[qubes-users] Re: Playing with docker in an app-vm
On Thursday, 24 November 2016 14:05:30 UTC+1, Opal Raava wrote:
> Hi all,
>
> I've not seen many docker posts, but for the heck of it I'd like to report on
> how I made an app-vm that has a website running in docker and reachable by
> everything connected to sys-firewall.
>
> 1) install docker in fedora-24, dnf install docker
>
> 2) create the new appvm, I called it 'docker'
>
> 3) in that app-vm in /rw/config/rc.local, I put:
>
> rm -rf /var/lib/docker
> ln -s /home/user/docker /var/lib/docker
> systemctl start docker
>
> , and I made the dir in /home/user/docker
> now as root I can use 'docker ps' and everything.
>
>
> 4) networking, making 'docker' visible:
> on docker app-vm in /rw/config/qubes-firewall-user-script, I put:
>
> iptables -I INPUT -s 10.137.2.0/24 -j ACCEPT
>
> on sys-firewall, in /rw/config/qubes-firewall-user-script, I put:
>
> iptables -I FORWARD 2 -s 10.137.2.0/24 -d $(docker-appvm-ip) -j ACCEPT
>
> Ok, that's all I have on docker, and it works great.

Hello Opal Raava.

Thanks for this post. I am a newbie in Qubes OS.
I'd like to create an appVM having an HTTPS (port 443) website running in docker.
When I start the docker container I set the following option: -p 2443:443
But I failed with configuring sys-firewall, and my browser refuses to access the https website.
Did you meet this case?
Thanks for your ideas around the sys-firewall/https forward.
Regards
Mac

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fc3afeec-3d49-42c2-bd6e-e2ecd107beac%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Trouble with enabling networking between two Vms
On Thursday, 10 November 2016 18:09:30 UTC+1, Max wrote:
> On Thursday, 10 November 2016 07:34:06 UTC+8, Drew White wrote:
> > On Thursday, 10 November 2016 04:36:18 UTC+11, Max wrote:
> > > Brief update on this. After attempting to use the Qubes Network Server
> > > from Manuel Amador (Rudd-O) to solve this issue with no luck I have gone
> > > back to looking at solving this by adjusting the iptables rules.
> > >
> > > I ran through the steps listed here again:
> > > https://www.qubes-os.org/doc/qubes-firewall/#enabling-networking-between-two-vms
> > > but instead of trying to ping my Debian 8 VM (10.137.2.18) from the
> > > Windows VM (10.137.2.19), I did this from a new Fedora VM (10.137.2.16)
> > > to test the results.
> > >
> > > I simply did the following:
> > >
> > > Firewall
> > > sudo iptables -I FORWARD 2 -s 10.137.2.16 -d 10.137.2.18 -j ACCEPT
> > >
> > > work-apps
> > > iptables -I INPUT -s 10.137.2.16 -j ACCEPT
> > >
> > > This enabled me to ping from Fedora to the Debian VM. No additional rules
> > > were required such as adding ports or adding an ACCEPT FORWARD rule in
> > > the Debian VM with the destination and source reversed.
> > >
> > > Given the ease of achieving this, it seems that the issue here stopping
> > > me pinging my Debian VM from Windows is specific to Windows being an HVM.
> > > Pinging from an HVM to a PVM does not seem to work but PVM to PVM
> > > networking does. Please note that the HVM can ping the firewall and vice
> > > versa.
> > >
> > > Does anyone have any suggestions given this information?
> > >
> > > Many thanks.
> >
> > As I have said in other places, including his qubes network server post, I
> > too use IPTables, because it's much simpler and cleaner.
> >
> > I have a dedicated ProxyVM that is my inter-vm network.
> >
> >
> > These are the 2 rules...
> > $intervm_internalnet = '10.137.2.0';// this can be generated from the
> > ifconfig if required. But conditions apply for success.
> >
> > iptables -I FORWARD 1 -i vif+ -o vif+ -s $intervm_internalnet/24 -d
> > $intervm_internalnet/24 -m state --state NEW -p tcp -m tcp -j ACCEPT
> > iptables -I FORWARD 1 -i vif+ -o vif+ -s $intervm_internalnet/24 -d
> > $intervm_internalnet/24 -p udp -m udp -j ACCEPT
> >
> >
> > This has worked for me always. Never missed a beat. And it allows for
> > inter-vm comms, as well as it communicating to the outside world.
>
> Thanks Drew, unfortunately I tried this at the beginning (my step 3). It
> didn't work for me.
>
> Have you tried pinging from a Windows HVM to another Debian or Fedora AppVM?

Hello Max,

I am a newbie on Qubes, and I've the same issue on the 3.2 version.
Did you finally succeed in having interconnect between two HVMs?
Thanks for your feedback.
Regards
Mc

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/317d2d23-cfe3-4326-b5b7-371875bbf9ae%40googlegroups.com.
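As an added example covering both threads above (not code from any of the posters): the two-host pattern they describe, one ACCEPT in sys-firewall's FORWARD chain and one in the serving VM's INPUT chain, rewritten as a qubes-firewall-user-script that validates its addresses, opens only one TCP port instead of everything from the subnet, and checks with iptables -C before inserting so that re-running the script does not stack duplicate rules. The addresses 10.137.2.0/24 and 10.137.2.20, the port 2443 (Mac's published port), the ROLE, APPLY_RULES and IPTABLES variables and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the thread): idempotent, port-scoped
# inter-VM rules for a Qubes 3.x /rw/config/qubes-firewall-user-script.
# The values below are hypothetical; replace them with your own VM addresses.
CLIENT_NET=${CLIENT_NET:-10.137.2.0/24}   # VMs allowed to reach the service
SERVER_IP=${SERVER_IP:-10.137.2.20}       # assumed address of the docker app-vm
PORT=${PORT:-2443}                        # host port published with -p 2443:443
ROLE=${ROLE:-firewall}                    # "firewall" (sys-firewall) or "server" (docker vm)
IPTABLES=${IPTABLES:-iptables}

# valid_ipv4 ADDR[/PREFIX]: return 0 for a well-formed IPv4 address or CIDR.
# A typo here should fail loudly rather than become a rule that matches
# more (or less) than intended.
valid_ipv4() {
    ip=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/": treat as a host address
    case "$ip" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    case "$prefix" in ""|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# forward_rule SRC DST PORT: rule spec for sys-firewall's FORWARD chain.
# Only new TCP connections to one port are opened; replies are handled by
# the RELATED,ESTABLISHED rule the Qubes firewall already installs.
forward_rule() {
    printf '%s\n' "-i vif+ -o vif+ -s $1 -d $2 -p tcp --dport $3 -m conntrack --ctstate NEW -j ACCEPT"
}

# input_rule SRC PORT: matching rule spec for the serving VM's INPUT chain.
input_rule() {
    printf '%s\n' "-s $1 -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# ensure_rule CHAIN RULESPEC...: insert the rule only if it is not already
# present (-C). The user script is re-run on every firewall reload, so a
# plain -I would accumulate duplicate copies of the rule.
ensure_rule() {
    chain=$1; shift
    "$IPTABLES" -C "$chain" "$@" 2>/dev/null && return 0
    "$IPTABLES" -I "$chain" "$@"
}

# apply_rules: validate inputs, then install the rule for this VM's role.
# Word splitting of the rule spec into separate arguments is intended.
apply_rules() {
    valid_ipv4 "$CLIENT_NET" || { echo "bad CLIENT_NET: $CLIENT_NET" >&2; return 1; }
    valid_ipv4 "$SERVER_IP"  || { echo "bad SERVER_IP: $SERVER_IP" >&2; return 1; }
    case "$ROLE" in
        firewall) ensure_rule FORWARD $(forward_rule "$CLIENT_NET" "$SERVER_IP" "$PORT") ;;
        server)   ensure_rule INPUT   $(input_rule "$CLIENT_NET" "$PORT") ;;
        *) echo "unknown ROLE: $ROLE" >&2; return 1 ;;
    esac
}

# Gated on APPLY_RULES=1 so the file can also be sourced just for its
# functions; in the real user script call apply_rules unconditionally.
if [ "${APPLY_RULES:-0}" = 1 ]; then
    apply_rules
fi
```

Install the same file as /rw/config/qubes-firewall-user-script on both sides, with ROLE=firewall on sys-firewall and ROLE=server on the serving VM, and make it executable. Scoping the rule to one destination port and to NEW connections is the least-privilege version of the broad subnet-wide ACCEPTs in the thread; the -C check is what keeps the rule set stable across the repeated reloads that Qubes performs.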