I'm trying to open a random port, so that a docker container can bind to it.
sudo firewall-cmd --permanent --add-port=27000/tcp # success
sudo firewall-cmd --reload # success
sudo netstat -tunap | grep -i listen # port 27000 doesn't show up
sudo lsof -i :27000 # No process is using port 27000
curl -v hostname:27000 # Failed connect to; connection refused
How can I open a port and make it listen.
Thank you
Related
I don't have much Linux experience but I have run into a problem with firewalld.
My friend and I recently used certbot to get our ssl certificate for a Linode box.
The plan is for nginx to serve a NEXTJS application on subdomain.domain.com and a RESTful api running via Docker on subdomain.domain.com/api.
The http configuration worked well.
But under https firewalld does not allow external connections on port 443 for mysterious reasons.
I reached this conclusion because by using the power of sudo systemctl stop firewalld everything worked nicely again.
Expectation is that after adding common services including https to the docker zone with the firewalld CLI https traffic should be allowed without having to disable the firewall.
Steps to reproduce are:
sudo systemctl start firewalld
sudo firewall-cmd --get-active-zones
docker
interfaces: docker0
sudo firewall-cmd --zone=docker --add-service=http --permanent
sudo firewall-cmd --zone=docker --add-service=httpd --permanent
sudo firewall-cmd --zone=docker --add-service=dns --permanent
sudo firewall-cmd --zone=docker --add-service=dhcpv6-client --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --get-active-zones
docker
interfaces: docker0
sudo firewall-cmd --zone=docker --list-services
dhcpv6-client dns http https
Still getting a timeout error on subdomain.domain.com.
sudo firewall-cmd --zone=docker --add-port=443/tcp --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --zone=docker --list-ports
443/tcp
Still getting a timeout error on subdomain.domain.com.
Suboptimal work-around is to use the power of sudo systemctl stop firewalld to disable firewall protection.
sudo lsof -i :443 shows four nginx processes.
The OS is openSUSE but I can't recall if it's LEAP or Tumbleweed. All packages up-to-date.
I used the website https://www.yougetsignal.com/tools/open-ports/ to diagnose the problem.
I'm sure that I forgot a lot of important details but I will amend with edits later if requested.
Cheers.
I think that the server just needed to be restarted in the end. We have accomplished our aims now.
My friend says that he noticed that the node16 process was 'running away' and using 99% of processing resources, which is apparently a common problem.
After installing Spree Commerce and running these commands, I am unable to access my domain http://example.com:4000/ or http://example.com:4000/admin. When I run:
curl example.com:4000 I got: curl: (7) Failed to connect to example.com port 4000 after 27 ms: Connection refused.
What is the reason I cannot access Spree Commerce on port 4:000 after fresh install and how can I correct this?
There is no point for accessing - http://example.com:4000. As per the spree documentation, you should use http://localhost:4000 for accessing the spree application.
For Backend
For APIs
Hope this helps.
Firewall could be the principal problem. Have you tried checking opened ports?
List the current Iptables rules
sudo iptables -L
Add an Iptable rule (for example to open a Mysql port 3306)
sudo iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
Remove an Iptable rule
sudo iptables -D INPUT -p tcp --dport xxxx -j ACCEPT
I'm on CentOS 7.9 and I need to get dockers to work with a firewalld configured.
However, the port is always filtered when firewalld is started... Unless I tried to connect to it over localhost.
On this machine (myhost), I have a running container listening on port 55123 :
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6878f1d6152d registry.example.com/my-image:22.1.1 "/entrypoint.sh" 2 weeks ago Up 10 minutes 0.0.0.0:55123->55123/tcp myhost_myservice
# netstat -lntp |grep docker-proxy
tcp 0 0 0.0.0.0:55123 0.0.0.0:* LISTEN 27091/docker-proxy
I did add the port to firewalld :
# firewall-cmd --zone=public --add-port=55123/tcp --permanent
# firewall-cmd --reload
I have a zone docker and a zone public, and I added my interfaces to the public zone to be sure :
# firewall-cmd --get-active-zones
docker
interfaces: br-e7b57dXXXXXX docker0
public
interfaces: ens192 ens224 ens256
I tried a restart of firewalld and then docker service but still getting filtered :
# nmap myhost -Pn -p 55123
Nmap scan report for myhost (XXX.XXX.XXX.23)
Host is up.
PORT STATE SERVICE
55123/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
but all good on localhost :
# nmap localhost -Pn -p 55123
Nmap scan report for myhost (XXX.XXX.XXX.23)
Host is up.
PORT STATE SERVICE
55123/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
I have enabled docker metrics on port 9323 directly on the host (myhost), and this port is well opened
# nmap myhost -Pn -p 9323
Nmap scan report for myhost (XXX.XXX.XXX.23)
Host is up.
PORT STATE SERVICE
9323/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
If I stop firewalld, I immediatly get :
# nmap myhost -Pn -p 55123
Nmap scan report for myhost (XXX.XXX.XXX.23)
Host is up.
