Merge branch 'docker-host-networking' into 'master'

Make Docker host networking safer See merge request i2p-hackers/i2p.i2p!54
2022-02-16 15:53:32 +00:00
parent d6684403a2 1b5feda517
commit 91e9d95df7
3 changed files with 41 additions and 16 deletions
--- a/Docker.md
+++ b/Docker.md
@ -1,5 +1,25 @@
 # I2P in Docker

+### Very quick start
+If you just want to give I2P a quick try or are using it on a home network, follow these steps:
+
+1. Create two directories `i2pconfig` and `i2ptorrents`
+2. Copy the following text and save it in a file `docker-compose.yml`
+```
+version: "3.5"
+services:
+    i2p:
+        image: geti2p/i2p
+        network_mode: host
+        volumes:
+            - ./i2pconfig:/i2p/.i2p
+            - ./i2ptorrents:/i2psnark
+```
+3. Execute `docker-compose up`
+4. Start a browser and go to `http://127.0.0.1:7657` to complete the setup wizard.
+
+Note that this quick-start approach is not recommended for production deployments on remote servers.  Please read the rest of this document for more information.
+
 ### Building an image
 There is an i2P image available over at [DockerHub](https://hub.docker.com).  If you do not want to use that one, you can build one yourself:
 ```
@ -17,21 +37,26 @@ By the default the image limits the memory available to the Java heap to 512MB.
 #### Ports
 There are several ports which are exposed by the image.  You can choose which ones to publish depending on your specific needs.

-|Port|Description|TCP/UDP|
-|---|---|---|
-|4444|HTTP Proxy|TCP|
-|4445|HTTPS Proxy|TCP|
-|6668|IRC Proxy|TCP|
-|7654|I2CP Protocol|TCP|
-|7656|SAM Bridge TCP|TCP|
-|7657|Router console|TCP|
-|7658|I2P Site|TCP|
-|7659|SMTP Proxy|TCP|
-|7660|POP Proxy|TCP|
-|12345|I2NP Protocol|TCP and UDP|
+|Port|Interface|Description|TCP/UDP|
+|---|---|---|---|
+|4444|127.0.0.1|HTTP Proxy|TCP|
+|4445|127.0.0.1|HTTPS Proxy|TCP|
+|6668|127.0.0.1|IRC Proxy|TCP|
+|7654|127.0.0.1|I2CP Protocol|TCP|
+|7656|127.0.0.1|SAM Bridge TCP|TCP|
+|7657|127.0.0.1|Router console|TCP|
+|7658|127.0.0.1|I2P Site|TCP|
+|7659|127.0.0.1|SMTP Proxy|TCP|
+|7660|127.0.0.1|POP Proxy|TCP|
+|7652|LAN interface|UPnP|TCP|
+|7653|LAN interface|UPnP|UDP|
+|12345|0.0.0.0|I2NP Protocol|TCP and UDP|

 You probably want at least the Router Console (7657)  and the HTTP Proxy (4444).  If you want I2P to be able to receive incoming connections from the internet, and hence not think it's firewalled, publish the I2NP Protocol port (12345) - but make sure you publish to a different random port, otherwise others may be able to guess you're running I2P in a Docker image.

+#### Networking
+A best-practices guide for cloud deployments is beyond the scope of this document, but in general you should try to minimize the number of published ports, while exposing only the `I2NP` ports to the internet.  That means that the services in the list above which are bound to `127.0.0.1` (which include the router console) will need to be accessed via other methods like ssh tunneling or be manually configured to bind to a different interface.
+
 #### Example
 Here is an example container that mounts `i2phome` as home directory, `i2ptorrents` for torrents, and opens HTTP Proxy, IRC, Router Console and I2NP Protocols.  It also limits the memory available to the JVM to 256MB.
 ```
--- a/docker/rootfs/i2p/clients.config
+++ b/docker/rootfs/i2p/clients.config
@ -30,7 +30,7 @@
 ## non-SSL and SSL
 #clientApp.0.args=7657 ::1,127.0.0.1 -s 7667 ::1,127.0.0.1 ./webapps/
 ## non-SSL only, both IPv6 and IPv4 local interfaces
-clientApp.0.args=7657 0.0.0.0 ./webapps/
+clientApp.0.args=7657 127.0.0.1 ./webapps/
 clientApp.0.main=net.i2p.router.web.RouterConsoleRunner
 clientApp.0.name=webConsole
 clientApp.0.onBoot=true
@ -38,7 +38,7 @@ clientApp.0.onBoot=true
 # start up the SAM bridge so other client apps can connect
 clientApp.1.main=net.i2p.sam.SAMBridge
 clientApp.1.name=SAMBridge
-clientApp.1.args=sam.keys 0.0.0.0 7656 i2cp.tcp.host=localhost i2cp.tcp.port=7654
+clientApp.1.args=sam.keys 127.0.0.1 7656 i2cp.tcp.host=localhost i2cp.tcp.port=7654
 clientApp.1.startOnLoad=false

 # poke the i2ptunnels defined in i2ptunnel.config
--- a/docker/rootfs/i2p/i2ptunnel.config
+++ b/docker/rootfs/i2p/i2ptunnel.config
@ -19,7 +19,7 @@ tunnel.0.name=I2P HTTP Proxy
 tunnel.0.description=HTTP proxy for browsing eepsites and the web
 tunnel.0.type=httpclient
 tunnel.0.sharedClient=true
-tunnel.0.interface=0.0.0.0
+tunnel.0.interface=127.0.0.1
 tunnel.0.listenPort=4444
 tunnel.0.proxyList=false.i2p
 tunnel.0.i2cpHost=127.0.0.1
@ -44,7 +44,7 @@ tunnel.1.name=Irc2P
 tunnel.1.description=IRC tunnel to access the Irc2P network
 tunnel.1.type=ircclient
 tunnel.1.sharedClient=false
-tunnel.1.interface=0.0.0.0
+tunnel.1.interface=127.0.0.1
 tunnel.1.listenPort=6668
 tunnel.1.targetDestination=irc.postman.i2p:6667,irc.echelon.i2p:6667
 tunnel.1.i2cpHost=127.0.0.1