Docker container unreachable from remote machine - docker

I use docker and docker-compose to deploy and run my Java application, which listens on port 5555.
I run it as docker-compose -f docker-compose.yml up -d
But if I run a telnet command from outside the server where the docker container is running, I get a Connection refused message. If I run it inside the server, everything is fine.
So these things have been checked:
$: docker-compose ps
$: ufw status
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
5555/tcp                   ALLOW       Anywhere
5432                       ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
5555/tcp (v6)              ALLOW       Anywhere (v6)
5432 (v6)                  ALLOW       Anywhere (v6)
docker-compose.yml
version: '3'
services:
  db:
    container_name: db
    image: postgres
    restart: always
    ports:
      - 5432:5432
  auth:
    container_name: auth
    image: registryimg
    restart: always
    stdin_open: true
    tty: true
    ports:
      - 5555:5555
Dockerfile
FROM openjdk:8-jre
ADD target/auth.jar app.jar
EXPOSE 5555
ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "app.jar"]
Update 1
From the docker logs of my container I found that application binds correctly to desired port:
2019-01-18 10:18:11.481 DEBUG 1 --- [ntLoopGroup-2-1] io.netty.handler.logging.LoggingHandler : [id: 0xaf27337e] REGISTERED
2019-01-18 10:18:11.485 DEBUG 1 --- [ntLoopGroup-2-1] io.netty.handler.logging.LoggingHandler : [id: 0xaf27337e] BIND: localhost/127.0.0.1:5555
2019-01-18 10:18:11.489 DEBUG 1 --- [ntLoopGroup-2-1] io.netty.handler.logging.LoggingHandler : [id: 0xaf27337e, L:/127.0.0.1:5555] ACTIVE
Update 2
From my home computer I run telnet command telnet myhost 5555 and I get an error:
Trying myhost...
telnet: Unable to connect to remote host: Connection refused
After that I watch my container logs and they are empty (netty didn't register any connections).
I also want to point out that if I telnet another container with postgresql inside it, everything is ok.

Well, the short answer is: think about which host you are binding to.
In my case the netty server was bound like this:
BIND: localhost/127.0.0.1:5555
I've changed it to:
BIND: 0.0.0.0/0.0.0.0:5555
And it works like a charm!

Related

Telegraf docker can not connect to Mosquitto brocker docker [duplicate]

I am trying to run a local mosquitto broker, publisher and subscriber setup via docker and docker-compose, but the publisher cannot connect to the broker. However, connecting to the local broker via the CLI works fine.
I get the following error when running the setup below.
{ Error: connect ECONNREFUSED 127.0.0.1:1883
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1088:14)
  errno: 'ECONNREFUSED',
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: '127.0.0.1',
  port: 1883 }
Local dockerized setup:
docker-compose.yml:
version: "3.5"
services:
  publisher:
    hostname: publisher
    container_name: publisher
    build:
      context: ./
      dockerfile: dev.Dockerfile
    command: npm start
    networks:
      - default
    depends_on:
      - broker
  broker:
    image: eclipse-mosquitto
    hostname: mosquitto-broker
    container_name: mosquitto-broker
    networks:
      - default
    ports:
      - "1883:1883"
networks:
  default:
dev.Dockerfile:
FROM node:11-alpine
RUN mkdir app
WORKDIR app
COPY package*.json ./
RUN npm ci
COPY ./src ./src
CMD npm start
src/index.js:
const mqtt = require("mqtt");
const client = mqtt.connect("mqtt://localhost:1883");
client.on("connect", () => {
  console.log("Start publishing...");
  client.publish("testTopic", "test");
});
client.on("error", (error) => {
  console.error(error);
});
However, if I connect to the mosquitto broker via mqtt-js cli, it works as expected. E.g.
mqtt sub -t 'testTopic' -h 'localhost' and mqtt pub -t 'testTopic' -h 'localhost' -m 'from MQTT.js'.
What am I missing?
Your publisher and broker are running in two different containers, which means they are two different machines, and each machine has its own IP.
You can't call the broker service from your publisher container using localhost:1883, and vice versa from the broker to the publisher container.
To reach the broker container you have to use the container IP, the container name or the service name.
In your case, change the mqtt.connect("mqtt://localhost:1883"); value to mqtt.connect("mqtt://broker:1883"); and give it a try.
The publisher and broker run in different containers, meaning they have different IPs.
When the publisher tries to reach the broker at localhost:1883, it is normal to receive an ECONNREFUSED, since the broker is not in the same container.
You should replace the 127.0.0.1 or localhost with the service name of the broker (broker in this case). The service name will be resolved to the correct IP of the broker container.
In your index.js you should change "localhost" to "broker". When inside a container, "localhost" will resolve to that specific container, so you should always use the service name instead and docker will take care of the routing to that specific service. Also, by default all services in the same compose file are added to the same network, so there is no need to specify it.
So basically change this: const client = mqtt.connect("mqtt://localhost:1883");
To this: const client = mqtt.connect("mqtt://broker:1883");

How to Make Docker Container Only accessable via a Single IP Address

I have a docker-compose file that looks something like the following:
version: "3.1"
services:
  app:
    container_name: Apache_web_server
    image: httpd:2.4
    ports:
      - 40:80
    restart: unless-stopped
    volumes:
      - ./web-root:/usr/local/apache2/htdocs
As it is currently configured, any IP can access the apache web server on port 40. I can change the ports section to this:
ports:
  - "127.0.0.1:40:80"
And it only allows traffic from localhost on port 40 into the container, however if I change the ports section to this:
ports:
  - "192.168.1.24:40:80"
And try to turn on the container I get this lovely error:
ERROR: for Apache_web_server Cannot start service app: driver failed programming external connectivity on endpoint Apache_web_server ([ID]): Error starting userland proxy: listen tcp4 192.168.1.24:40: bind: cannot assign requested address
ERROR: for app Cannot start service app: driver failed programming external connectivity on endpoint Apache_web_server ([ID]): Error starting userland proxy: listen tcp4 192.168.1.24:40: bind: cannot assign requested address
Does anyone know what's going on with this? I want to (in this example) restrict access to the apache web server to only requests from the IP 192.168.1.24.
First, with the command ip a | grep -w inet, check whether this address exists on the Linux host.
Then check whether a similar port is already open on the desired interface or not, because the problem is the binding. Check with the following command whether it exists or not: netstat -nltp.
Finally, if there is still a problem, create a bridge network in docker-compose and check again.

Connecting to XDEBUG on remote Docker Image

I am trying to debug using NetBeans 11 as my client, Xdebug 3 on the Docker image. The Docker container is on a remote host. I am unable to make a connection. Indicator at the bottom of the NetBeans screen scrolls forever with "waiting for connection (netbeans-xdebug)". I am not sure what I am doing wrong. I have had this work in the past without Docker and with Xdebug 2, I am not sure if I messed up the Xdebug 3, the Docker or both.
My configurations:
Dockerfile adds Xdebug properly and I can see it in my container.
docker-compose.yml
---
services:
  drupal:
    container_name: intranet-finkenb2
    ports:
      - "8082:80"
      - "9092:9003"
    volumes:
      - /home/finkenb2/intranet/custom_themes:/opt/drupal/web/themes/custom
      - /home/finkenb2/intranet/custom_modules:/opt/drupal/web/modules/custom
    environment:
      XDEBUG_MODE: debug,develop
      XDEBUG_SESSION: netbeans-xdebug
      XDEBUG_CONFIG: >
        client_host = localhost
        client_port = 9003
        discover_client_host=true
        start_with_request=yes
  db:
    container_name: intranet-finkenb2-db
  solr:
    container_name: intranet-finkenb2-solr
    ports:
      - "8982:8983"
volumes:
  public_files:
  private_files:
  site_settings:
SSH Tunnel via PuTTY: R9092 localhost:9092
NetBeans PHP Debug config:
- Debugger Port: 9092
- Session ID: netbeans-xdebug
- Maximum Data Length: 8192
- Check: Stop at first line
NetBeans Project config (run configuration):
- Run As: Remote Web Site
- Project URL: http://intranet-finkenb2.devel.lib.msu.edu
- index file: index.php
- remote connection
- hostname intranet8.devel.lib.msu.edu /*docker host server*/
- user/pwd correct
- initial directory /var/www/
This is not correct:
ports:
  - "9092:9003"
Xdebug connects to your IDE, so you don't need to expose the port. These ports are for external exposures anyway, and you're SSH-ing into the container with -R already, so this makes no sense.
This is not correct:
XDEBUG_CONFIG: >
  client_host = localhost
  client_port = 9003
  discover_client_host=true
  start_with_request=yes
You can't use all of these as part of the XDEBUG_CONFIG variable; start_with_request, for example.
discover_client_host with Docker doesn't work, as it gets the wrong IP through the gateway.
localhost is normally also not correct, as it needs to be the IP/hostname of the machine where your IDE listens. But you're SSH-ing into that container, so that should be fine.
With that SSH tunnel, you need to set client_port to the port of your remote SSH end point (9092).
If anything else is unclear, make a log file, or try to debug a page with xdebug_info() in it, and it will tell you what Xdebug has tried.

docker-compose can't connect to adjacent service via service name

I have this docker-compose.yml that basically builds my project for e2e test. It's composed of a postgres db, a backend Node app, a frontend Node app, and a spec app which runs the e2e test using cypress.
version: '3'
services:
  database:
    image: 'postgres'
  backend:
    build: ./backend
    command: /bin/bash -c "sleep 3; yarn backpack dev"
    depends_on:
      - database
  frontend:
    build: ./frontend
    command: /bin/bash -c "sleep 15; yarn nuxt"
    depends_on:
      - backend
  spec:
    build:
      context: ./frontend
      dockerfile: Dockerfile.e2e
    command: /bin/bash -c "sleep 30; yarn cypress run"
    depends_on:
      - frontend
      - backend
The Dockerfiles are just simple Dockerfiles based off node:8 which copy the project files and run yarn install. In the spec Dockerfile, I pass http://frontend:3000 as FRONTEND_URL.
But this setup fails at the spec command when my cypress runner can't connect to frontend with error:
spec_1 | > Error: connect ECONNREFUSED 172.20.0.4:3000
As you can see, it resolves the hostname frontend to the IP correctly, but it's not able to connect. I'm scratching my head over why I can't connect to the frontend with the service name. If I switch the command on spec to sleep 30; ping frontend, it successfully pings the container. I've tried deleting and letting docker-compose recreate the network, and I've tried specifying expose and links on the services respectively. All to no success.
I've set up a sample repo here if you wanna try replicating the issue:
https://github.com/afifsohaili/demo-dockercompose-network
Any help is greatly appreciated! Thank you!
Your application is listening on loopback:
$ docker run --rm --net container:demo-dockercompose-network_frontend_1 nicolaka/netshoot ss -lnt
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.11:35233     *:*
LISTEN  0       128     127.0.0.1:3000       *:*
From outside of the container, you cannot connect to ports that are only listening on loopback (127.0.0.1). You need to reconfigure your application to listen on all interfaces (0.0.0.0).
For your app, in the package.json, you can add (according to the nuxt faq):
"config": {
  "nuxt": {
    "host": "0.0.0.0",
    "port": "3000"
  }
},
Then you should see:
$ docker run --rm --net container:demo-dockercompose-network_frontend_1 nicolaka/netshoot ss -lnt
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     *:3000               *:*
LISTEN  0       128     127.0.0.11:39195     *:*
And instead of an unreachable error, you'll now get a 500:
...
frontend_1 | response: undefined,
frontend_1 | statusCode: 500,
frontend_1 | name: 'NuxtServerError' }
...
spec_1 | The response we received from your web server was:
spec_1 |
spec_1 | > 500: Server Error
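The same diagnosis applies to the Netty question at the top of this page (BIND: localhost/127.0.0.1:5555) and to the nuxt listener above: a socket bound to 127.0.0.1 inside the container is unreachable through any published port. The following check, an added example rather than code from either thread, parses `ss -lnt` output and reports loopback-only listeners; the sample listing is constructed.

```python
import ipaddress
import re

# Constructed sample in the format of `ss -lnt`, modelled on the listing
# above: a loopback-only app listener, Docker's embedded DNS stub on
# 127.0.0.11, and two listeners bound to all interfaces (IPv4 and IPv6).
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.11:35233   *:*
LISTEN 0      128    127.0.0.1:3000     *:*
LISTEN 0      128    *:5555             *:*
LISTEN 0      128    [::]:8080          [::]:*
"""

DOCKER_DNS_STUB = ipaddress.ip_address("127.0.0.11")
# Matches '127.0.0.1:3000', '[::]:8080' and '*:5555'.
LOCAL_ADDR = re.compile(r"^\[?([^\]]*)\]?:(\d+)$")


def parse_ss_listeners(text):
    """Yield (address, port) for each LISTEN row of `ss -lnt` output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        match = LOCAL_ADDR.match(fields[3])
        if match:
            yield match.group(1), int(match.group(2))


def classify(address):
    """Return 'any', 'loopback' or 'specific' for a listener's bind address."""
    if address in ("*", "0.0.0.0", "::"):
        return "any"
    return "loopback" if ipaddress.ip_address(address).is_loopback else "specific"


def loopback_only_listeners(text):
    """Ports that only clients inside the same network namespace can reach.

    A published port (ports: in compose) forwards to the container's own
    interface address, so a socket bound to 127.0.0.1 never sees that
    traffic. 127.0.0.11 is Docker's embedded DNS resolver, not the app,
    and is left out of the report.
    """
    return [
        (address, port)
        for address, port in parse_ss_listeners(text)
        if classify(address) == "loopback"
        and ipaddress.ip_address(address) != DOCKER_DNS_STUB
    ]
```

Feed it the real output of the netshoot command shown above; an empty result means every application listener is reachable from the container's network.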

JetBrains/Teamtools in docker container "Could not listen on address 0.0.0.0 and port 443"

Problem
I'm trying to set up JetBrains Hub, Youtrack, Upsource and Teamcity in a docker container and configure each to be available on their own IP (macvlan) at the default ports 80 redirected to 443 and 443 for HTTPS (so the port numbers do not show up in the browser).
However if I do that I get:
Could not listen on address 0.0.0.0 and port 443
Leaving the teamtools on their default ports 8080 and 8443 works, and giving them ports over 2000 seems to work as well.
I checked with fuser 443/tcp and netstat -tulpn but there is nothing running on port 80 or 443. (had to install the packages for those in the container)
I tried setting the listening address to the NIC's IP or 172.0.0.1 but this is refused as well:
root#teamtools [ /opt/teamtools ]# docker run --rm -it \
    -v /opt/hub/data:/opt/hub/data \
    -v /opt/hub/conf:/opt/hub/conf \
    -v /opt/hub/logs:/opt/hub/logs \
    -v /opt/hub/backups:/opt/hub/backups \
    jetbrains/hub:2018.2.9840 \
    configure --listen-address=192.168.1.211
* Configuring JetBrains Hub 2018.2
* Setting property 'listen-address' to '192.168.1.211' from arguments
[APP-WRAPPER] Failed to configure Hub: java.util.concurrent.ExecutionException: com.jetbrains.bundle.exceptions.BadConfigurationException: Could not listen on address {192.168.1.211} . Please specify another listen address in property listen-address
Question:
Why can I not set ports 80 and 443?
Why does it work for ports over 2000?
How can I make this work without a reverse proxy?
(reverse-proxy comes with a whole bunch of other issues, that I'm trying to avoid with this setup)
Setup
ESXi 6.7 Host
- vSwitch0 (Allow promiscuous mode: Yes)
  - port group: VM Network (Allow promiscuous mode: No)
    - other VMs
  - port group: Promiscuous Ports (Allow promiscuous mode: Yes)
    - Teamtools VM (Photon OS 2.0, IP: 192.168.1.210)
      - firewall based on: https://unrouted.io/2017/08/15/docker-firewall/
      - docker/docker-compose
        - hub (IP: 192.168.1.211:80/443)
        - youtrack (IP: 192.168.1.212:80/443)
        - upsource (IP: 192.168.1.213:80/443)
        - teamcity-server (IP: 192.168.1.214:80/443)
        - teamcity_db (MariaDB 10.3) (IP: 192.168.1.215:3306)
docker-compose.yml
version: '2'
networks:
  macnet:
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1
services:
  hub:
    # set a custom container name so no more than one container can be created from this config
    container_name: hub
    image: "jetbrains/hub:2018.2.9840"
    restart: unless-stopped
    volumes:
      - /opt/hub/data:/opt/hub/data
      - /opt/hub/conf:/opt/hub/conf
      - /opt/hub/logs:/opt/hub/logs
      - /opt/hub/backups:/opt/hub/backups
      - /opt/teamtools:/opt/teamtools
    expose:
      - "80"
      - "443"
      - "8080"
      - "8443"
    networks:
      macnet:
        ipv4_address: 192.168.1.211
    domainname: office.mydomain.com
    hostname: hub
    environment:
      - "JAVA_OPTS=-J-Djavax.net.ssl.trustStore=/opt/teamtools/certs/keyStore.p12 -J-Djavax.net.ssl.trustStorePassword=xxxxxxxxxxxxxx"
  ...
Upsource is running by user jetbrans, which is non-root.
https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html
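Both this failure and the "cannot assign requested address" error from the Apache compose question earlier on the page come from the kernel's bind() call, so they can be reproduced and told apart without Docker. The probe below is an added example, not code from either thread; it assumes 192.0.2.1 (a TEST-NET-1 documentation address that no real host carries) as a stand-in for the unassigned 192.168.1.24, and uses port 0 to let the kernel pick a free port when only the address is under test.

```python
import errno
import socket


def probe_bind(host, port):
    """Try to bind a TCP socket to host:port and report why it failed.

    Returns 'ok', or one of:
      'address_not_available'  the IP is not assigned to any local interface
                               (the "cannot assign requested address" error)
      'permission_denied'      a port below 1024 without root or
                               CAP_NET_BIND_SERVICE
      'in_use'                 something already listens on that port
    Any other OSError is re-raised.
    """
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRNOTAVAIL:
                return "address_not_available"
            if exc.errno == errno.EACCES:
                return "permission_denied"
            if exc.errno == errno.EADDRINUSE:
                return "in_use"
            raise
    return "ok"


if __name__ == "__main__":
    # Port 0 lets the kernel pick a free port, so only the address is tested.
    print("127.0.0.1:0  ->", probe_bind("127.0.0.1", 0))
    # 192.0.2.1 is a TEST-NET-1 documentation address that no real host
    # carries, standing in for the 192.168.1.24 of the compose question.
    print("192.0.2.1:0  ->", probe_bind("192.0.2.1", 0))
    # Depends on who runs it: 'permission_denied' as an ordinary user such as
    # the non-root jetbrans user, 'ok' (or 'in_use') as root or with
    # CAP_NET_BIND_SERVICE.
    print("0.0.0.0:443  ->", probe_bind("0.0.0.0", 443))
```

Run it inside the container (docker exec) to see what the service's own user is allowed to bind, and on the host to confirm which addresses a ports: entry can actually use.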
