Tunneling into another container?
guruglue opened this issue · 4 comments
Apologies if this is a stupid question; I am new to this. I'm running Plex media server in bridged mode inside of another docker container on the same host machine. My question is, how would I configure this (if possible) to set up a tunnel from the remote server into the Plex container? Would I need to generate the rsa key inside of the Plex container? Also, can I use the same ports for both the remote server and the target; or would this be ill-advised? Thanks!
TL;DR: If you need to get into the running container, use docker exec from the host.
It is generally accepted (read: I'm not going to argue) that a separation needs to occur between the concept of "container" and "virtual machine". A virtual machine individualizes an Operating System, it can spawn/manage/kill processes. A container individualizes an application. They are not equivalent, not apples-to-apples. A VM runs many applications, a container should run only one application.
As such, "leading practices" discourage turning containers into virtual machines. If you have a web/app/db requirement, that can be 1 Virtual Machine (with (1) a webserver, nginx; (2) an application environment, php; and (3) a database, mariadb), -or- they can be three containers, a webserver container, an application container, AND a database container.
So, you don't want to 'ssh' directly into your plex container, because then the 'sshd' process needs to be running INSIDE the Plex container (along with all the apps running).
The (official) plex container violates this "leading" practice. It runs a supervisor process, which ensures that all the child processes (scanner, database, webserver) run appropriately. Again, I'm not going to argue (e.g. they cannot scale each component individually). Feel free to modify the container to ALSO run an 'sshd' process.
Docker explains how to do it, but again, recommends against it.
https://docs.docker.com/config/containers/multi-service_container/
Thanks for your response. I thought about that, just running autossh from within the pms container, but it just felt like the wrong way of going about it. Your explanation helps me to better understand why.
It sounds like you are saying that the official
pms container violates best practices all by itself. I'm trying to setup a pms server on my home network which is behind a double NAT'ed firewall. I've managed to get this working without containers using autossh reverse tunnels to a VPS that I own which has a public ip. This worked well, but there are obvious security risks. My thought was that limiting port forwarding to the pms container would solve this.
I'm curious what you'd suggest, since security is my primary consideration when looking to docker to accomplish this. Would it be better then, to run pms container within a VM guest on my media server using your autossh container within the same VM guest?
Apologies if this is outside of the scope of this project. Let me know if I'm barking up the wrong tree here.
If your PMS is not in your network, but you "want" it to be. Try a free VPN client. https://www.tinc-vpn.org/ is a great suggestion.
However, what I think you want (if I'm understanding you right), is your PMS server runs isolated, but you need port 32400 locally. So, YES, you can use this container to create a tunnel to PMS:32400. It is exactly like the autossh reverse tunnels you were creating manually.
As far as security risks, everything has a security risk. If you are looking to docker FOR security, that's not the main purpose of it. It still just uses the same tools that you are already using. Docker doesn't add security.
Containers, VMs or physical, if a port is open, it's insecure.
Closing because this is not an "issue". But feel free to continue the discussion.