse NAT, the Docker container will receive the IP address of the gateway as the source address for all packets. This is not done via a proxy that adds headers, it's done as simple TCP/UDP packet forwarding.

This means that the Docker container cannot tell what the source IP is at all. All connections appear to be coming from the same local IP (the gateway of the Docker container).

If someone exposes this container to the internet by setting up their router to manually forward a port to the container, all connections, local or remote, appear to be coming from the local Docker gateway address and there is no way to get the real IP.

We have no way to accommodate this deployment while also ensuring that installations are not accessible publicly without authentication.

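To make the failure mode in the post above concrete, here is an added example (not code from the thread or from Channels DVR) of the two checks a service in this position needs: a trust decision that refuses to treat the Docker bridge gateway address as a LAN client, and a log-side heuristic that flags when every observed connection carries that gateway as its source, which is the symptom of missing reverse-NAT iptables rules. The gateway address 172.17.0.1, the LAN range 192.168.1.0/24 and the log lines are constructed values for the example, not taken from the thread.

```python
import ipaddress
from collections import Counter

# Constructed for this example: the gateway a container sees on Docker's default
# bridge, and the LAN the DVR host sits on. Real values come from the deployment.
DOCKER_BRIDGE_GATEWAY = ipaddress.ip_address("172.17.0.1")
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]


def is_trusted_local(remote_addr, gateway=DOCKER_BRIDGE_GATEWAY, lan_networks=LAN_NETWORKS):
    """Return True only when the source address can be relied on as LAN-local.

    The bridge gateway is never trusted: when the host lacks the reverse-NAT
    iptables rules, every forwarded connection (including internet traffic the
    router forwards in) arrives with that address as its source, so it carries
    no information about where the client actually is.
    """
    addr = ipaddress.ip_address(remote_addr)
    if addr == gateway:
        return False
    if addr.is_loopback:
        return True
    return any(addr in net for net in lan_networks)


def source_masking_suspected(remote_addrs, gateway=DOCKER_BRIDGE_GATEWAY, min_connections=5):
    """Heuristic over observed source addresses: if every connection appears to
    come from the bridge gateway, source NAT is hiding the real clients.

    Returns (suspected, share_of_connections_from_gateway). Below
    min_connections the sample is too small to say anything.
    """
    counts = Counter(ipaddress.ip_address(a) for a in remote_addrs)
    total = sum(counts.values())
    if total < min_connections:
        return False, 0.0
    share = counts[gateway] / total  # Counter returns 0 for an absent key
    return share == 1.0, share


# Constructed sample log in a simple "timestamp src_ip path" shape; every line
# shows the gateway as the source, which is what a misconfigured bridge produces.
SAMPLE_LOG = """\
2024-01-10T12:00:01 172.17.0.1 /admin
2024-01-10T12:00:05 172.17.0.1 /dvr/files
2024-01-10T12:00:09 172.17.0.1 /admin
2024-01-10T12:00:15 172.17.0.1 /devices
2024-01-10T12:00:20 172.17.0.1 /admin
"""


def sources_from_log(text):
    """Extract the source-address column from the constructed log format."""
    return [line.split()[1] for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    srcs = sources_from_log(SAMPLE_LOG)
    print("source masking suspected:", source_masking_suspected(srcs))
    for a in ("127.0.0.1", "192.168.1.20", "172.17.0.1", "203.0.113.7"):
        print(a, "trusted" if is_trusted_local(a) else "requires-auth")
```

The point of `is_trusted_local` is the ordering: the gateway check comes before the loopback and LAN checks, so a deployment where the gateway happens to fall inside a range the operator considers "local" still does not get an authentication-free path. `source_masking_suspected` is the kind of check an operator can run over access logs after changing network modes to confirm the real client addresses are visible again.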

Thanks for the heads-up announcement and explanation of the issue.

  • Docker 24.0.7
  • Ubuntu 22.04
  • Yes, Ubuntu is running on a Dell laptop
  • Docker CLI command:
docker run \
--env=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
--name=channels_dvr_8089 \
--network=host \
--volume=/home/scott/channels-dvr:/channels-dvr \
--volume=/media/scott/dvr_data:/shares/DVR \
--env=TZ=America/Chicago \
--restart=unless-stopped \
--runtime=runc -d fancybits/channels-dvr:tve

When I run this docker command, I am not able to connect to the Channels DVR admin page at localhost:8089/admin

  • I do have another DVR running in network host mode on an Unraid server. I am able to access this DVR instance and connect from my AppleTV client.

Thanks for the help.

@runithome Are you trying to work around something to add that PATH=? It should not be needed.

What happens when you try to connect?

Are you able to submit diagnostics from the DVR that you're having trouble with?

I removed the PATH line. Thanks.
But I am still in the same situation:
If I start the Docker not in hosted mode and specify the port, I can access the DVR admin page on localhost, but the AppleTV client cannot connect. The logs on the server do not show anything when trying to connect with the AppleTV.
If I start the Docker in network hosted mode, I cannot connect to the DVR admin page or connect with AppleTV.
Thanks for any suggestions.

@runithome Can you submit diagnostics from this DVR?

Yes, I submitted logs as d5a3e4b5-3dc3-452c-8263-00ae5885df62

@runithome It looks like you have some funny things going on with the firewall on your system. I see some "network is unreachable" errors that I suspect are coinciding with when you switched to host networking. Considering you said you're running Ubuntu (and not Synology), you should have a system that can properly modify the iptables rules to configure the reverse NAT to work.

I'm not certain about the --runtime=runc argument and if that's impacting your setup, but if you google for people running into NAT issues with your versions of Ubuntu, Docker and runtime, you may get to the bottom of it.

Stable release will be going out later today.

I added this to my docker container in Unraid for my 2nd DVR server. The port works - however when I click on WebUI from the Docker page for that specific docker, it only pulls up 8089 port.

You also need to change the published port for the container. Something like -e CHANNELS_PORT=8080 -p 8080:8080 will change the server's port, and the container's.

@eric I am not familiar with Docker commands. I think I copied the basics of that command from this forum. So I did not use that --runtime=runc argument intentionally or with any design.
Is there a cleaner Docker CLI command that I should be using to install the Docker DVR container?

That is used to change the port channels-dvr listens on if you're using docker host networking.
If you're using docker bridged networking, you don't need it.

What does your docker run command look like?

@runithome Does it run if you don't provide the --runtime=runc argument at all?

Thanks for poking at this release before we released it fully!