How to access a service from another machine using rancher-server? - docker

I'm trying to create a docker server using rancher on a local network (with many machines, some Linux, some Windows). I have installed rancher-server, created a host, added an API to test, and created a load balancer to register this API. Locally it works fine; I can access the API container at "http://test.172.17.0.4.xip.io:3000/", but from other machines in my network I can't access it.
PS:
test -> API name
172.17.0.4 -> IP of the docker HOST machine (with rancher-agent)
xip.io -> public wildcard DNS ( see more in : http://xip.io/ )
3000 -> API port mapped in load balancer
I've tried to change the network of the container in the Rancher UI, but it didn't work. I read some things about creating a docker network, but I'm a bit confused, because docker creates a default network, docker0, which is a bridge network. I'm a bit of a layman in network matters.
EDIT:
I created a macvlan using docker network, and now I can ping my container from other machines, but now my container doesn't have an internet connection to download things.
docker network create -d macvlan --subnet=172.16.108.0/26 --gateway=172.16.108.1 -o macvlan_mode=bridge -o parent=enp1s0 rancher
and tried to run a container in this network
EDIT2:
This is the ifconfig output:
docker0: flags=4099 mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:79:4f:fc:66 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp1s0: flags=4163 mtu 1500
inet 172.16.108.1 netmask 255.255.255.192 broadcast 172.16.108.63
inet6 fe80::593f:24d0:31f2:4fd8 prefixlen 64 scopeid 0x20
ether d0:94:66:a5:29:8f txqueuelen 1000 (Ethernet)
RX packets 1251 bytes 1024069 (1000.0 KiB)
RX errors 0 dropped 5 overruns 0 frame 0
TX packets 980 bytes 157904 (154.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Loopback Local)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
EDIT3:
I tried to specify the IP address by passing the flag --address when starting rancher and/or the host, and the result is the same: unknown flag: --address. The commands I tried are:
docker run -d --restart=unless-stopped --address 172.16.108.63 -p 8080:8080 rancher/server
To start the rancher server. I tried with macvlan too:
docker run --privileged --name some-docker1 --address 172.16.108.63 -d docker:stable-dind
To start the rancher machine (to be the future host).
And I tried the same command above, but without the --address. Then, attached to the container's shell, I tried to create the host:
docker run -e CATTLE_AGENT_IP="172.17.0.3" --rm --privileged --address 172.16.108.63 -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher rancher/agent:v1.2.11 http://172.17.0.2:8080/v1/scripts/3FA0E7B767770264BCAD:1546214400000:P9NfsauqyhZpoeIBgGyCZIHkKtE
The results are the same.
SUMMARY:
I'm trying to create a rancher-server in my local network to access the applications in my load balancer from other machines in the same network.

Edit 2: One needs to specify the IP address of the host being added using CATTLE_AGENT_IP. I got the versions wrong in the previous edit.
Edit 1:
When using the same host for running both the rancher server and the agent image, it's important to specify the IP address of the host using the flag --address <IP address>. Otherwise, the auto-detected IP address would be incorrect.
In your case, you need to specify --address 172.16.108.63 when registering the host.
Then the xip address generated would reflect the correct IP address.
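As an added check, not part of the question or the answer above: a xip.io name only echoes back whatever IP Rancher embedded in it, so the hostname itself tells you whether other machines can reach the service. The script below, written for this page rather than taken from Rancher, parses the ifconfig output from EDIT2, extracts the IP embedded in a xip.io name and classifies it as LAN-routable or host-local (a Docker bridge address such as 172.17.0.4 is reachable only from the Docker host itself). It also checks the macvlan command from EDIT1: in macvlan bridge mode containers cannot talk to their own parent host, so a --gateway equal to the host's address on the parent interface leaves them with no way out, which matches the "no internet" symptom. The interface-name heuristic and the trimmed sample are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: the ifconfig output posted in EDIT2, trimmed to the lines parsed here.
IFCONFIG_SAMPLE = """\
docker0: flags=4099 mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
enp1s0: flags=4163 mtu 1500
inet 172.16.108.1 netmask 255.255.255.192 broadcast 172.16.108.63
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
"""

# The macvlan command from EDIT1.
MACVLAN_CMD = ("docker network create -d macvlan --subnet=172.16.108.0/26 "
               "--gateway=172.16.108.1 -o macvlan_mode=bridge -o parent=enp1s0 rancher")

IFACE_RE = re.compile(r"^(\S+):\s+flags=")
INET_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+)\s+netmask\s+(\d+\.\d+\.\d+\.\d+)")
# Assumption: interfaces with these names are host-local (Docker bridges, veths, loopback).
HOST_LOCAL_IFACE = re.compile(r"^(docker\d+|br-[0-9a-f]+|veth|lo$)")
XIP_RE = re.compile(r"^(?:[\w-]+\.)*?(\d+\.\d+\.\d+\.\d+)\.xip\.io$")


def parse_ifconfig(text):
    """Map interface name -> IPv4Interface from net-tools ifconfig output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and current:
            ifaces[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def xip_target(hostname):
    """xip.io resolves <anything>.<a.b.c.d>.xip.io to a.b.c.d; pull that address out."""
    m = XIP_RE.match(hostname)
    if not m:
        raise ValueError(f"not a xip.io name: {hostname}")
    return ipaddress.IPv4Address(m.group(1))


def reachability(hostname, ifaces):
    """'lan' if the embedded IP is on a real interface's subnet (other machines can
    route to it), 'host-local' if it lives on a Docker bridge or loopback (only the
    Docker host itself can reach it), 'unknown' if it matches no interface."""
    ip = xip_target(hostname)
    for name, iface in ifaces.items():
        if ip in iface.network:
            return "host-local" if HOST_LOCAL_IFACE.match(name) else "lan"
    return "unknown"


def macvlan_gateway_problem(create_cmd, ifaces):
    """In macvlan bridge mode the parent host and its macvlan children cannot talk
    to each other, so a --gateway that is the host's own address on the parent
    interface is unreachable from inside the containers (no internet, as in EDIT1).
    Returns a description of the problem, or None when the gateway is not the host."""
    gw = re.search(r"--gateway[= ](\S+)", create_cmd)
    parent = re.search(r"parent=(\S+)", create_cmd)
    if not (gw and parent):
        return None
    host_addr = ifaces.get(parent.group(1))
    if host_addr and host_addr.ip == ipaddress.IPv4Address(gw.group(1)):
        return (f"--gateway {gw.group(1)} is the host's own address on "
                f"{parent.group(1)}; macvlan containers cannot reach it")
    return None


if __name__ == "__main__":
    ifs = parse_ifconfig(IFCONFIG_SAMPLE)
    for host in ("test.172.17.0.4.xip.io", "test.172.16.108.1.xip.io"):
        print(host, "->", reachability(host, ifs))
    print(macvlan_gateway_problem(MACVLAN_CMD, ifs))
```

Run it against your own ifconfig output and the hostname Rancher shows in the load balancer; if the verdict is "host-local", the agent registered with a bridge address and CATTLE_AGENT_IP (or --address) must be set to the LAN address, as the answer says.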
====
Here is one way to be able to access your application from outside the cluster. This involves use of Ingress. (Check here for more information: https://kubernetes.io/docs/concepts/services-networking/ingress/)
Step 1: Create a deployment (change the image and customize other options according to your needs)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app1
spec:
  replicas: 1
  selector:
    matchLabels:
      name: app1
  template:
    metadata:
      labels:
        name: app1
    spec:
      containers:
      - name: app1
        image: leodotcloud/swiss-army-knife
        ports:
        - containerPort: 80
          name: http
        env:
        - name: NATO_ALPHABET
          value: "a"
Step 2: Create a service (One can directly create the ingress, but I like to keep things segregated)
apiVersion: v1
kind: Service
metadata:
  labels:
    name: access-app1
  name: access-app1
spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    name: app1
Step 3: Create Ingress
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; on current clusters use
# apiVersion: networking.k8s.io/v1, where the backend is written as
# service: {name: access-app1, port: {number: 80}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-app1
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /app1
        backend:
          serviceName: access-app1
          servicePort: 80
Now your application will be available at http://<HOST_IP_ADDRESS>/app1

Related

Accessing webservice in docker image from a machine different from docker host

Good morning,
I'm a new user of docker technology and I'm facing an issue.
Any help will be appreciated (I updated the question thanks to the questions asked by @JRichardsz).
Here the problem:
Docker Host: Ubuntu 20.04.2 LTS. This is a VMWare virtual machine
On the host no process is using port 80. (Running "sudo lsof -i :80" returns no process name if I do not start any docker image.)
If I stop the running docker image with "docker compose down", I have 2 network interfaces:
docker0: flags=4099 mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:2f:a6:ae:d2 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens160: flags=4163 mtu 1500
inet 192.168.128.60 netmask 255.255.255.0 broadcast 192.168.128.255
inet6 fe80::250:56ff:fea6:60bb prefixlen 64 scopeid 0x20
ether 00:50:56:a6:60:bb txqueuelen 1000 (Ethernet)
RX packets 2929 bytes 251888 (251.8 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 424 bytes 53706 (53.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
When I start my docker image (this is a docker image provided by the Xibo CMS developers), the network interfaces related to the docker image appear, and I'm able to view the bridge information:
bridge name       bridge id           STP enabled   interfaces
br-33e8e1916c0d   8000.024261f9ddaa   no            veth0b9040e
                                                    veth3c6ecf0
                                                    veth821b253
                                                    vethe879c11
docker0           8000.02422fa6aed2   no
When docker is active, the command "sudo lsof -i :80" gives me:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
docker-pr 25417 root 4u IPv4 122292 0t0 TCP *:http (LISTEN)
docker-pr 25423 root 4u IPv6 122300 0t0 TCP *:http (LISTEN)
so the web service inside the docker image is listening on all interfaces.
If I open a browser inside the Linux docker host at the URL http://127.0.0.1/ I can access the web server page without any problem.
If I open a browser at http://192.168.128.80/ on a PC connected to the same subnet as ens160, I'm not able to reach the webserver.
Please note, no firewall is active (if I shut down the docker image with the "docker compose down" command and try, from a PC connected to the same subnet as ens160, to open a telnet connection to port 80 on 192.168.128.80, I can capture packets using tcpdump).
After stopping the docker image, I performed the following commands on the docker host PC:
sudo python3 -m http.server 80
Connecting from a different PC using PuTTY telnet on port 80, I can see messages on the python example command line (so no firewall issues).
Is there anyone who can help me find out why the webservice inside the docker image can be accessed only when opening the webpage from the Linux Docker Host machine?
Any help will be very helpful.

Docker is overriding my default route configuration

A noob here starting with docker on an Orange Pi 3 (Raspberry Pi clone).
I'm trying to configure and start a docker container (bitwarden_rs), but when I do, I lose the connection to the external network. Docker messes with my route table.
Network configuration: I have a bridge br0 that bridges eth0 and wlan0.
(Eth0 connects to the router, wlan0 is configured in AP mode)
Table when container is stopped:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 425 0 0 br0 <---OK
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 br0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 425 0 0 br0
192.168.2.0 0.0.0.0 255.255.255.0 U 425 0 0 br0
Table when the container is running (no internet access to the exterior):
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 0.0.0.0 0.0.0.0 U 205 0 0 docker0 <---NOT OK
default _gateway 0.0.0.0 UG 425 0 0 br0
link-local 0.0.0.0 255.255.0.0 U 205 0 0 docker0
link-local 0.0.0.0 255.255.0.0 U 230 0 0 vethed140ce
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 br0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 425 0 0 br0
192.168.2.0 0.0.0.0 255.255.255.0 U 425 0 0 br0
What can I do to fix it? Is it a docker config problem or maybe my system problem (armbian)?
Thanks
On Ubuntu 20.04, I tried many methods,
like preventing dhcpd from updating the route
or changing the NetworkManager configuration to make network-manager ignore veth* devices.
Neither of the above works.
I spent a lot of time and found that the connman service changes the default route. Change its config file /etc/connman/main.conf by uncommenting the following line:
#NetworkInterfaceBlacklist = vmnet,vboxnet,virbr,ifb,veth-,vb-
and
systemctl restart connman
to restart the connman service. The issue was eventually resolved.
This is because, as you can see, docker creates a Linux bridge named 'docker0'.
You can change the default settings for the docker bridge to resolve the issue.
Configure the default bridge network by providing the bip option along with the desired subnet in daemon.json:
# vi /etc/docker/daemon.json
{
"bip": "172.200.0.1/16"
}
and restart the service.
systemctl restart docker
More details HERE and HERE
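An added example, not from either answer, that turns the diagnosis into a repeatable check: parse the routing table as printed by route, find default routes that sit on a Docker-managed interface, report which default the kernel will actually use (lowest metric wins, which is why the metric-205 docker0 route beats the real metric-425 gateway), and, before changing bip in daemon.json as the second answer suggests, confirm that the new bridge subnet does not overlap a subnet the host already routes over a real interface. The routing table is the one posted in the question; the interface-name heuristic and the bip values are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample: the routing table posted in the question while the container runs,
# without the "<---" annotations.
ROUTE_SAMPLE = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 0.0.0.0 0.0.0.0 U 205 0 0 docker0
default _gateway 0.0.0.0 UG 425 0 0 br0
link-local 0.0.0.0 255.255.0.0 U 205 0 0 docker0
link-local 0.0.0.0 255.255.0.0 U 230 0 0 vethed140ce
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 br0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.1.0 0.0.0.0 255.255.255.0 U 425 0 0 br0
192.168.2.0 0.0.0.0 255.255.255.0 U 425 0 0 br0
"""

# Assumption: Docker-managed interfaces follow these naming patterns. The poster's own
# bridge is "br0", which deliberately does not match "br-<12 hex digits>".
DOCKER_IFACE = re.compile(r"^(docker\d+|br-[0-9a-f]{12}$|veth)")
DEFAULTS = ("default", "0.0.0.0")


def parse_routes(text):
    """Parse net-tools `route` output (two header lines, then 8 columns per route)."""
    routes = []
    for line in text.splitlines()[2:]:
        parts = line.split()
        if len(parts) < 8:
            continue
        dest, gateway, genmask, flags, metric, _ref, _use, iface = parts[:8]
        routes.append({"dest": dest, "gateway": gateway, "genmask": genmask,
                       "flags": flags, "metric": int(metric), "iface": iface})
    return routes


def rogue_default_routes(routes):
    """Default routes owned by a Docker bridge or veth. Docker itself never adds
    these; a network manager (connman, dhcpcd, NetworkManager) that decided to
    'configure' docker0 or a veth did."""
    return [r for r in routes if r["dest"] in DEFAULTS and DOCKER_IFACE.match(r["iface"])]


def effective_default(routes):
    """The kernel uses the default route with the lowest metric."""
    defaults = [r for r in routes if r["dest"] in DEFAULTS]
    return min(defaults, key=lambda r: r["metric"]) if defaults else None


def bip_overlaps(bip, routes):
    """Check a candidate daemon.json "bip" value against the subnets routed over
    real interfaces. Returns the overlapping subnets (empty list: safe to use)."""
    bridge = ipaddress.IPv4Interface(bip).network
    hits = []
    for r in routes:
        if r["dest"] in DEFAULTS or r["dest"] == "link-local" or DOCKER_IFACE.match(r["iface"]):
            continue
        net = ipaddress.IPv4Network(f"{r['dest']}/{r['genmask']}", strict=False)
        if net.overlaps(bridge):
            hits.append(str(net))
    return hits


if __name__ == "__main__":
    routes = parse_routes(ROUTE_SAMPLE)
    for r in rogue_default_routes(routes):
        print("rogue default route via", r["iface"], "metric", r["metric"])
    print("kernel will use:", effective_default(routes)["iface"])
    print("bip 172.200.0.1/16 overlaps:", bip_overlaps("172.200.0.1/16", routes))
```

Note that moving the bridge subnet does not by itself stop a network manager from claiming docker0; the connman blacklist fix in the first answer addresses the cause, and this check tells you whether the symptom is gone.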

Hortonworks docker sandbox is not loading in the browser

I have installed the HortonWorks Docker sandbox as per the instructions.
Which seems to be running, when I type:
sudo docker ps
It shows that the sandbox is running:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
23dbac10e27b hortonworks/sandbox-hdp:3.0.1 "/usr/sbin/init" 20 minutes ago Up 20 minutes 22/tcp, 4200/tcp, 8080/tcp sandbox-hdp
But when I visit localhost:8080 in the browser I do not get any response.
I also read that I should try ifconfig to verify the IP address:
Not sure what I should be looking at here:
br-193585a7edfa: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
inet6 fe80::42:62ff:fe32:c2fc prefixlen 64 scopeid 0x20<link>
ether 02:42:62:32:c2:fc txqueuelen 0 (Ethernet)
RX packets 5 bytes 256 (256.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24 bytes 3241 (3.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
EDIT:
I'm starting it with this command, no ports specified:
docker start sandbox-hdp
As shown in the instructions:
Also I get the same port mapping that is shown in the documentation:
Docker creates a separate network for the container.
If you need to map a port of the container in this network to a port on the host system, you should specify it with -p.
You need
docker run -p <port_at_host_system>:<port_in_container> <image>
so run
docker run -p 8080:8080 hortonworks/sandbox-hdp:3.0.1

How to connect to OpenDJ LDAP server (Docker)

I am trying to connect (bind) to an OpenDJ server in Docker.
(I know how to connect to a regular (non-Docker) OpenDJ server.)
OpenDJ seems to run, but when I try to connect to it with an LDAP browser, it says "Unable to connect".
--- Server Status ---
Server Run Status: Started
Open Connections: 1
--- Server Details ---
Host Name: 14e1e92e962e
Administrative Users: cn=Directory Manager
Installation Path: /opt/opendj
Instance Path: /opt/opendj/data
Version: OpenDJ Server 4.4.3
Java Version: 1.8.0_111
Administration Connector: Port 4444 (LDAPS)
--- Connection Handlers ---
Address:Port : Protocol : State
-------------:------------------------:---------
-- : LDIF : Disabled
0.0.0.0:161 : SNMP : Disabled
0.0.0.0:1389 : LDAP (allows StartTLS) : Enabled
0.0.0.0:1636 : LDAPS : Enabled
0.0.0.0:1689 : JMX : Disabled
0.0.0.0:8080 : HTTP : Disabled
--- Data Sources ---
Base DN: dc=example,dc=com
Backend ID: userRoot
Entries: 1
Replication:
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
14e1e92e962e openidentityplatform/opendj "/opt/opendj/run.sh" 18 hours ago Up 18 hours
[root@localhost ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:5ff:fe0f:a03 prefixlen 64 scopeid 0x20<link>
ether ******** txqueuelen 0 (Ethernet)
RX packets 5 bytes 254 (254.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7 bytes 647 (647.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.89 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::1db8:91e1:5276:4f9 prefixlen 64 scopeid 0x20<link>
ether ******** txqueuelen 1000 (Ethernet)
RX packets 796434 bytes 512206712 (488.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 479946 bytes 41277150 (39.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# docker run -it 1e03b62c213e /bin/bash
Instance data Directory is empty. Creating new DJ instance
BASE DN is dc=example,dc=com
Password set to password
Running /opt/opendj/bootstrap/setup.sh
Setting up default OpenDJ instance
Configuring Directory Server ..... Done.
Configuring Certificates ..... Done.
Creating Base Entry dc=example,dc=com ..... Done.
Starting Directory Server ...... Done.
To see basic server configuration status and configuration, you can launch
/opt/opendj/bin/status
Server Run Status: Started
The LDAP server is running at 192.168.0.89 on port 1389. So I try to connect with the below. I am unable to fetch the Base DN as well. I tried putting the Base DN in manually too. I tried 172.17.0.1, but no luck. (It seems to be a docker IP (ifconfig).)
Question :
But with docker, do I need a different hostname? Or IP? Or is additional configuration needed? (BTW, I put the IP in the hostname field and successfully connected many times.)
Error message :
Error while opening connection
- Unable to connect
java.lang.Exception: Unable to connect
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$1.run(DirectoryApiConnectionWrapper.java:251)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1312)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doConnect(DirectoryApiConnectionWrapper.java:281)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.connect(DirectoryApiConnectionWrapper.java:172)
at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:111)
at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:60)
Unable to connect
You need to publish ports 1389 and 1636.
Change your docker run command to
docker run -it -p 1389:1389 -p 1636:1636 <image ID> /bin/bash
You can also run your container in host networking mode, where you don't need port mapping.
docker run -it --net=host <image ID> /bin/bash
Hope this helps.
Look at your docker ps command: you do not publish any ports.
Add this to your docker run command:
-p 1389:1389 -p 1636:1636

Can't reach service of host from container

On the host, there is a service
#server# netstat -ln | grep 3308
tcp6 0 0 :::3308 :::* LISTEN
It can be reached remotely.
The container is in a user-defined bridge network.
The server IP address is 192.168.1.30
#localhost ~]# ifconfig
br-a54fd3b63acd: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
inet6 fe80::42:1eff:fecc:92e8 prefixlen 64 scopeid 0x20<link>
ether 02:42:1e:cc:92:e8 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:37ff:fe9f:e4f1 prefixlen 64 scopeid 0x20<link>
ether 02:42:37:9f:e4:f1 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34 bytes 4018 (3.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.30 netmask 255.255.255.0 broadcast 192.168.1.255
And ping from the container also works.
#33208c18aa61:~# ping -c 2 192.168.1.30
PING 192.168.1.30 (192.168.1.30) 56(84) bytes of data.
64 bytes from 192.168.1.30: icmp_seq=1 ttl=64 time=0.120 ms
64 bytes from 192.168.1.30: icmp_seq=2 ttl=64 time=0.105 ms
And the service is available.
#server# telnet 192.168.1.30 3308
Trying 192.168.1.30...
Connected to 192.168.1.30.
Escape character is '^]'.
N
But the service can't be reached from the container.
#33208c18aa61:~# telnet 192.168.1.30 3308
Trying 192.168.1.30...
telnet: Unable to connect to remote host: No route to host
I checked
Make docker use IPv4 for port binding
make sure I didn't have IPv6 set to only bind on IPv6
# sysctl net.ipv6.bindv6only
net.ipv6.bindv6only = 0
From inside of a Docker container, how do I connect to the localhost of the machine?
and found my route is a little different:
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router.asus.com 0.0.0.0 UG 100 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-a54fd3b63acd
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
Does it matter? Or could it be another reason?
Your docker container is in a different network namespace and connected to a different interface than your host machine; that's why you can't reach it using the IP 192.168.x.x.
What you need to do is use the docker network gateway instead, in your case 172.17.0.1, but be aware that this IP might not be the same from host to host, so to reproduce this everywhere and be completely sure of the IP, you can create a user-defined network specifying the subnet and gateway and run your container there, for example:
docker network create -d bridge --subnet 172.16.0.0/24 --gateway 172.16.0.1 dockernet
docker run --net=dockernet ubuntu
Also, whatever service you are trying to connect to here must be listening on the docker bridge interface as well.
Another option is to run the container in the same network namespace as the host with the --net=host flag; in this case you can access the service outside the container using localhost.
Inspired by the official documentation:
The Docker bridge driver automatically installs rules in the host
machine so that containers on different bridge networks cannot
communicate directly with each other.
I checked the iptables on the server; as an experiment I stopped iptables temporarily. Then the container could reach that service successfully. Later I was told the server had been rebooted recently, so I guess some config was lost after that reboot. I'm not very familiar with iptables, and when I try
systemctl status iptables.service
it says the service is not installed. After I install and run the service,
iptables -L -n
is almost empty. Now I have no clue what kind of iptables rules could cause that mess.
But if anyone faces the "ping succeeds, telnet fails" situation, iptables could be the place of the root cause.
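Added example, not from the answer above: the symptom it describes, ping works but TCP fails with "No route to host", is exactly what a firewall REJECT with --reject-with icmp-host-prohibited produces when ICMP is accepted earlier in the INPUT chain, as in the CentOS/RHEL default rules. The script below walks the filter-table INPUT chain from iptables-save in kernel order for a given packet and reports the first terminal verdict, then builds the narrowest ACCEPT rule to insert above the reject. The ruleset is constructed for the example, not taken from the poster's server, and the matcher handles only -i, -p, --dport and --ctstate.

```python
import re

# Constructed sample, not the poster's ruleset: a CentOS/RHEL-style filter table as
# printed by iptables-save. ICMP is accepted before the catch-all REJECT, so ping
# from a container succeeds while a TCP SYN arriving on the Docker bridge is
# rejected with icmp-host-prohibited, which the client reports as "No route to host".
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
COMMIT
"""

TERMINAL = ("ACCEPT", "DROP", "REJECT")


def filter_input_rules(text):
    """INPUT chain of the filter table, in the order the kernel evaluates it."""
    rules, in_filter = [], False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = (line == "*filter")
        elif in_filter and line.startswith("-A INPUT "):
            rules.append(line)
    return rules


def rule_matches(rule, pkt):
    """Match a packet dict (iface, proto, dport, state) against the subset of
    iptables options handled here: -i, -p, --dport and --ctstate. An option
    absent from the rule matches anything, as in iptables."""
    for flag, value in (("-i", pkt["iface"]), ("-p", pkt["proto"]), ("--dport", str(pkt["dport"]))):
        m = re.search(rf"(?:^| ){re.escape(flag)} (\S+)", rule)
        if m and m.group(1) != value:
            return False
    m = re.search(r"--ctstate (\S+)", rule)
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    return True


def first_verdict(rules, pkt):
    """Walk the chain top to bottom; return (target, rule) for the first matching
    terminal target, or ("POLICY", None) when the chain policy decides."""
    for rule in rules:
        if rule_matches(rule, pkt):
            target = re.search(r"-j (\S+)", rule).group(1)
            if target in TERMINAL:
                return target, rule
    return "POLICY", None


def fix_rule(bridge_iface, port):
    """Narrow ACCEPT to insert at the top of INPUT: only the bridge the container
    sits on, only the service port, only new connections (the RELATED,ESTABLISHED
    rule already covers replies). A plain "-i br-... -j ACCEPT" would let any
    container on that bridge reach every service on the host."""
    return (f"iptables -I INPUT 1 -i {bridge_iface} -p tcp -m conntrack --ctstate NEW "
            f"-m tcp --dport {port} -j ACCEPT")


if __name__ == "__main__":
    rules = filter_input_rules(IPTABLES_SAVE)
    ping = {"iface": "br-a54fd3b63acd", "proto": "icmp", "dport": 0, "state": "NEW"}
    syn = {"iface": "br-a54fd3b63acd", "proto": "tcp", "dport": 3308, "state": "NEW"}
    print("ping:", first_verdict(rules, ping)[0])
    print("tcp/3308:", first_verdict(rules, syn))
    print(fix_rule("br-a54fd3b63acd", 3308))
```

On a real box feed it the output of iptables-save (or nft list ruleset translated back with iptables-nft-save) and the bridge name from ifconfig; if the verdict for the service port is REJECT or DROP while icmp is ACCEPT, you have found the rule behind "ping works, telnet fails". Rules added with iptables -I are lost on reboot unless saved (service iptables save, or the firewalld equivalent), which is consistent with the reboot the answer mentions.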
