jupyter/docker-demo-images

Document invocation of docker run / settings used for the docker daemon.

bjodah opened this issue · 3 comments

Hi!

First of all, thank you for providing these Docker images (and hosting them!) like this.
It really helps in teaching and general showcasing of Jupyter.

I would like to host a modified version and I am curious how you disallow outgoing internet connections. I.e.:

>>> subprocess.check_output(["ping", '-c', '1', '127.0.0.1'])

b'PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.\n64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.028 ms\n\n--- 127.0.0.1 ping statistics ---\n1 packets transmitted, 1 received, 0% packet loss, time 0ms\nrtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms\n'
>>> subprocess.check_output(["ping", '-c', '1', '64.233.161.99'])

---------------------------------------------------------------------------
CalledProcessError                        Traceback (most recent call last)
<ipython-input-11-89d4d5e7389b> in <module>()
----> 1 subprocess.check_output(["ping", '-c', '1', '64.233.161.99'])

/usr/lib/python3.4/subprocess.py in check_output(timeout, *popenargs, **kwargs)
    614         retcode = process.poll()
    615         if retcode:
--> 616             raise CalledProcessError(retcode, process.args, output=output)
    617     return output
    618 

CalledProcessError: Command '['ping', '-c', '1', '64.233.161.99']' returned non-zero exit status 1

Using docker run --net='none' disables all networking. Are you running the docker daemon with --ip-forward=false? It would be great if there was a sentence or two describing this in the README.

The deployment of tmpnb is done through an Ansible playbook. We certainly need more documentation, as this evolved from a need and an experiment into something folks like to use and reference.

Networking is disabled for user containers by setting DOCKER_OPTS within /etc/default/docker to have both --icc=false and --ip-forward=false set:

DOCKER_OPTS="--icc=false --ip-forward=false"

The launcher (tmpnb) and proxy (configurable http proxy) are both set with --net=host to have the full networking stack.
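An added example, not part of the original comment or of the tmpnb Ansible playbook: a small shell check that reads a Docker defaults file and confirms the effective DOCKER_OPTS carries both --icc=false and --ip-forward=false. It assumes the last uncommented literal DOCKER_OPTS= assignment is the one in effect (assignments that append via $DOCKER_OPTS are not expanded); the function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# check_docker_opts FILE
# Prints one line per flag; exit status 0 only if both isolation flags are false.
check_docker_opts() (
    set -f                      # no globbing while word-splitting the options
    file=$1
    rc=0
    if [ ! -r "$file" ]; then echo "unreadable: $file"; exit 2; fi

    # The file is sourced by the init script, so a later assignment overrides
    # an earlier one. Commented-out lines do not match this pattern.
    line=$(grep -E '^[[:space:]]*(export[[:space:]]+)?DOCKER_OPTS=' "$file" | tail -n 1)
    if [ -z "$line" ]; then echo "FAIL: no active DOCKER_OPTS assignment"; exit 1; fi

    # Drop the variable name and the surrounding quotes.
    opts=$(printf '%s' "${line#*=}" | tr -d "\"'")

    for flag in icc ip-forward; do
        value=unset
        for word in $opts; do
            case $word in
                --$flag=*) value=${word#*=} ;;   # explicit value, last one wins
                --$flag)   value=true ;;         # bare boolean flag means true
            esac
        done
        if [ "$value" = false ]; then
            echo "ok: --$flag=false"
        else
            echo "FAIL: --$flag is $value (expected false)"
            rc=1
        fi
    done
    exit "$rc"
)

# Constructed sample, not taken from the real deployment: a stale commented
# line followed by the active assignment quoted in the comment above.
sample=$(mktemp)
printf '%s\n' '#DOCKER_OPTS="--icc=true"' \
              'DOCKER_OPTS="--icc=false --ip-forward=false"' > "$sample"
check_docker_opts "$sample"
rm -f "$sample"
```

On a host, point it at /etc/default/docker; a non-zero exit means at least one of the two flags is missing or overridden.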

The FAQ in the README now points to the Ansible playbook. Is there more documentation needed here?

That looks great! Thanks!