PORT STATE SERVICE
55123/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
My Firewalld configuration :
# firewall-cmd --zone=docker --list-all
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-e7b57dXXXXXX docker0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192 ens224 ens256
sources:
services: dhcpv6-client ssh
ports: 9323/tcp 55123/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
I'm a bit lost of why it isn't working.
There is one thing bit weird, we have a network with non-standard private network. Our network is on something like 110.2.0.0/16.
I am running a Debian server (stable), with the docker.io Debian package.This is the one distributed by Debian, not the one from the Docker developers. Since docker.io is only available in sid, I have installed from there (apt install -t unstable docker.io).
My firewall does allow connections to/from docker containers:
$ sudo ufw status
(...)
Anywhere ALLOW 172.17.0.0/16
172.17.0.0/16 ALLOW Anywhere
I also have this in /etc/ufw/before.rules :
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 -o eth0 -j MASQUERADE
So -- I have created an image with
$ sudo debootstrap stable ./stable-chroot http://deb.debian.org/debian > /dev/null
$ sudo tar -C stable-chroot -c . | docker import - debian-stable
Then started a container and installed apache2 and netcat. Port 1111 on the host machine will be redirected to port 80 on the container:
$ docker run -ti -p 1111:80 debian-stable bash
root#dc4996de9fe6:/# apt update
(... usual output from apt update ...)
root#dc4996de9fe6:/# apt install apache2 netcat
(... expected output, installation successful ...)
root#dc4996de9fe6:/# service apache2 start
root#dc4996de9fe6:/# service apache2 status
[ ok ] apache2 is running.
And from the host machine I can connect to the apache server:
$ curl 127.0.0.1:1111
(... HTML from the Debian apache placeholder page ...)
$ telnet 127.0.0.1 1111
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
And it waits for me to type (if I type GET / I get the Debian apache placeholder page). Ok. And if I stop apache inside the container,
root#06da401a5724:/# service apache2 stop
[ ok ] Stopping Apache httpd web server: apache2.
root#06da401a5724:/# service apache2 status
[FAIL] apache2 is not running ... failed!
Then connections to port 1111 on the host will be rejected (as expected):
$ telnet 127.0.0.1 1111
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
Now, if I start netcat on the container, listening on port 80:
root#06da401a5724:/# nc -l 172.17.0.2 80
Then I cannot connect from the host!
$ telnet localhost 1111
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
The same happens if I try nc -l 127.0.0.1 80 in the container.
What could be happening? Both apache and netcat were listening on port 80. What have I missed?
I'd appreciate any hints...
update: if I try this:
root#12b8fd142e00:/# nc -vv -l -p 80
listening on [any] 80 ...
172.17.0.1: inverse host lookup failed: Unknown host
invalid connection to [172.17.0.2] from (UNKNOWN) [172.17.0.1] 54876
Then it works!
Now it's weird... ifconfig inside the container tells me it has IP 172.17.0.2, but I can only use netcat binding to 172.17.0.1:
root#12b8fd142e00:/# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 0.0.0.0
inet6 fe80::42:acff:fe11:2 prefixlen 64 scopeid 0x20<link>
And Apache seems to want to 172.17.0.2 instead:
2AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
but it actually uses 172.17.0.1:
root#12b8fd142e00:/# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 12b8fd142e00:http 172.17.0.1:54942 TIME_WAIT
tcp 0 0 12b8fd142e00:39528 151.101.48.204:http TIME_WAIT
Apache is not listening on 172.17.0.1, that's the address of the host (in the docker bridge).
In the netstat output, the local address has been resolved to 12b8fd142e00. Use the -n option with netstat to see unresolved (numeric) addresses (for example netstat -plnet to see listening sockets). 172.17.0.1 is the foreign address that connected to Apache (an it's indeed the host).
The last line in the netstat output shows that some process made a connection to 151.101.48.204:80, probably to make an HTTP request. You can see the PID/name of the process with netstat -p.
I've been following the manual here, but I'm having trouble getting docker to use the new bridge.
I've added the following to /etc/default/docker and /etc/sysconfig/docker but as soon as I start the docker service it continues to use the docker0 bridge.
The established docker0 IP range blocks many internal IPs on my network. I simply want to configure it to use a 192.168.5.0/24 range.
$ netstat -r
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 bridge0
Found out what I'm doing wrong.
The vendor suggests creating a conf file under /etc/systemd/system/docker.service.d to override directives and preserving the docker.service
# cd /etc/systemd/system/
# mkdir docker.service.d
# cd docker.service.d
# vi override.conf
Then add the following directives (the ExecStart twice to reset the first in /usr/lib/systemd/system/docker.service):
[Service]
EnvironmentFile=-/etc/sysconfig/docker
ExecStart=
ExecStart=/usr/bin/docker -d -H fd:// $DOCKER_OPTS
Then daemon-reload and start docker
# systemctl daemon-reload
# systemctl start docker
systemd Documentation