Let docker access internet

Hi,

I’m trying to make the lscr.io/linuxserver/swag Docker container work on GL-MT6000.

opkg install dockerd docker

docker network create lsio

docker run \
  --rm \
  --name=swag \
  --cap-add=NET_ADMIN \
  --net=lsio \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/Paris \
  -e URL=xxxxxx \
  -e SUBDOMAINS=yyyyy \
  -e VALIDATION=http \
  -p 443:443 \
  -p 80:80 \
  -v /root/appdata/swag:/config \
  lscr.io/linuxserver/swag

But swag won’t run because it can’t access internet to create a letsencrypt cert.

docker container exec swag curl -L www.free.fr
curl: (6) Could not resolve host: www.free.fr

What should I tweak to make my docker stack access the internet?

Is this a host container or a container?

I believe if it has its own subnet other than 172.17.0.0/24 or what is reflected in dockerman it is a hosted one.

This means if you go in luci into the network tab -> interfaces and then click on the devices tab, you see a bridge with a weird name. You can make an unmanaged interface which then holds this bridge device and then assign a firewall zone to it.

Also on dockerman if you go into networks the bridge name is the same as what it shows there :grinning:

Another way is to recreate the container as non-host; then it falls under the docker firewall zone.

Also, if you want to continue using the bridge and get errors in the log that a veth device cannot be added, this is because the bridge was down; the checkbox "keep up bridge" would solve it. If after all there is still no internet after the bridge configuration, then you may need to restart (this is something I observed myself with a lancache docker image on a Mochabin).

I planned to use a docker network in bridge mode.

docker network inspect lsio
[
    {
        "Name": "lsio",
        "Id": "3f508309fb2a009a7f8a4f4030463533638473e222884b066cb04e6856047665",
        "Created": "2023-12-09T11:19:03.443051954Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "41cee238213d7857c8e4257a4355691468f0c45f2487bf28040e62d350154d3f": {
                "Name": "swag",
                "EndpointID": "9f1e409861a62497ec9bc9abdcb538d561d807d042d5b4abe48221be47536b51",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]

I don’t know dockerman. I’ll give it a try.

If luci-app-dockerman doesn’t show containers sometimes it takes some time or a restart eventually it will show up, it was also reported as a bug I believe.

You can also see the network names with command docker network list then the bridge is just br-<networkid>

:+1:

Right, I found the network:

When I open docker0 device I get this:

Is that OK?

That is the correct one.

For the docker0 you can leave this one alone, this is only for containers on the main subnet, only docker containers with their own network generate these bridge devices.

Now you can create a new interface with protocol unmanaged and select br-3f50… then you only have to assign a new firewall zone, and then edit the firewall zone to forward to wan.

Also it’s wise to check the checkbox keep up bridge/bring up empty bridge in your screenshot. :+1:

This veth device gets automatically generated and hooks into the bridge, but docker is unaware that the bridge can also go down and fails adding it. This solves the issue because docker expects it to be forever up.

If all is configured correctly and there is still no internet, you may need to reboot the full device.

Well I did that, and I still haven’t succeeded :frowning:

Could you show your network config and firewall config?

Let’s start over :slight_smile:

I created a docker network called lsio. Now its ID is f070ecbfda20.

# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
8a79f496469d   bridge    bridge    local
e716af459012   host      host      local
f070ecbfda20   lsio      bridge    local
86a23bc102b6   none      null      local

I start this docker-compose file:

version: "2.1"
services:
  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Paris
      - URL=xxxxx.xxxxx.com
      - SUBDOMAINS=adguard
      - VALIDATION=http
    volumes:
      - /root/appdata/swag:/config
    ports:
      - 443:443
      - 80:80
    networks:
      - lsio
    restart: unless-stopped

networks:
  lsio:
    external: true

(note: the admin panel listens on other ports than 80 and 443)

Here is the network device:

I created an interface called lsio and attached it to a new firewall zone also called lsio:

Finally, I allowed lsio zone to forward to wan:

Ah i think i see your issue :slight_smile:

Your setup is good, but your firewall zone is probably not: the input rule needs to be set to accept. It is because the global settings have input set to reject, which is fine, but new zones automatically reflect those rules. :+1:

You might need a device restart after, but maybe not; for me, if I play too much with the bridge there is some bug and it doesn’t want to connect.
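Added example, not code from the thread or from GL.iNet/OpenWrt: a small Python script that takes the `docker network inspect lsio` JSON posted earlier, derives the br-<networkid> device name LuCI shows, and emits the uci commands equivalent to the LuCI steps above (unmanaged interface, own zone, forwarding to wan). The inspect JSON is the one from the thread, trimmed; the zone input policy defaults to the ACCEPT fix given in this reply.

```python
import json

# `docker network inspect lsio` output as posted in the thread, trimmed to the fields used
# here; on the router you would paste the live output instead.
INSPECT_JSON = """[{
  "Name": "lsio",
  "Id": "3f508309fb2a009a7f8a4f4030463533638473e222884b066cb04e6856047665",
  "Driver": "bridge",
  "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]}
}]"""

def load_network(inspect_output):
    """Return the single network object; `docker network inspect <name>` yields a 1-element list."""
    (network,) = json.loads(inspect_output)
    return network

def bridge_name(network):
    """Docker names a user-defined bridge network's device br-<first 12 hex chars of Id>;
    that is the oddly named bridge LuCI lists under Network -> Interfaces -> Devices."""
    if network.get("Driver") != "bridge":
        raise ValueError(f"{network['Name']}: not a bridge network, no br-* device exists")
    return "br-" + network["Id"][:12]

def uci_commands(network, zone_input="ACCEPT"):
    """uci equivalent of the LuCI steps in the thread: unmanaged interface on the Docker
    bridge, a firewall zone of its own, forwarding from that zone to wan. ACCEPT on input
    is what made the setup work, but it also lets every container reach the router's own
    services (LuCI, SSH, DNS); REJECT plus targeted `config rule` entries is tighter."""
    name, dev = network["Name"], bridge_name(network)
    subnet = network["IPAM"]["Config"][0]["Subnet"]
    return [
        f"uci set network.{name}=interface",
        f"uci set network.{name}.proto='none'",  # proto none == 'Unmanaged' in LuCI
        f"uci set network.{name}.device='{dev}'",
        "uci add firewall zone",
        f"uci set firewall.@zone[-1].name='{name}'",
        f"uci add_list firewall.@zone[-1].network='{name}'",
        f"uci set firewall.@zone[-1].input='{zone_input}'",
        "uci set firewall.@zone[-1].output='ACCEPT'",
        "uci set firewall.@zone[-1].forward='REJECT'",
        "uci add firewall forwarding",
        f"uci set firewall.@forwarding[-1].src='{name}'",
        "uci set firewall.@forwarding[-1].dest='wan'",
        f"uci commit && /etc/init.d/network reload && /etc/init.d/firewall reload  # {subnet} -> wan",
    ]

if __name__ == "__main__":
    print("\n".join(uci_commands(load_network(INSPECT_JSON))))
```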

I changed INPUT rule to accept and restarted the router.

Now it works :slight_smile: I’ve got an https enabled RP.

Thank you for your time @xize11

Hi, I’m considering buying the GL-MT6000 Flint 2 - is it easy to install docker?

Hi, yes it is. Installation is easy. You just have to use the package manager.
Configuration of the network part without breaking security is more complicated.