How do I spin up a portainer docker on localhost?
Hey, I have used Docker (with the preconfigured Docker Linode) for a while now and discovered a really nice way of managing my Docker containers through Portainer. However, with the convenience I am also worried about security. I would rather avoid exposing my Portainer to the internet.
How can I specify the container to run on localhost? Like, e.g., on port 3000 "localhost:3000". I am already using nginx proxy manager so I can restrict access by IP addresses for my Docker containers, but I figured running on localhost would be a more foolproof solution.
6 Replies
I don’t know a huge amount about Docker and even less about Portainer but I’ll try and help.
Just to clarify are you wanting to restrict the Portainer admin interface (that runs publicly on port 9000 by default)?
If so, the “--bind” (also “-p”) argument seems to be what you need according to the documentation.
Something like:
-p 127.0.0.1:3000
Might work.
You could then use SSH port forwarding to still access it from your own machine.
Thanks a lot for the response andysh!
I apologise for not being so clear in my explanation. Yes, that is exactly what I meant. I want it so the Portainer admin interface is only accessible by me when I am home on my local internet.
I think my issue is that guides online seem to be running on localhost when using their own home servers. So I am not sure whether it is even possible to do it when I am using a remote server (linode) and accessing it via ssh on my laptop.
I tried running the Docker container specifying the local port like you suggested: docker run -d -p 8000:8000 -p 127.0.0.1:3000 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce. But since the Docker image first needs to be pulled, I first used the standard command from the Portainer documentation to download the image. Then I deleted the Docker container and ran it again with the 127.0.0.1:3000. But then it says "docker: Invalid hostPort: 127.0.0.1".
Am I missing something here? Sorry I am very new to self-hosting.
Ah it may be you still need both the local (host) port and the port inside the container.
What about:
-p 127.0.0.1:3000:9000
This will (I think) forward connections from your Docker host (Linode) port 3000 to port 9000 inside the container.
So I am not sure whether it is even possible to do it when I am using a remote server (linode) and accessing it via ssh on my laptop.
That’s the beauty of SSH port forwarding - this is definitely possible.
Once you’ve got the container running on localhost, on your laptop, open an SSH connection and open a port forward from a local port number on your machine (3000 should work fine if it’s not already in use on your laptop). The “remote IP” should be “localhost” and remote port 3000.
How you do this depends on what SSH software you are using (an app like PuTTY, SecureCRT, etc) or plain command-line (OpenSSH.)
You can then connect to “http://localhost:3000” on your laptop and magically you should get transported to “localhost:3000” on your Linode, which in turn is port 9000 inside your container!
Thanks a ton!
It finally worked running "docker run -d -p 8000:8000 -p 127.0.0.1:3000:9000 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce" like you suggested.
But I am not sure how to do the SSH port forwarding. From what I could gather online it should be something like: ssh -L 3000:theipaddressofmylinode:127.0.0.1:3000 hostnameofmyserver. I tried it but I keep getting the message "bad forwarding specification".
Sorry I promise this will be my last question. I really appreciate the help :)
For reference, I am just using normal OpenSSH in a macOS terminal. Should be very similar to PuTTY on Windows.
Don’t worry about asking too many questions - that’s how we learn and it’s exactly what this community site is for!
The command you’d need is something like this:
ssh -L 127.0.0.1:3000:127.0.0.1:3000 username@linode.ip.address
It looks a bit odd at first glance as it looks like you’re forwarding your laptop back to your laptop.
However the first ip/port pair is the “local” or client port - on your laptop. It is where you will point your browser to (http://localhost:3000.)
The second ip/port pair is where the SSH server will connect to when the client side of the SSH tunnel (your laptop) receives a connection on the first ip/port pair.
Because the remote connection is initiated on the SSH server, the second ip/port pair is actually referring to localhost:3000 on your Linode - i.e. the Docker port forward.
These ports don’t have to match. A command like this…
ssh -L 127.0.0.1:12345:127.0.0.1:3000 username@linode.ip.address
… is perfectly valid. You’d point your browser to http://localhost:12345 on your laptop which in turn would route to localhost:3000 on your Linode!
I apologise for the very late reply but I put my server behind Cloudflare and the DNS records took forever to update. Also the Mac firewall was a pain.
I tried ssh -L 127.0.0.1:3000:127.0.0.1:3000 username@linode.ip.address and it is now working splendidly. Thank you again a ton for the help :)
Looking forward to learning more about self-hosting :)
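Added example, not part of the original thread: a check for which published ports of a container are still reachable from outside the Docker host. In the docker run command that worked above, -p 127.0.0.1:3000:9000 is loopback-only, but -p 8000:8000 has no host address, so Docker publishes it on all interfaces. The sample input is constructed and the container name "portainer" in the usage comment is an assumption.

```shell
#!/usr/bin/env bash
# Added example: flag published container ports that are reachable from
# outside the Docker host. Input is the text printed by
# `docker port <container>`, one mapping per line, for instance
# "9000/tcp -> 127.0.0.1:3000".

# Print every mapping whose host address is not loopback.
# Returns 1 if at least one such mapping was found, 0 otherwise.
non_loopback_bindings() {
    local line host_addr found=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        # Keep what follows "-> ", then strip the trailing ":<hostport>".
        host_addr=${line##*-> }
        host_addr=${host_addr%:*}
        case "$host_addr" in
            127.*|"[::1]"|::1) ;;   # loopback: local processes only
            *) printf '%s\n' "$line"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample: what `docker port portainer` would report for
# -p 8000:8000 -p 127.0.0.1:3000:9000 on a dual-stack host.
SAMPLE_PORTS='8000/tcp -> 0.0.0.0:8000
8000/tcp -> [::]:8000
9000/tcp -> 127.0.0.1:3000'

# Run the check over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_PORTS" | non_loopback_bindings
}

# Live use on the Docker host (container name is an assumption):
#   docker port portainer | non_loopback_bindings
audit_sample || echo "^ these mappings listen on more than localhost"
```

Any line the function prints is a port that needs either a 127.0.0.1: prefix in its -p mapping or removal of the mapping if it is not used.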