Docker - port 443: No route to host

I'm trying to reach a company internal registry. I have bashed into the container and when I curl the URL I get:
port 443: No route to host
I can reach the registry from outside of the container. I have tried to use --network host when running the container but it doesn't help. What can be wrong?
Found the issue and it's super weird.
I had to deactivate Kubernetes in Docker Desktop, quit Docker Desktop and start it again.
Basically I found a strange cni0 when I did ifconfig and I traced it to Kubernetes by googling. Then I just guessed that it had to do with Docker Desktop, as I had Kubernetes enabled there. Pressing the "Apply & Restart" button in the Docker Desktop app didn't work, though; I had to quit the app and start it again.
With Kubernetes disabled the cni0 disappeared and I could access the internal registry.

Related

Unable to access Docker container running in WSL2

I am new to containers and Docker. On my Windows 10 laptop (Version 20H2 Build 19042.630) I have WSL2 installed as well as Docker Desktop (Docker Engine v19.03.13). When I run the command below (from the docker documentation):
docker run -d -p 80:80 docker/getting-started
The container starts fine but I am unable to access the container from either within WSL or from the Windows 10 host.
Inside WSL, if I enter curl http://127.0.0.1 it returns the error curl: (7) Failed to connect to 127.0.0.1 port 80: Connection refused
From the Windows 10 host, if I open a browser and attempt to go to http://127.0.0.1 it just throws a 404 error.
From the Windows 10 host, when I open the Docker Desktop app, it shows the container running and listening on port 80 but if I then stop the container...and then attempt to restart it, it throws an error that says:
(HTTP code 500) server error - Ports are not available: listen tcp 0.0.0.0:80: bind: An attempt was made to access a socket in a way forbidden by its access permissions
I have tried completely uninstalling WSL and Docker Desktop and resetting the TCP/IP stack, but the end result is the same. I performed the exact same install steps on my desktop PC and everything works fine with no issues. I did notice on the desktop PC that the first time I tried accessing the "getting-started" container it produced a pop-up to allow the traffic through my firewall. I never got this on the laptop. I compared the firewall rules on the PC to the laptop and the PC had 4 rules for the com.docker.backend application that the laptop did not have. I manually duplicated those rules on the laptop but it did not change the behavior.
EDIT:
After doing more research on this issue, I discovered why this is happening. The ports the container is attempting to listen on are excluded on my laptop. I found the GitHub issue linked below, which has the command netsh interface ipv4 show excludedportrange protocol=tcp that showed the list of excluded ports on my laptop. It seems Hyper-V is what is excluding the ports, but the only reason Hyper-V is on the system is for WSL. The GitHub issue is still open as of today.
Unable to bind ports: Docker-for-Windows & Hyper-V excluding but not using important port ranges #3171
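The check the edit above arrives at, as an added example that is not part of the original post: run netsh interface ipv4 show excludedportrange protocol=tcp on the Windows host, paste its text in, and let a small parser tell you which of the host ports you are about to publish with -p fall inside a reserved range, and where the next free port is. The netsh sample below is constructed (the ranges are made up so that port 80 collides); the function names are this example's own.

```python
"""Check Docker -p host ports against Windows/Hyper-V excluded port ranges.

Added example: parses the text printed by
    netsh interface ipv4 show excludedportrange protocol=tcp
and reports which host ports a `docker run -p` would try to bind inside a
reserved range. Header, separator and footnote lines are skipped because
they do not look like two integers.
"""
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]

# Constructed sample of netsh output (not captured from the poster's laptop);
# the ranges are made up so that the example shows a collision on port 80.
SAMPLE_NETSH_OUTPUT = """
Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
        80         179
      1128        1227
      5357        5357
     50000       50059     *

* - Administered port exclusions.
"""

# "start end" with an optional trailing "*" (administered exclusion)
_RANGE_LINE = re.compile(r"^\s*(\d+)\s+(\d+)(\s+\*)?\s*$")


def parse_excluded_ranges(netsh_output: str) -> List[Range]:
    """Return sorted (start, end) pairs for every range row in the output."""
    ranges: List[Range] = []
    for line in netsh_output.splitlines():
        m = _RANGE_LINE.match(line)
        if m:
            start, end = int(m.group(1)), int(m.group(2))
            if 0 < start <= end <= 65535:
                ranges.append((start, end))
    return sorted(ranges)


def excluded_range_for(port: int, ranges: List[Range]) -> Optional[Range]:
    """The reserved range containing `port`, or None if the port is free."""
    for start, end in ranges:
        if start <= port <= end:
            return (start, end)
    return None


def host_port_of(publish_spec: str) -> Optional[int]:
    """Host port named by a `docker run -p` value, or None if Docker picks it.

    Accepts '80:80', '127.0.0.1:80:80', '80:80/tcp' and the bare
    container-only form '80' (host port chosen by Docker at run time).
    """
    spec = publish_spec.split("/", 1)[0]          # drop a /tcp or /udp suffix
    parts = spec.split(":")
    if len(parts) == 1:                           # "-p 80": no fixed host port
        return None
    host = parts[-2]        # "host:container" and "ip:host:container" alike
    return int(host) if host else None


def check_published_ports(publish_specs: List[str],
                          netsh_output: str) -> Dict[str, Optional[Range]]:
    """Map each -p spec to the excluded range it collides with (None = ok)."""
    ranges = parse_excluded_ranges(netsh_output)
    result: Dict[str, Optional[Range]] = {}
    for spec in publish_specs:
        port = host_port_of(spec)
        result[spec] = excluded_range_for(port, ranges) if port is not None else None
    return result


def first_free_port(start: int, ranges: List[Range], end: int = 65535) -> Optional[int]:
    """Lowest port >= start that is not inside any excluded range."""
    port = start
    while port <= end:
        hit = excluded_range_for(port, ranges)
        if hit is None:
            return port
        port = hit[1] + 1                         # jump past the reserved block
    return None


if __name__ == "__main__":
    specs = ["80:80", "127.0.0.1:1200:80", "8080:80/tcp", "80"]
    for spec, clash in check_published_ports(specs, SAMPLE_NETSH_OUTPUT).items():
        print(f"-p {spec:<20} {'reserved ' + str(clash) if clash else 'ok'}")
    ranges = parse_excluded_ranges(SAMPLE_NETSH_OUTPUT)
    print("first free port at or above 80:", first_free_port(80, ranges))
```

With the constructed sample, -p 80:80 lands in the reserved 80-179 block and the first usable host port at or above 80 is 180; on a real machine you would feed in the actual netsh text and your own -p values.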
If your docker container uses localhost inside, it won't work. I had the same issue with docker inside WSL and the solution was to change the IP of the underlying service (the one that is run inside docker) to 0.0.0.0.
You can check this by doing docker ps. In my case I ran docker like this:
docker run --rm -p 8080:8080 hello-python
which was then bound to (part of docker ps output):
0.0.0.0:8080->8080/tcp
So basically the Python code had to use 0.0.0.0:8080 instead of localhost:8080

Docker Intercontainer communication on CentOS 7

I am setting up a microservices architecture using docker for each service. I am also using kong API gateway running in its own docker container. The docker host is Centos 7 running in a VM with an IP 192.168.222.76.
On the host command line, I can access the starter service on port 7000 fine. However, within the kong VM, I ping the IP address but cannot access the service. As you can see from the output below, it says "Host is unreachable".
I am starting docker with --icc=true and --iptables=true and I have made several suggested changes to the firewalld and rich rules, etc. but I continue to not be able to reach the other container from within the kong container.
I am starting the kong container with a named network "kong-net" and the kong database instance is in the same docker network, and THEY seem to be able to communicate. I have added my starter service container to the same network on start up and still no joy. The kong container CAN access the outside world, just not other docker containers on the same host.
Output is below:
[root@docker ~]# clear
[root@docker ~]# curl 192.168.222.76:7000/starter/hello
Hello Anonymous Person!!
[root@docker ~]# docker exec -it kong /bin/ash
# curl 192.168.222.76:7000/starter/hello
curl: (7) Failed to connect to 192.168.222.76 port 7000: Host is unreachable
# curl www.google.com
HTML returned properly...
Any help on this appreciated!
You have to reach the other container by its container name.
Try this:
docker exec -t kong curl servicename:7000/starter/hello
The Kong container and the service containers must share the same network.
I was able to get ICC working by disabling firewalld altogether (stop, disable, mask with systemctl) and opening up everything in iptables. Now it's just a matter of setting up rules to block inbound access except on the API gateway and SSH.
Thanks!
I have come across this problem before. If disabling the firewall fixes the problem, DO NOT leave the firewall disabled; this is a very big security concern. The proper way to go about it is to first reactivate the firewall and then add a network masquerade:
firewall-cmd --zone=public --add-masquerade --permanent

docker images access issue

I'm not able to access my docker image. My setup is Windows 7 with the Docker Linux VM running on Oracle VM. I have built my app and I can see it as shown below.
I don't know how I can access the myapp container. Since it's working on localhost I believe I can access it on localhost:<port number>, but I have no clue where I can see that and how I can start it. If you have faced this same problem, can you help?
Update, log hung:
In the screen below the server startup hung for almost 10 minutes and I terminated the process. Any idea about this error?
What you have shown in your screenshot is the image list. So you would first have to docker run your image, binding the application's port exposed by the docker image (with EXPOSE; I'm assuming 8081 for the sake of my example) to the host:
docker run --publish 8081:8081 3b98
If you forgot to expose the port in your image, you can do that on the command line by adding the argument --expose 8081 to run.
Then, since you're working with the Windows 7 setup, you cannot access your running application in its container on localhost but on the docker-machine's (the docker Linux VM) IP. You can find out the assigned IP with
docker-machine ip
So if your application publishes itself on 8081 and docker-machine ip returns 192.168.99.100, you would find your app on 192.168.99.100:8081

Docker container can't connect to host application using IP whitelist

I have an application running on my host which has the following features: it listens on port 4001 (configurable) and only accepts connections from a whitelist of trusted IP addresses (127.0.0.1 only by default; other addresses can be added, but one by one, not using a mask).
(It's the interactive brokers gateway application which is run in java but I don't think that's important)
I have another application running inside a docker container which needs to connect to the host application.
(It's a python application accessing the IB API, but again I don't think that matters)
Ultimately I will have multiple containers on multiple machines trying to do the same thing, but I can't even get it working with one running on the same machine.
sudo docker run -t myimage
Error: Couldn't connect to TWS. Confirm that "Enable ActiveX and Socket Clients" is enabled on the TWS "Configure->API" menu.
(No response from IB Gateway on host machine)
IDEALLY I'd be able to set up the docker containers / bridge so that all the docker containers appear as if they are on a specific IP address, add it to the whitelist, and voila.
What I've tried:
1) using -p and EXPOSE
sudo docker run -t -p 4001:4001 myimage
Bind for 0.0.0.0:4001 failed: port is already allocated.
(No response from gateway)
This either doesn't work or leads to a "port already in use" conflict. I gather that these settings are designed for the opposite problem (host can't see a particular port on the container).
2) setting --net=host
sudo docker run -t --net=host myimage
Exception caught while reading socket - Connection reset by peer
(no response from gateway)
This should work since the docker container should now look like it's 127.0.0.1... but it doesn't.
3) setting --net=host and adding the local host's real IP address 192.168.0.12 (as suggested in comments) to the whitelist
sudo docker run -t --net=host myimage
Exception caught while reading socket - Connection reset by peer
(no response from gateway)
4) adding 172.17.0.1, ...2, ...3 to the whitelist on the host application (the bridge network is 172.17.0.0 and subsequent containers get allocated in this range)
sudo docker run -t myimage
Error: Couldn't connect to TWS. Confirm that "Enable ActiveX and Socket Clients" is enabled on the TWS "Configure->API" menu.
(no response from host)
This is horribly hacky but doesn't work either.
PS Note this is different from the problem of trying to run the host application IB Gateway inside a container - I am not doing that.
I don't want to run the host application inside another container, although in some ways that might be a neater solution.
Running the IB gateway is tricky on a number of different levels, including connecting to it, and especially if you want to automate the process.
We took a close look at connecting to it from other IPs, and finally gave up on it; gateway bug as far as we could tell. There is a setting to whitelist IPs that can connect to the gateway, but it does not work and cannot be scripted.
In our build process we create a docker base image, then add the gateway and any/all of the gateway's clients to that image. Then we run that final image.
(Posted on behalf of the OP).
Set --net=host and change the port from 4001 so it doesn't conflict with a live version of the gateway on the same network. The only IP address required in the whitelist is 127.0.0.1.
sudo docker run -t --net=host myimage
Use socat to forward port from the gateway to a new port which can listen on any address. For example, set the gateway to listen on port 4002 (localhost only) and use command in the container
socat tcp-listen:4001,reuseaddr,fork tcp:localhost:4002
to forward the port to 4001.
Then you can connect to the gateway from outside of the container using port 4001 when running the container with parameter -p 4001:4001.
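The mechanism behind the socat answer above, as an added example that is not part of the original posts and not the IB gateway's code: a tiny loopback-bound TCP service with an exact-match peer whitelist stands in for the gateway, and a threaded relay plays the part of socat tcp-listen:4001,reuseaddr,fork tcp:localhost:4002. Because the relay opens its own connection to the gateway over loopback, the gateway's accept() sees 127.0.0.1 as the peer, not the client's real address, which is why the whitelist needs nothing but 127.0.0.1. The stand-in service, the relay and the function names are this example's own, and ports are chosen by the OS so it runs beside a real gateway without the "port is already allocated" conflict the question hit.

```python
"""Loopback-only IP whitelist vs. a bridged container, with a relay fix.

Added example, not the IB gateway's code. `start_gateway` is a stand-in
for a service that only answers whitelisted peers; `start_relay` is a
socat-style forwarder that accepts anywhere and connects to the gateway
from 127.0.0.1, so the gateway never sees the client's real address.
"""
import ipaddress
import socket
import threading
from typing import Iterable, Optional

TRUSTED = ("127.0.0.1",)   # the gateway's default whitelist, per the question


def is_trusted(peer_ip: str, whitelist: Iterable[str] = TRUSTED) -> bool:
    """Exact-match whitelist, no masks, as the question describes.

    A container on the default bridge connects from 172.17.0.x, so it fails
    this check even though its packets never leave the machine.
    """
    ip = ipaddress.ip_address(peer_ip)
    return any(ip == ipaddress.ip_address(w) for w in whitelist)


def _serve_forever(listener: socket.socket, handler) -> None:
    """Run handler(conn, peer_ip) in a thread for every accepted connection."""
    def loop():
        while True:
            conn, (peer_ip, _) = listener.accept()
            threading.Thread(target=handler, args=(conn, peer_ip), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_gateway(whitelist: Iterable[str] = TRUSTED) -> int:
    """Loopback-bound stand-in for the gateway; returns the port it got.

    Trusted peers receive 'OK <peer-ip>'; anyone else is closed without a
    byte, which the client sees as an empty read (or a reset).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free one
    srv.listen()

    def handle(conn: socket.socket, peer_ip: str) -> None:
        with conn:
            if is_trusted(peer_ip, whitelist):
                conn.sendall(b"OK " + peer_ip.encode())

    _serve_forever(srv, handle)
    return srv.getsockname()[1]


def start_relay(gateway_port: int, listen_host: str = "127.0.0.1") -> int:
    """socat-style forwarder; returns the port it listens on.

    In the real setup listen_host is 0.0.0.0 so the port published with
    -p reaches it. Every client gets its own upstream connection to the
    gateway, and that connection originates from 127.0.0.1.
    """
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind((listen_host, 0))
    lst.listen()

    def pump(src: socket.socket, dst: socket.socket) -> None:
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    break
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)   # pass EOF along, as socat does
            except OSError:
                pass

    def handle(client: socket.socket, _peer_ip: str) -> None:
        upstream = socket.create_connection(("127.0.0.1", gateway_port))
        threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=pump, args=(upstream, client), daemon=True).start()

    _serve_forever(lst, handle)
    return lst.getsockname()[1]


def ask(port: int, source_ip: Optional[str] = None) -> bytes:
    """Connect to 127.0.0.1:port and return the reply (b'' = closed on us)."""
    src = (source_ip, 0) if source_ip else None
    with socket.create_connection(("127.0.0.1", port), timeout=3, source_address=src) as c:
        return c.recv(64)


if __name__ == "__main__":
    gw = start_gateway()                                   # whitelist: 127.0.0.1
    print("direct from loopback :", ask(gw))
    print("through the relay    :", ask(start_relay(gw)))
    picky = start_gateway(whitelist=("172.17.0.1",))      # loopback not listed
    print("wrong address listed :", ask(picky) or b"<closed without reply>")
```

The third case shows the failure mode from the other side: a whitelist that names only a bridge address rejects a loopback client, just as a whitelist of only 127.0.0.1 rejects a client arriving from 172.17.0.x. The relay does no buffering beyond a single recv/sendall per direction and forwards EOF with shutdown(SHUT_WR), which is the behaviour to preserve if you replace it with socat or an ssh -L tunnel.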
In case this one is useful for another person: I tried a couple of suggestions that were put here to connect from my Python app running in a Docker container to a TWS IBGateway instance running on another server, and none of them were 100% working. The socat option was connecting, but then the connection was being dropped due to an issue with the socat buffer that we couldn't fix.
The solution we found was to create an ssh tunnel from the machine that is running the Docker container to the machine that is running the TWS IBGateway.
ssh -i ib-gateway.pem <ib-gateway-server-user>@<ib-gateway-server-ip> -f -N -L 4002:127.0.0.1:4001
After you establish this ssh tunnel, you can test it running
telnet 127.0.0.1 4002
If this command runs successfully, your ssh tunnel is ready. The next step would be to configure your Python application to connect to 127.0.0.1 on port 4002 and start your docker container with --net=host to be able to access the ssh tunnel running on the Docker host machine.

Connecting webpack-dev-server inside a Docker container from the host

I'm running a webpack-dev-server application inside a Docker container (node:4.2.1). If I try to connect to the server port from within the container - it works fine. However, trying to connect it from the host computer results in reset connection (the port is published, of course). How can I fix it?
This issue is not a docker problem.
Add --host=0.0.0.0 to your webpack command.
You need to connect to your page like this:
http://host:port/webpack-dev-server/index.html
Look at the iframe mode.
You need to make sure:
your docker container has mapped the EXPOSE'd port to a host port
docker run -p x:y
your VM (if you are using docker machine with a VM) has forwarded that mapped port to the actual host (the host of the VM).
See "How to access tomcat running in docker container from browser?"
