docker / machine

Machine management for a container-centric world
https://docs.docker.com/machine/
Apache License 2.0

Specify network security group #3872

Open ghost opened 8 years ago

ghost commented 8 years ago

IT won't give me permission to create arbitrary new network security groups so docker-machine won't deploy anything. I have a perfectly good NSG that I'd like to specify but, for some reason, this isn't an option and it insists on trying to create a new one for every machine.

Command:

docker-machine create -d azure --azure-ssh-user user@email.com --azure-subscription-id abcdefff-beef-beef-beef-12345678900 --azure-resource-group RG --azure-no-public-ip --azure-open-port 80 Machine

Error:

(Machine) Configuring network security group. name="Machine-firewall" location="westus" Error creating machine: Error in driver during machine creation: network.SecurityGroupsClient#CreateOrUpdate: Failure sending request: StatusCode=403 - Original Error: Long running operation terminated with status 'Failed': Code="AuthorizationFailed" Message="The client 'live.com#user@email.com' with object id 'abcabcab-beef-beef-beef-beefbeefabca' does not have authorization to perform action 'Microsoft.Network/networkSecurityGroups/write' over scope '/subscriptions/abcabcab-beef-beef-beef-beefbeefabca/resourceGroups/RG/providers/Microsoft.Network/networkSecurityGroups/Machine-firewall'."

I'd be very happy to see a new parameter that would let me use the existing NSG. Something like

--azure-nsg

ahmetb commented 7 years ago

@sirdank this looks like a feasible feature request. Is it often the case that your NSG is not in the same resource group as the docker-machine VM? I'm not sure how soon I can get to this.

If you'd like to contribute a pull request, there's code that lets you specify --azure-vnet from other Resource Groups etc. (in [rg:]name format). Feel free to copy that code to make it work with NSGs as well!

ghost commented 7 years ago

My NSG isn't in a different resource group, I just want to be able to specify an existing NSG in the same resource group rather than have docker-machine create a new one. This has been put on the back-burner for now but I may be back with a pull request sometime soon.

On Friday, December 2, 2016 5:02 PM, Ahmet Alp Balkan <notifications@github.com> wrote:

@sirdank this looks like a feasible feature request. Is it often the case that your NSG is not in the same resource group as the docker-machine VM? I'm not sure how soon I can get to this.

If you'd like to contribute a pull request, there's code that lets you specify --azure-vnet from other Resource Groups etc. (in [rg:]name format). Feel free to copy that code to make it work with NSGs as well!

DBarthe commented 7 years ago

I'm also interested in this in order to create a cluster of docker-machines behind the same NSG, without extra manual operations.

mitchellmaler commented 6 years ago

We have an NSG in a different resource group that was already created along with our vnet and gateway. We need to create nodes with docker machine with this group already.

mitchellmaler commented 6 years ago

I opened pull request #4486 to allow a named network security group. This way multiple created VMs can share the same NSG.
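
Added example, not part of the thread and not code from docker-machine or pull request #4486: one way a value in the [rg:]name format mentioned above could be resolved to the resource ID of an existing NSG, in the ID shape shown in the error message. The names nsgRef, parseNSGRef and resourceID are hypothetical, and the subscription ID and group names in main are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// nsgRef names an existing network security group (hypothetical type).
type nsgRef struct {
	ResourceGroup string
	Name          string
}

// parseNSGRef resolves a "[rg:]name" value. Without the "rg:" prefix the NSG
// is looked up in defaultRG, the resource group the VM is created in.
func parseNSGRef(spec, defaultRG string) (nsgRef, error) {
	ref := nsgRef{ResourceGroup: defaultRG, Name: spec}
	if parts := strings.Split(spec, ":"); len(parts) == 2 {
		ref = nsgRef{ResourceGroup: parts[0], Name: parts[1]}
	} else if len(parts) > 2 {
		return nsgRef{}, fmt.Errorf("invalid NSG reference %q: want [rg:]name", spec)
	}
	if ref.ResourceGroup == "" || ref.Name == "" {
		return nsgRef{}, fmt.Errorf("invalid NSG reference %q: empty group or name", spec)
	}
	// Reject path separators so the value cannot change the scope of the ID.
	if strings.Contains(ref.ResourceGroup+ref.Name, "/") {
		return nsgRef{}, fmt.Errorf("invalid NSG reference %q: '/' not allowed", spec)
	}
	return ref, nil
}

// resourceID builds the resource ID in the shape seen in the 403 error above.
func (r nsgRef) resourceID(subscriptionID string) string {
	return fmt.Sprintf(
		"/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/networkSecurityGroups/%s",
		subscriptionID, r.ResourceGroup, r.Name)
}

func main() {
	const sub = "00000000-0000-0000-0000-000000000000" // constructed placeholder
	for _, spec := range []string{"shared-nsg", "net-rg:shared-nsg", "a:b:c", ":x", "rg:../x"} {
		ref, err := parseNSGRef(spec, "RG")
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println(spec, "->", ref.resourceID(sub))
	}
}
```
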