๐ŸŒ Network & Docker

China-specific setup: mirrors, registries, and compose tips

Contents

Docker China Mirrors

Docker Hub is blocked or extremely slow in China. Without mirrors, docker pull hangs indefinitely.

/etc/docker/daemon.json

{
  "registry-mirrors": [
    "https://docker.mirrors.ustc.edu.cn",
    "https://mirror.ccs.tencentyun.com",
    "https://hub-mirror.c.163.com",
    "https://docker.m.daocloud.io"
  ]
}
๐Ÿ’ก Apply the config sudo systemctl restart docker โ€” then verify with docker info | grep -i mirror

ghcr.io works

GitHub Container Registry (ghcr.io) is not blocked. We pull Open WebUI from there:

docker pull ghcr.io/open-webui/open-webui:main

Compose Version

Ubuntu apt installs docker-compose v1 (hyphen). The newer docker compose (space, v2 plugin) may not be available. Both work, but syntax differs slightly.

Version Command Status
v1 (apt) docker-compose up -d โœ… Available
v2 (plugin) docker compose up -d โš ๏ธ May not be installed
โš ๏ธ ContainerConfig bug docker-compose v1 has a bug with certain images where ContainerConfig is missing. If you see this error, the image is fine โ€” the compose tool is old. Upgrade to v2 or use docker run directly.

Port Mapping

Every service gets a dedicated port. No conflicts if you plan ahead:

Service Host Port Container Port Note
Ollama 11434 11434 Native, not Docker
Open WebUI 3000 8080 ghcr.io image
Nextcloud 8080 80 Apache inside container
Jellyfin 8096 8096 Media server
AdGuard (web) 3001 3000 Moved from 3000 to avoid conflict
AdGuard (DNS) โ€” 53 Conflict with systemd-resolved
MariaDB โ€” 3306 Internal only, no host mapping
Kiwix 8081 8081 Native binary

Firewall

Ubuntu's UFW is usually disabled on LANs. If enabled, open the ports:

sudo ufw allow 3000/tcp    # Open WebUI
sudo ufw allow 8080/tcp    # Nextcloud
sudo ufw allow 8096/tcp    # Jellyfin
sudo ufw allow 3001/tcp    # AdGuard web
sudo ufw allow 8081/tcp    # Kiwix
sudo ufw allow 11434/tcp   # Ollama API
sudo ufw reload

School Network

At NAS Jiaxing, the machine got IP 10.39.26.217 via DHCP. Students on the same WiFi/LAN can access all services.

โš ๏ธ School firewall may block ports If students cannot reach 10.39.26.217:3000, the school firewall is blocking internal ports. Ask IT to open 3000, 8080, 8096, 3001, 8081, 11434 for the machine's MAC address. Or run on ports 80/443 (but then you need root and may conflict with other services).
๐Ÿ’ก mDNS / .local hostname Install avahi-daemon and students can reach http://her.local:3000 instead of remembering an IP. Easier for non-technical users.