Christian Selig
@christianselig@mastodon.social  ·  activity timestamp 2 hours ago

Docker noob here. Anyone seeing Docker on Mac getting IPs completely mixed up, where destination IPs are getting assigned as the source IP? Isn't that like… a security issue? Or am I being a noob? (New Mac mini, new Docker install, no iCloud Private Relay, no VPN)

A Terminal showing setting up nginx and jellyfin as services in docker, then running docker, then making a request to nginx and it showing an incorrect IP address as the one making the request (not my local address) and instead it being from a random, public-facing Jellyfin IP

Pink
@can@haz.pink replied  ·  activity timestamp 1 hour ago

@christianselig definitely looks very unusual. Maybe some environment variables for the docker compose stuff at play here? What happens if you just run an empty alpine nginx container (in a different directory) without the jellyfin stuff?

Christian Selig
@christianselig@mastodon.social replied  ·  activity timestamp 7 minutes ago

@can I wish it was just nginx, it came up in conflict logs in other services, I just used nginx because it was a simple way to display the bug. This is also after a brand new Docker install

Running nginx alone is obviously fine, the issue is that Docker seemingly latches onto random IPs (like the Jellyfin one in this case, but I've seen it with others too) and it effectively becomes the internal/container IP for whatever reason

Dean Mayers
@deandmx@mastodon.social replied  ·  activity timestamp 1 hour ago

@christianselig treat yourself and use https://orbstack.dev/

Gavin Wiggins
@wigging@fosstodon.org replied  ·  activity timestamp 1 hour ago

@christianselig Use OrbStack for Docker stuff on the Mac https://orbstack.dev

Sylocule
@Sylocule@cyberplace.social replied  ·  activity timestamp 1 hour ago

@christianselig After you run the container, a unique string is displayed

docker inspect -f \
  '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' \
  <unique string from above>

Will show the container IP address

Christian Selig
@christianselig@mastodon.social replied  ·  activity timestamp 8 minutes ago

@Sylocule For sure, the issue is that this isn't the container/internal IP address, it's a random public Jellyfin IP haha 167.71.248.173

Mikhail
@msaratov@infosec.exchange replied  ·  activity timestamp 1 hour ago

@christianselig The IP resolves to nyc2.mirror.jellyfin.org, but I can’t explain why either

Alex Gordienko
@alex@s.datais.me replied  ·  activity timestamp 1 hour ago

@christianselig I’m not a network guy but from what I remember there’s an internal Docker network that is being used by host/containers to communicate to each other

You can find the network details if you run $ docker inspect <container>

Christian Selig
@christianselig@mastodon.social replied  ·  activity timestamp 11 minutes ago

@alex Yeah, I'd totally understand an internal Docker IP (they even document the range), the issue is that it's a public, existing IP that it encountered earlier

Graham Ballantyne
@gnb@mastodon.social replied  ·  activity timestamp 1 hour ago

@alex @christianselig usually that's a 172.x private IP.

I just tried Christian's exact config on Linux, and the nginx container logged the source IP as 172.19.0.1, which is my host's docker IP address

Alex Gordienko
@alex@s.datais.me replied  ·  activity timestamp 57 minutes ago

@gnb @christianselig I did the same on Mac with OrbStack and got 192.168.147.2 for the container and 192.168.147.1 for its gateway. I guess it is controlled/configured by Docker engine?

Florian
@Typ0genius@mastodon.social replied  ·  activity timestamp 53 minutes ago

@alex @gnb @christianselig Yes, this is controlled by the engine.

Graham Ballantyne
@gnb@mastodon.social replied  ·  activity timestamp 50 minutes ago

@Typ0genius @alex @christianselig and configurable; the default 172 range conflicts with my work VPN so I had to change it when running Docker on Mac.

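A defensive check for the symptom discussed in this thread, added here as an example (not code from any participant or from Docker): it compares the client addresses nginx logged against the subnets reported by `docker network inspect` and flags any address that is neither inside a Docker subnet nor private. The network name, timestamps and log lines are constructed; the three addresses are the ones quoted in the thread.

```python
import ipaddress
import json

# Constructed sample: trimmed output of `docker network inspect <network>`.
NETWORK_INSPECT = """
[{"Name": "example_default",
  "IPAM": {"Config": [{"Subnet": "172.19.0.0/16", "Gateway": "172.19.0.1"}]}}]
"""

# Constructed nginx access-log lines (client address is the first field).
# The addresses are the ones quoted in the thread; everything else is made up.
ACCESS_LOG = """\
172.19.0.1 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/8.7.1"
167.71.248.173 - - [01/Jan/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/8.7.1"
192.168.147.1 - - [01/Jan/2025:10:00:09 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/8.7.1"
"""

def docker_subnets(inspect_json):
    """Collect every IPAM subnet from `docker network inspect` JSON."""
    nets = []
    for network in json.loads(inspect_json):
        # "Config" can be null or empty for networks without IPAM settings.
        for cfg in (network.get("IPAM") or {}).get("Config") or []:
            if cfg.get("Subnet"):
                nets.append(ipaddress.ip_network(cfg["Subnet"]))
    return nets

def classify(addr, subnets):
    """Label a logged client address relative to the Docker networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    if any(ip in net for net in subnets):
        return "docker-subnet"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "private-other"
    return "public-unexpected"

def audit(log_text, subnets):
    """Return (address, label) for each non-empty access-log line."""
    addrs = [line.split()[0] for line in log_text.splitlines() if line.strip()]
    return [(addr, classify(addr, subnets)) for addr in addrs]

if __name__ == "__main__":
    for addr, label in audit(ACCESS_LOG, docker_subnets(NETWORK_INSPECT)):
        print(f"{addr:<16} {label}")
```

A `public-unexpected` label on a request made from the host itself is the condition described in the original post; `private-other` covers setups where the engine uses a different private range than the one inspected.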
