Freitag, Dezember 20, 2024

Docker und Portainer remote über wireguard connection

Docker installieren

  1. Paketliste aktualisieren: 
    sudo apt update
  2. Voraussetzungen installieren: 
    sudo apt install -y apt-transport-https ca-certificates curl software-properties-common
  3. Docker GPG-Schlüssel hinzufügen: 
    curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg –dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
  4. Docker-Repository hinzufügen: 
    echo ”deb [arch=$(dpkg –print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable” | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
  5. Paketliste erneut aktualisieren: 
    sudo apt update
  6. Docker installieren: 
    sudo apt install -y docker-ce docker-ce-cli containerd.io
  7. Überprüfen, ob Docker läuft: 
    sudo systemctl status docker
  8. Optionale Berechtigung: Füge deinen Benutzer der Docker-Gruppe hinzu, um Befehle ohne sudo auszuführen: 
    sudo usermod -aG docker $USER
  9. Hinweis: Du musst dich ab- und wieder anmelden, damit die Änderungen wirksam werden.

WireGuard on the Host konfigurieren

  1. The easiest way to enable access from one host to isolated containers on another is to run WireGuard on the container host. First, set up a user-defined bridge network on the container host (Endpoint B), and connect to it the containers you want to expose to the remote host.

    With the Docker command-line (CLI) tools, create a new network like the following, with some private-use subnet that you’re not already using (like 192.168.123.0/24 in this example) and network name (wg-network):

    $ sudo docker network create 
    –subnet 192.168.123.0/24 
    wg-network 
  2. Then start up the containers you want to expose, specifying the network name and an available IP address in that network for each. Note that the first IP address in the subnet (192.168.123.0) is reserved for the subnet itself, and the second IP address (192.168.123.1) Docker will use by default for the network’s gateway — so we’ll use the next available address in the subnet (192.168.123.2) for our example container: 
    $ sudo docker run 
    –name example-web-server  
    –network wg-network 
    –ip 192.168.123.2  
    –rm 
    nginx 
  3. If you’ve already started the container without connecting it to the network, you can connect it later with the following command: 
    $ sudo docker network connect 
    –ip 192.168.123.2 
    wg-network 
    example-web-server 
  4. Make sure you specify an explicit IP address for each container (instead of letting Docker choose), as you will need to use the container’s IP address to access the network services exposed by the container.
  5. Alternatively, you can use Docker Compose to set up the network and containers. For example, using the Docker Compose version 3.5+ syntax, you can create a similar wg-network to the above, and connect a similar example-web-server container to it: 
    # /srv/wg-network/docker-compose.yml
version: ’3.5′

networks:
  wg-network:
    ipam:
      config:
      - subnet: 192.168.123.0/24

services:
  example-web-server:
    image: nginx
    networks:
      wg-network:
        ipv4_address: 192.168.123.2
  6. Start up the network and container by running sudo docker-compose up from the same directory as the docker-compose.yml file.
  7. You can access the example container by running the following command on the container host (Endpoint B): 
    $ curl 192.168.123.2:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
…
  8. The container will not be accessible outside of the container host, yet, however. So let’s set up the WireGuard network that will enable access to the container from the remote host, Endpoint A.
  9. First, on Endpoint A, create the following WireGuard configuration file at /etc/wireguard/wg0.conf: 
    # /etc/wireguard/wg0.conf

# local settings for Endpoint A
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEE=
Address = 10.0.0.1/32
ListenPort = 51821

# remote settings for Endpoint B
[Peer]
PublicKey = fE/wdxzl0klVp/IR8UcaoGUMjqaWi3jAd7KzHKFS6Ds=
Endpoint = 203.0.113.2:51822
AllowedIPs = 10.0.0.2/32
AllowedIPs = 192.168.123.0/24
  10. Replace 203.0.113.2 in the Endpoint setting for Endpoint B with the actual IP address of Endpoint B from the perspective of Endpoint A. Also generate your own key pairs for Endpoint A and B, and use them instead. See the Point to Point Configuration guide for details.
  11. The only difference between the WireGuard configuration for Endpoint A here and in the Point to Point Configuration guide is that here we also include the subnet of the Docker network we just set up, 192.168.123.0/24, as an AllowedIPs setting for Endpoint A’s connection to Endpoint B.
  12. Next, on Endpoint B, create the following WireGuard configuration file at /etc/wireguard/wg0.conf (using your own keys for Endpoint A and B to match your config for Endpoint A): 
    # /etc/wireguard/wg0.conf

# local settings for Endpoint B
[Interface]
PrivateKey = ABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBFA=
Address = 10.0.0.2/32
ListenPort = 51822
PreUp = iptables -N DOCKER-USER || true
PreUp = iptables -I DOCKER-USER -i wg0 -d 192.168.123.0/24 -j ACCEPT
PostDown = iptables -D DOCKER-USER -i wg0 -d 192.168.123.0/24 -j ACCEPT

# remote settings for Endpoint A
[Peer]
PublicKey = /TOE4TKtAqVsePRVR+5AA43HkAK5DSntkOCO7nYq5xU=
AllowedIPs = 10.0.0.1/32
  13. The only difference between this and the Point to Point Configuration guide for Endpoint B is that here we also set up an iptables rule to allow access to our custom Docker network, 192.168.123.0/24, from this WireGuard interface (wg0): 
    iptables -I DOCKER-USER -i wg0 -d 192.168.123.0/24 -j ACCEPT
  14. Docker will usually set up the DOCKER-USER chain for us; but on system boot it might not have done so yet, so the first PreUp command in the above WireGuard config for Endpoint B makes sure the DOCKER-USER chain exists before the second PreUp command adds a rule to it. Note that we’re also using the -I flag for this rule instead of the -A flag, so that the rule will be inserted at the top of the DOCKER-USER chain, in case Docker has already created the chain and added its default rule to it.
  15. Start up these new WireGuard interfaces on Endpoint A and B (eg sudo wg-quick up wg0), and you’ll be able to access the example container by running the following command on the remote host (Endpoint A): 
    $ curl 192.168.123.2:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
…

Portainer installieren

  1. Docker starten, falls nicht aktiv: 
    sudo systemctl start docker
  2. Neues Docker-Volume für Portainer-Daten erstellen: 
    docker volume create portainer_data
  3. Portainer-Container starten: 
    sudo docker run -d 
  -p 8000:8000 
  -p 9443:9443 
  –name portainer 
  –network wg-network 
  –ip 192.168.123.3 
  –restart always 
  -v /var/run/docker.sock:/var/run/docker.sock 
  -v portainer_data:/data 
  portainer/portainer-ce:latest
  4. Portainer aufrufen: Öffne deinen Browser und gehe zu: 
    https://<deine-server-ip>:9000
  5. Du wirst aufgefordert, ein Admin-Passwort zu erstellen und Portainer einzurichten.
  • Gepostet von um 23:27:33 in Codeschnipsel
  • 64 Aufruf(e)
Wireguard conncetion mit Monit überprüfen »
« Setup von FlatPress mit Docker und NGINX