Experimental setup for peer-to-peer network for algorithm containers with port forwarding
The mechanisms described below are partly automated in the script configure_network.py.
docker-compose up -d
Block internet access for VPN clients (these rules run automatically on the VPN client): the FORWARD chain is flushed, its policy set to DROP, and only traffic between the tun interfaces and eth1 is forwarded.
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -i tun+ -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o tun+ -j ACCEPT
The bridge networks of the docker containers are linked to network interfaces in the default network namespace of the host (but by a different name).
On the Docker host, configure an exception to the Docker bridge network isolation so that the isolated bridge and the VPN subnet can reach each other (both rules are inserted at position 1 of DOCKER-USER so they take precedence over the isolation rules):
iptables -I DOCKER-USER 1 -d $vpn_subnet -i $isolated_bridge -j ACCEPT
iptables -I DOCKER-USER 1 -s $vpn_subnet -o $isolated_bridge -j ACCEPT
Set the default route of the isolated algorithm container to 172.16.238.2 by joining its network namespace from a helper container that has NET_ADMIN:
docker run --network container:$ISOLATED_CONTAINER --cap-add=NET_ADMIN alpine ip route replace default via 172.16.238.2
Forward traffic arriving at the VPN client to the algorithm container. Configure on the VPN client, one rule per algorithm (TODO: make the rule as specific as possible):
iptables -t nat -A PREROUTING -i tun0 -p tcp \
--dport $vpn_client_port -j DNAT --to $isolated_algorithm_ip:$algorithm_port
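The per-algorithm DNAT step above, as an added example that is not the page's configure_network.py: it builds one rule per algorithm, narrows the match beyond the rule shown (only traffic from another VPN peer addressed to this client's tun0 address), and refuses targets that are not on the isolated bridge. The tun0 address, subnets and algorithm table are constructed sample values.

```python
"""Generate the per-algorithm DNAT rules for the VPN client (added example)."""
import ipaddress
import shlex
import subprocess


def dnat_rules(algorithms, tun_ip, isolated_subnet, vpn_subnet, apply=False):
    """Return one iptables DNAT rule (as an argv list) per algorithm.

    algorithms: {vpn_client_port: (isolated_algorithm_ip, algorithm_port)}
    Compared with the plain '-i tun0 -p tcp --dport ...' rule, each rule also
    requires the packet to come from the VPN subnet and to be addressed to
    this client's own tun0 address, so only peer traffic reaches the forward.
    """
    tun_ip = ipaddress.ip_address(tun_ip)
    isolated_net = ipaddress.ip_network(isolated_subnet)
    vpn_net = ipaddress.ip_network(vpn_subnet)
    if tun_ip not in vpn_net:
        raise ValueError(f"{tun_ip} is not inside VPN subnet {vpn_net}")
    rules = []
    for client_port, (algo_ip, algo_port) in sorted(algorithms.items()):
        algo_ip = ipaddress.ip_address(algo_ip)
        # a DNAT target outside the isolated bridge would leak traffic elsewhere
        if algo_ip not in isolated_net:
            raise ValueError(f"{algo_ip} is not on isolated bridge {isolated_net}")
        for port in (client_port, algo_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"invalid port {port}")
        rules.append([
            "iptables", "-t", "nat", "-A", "PREROUTING",
            "-i", "tun0", "-s", str(vpn_net), "-d", str(tun_ip),
            "-p", "tcp", "--dport", str(client_port),
            "-j", "DNAT", "--to-destination", f"{algo_ip}:{algo_port}",
        ])
    if apply:  # dry-run by default; apply=True executes the rules as root
        for rule in rules:
            subprocess.run(rule, check=True)
    return rules


if __name__ == "__main__":
    # constructed sample: two algorithm containers behind one VPN client
    sample = {5000: ("172.16.238.10", 8080), 5001: ("172.16.238.11", 8080)}
    for rule in dnat_rules(sample, "10.76.0.5", "172.16.238.0/24", "10.76.0.0/16"):
        print(shlex.join(rule))
```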
blockLan = false
clientToClient = true