Tribler in docker, network_mode and iptables

Hi

I was using the docker image “image: triblercore/triblercore:latest” but the version currently seems to be stuck at 7.14.
I wanted to test the new web UI in version 8.x.

I have configured Tribler as follows …

    image: ghcr.io/tribler/tribler:latest
    network_mode: "host"
    volumes:
      - /var/tribler-ui/.tribler:/home/user/.Tribler:rw
      - /var/tribler-ui/download:/home/user/Downloads/:rw
    environment:
      CORE_API_PORT: 8085
      CORE_API_KEY: MY_KEY

I’m using iptables with default policy DROP.

I’d like to open only the necessary ports in iptables on the one hand, and on the other hand remove the network_mode: “host” to transmit only the necessary ports from docker to the host as well.

I see in “configuration.json” that ipv8 uses ports 8090 and 8091. I understand that bittorrent uses ports 6881 to 6889. And that all these ports use TCP and UDP.
Is this correct or will bittorrent assign ports dynamically in unpredictable ranges please?
Are there any other ports specific to Tribler?
Is it realistic to consider both a strict iptables configuration and a docker-compose configuration of the form …

    ports:
      - "127.0.0.1:8085:8085"
      - ...

Thanks in advance for your help

Running docker compose ps -a may offer insight into the ports that the Tribler container has opened, although I can’t say for sure


Thx Sachiko :slightly_smiling_face:

I use portainer to create my dockerised applications.

With the help of …
https://www.baeldung.com/linux/docker-list-open-sockets-inside-container#3-using-nsenter

    # nsenter -t CONTAINER_PID -n ss -tuln | sed -n '/127.0.0.1/! s#^.*[0-9]:\([0-9]\+\) .*$#\1#p' | sort -g | uniq
    22
    53
    68
    6771
    6881
    8090
    35531
    35912
    36243
    36801

Port 6771 would correspond to this …

The 35 and 36000 ports are odd.

Since the webUI listens in the docker container on 127.0.0.1:PORT, I should use a docker compose syntax of the form …

    ports:
      - "127.0.0.1:8085:127.0.0.1:8085"

But it doesn’t work, for safety/isolation reasons among others.

If it were possible to add an option to docker to bind the webUI to 0.0.0.0 in the container please :pray:

So the intent here is to recreate the headless Tribler 8.x in Docker, and maybe with more open networking to not need Apache? ( ̄ー ̄) I can try and make a Dockerfile build for this, but it might take a day or two. I can do that! (ง •̀_•́)ง

I created a network for the tribler container by assigning it a fixed private IP.
Then I modified the “~/.Tribler/git/configuration.json” from "http_host": "127.0.0.1", to "http_host": "private_ip", then restarted the container stack, which is no longer in network_mode: "host".

For information, in the configuration.json file you can map the webUI to the IP address of the hardware carrying Tribler, with or without httpS.
So you can access the webUI from outside without using an Apache/Nginx/… web service @Sachiko

Oh and ports …

  • 6881 to 6889 # libtorrent
  • 8090, 8091 # ipv8
    … seem to be the only ones to open on a firewall / iptables.
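
An added example, not part of the thread and not Tribler project code: a filter that reads `ss -tuln` output and reports listeners that are not loopback-bound and fall outside the ports listed above, so strays such as the 35xxx/36xxx ports stand out before iptables rules or `ports:` mappings are written. The function names and the sample input are constructed for illustration; unlike the sed filter earlier in the thread, it also reads IPv6 and wildcard listeners.

```shell
#!/bin/sh
# Added example (not from the thread). Allowlist taken from the thread:
#   6881-6889 libtorrent, 8090-8091 ipv8.

# Reads `ss -tuln` output on stdin and prints "proto port address" for every
# listener that is not loopback-bound and not on the allowlist.
unexpected_listeners() {
    awk '
        $1 != "tcp" && $1 != "udp" { next }   # skip the header line
        {
            n = split($5, parts, ":")
            port = parts[n]                    # port follows the last colon
            addr = substr($5, 1, length($5) - length(port) - 1)
            sub(/%.*$/, "", addr)              # drop scope, e.g. 127.0.0.53%lo
            # Loopback-bound sockets are skipped, as in the sed filter above.
            if (addr ~ /^127\./ || addr == "[::1]") next
            p = port + 0
            if ((p >= 6881 && p <= 6889) || p == 8090 || p == 8091) next
            print $1, port, addr
        }
    ' | LC_ALL=C sort -u
}

# Constructed sample in the shape of `ss -tuln` output (not a real capture).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:6771       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:8090       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:35531      0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:6881       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:8085     0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
EOF
}

# Live use, with the command from the post above:
#   nsenter -t CONTAINER_PID -n ss -tuln | unexpected_listeners
sample_ss_output | unexpected_listeners
```

Anything it prints is a port to identify before deciding whether it needs an iptables rule or a published port; an empty result means every non-loopback listener is already covered by the list above.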

Hmm… ( ̄ー ̄) What about providing the API key? Apache seems to be the simplest way of doing this, so I’d lean toward leaving Tribler on 127.0.0.1 and proxying through. Then HTTPS and authentication can be added!

If the computer/server on which Tribler is installed (in a docker container or as a classic application) is public, it is important to install an upstream web service (Apache, Nginx, Caddy, etc.). In which case this web service will proxy as follows …
How to connect to new Tribler WebUI from other devices/other issues

On the other hand, if Tribler is installed on a LAN / at home, there’s no need for a dedicated web service. Simply map the webUI to the IP address of the hardware, and access it from another workstation via http://Your_IP:8085/ui/#/downloads/all?key=YOUR_KEY (just bookmark this link).

I haven’t yet tested https access to the webUI as suggested in the configuration.json file.