Docker is it’s own container within an operating system, and therefore contains everything it needs to function including it’s own network. When you get into Docker’s netstat output, you’ll see the network Docker runs on is entirely different than your host network. Therefore, if you turn your stake pool loose on the world, you might be surprised at zero inbound peers when running a monitoring script like liveview.sh. When you finally analyze the script to see almost everything else is using Prometheus and the cardano-node’s inherent output, it’s inbound connections are simply performing a netstat command with some clever parsing of the data.

One way to see network connections in a Docker container is to use the nsenter command:

sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' container_name_or_id) -n netstat

Therefore, if your relay node is named “relay1”, your nsenter command becomes:

sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' relay1) -n netstat

And to fix your liveview.sh script:

sudo nsenter -t $(docker inspect -f '{{.State.Pid}}' relay1) -n netstat -an|awk "\$4 ~ /${cardanoport}/"|grep -c ESTABLISHED

Note: If you haven’t done so already, your cardano-node command in liveview.sh will change too, from:

"$(command -v cardano-node)" version

To:

docker run --rm inputoutput/cardano-node version

If the Docker container’s name or Id is not correct, you will receive the following error:

Error: No such object: object_name_or_id

Another Option:

There is another way to have docker run on the host network, but in theory, it’s less secure. Hold that thought though. Docker’s network runs in “bridged” mode by default. To have it run on the host network, simply add the --network="host" parameter to your “docker run” command and then restart your node. At this point, the Docker image will run on the host network and the original netstat command from liveview.sh will function as you would normally expect as you will be able to see the cardano-node network connections on the host network.

However, the following is from the official Docker documentation:

--network="host" gives the container full access to local system services such as D-bus and is therefore considered insecure.

You will need to evaluate what’s best for your infrastructure and security. Our hosts are specifically dedicated to being cardano-nodes. Our cardano-node Docker image is the official IOHK (Cardano Foundation) image and so we would feel safe running it on the host’s network regardless. Docker has mostly given us convenience (rather than security), as we’d essentially be running the cardano-nodes on the host network anyway if we weren’t using Docker. Therefore we don’t see a security downside for our scenario. However, until we run out of options with Docker, we will just continue to keep it all contained using the methods above.

Comments

Be the first to post a comment

Post a comment