I have been battling for a while on this! Given the following Dockerfile, if I leave the RUN iptables... lines out and then execute them manually inside the running Docker container, they work fine. But if I leave them in the Dockerfile I get a permissions error.
FROM ubuntu
RUN apt-get update
RUN apt-get install -y iptables
RUN iptables -I INPUT -p tcp --dport 27015 -j ACCEPT
RUN iptables -A INPUT -i eth0 -j QUEUE
The output of docker build gives:
[+] Building 0.4s (7/8)
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 199B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/ubuntu:latest 0.0s
=> [1/5] FROM docker.io/library/ubuntu 0.0s
=> CACHED [2/5] RUN apt-get update 0.0s
=> CACHED [3/5] RUN apt-get install -y iptables 0.0s
=> ERROR [4/5] RUN iptables -I INPUT -p tcp --dport 27015 -j ACCEPT 0.3s
------
> [4/5] RUN iptables -I INPUT -p tcp --dport 27015 -j ACCEPT:
#7 0.256 getsockopt failed strangely: Operation not permitted
------
executor failed running [/bin/sh -c iptables -I INPUT -p tcp --dport 27015 -j ACCEPT]: exit code: 1
But if I use:
FROM ubuntu
RUN apt-get update
RUN apt-get install -y iptables
Docker build completes OK, then I run the image with:
docker run -i -t --cap-add NET_RAW --cap-add NET_ADMIN 094d0bb9befb
The container opens and at the command prompt I can type in the iptables rules as above. They are accepted and work exactly as I require.
Any ideas how I can apply these iptables rules directly from the Dockerfile?
CodePudding user response:
how I can apply these iptable rules directly from the Dockerfile?
You can't. And they make little sense - they are affecting the temporary container created for building the image.
Each container has a separate network namespace, which includes separate interfaces and firewall. On container startup, a separate network space is created.
Create a script that will be run on CMD or ENTRYPOINT, or manually on container startup, and in that script add the commands that should affect the current container environment.
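A concrete form of the approach the answer describes, written here as an added example rather than code from the question or the answer: a small POSIX sh entrypoint that applies the two rules from the question when the container starts and then hands off to the container's command. The file name entrypoint.sh, the FW_IFACE, FW_PORT and IPTABLES environment variables, and the function names are my own assumptions; the Dockerfile lines in the header comment show one way to wire it in.

```shell
#!/bin/sh
# entrypoint.sh (hypothetical file name; added example, not from the page).
# Wire it into the image with, for instance:
#   COPY entrypoint.sh /usr/local/bin/entrypoint.sh
#   RUN chmod +x /usr/local/bin/entrypoint.sh
#   ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
#   CMD ["/bin/bash"]
# and start the container with --cap-add NET_ADMIN --cap-add NET_RAW as in
# the question: the rules land in the running container's network namespace,
# which is why they cannot be baked in at build time.

# Emit the rule arguments, one rule per line, for the given interface and
# port. Keeping the list separate from applying it makes the script testable
# without root or a real iptables binary.
firewall_rules() {
    iface="$1"
    port="$2"
    printf '%s\n' \
        "-I INPUT -p tcp --dport $port -j ACCEPT" \
        "-A INPUT -i $iface -j QUEUE"
}

# Apply each rule with the binary named in $IPTABLES (default: iptables).
# Stops at the first failing rule and reports it, so a missing capability
# shows up as a clear error rather than a half-applied rule set.
# The here-document (instead of a pipe) keeps the loop in the current shell,
# so "return" leaves the function with the failure status.
apply_firewall() {
    bin="${IPTABLES:-iptables}"
    while IFS= read -r rule; do
        # $rule is deliberately unquoted: it holds several arguments.
        if ! "$bin" $rule; then
            echo "entrypoint: failed to apply rule: $bin $rule" >&2
            return 1
        fi
    done <<EOF
$(firewall_rules "$1" "$2")
EOF
}

main() {
    # Interface and port come from the environment so the image stays
    # generic; the defaults reproduce the rules from the question.
    apply_firewall "${FW_IFACE:-eth0}" "${FW_PORT:-27015}" || exit 1
    # Replace the shell with the real command so it becomes PID 1 and
    # receives the container's signals directly.
    exec "$@"
}

# Only act as an entrypoint when a command was given; running or sourcing
# the file without arguments just defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Setting IPTABLES=echo prints the rules instead of applying them, which is a convenient way to check what the container would do before granting it NET_ADMIN.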