Connection problems from Docker Swarm services - docker
We have a Docker Swarm with a manager and several workers (in OpenStack) and encounter a problem where services cannot send emails using SMTP-SSL. Indeed, from bash inside a container this gets stuck:
# openssl s_client -debug -connect smtp.gmail.com:465 -crlf
CONNECTED(00000003)
write to 0x15bd2e0 [0x15bd360] (305 bytes => 305 (0x131))
0000 - 16 03 01 01 2c 01 00 01-28 03 03 50 0f 63 7c a4 ....,...(..P.c|.
0010 - 3f 96 d0 e4 e1 be 9a 0c-2b de 29 16 c9 54 b4 9d ?.......+.)..T..
0020 - 56 8d d7 76 f5 18 10 93-96 90 87 00 00 aa c0 30 V..v...........0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1 .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37 ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0 .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31 ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43 .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-c0 11 c0 07 c0 0c c0 02 .<./...A........
00c0 - 00 05 00 04 c0 12 c0 08-00 16 00 13 00 10 00 0d ................
00d0 - c0 0d c0 03 00 0a 00 ff-01 00 00 55 00 0b 00 04 ...........U....
00e0 - 03 00 01 02 00 0a 00 1c-00 1a 00 17 00 19 00 1c ................
00f0 - 00 1b 00 18 00 1a 00 16-00 0e 00 0d 00 0b 00 0c ................
0100 - 00 09 00 0a 00 23 00 00-00 0d 00 20 00 1e 06 01 .....#..... ....
0110 - 06 02 06 03 05 01 05 02-05 03 04 01 04 02 04 03 ................
0120 - 03 01 03 02 03 03 02 01-02 02 02 03 00 0f 00 01 ................
0130 - 01 .
^C
Moreover, neither apt update/install nor pip install works:
# apt update
Hit:1 http://archive.ubuntu.com/ubuntu xenial InRelease
0% [Waiting for headers] [Waiting for headers]
# pip install httpie
^CERROR: Operation cancelled by user
^CTraceback (most recent call last):
File "/usr/local/bin/pip", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.8/site-packages/pip/_internal/cli/main.py", line 75, in main
return command.main(cmd_args)
File "/usr/local/lib/python3.8/site-packages/pip/_internal/cli/base_command.py", line 105, in main
return self._main(args)
File "/usr/local/lib/python3.8/site-packages/pip/_internal/cli/base_command.py", line 224, in _main
self.handle_pip_version_check(options)
File "/usr/local/lib/python3.8/site-packages/pip/_internal/cli/req_command.py", line 149, in handle_pip_version_check
pip_self_version_check(session, options)
File "/usr/local/lib/python3.8/site-packages/pip/_internal/self_outdated_check.py", line 207, in pip_self_version_check
best_candidate = finder.find_best_candidate("pip").best_candidate
File "/usr/local/lib/python3.8/site-packages/pip/_internal/index/package_finder.py", line 881, in find_best_candidate
candidates = self.find_all_candidates(project_name)
File "/usr/local/lib/python3.8/site-packages/pip/_internal/index/package_finder.py", line 825, in find_all_candidates
package_links = self.process_project_url(
File "/usr/local/lib/python3.8/site-packages/pip/_internal/index/package_finder.py", line 790, in process_project_url
html_page = self._link_collector.fetch_page(project_url)
File "/usr/local/lib/python3.8/site-packages/pip/_internal/index/collector.py", line 497, in fetch_page
return _get_html_page(location, session=self.session)
File "/usr/local/lib/python3.8/site-packages/pip/_internal/index/collector.py", line 337, in _get_html_page
resp = _get_html_response(url, session=session)
File "/usr/local/lib/python3.8/site-packages/pip/_internal/index/collector.py", line 126, in _get_html_response
resp = session.get(
File "/usr/local/lib/python3.8/site-packages/pip/_vendor/requests/sessions.py", line 546, in get
return self.request('GET', url, **kwargs)
File "/usr/local/lib/python3.8/site-packages/pip/_internal/network/session.py", line 405, in request
return super(PipSession, self).request(method, url, *args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/pip/_vendor/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.8/site-packages/pip/_vendor/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.8/site-packages/pip/_vendor/cachecontrol/adapter.py", line 53, in send
resp = super(CacheControlAdapter, self).send(request, **kw)
File "/usr/local/lib/python3.8/site-packages/pip/_vendor/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/local/lib/python3.8/site-packages/pip/_vendor/urllib3/connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "/usr/local/lib/python3.8/site-packages/pip/_vendor/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "/usr/local/lib/python3.8/site-packages/pip/_vendor/urllib3/connectionpool.py", line 994, in _validate_conn
conn.connect()
File "/usr/local/lib/python3.8/site-packages/pip/_vendor/urllib3/connection.py", line 386, in connect
self.sock = ssl_wrap_socket(
File "/usr/local/lib/python3.8/site-packages/pip/_vendor/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/local/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/local/lib/python3.8/ssl.py", line 1040, in _create
self.do_handshake()
File "/usr/local/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
KeyboardInterrupt
(Terminated after significant wait time.)
Of course, everything works well on the hosts (manager as well as workers)... With wget I have a strange problem: it works for some sites and not for others:
# wget seznam.cz
--2020-04-30 06:14:34-- http://seznam.cz/
Resolving seznam.cz (seznam.cz)... 77.75.75.172, 77.75.75.176, 2a02:598:4444:1::1, ...
Connecting to seznam.cz (seznam.cz)|77.75.75.172|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://www.seznam.cz/ [following]
--2020-04-30 06:14:34-- https://www.seznam.cz/
Resolving www.seznam.cz (www.seznam.cz)... 77.75.75.172, 77.75.74.172, 77.75.75.176, ...
Connecting to www.seznam.cz (www.seznam.cz)|77.75.75.172|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html.1'
# wget google.com
--2020-04-30 06:15:10-- http://google.com/
Resolving google.com (google.com)... 216.58.201.110, 2a00:1450:4014:801::200e
Connecting to google.com (google.com)|216.58.201.110|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2020-04-30 06:15:10-- http://www.google.com/
Resolving www.google.com (www.google.com)... 172.217.23.196, 2a00:1450:4014:80c::2004
Connecting to www.google.com (www.google.com)|172.217.23.196|:80... connected.
HTTP request sent, awaiting response...
Any ideas how to identify and fix the problem, please? I am kinda out of ideas.
UPDATE: Now I suspect that the problem could be the MTU (Docker default 1500, but ens3 has 1442 on all nodes) - need to figure out how to change it everywhere... But surprisingly I still DID NOT SOLVE this - adding --mtu, adjusting daemon.json, using --opt when creating networks, etc. still results in MTU 1500!
The problem was caused by an MTU mismatch (1500 vs. 1442 used in the OpenStack cloud).
I had to change /etc/docker/daemon.json, "break" my swarm, customize the ingress network (docs) and docker_gwbridge (on each node before forming the swarm again) (docs), remove the interfaces, restart Docker (it created the interfaces again), and finally also change the MTU on the host interfaces:
sudo ifconfig docker0 mtu 1442
sudo ifconfig docker_gwbridge mtu 1442
It seems that /etc/docker/daemon.json affects only the interfaces in containers and not those on the host.
If anyone knows a better solution, please let me know...
You can add a systemd service that modifies the MTU value after docker.service has started.
Create a script setdockermtu.sh:
#!/bin/bash
sudo ifconfig docker0 mtu 9000
Create a service unit that runs after docker.service:
[Unit]
Description=Change docker0 default mtu
# When systemd stops or restarts the docker.service, the action is propagated to this unit
PartOf=docker.service
# Start this unit after the docker.service start
After=docker.service
[Service]
# The program will exit after running the script
Type=oneshot
# Execute the shell script
ExecStart=/usr/local/bin/setdockermtu.sh
# This service shall be considered active after start
RemainAfterExit=yes
[Install]
# This unit should start when docker.service is starting
WantedBy=docker.service
Copy it to /etc/systemd/system/setdockermtu.service.
Make sure to add execute permissions to both the script and the service file:
chmod a+x /usr/local/bin/setdockermtu.sh
chmod a+x /etc/systemd/system/setdockermtu.service
Reload the unit files, then start and enable the service:
sudo systemctl daemon-reload
sudo systemctl start setdockermtu.service
sudo systemctl enable setdockermtu.service
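The procedure from the two answers above, as one added example that is not code from either answer: it reads the uplink MTU, writes the daemon.json setting, recreates the ingress and docker_gwbridge networks with the MTU option documented for docker network create, sets the host-side bridge MTUs with ip link (the step the oneshot systemd unit exists for), and probes the path with DF-flagged pings so the blackhole can be confirmed from inside a container before and after the change. Assumptions not stated on the page: the uplink is ens3 (override with UPLINK=...), VXLAN encapsulation costs 50 bytes per frame, and ip, docker and iputils ping are installed; it must run as root.

```shell
#!/bin/sh
# Added example, not code from the original answers: align Docker's MTU with
# the OpenStack uplink on every swarm node. Assumptions not on the page: the
# uplink is ens3 (override with UPLINK=...), VXLAN adds 50 bytes per frame,
# and ip, docker and iputils ping exist. Run as root.
set -eu

UPLINK="${UPLINK:-ens3}"
VXLAN_OVERHEAD=50   # outer IPv4 20 + UDP 8 + VXLAN 8 + inner Ethernet 14

# Largest inner MTU whose VXLAN-encapsulated frame still fits the uplink.
overlay_mtu() { echo $(( $1 - VXLAN_OVERHEAD )); }

# TCP MSS a container advertises for a given MTU (IPv4 20 + TCP 20 bytes).
# With MTU 1500 that is 1460, so the server answers with 1500-byte segments
# that never fit a 1442-byte uplink: the TLS handshake hangs after ClientHello.
tcp_mss() { echo $(( $1 - 40 )); }

# ICMP payload that yields an IPv4 packet of exactly MTU bytes (20 IP + 8 ICMP).
ping_payload() { echo $(( $1 - 28 )); }

# /etc/docker/daemon.json body; "mtu" is the default for bridge networks dockerd creates.
daemon_json() { printf '{\n  "mtu": %d\n}\n' "$1"; }

uplink_mtu() { cat "/sys/class/net/$UPLINK/mtu"; }

# Host-side bridges are not covered by daemon.json; set them directly.
# Idempotent, so a oneshot unit ordered After=docker.service can call it.
set_bridge_mtu() {
  for dev in docker0 docker_gwbridge; do
    if [ -e "/sys/class/net/$dev" ]; then
      ip link set dev "$dev" mtu "$1"
    fi
  done
}

# Recreate the swarm networks with an explicit MTU (options as documented for
# docker network create). ingress: on a manager once no service uses it;
# docker_gwbridge: on each node before it (re)joins the swarm.
recreate_swarm_networks() {
  host_mtu="$1"
  echo y | docker network rm ingress || true
  docker network create --driver overlay --ingress \
    --opt com.docker.network.driver.mtu="$(overlay_mtu "$host_mtu")" ingress
  docker network rm docker_gwbridge || true
  docker network create \
    --opt com.docker.network.bridge.name=docker_gwbridge \
    --opt com.docker.network.bridge.enable_icc=false \
    --opt com.docker.network.bridge.enable_ip_masquerade=true \
    --opt com.docker.network.driver.mtu="$host_mtu" docker_gwbridge
}

# probe MTU HOST -> fits | rejected (kernel knows the path MTU) | blackhole
# (packet silently lost: the symptom on the page). Run it inside a container.
probe() {
  ping -c1 -W2 -M do -s "$(ping_payload "$1")" "$2" >/dev/null 2>&1 && rc=0 || rc=$?
  case "$rc" in
    0) echo fits ;;
    1) echo blackhole ;;
    *) echo rejected ;;
  esac
}

case "${1:-}" in
  apply)
    mtu="$(uplink_mtu)"
    daemon_json "$mtu" > /etc/docker/daemon.json
    systemctl restart docker
    set_bridge_mtu "$mtu"
    ;;
  networks) recreate_swarm_networks "$(uplink_mtu)" ;;
  check)
    mtu="$(uplink_mtu)"; host="${2:-smtp.gmail.com}"
    echo "uplink mtu $mtu, mss $(tcp_mss "$mtu"): $mtu $(probe "$mtu" "$host"), $((mtu + 1)) $(probe $((mtu + 1)) "$host")"
    ;;
  *) echo "usage: $0 apply | networks | check [host]" ;;
esac
```

Run `check` from a container on the old configuration and the full-size probe reports blackhole (no reply, no "message too long"), which is exactly why the ClientHello is sent but the server's multi-segment response never arrives; after `apply` on every node and `networks` on the appropriate nodes, the probe at the uplink MTU reports fits and the one-byte-larger probe reports rejected locally. Note that the overlay MTU is the uplink MTU minus the VXLAN overhead, while the egress path through docker_gwbridge (the one the SMTP and apt traffic on this page takes) is not encapsulated and can use the uplink MTU directly.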
Related
Finding the CRC / Checksum in a control unit message
I have a list of messages from a control unit that I'm trying to replicate. I have the body of the message correct; however, I can't seem to work out what CRC or checksum is being utilised.
00 FE 0F 32 A8 80 84 90
00 FE 0F 32 A8 80 84 54
00 FE FF 31 A8 80 84 38
00 FE 0F 32 A8 80 84 DC
00 FE 0F 32 A8 80 84 90
00 FE 0F 32 A8 80 84 54
00 FE 0F 32 A8 80 84 18
00 FE 0F 32 A8 80 84 DC
00 FE 0F 32 A8 80 84 90
00 FE 1F 32 A8 80 84 44
00 FE 0F 32 A8 80 84 18
00 FE 0F 32 A8 80 84 DC
00 FE AF 31 A8 80 84 4C
00 FE BF 31 A8 80 84 F0
00 FE CF 31 A8 80 84 A4
I know the checksum is the last 4 bits in the last byte of the message. The other 4 bits in the last byte are a counter that counts from 0 to 3 and then wraps back around. I know the whole message is little endian as well. I have run this in reveng (probably done it wrong) and it does not return any results. I was hoping someone smarter than me would be able to assist with identifying this.
I found the answer: it's not a CRC, but rather: 16 - (Sum of Byte 0 to 7 % 16)
Does anyone know how to convert to a little endian .pfm file with ImageMagick?
I'm looking for a method to convert to a little endian .pfm file with ImageMagick. As far as I know, we can get a pfm file like this:
convert input.bmp output.pfm
This output file is big endian, but I want to convert to little endian. So is there any method to convert from big endian to little endian in ImageMagick? Thanks
Endianness can be controlled with the -endian option. Example: create a 2x2 red PFM image in little endian and write it to hexdump.
$ convert -size 2x2 xc:red -endian LSB PFM:- | hexdump
0000000 50 46 0a 32 20 32 0a 2d 31 2e 30 0a 00 00 80 3f
0000010 00 00 00 00 00 00 00 00 00 00 80 3f 00 00 00 00
0000020 00 00 00 00 00 00 80 3f 00 00 00 00 00 00 00 00
0000030 00 00 80 3f 00 00 00 00 00 00 00 00
000003c
You can confirm the little endian layout by translating the header:
50 46 0a 32 20 32 0a 2d 31 2e 30 0a 00 00 80 3f
"PF"  "2 2"     "-1.0"      LSB data
                negative scale = little endian
Repeat the above with big endian:
$ convert -size 2x2 xc:red -endian MSB PFM:- | hexdump
0000000 50 46 0a 32 20 32 0a 31 2e 30 0a 3f 80 00 00 00
0000010 00 00 00 00 00 00 00 3f 80 00 00 00 00 00 00 00
0000020 00 00 00 3f 80 00 00 00 00 00 00 00 00 00 00 3f
0000030 80 00 00 00 00 00 00 00 00 00 00
000003b
and observe:
50 46 0a 32 20 32 0a 31 2e 30 0a 3f 80 00 00 00
"PF"  "2 2"     "1.0"    MSB data
                positive scale = big endian
Error setting up private docker-registry
Using the official Docker registry container I'm trying to run a private docker-registry on AWS EC2, but I keep running into connection errors. The command to run the standard container is:
docker run -d \
  -e SETTINGS_FLAVOR=s3 \
  -e AWS_BUCKET=mybucket \
  -e STORAGE_PATH=/registry \
  -e AWS_KEY=whateffa \
  -e AWS_SECRET=verysecret \
  -e SEARCH_BACKEND=sqlalchemy \
  -e AWS_REGION=eu-west-1 \
  -e STORAGE_REDIRECT=true \
  -p 443:5000 \
  registry
But when I try to push a local image to that new registry using:
docker push zite.com:443/test
I get:
FATA[0014] Error: v1 ping attempt failed with error: Get https://zite.com:443/v1/_ping: dial tcp 1.2.3.4:443: i/o timeout. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry zite.com:443` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/zite.com:443/ca.crt
I've added --insecure-registry zite.com:443 in a number of places (because I'm not sure where the proper place for the docker daemon options is):
/etc/sysconfig/docker
/etc/docker/default
/etc/docker/default
To get some more detail I've tried:
openssl s_client -connect zite.com:443/v1/_ping -prexit -debug
which gave me:
CONNECTED(00000003)
write to 0x7f906b700000 [0x7f906d001000] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00 ......W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00 ..3..2../.......
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00 ................
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11 .........@......
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00 ................
0060 - 00 ff fe c8 6e d6 d0 17-f7 e9 6c b2 2f ee 09 83 ....n.....l./...
0070 - e4 c0 71 11 be 86 77 5d-b9 9b 9f 54 c9 07 a6 fa ..q...w]...T....
0080 - e2 ef                                           ..
read from 0x7f906b700000 [0x7f906d006600] (7 bytes => 0 (0x0))
9308:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.10.1/src/ssl/s23_lib.c:185:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 130 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
I'm too new to this to understand how to solve this issue. GETting the '_ping' URL works fine, by the way:
curl -v http://zite.com:80/_ping
gives:
* Hostname was NOT found in DNS cache
*   Trying 52.17.133.30...
* Connected to zite.com (1.2.3.4) port 80 (#0)
> GET /_ping HTTP/1.1
> User-Agent: curl/7.37.1
> Host: zite.com
> Accept: */*
>
< HTTP/1.1 200 OK
* Server gunicorn/19.1.1 is not blacklisted
< Server: gunicorn/19.1.1
< Date: Tue, 31 Mar 2015 22:04:06 GMT
< Connection: keep-alive
< X-Docker-Registry-Standalone: True
< Expires: -1
< Content-Type: application/json
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Length: 2
<
* Connection #0 to host zite.com left intact
{}
I've tried running the container on ports 80, 443 and 500, but to no avail (and opened these ports on the AWS EC2 machine). The error stays. I also tried building a brand new image from the GitHub source. I've tried getting an answer at the official repo, but that has stalled and I have to move on. A number of guides I've followed:
http://blog.50projects.com/2014/08/build-your-own-private-docker-registry.html
https://blog.docker.com/2013/07/how-to-use-your-own-registry/
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04
OK, found it. It turns out that you have to run the LOCAL docker daemon (the one doing the push) with the '--insecure-registry' option, not the docker daemon on the remote registry host.
How to parse custom format packet with two bytes private header in wireshark?
Below is an example dump of the custom format packet, with two bytes of private header "00 01" at the beginning of each packet. So is there a way to ask Wireshark to skip the two-byte private header and treat the remaining content as a normal PDU? Or how do I write a custom dissector for this?
0000 00 01 ff ff ff ff ff ff f0 1f af 20 18 52 08 00
0010 45 00 01 63 4b cf 00 00 40 11 2d bc 00 00 00 00
0020 ff ff ff ff 00 44 00 43 01 4f 7a 9d 01 01 06 00
0030 09 e9 ac d2 04 00 00 00 00 00 00 00 00 00 00 00
0040 00 00 00 00 00 00 00 00 f0 1f af 20 18 52 00 00
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0110 00 00 00 00 00 00 00 00 63 82 53 63 35 01 03 3d
0120 07 01 f0 1f af 20 18 52 32 04 0a 29 04 74 0c 0b
0130 42 4a 4e 47 4c 48 5a 42 41 4f 59 51 1d 00 00 00
0140 42 4a 4e 47 4c 48 5a 42 41 4f 59 2e 61 70 2e 74
0150 68 6d 75 6c 74 69 2e 63 6f 6d 3c 08 4d 53 46 54
0160 20 35 2e 30 37 0c 01 0f 03 06 2c 2e 2f 1f 21 79
0170 f9 2b ff
What exactly is the goal you're trying to achieve? Does the preamble mean that the packet belongs to the protocol you want to dissect? Anyway, if I got you right, you need to treat these bytes as a field of the protocol, I guess. If so, add the following construction to your dissector.
-- protocol object (name assumed; use your own) and the 2-byte private header as a field
local proto = Proto("proto", "Custom PDU with private header")
local f_magic = ProtoField.uint16("proto.magic", "Magic", base.HEX)
proto.fields = { f_magic }   -- register the field so it can be added to the tree
function proto.dissector (buf, pkt, root)
    pkt.cols.protocol = proto.name
    local subtree = root:add(proto, buf(0))
    local magic_item = subtree:add(f_magic, buf(0,2))   -- the two private header bytes
end
If you need further help I'll update my answer with more code/details. Hope this helps.
Inject sctp packets
I've been trying to inject SCTP packets in a Linux environment with no success. This is what I have done: I've created an association between two endpoints (one terminal with an SCTP server and another terminal with an SCTP client). Then I sent a char from the client to the server and it was delivered successfully. Then I copied the packets from Wireshark, put them in my source code, incremented the TSN and stream sequence number and sent it, but I didn't receive it on the SCTP server. As you can see below, my packets are exactly the same. My packet is this:
IP Part
0000 45 00 00 34 00 00 40 00 40 84 3c 44 7f 00 00 01
0010 7f 00 00 01
SCTP Part
0000 0b 5e 0b 59 c2 e5 f8 00 00 00 00 00 00 03 00 13
0010 fe aa 43 3e 00 00 00 0c 00 00 00 00 64 0a 00 00
Then, after my packet failed to be delivered to the SCTP server, I sent with the SCTP client just to compare it with my packet, and it arrived at the SCTP server:
IP Part
0000 45 02 00 34 00 00 40 00 40 84 3c 42 7f 00 00 01
0010 7f 00 00 01
SCTP Part
0000 0b 5e 0b 59 c2 e5 f8 00 00 00 00 00 00 03 00 13
0010 fe aa 43 3e 00 00 00 0c 00 00 00 00 64 0a 00 00
Regards, devbag
Your SCTP message seems badly formatted, see RFC 4960.
0b 5e : src port
0b 59 : dst port
c2 e5 f8 00 : verification tag
00 00 00 00 : checksum - WRONG
00 : chunk type (payload data)
03 : chunk flags (beginning and end fragment)
00 13 : chunk length
00 10 fe aa : TSN
43 3e : STREAM
00 00 : STREAM Sequence
00 0c 00 00 : PPID
00 00 64 0a 00 00 : User Data
Regards