I start a container on a machine whose IP address is 47.foo.bar.bazz:
docker run -it -p 8888:8888 continuumio/miniconda3
And inside the container, port 8888 is opened by a Flask application:
python manage.py runserver -h 0.0.0.0 -p 8888
I can send an HTTP request to this port successfully with
curl "http://127.0.0.1:8888/api/v1/vocabulary?callback=zoo"
But when I use its IP it doesn't work, and I can't access it from a remote machine either:
curl "http://47.foo.bar.bazz:8888/api/v1/vocabulary?callback=zoo"
Here is some information:
netstat -aptn
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::80 :::* LISTEN 9211/docker-proxy
tcp6 0 0 :::8888 :::* LISTEN 28811/docker-proxy
tcp6 0 0 :::443 :::* LISTEN 9194/docker-proxy
Btw, I can curl port 80 successfully using the IP address.
Could anyone please point out what's wrong? How can I access it successfully from a remote machine?
I figured it out here. Maybe the port is blocked. On the other hand, I used nginx to forward my requests from 80 to 8888.
I am having trouble accessing a service that is running in a docker container (port 5005) from the internet over TCP.
The server is an Ubuntu AWS EC2 instance with port 5005 open in the security group (both v4 and v6 addressing).
The docker processes are running fine, appearing to map the port from inside its container to the ec2 instance.
ubuntu@ip-172-31-5-89:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
71e620ea2969 rasa/rasa-sdk:latest "./entrypoint.sh sta…" 15 minutes ago Up 15 minutes 0.0.0.0:5055->5055/tcp, :::5055->5055/tcp emma_action_server_1
533010182ca7 rasa/rasa:latest-full "rasa run --enable-a…" 15 minutes ago Up 15 minutes 0.0.0.0:5005->5005/tcp, :::5005->5005/tcp emma_rasa_1
(Yes, 5005 and 5055 are both valid ports and not a typo, but only 5005 should be exposed to the EC2 instance and up through the firewall out to the web.)
ufw appears to be signalling the port fine.
Status: active
To Action From
-- ------ ----
5005/tcp ALLOW Anywhere
5005 ALLOW Anywhere
22 ALLOW Anywhere
5005/tcp (v6) ALLOW Anywhere (v6)
5005 (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
and the EC2 instance appears to be listening fine:
ubuntu@ip-172-31-5-89:~$ sudo netstat -plunta | grep LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 561/systemd-resolve
tcp 0 0 0.0.0.0:5055 0.0.0.0:* LISTEN 6473/docker-proxy
tcp 0 0 0.0.0.0:5005 0.0.0.0:* LISTEN 6451/docker-proxy
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 810/sshd: /usr/sbin
tcp6 0 0 :::5055 :::* LISTEN 6480/docker-proxy
tcp6 0 0 :::5005 :::* LISTEN 6458/docker-proxy
tcp6 0 0 :::22 :::* LISTEN 810/sshd: /usr/sbin
Yet, when I try accessing public.IP.address:5005 with any online port checking tool, it says the port is closed. When I actually try to make a POST request via Postman, I get ETIMEDOUT, which I'm not sure is another way to say it's closed, or in fact it's just a timeout... but when I make the same POST request on the server, using local addressing, it works fine.
This works locally on EC2 (outside of the container):
curl -XPOST localhost:5005/webhooks/rest/webhook -d '{"message":"hi"}'
This doesn't work - ETIMEDOUT:
curl -XPOST publicIPAddressHere:5005/webhooks/rest/webhook -d '{"message":"hi"}'
The ACL and network appear to be set up correctly also.
When I run the reachability analyser, it works, but that's obviously coming from inside the network from the private IP address... 172... so the issue is clearly exposing the port to the world.
I was able to get this working by creating a fresh ec2 instance on its own VPC/ACL with the same configuration as above.
Not really an answer as it is a work-around - gremlins in the system.
Trying to use jupyter-notebook on a docker image (https://hub.docker.com/r/tensorflow/tensorflow), but having a problem where using the port-forwarded address in the browser just hangs with the (Chrome) home page stuck saying Waiting for 127.0.0... until it just times out.
The docker command being run looks like
➜ ~ docker run -it -p 8888:8888 --rm tensorflow/tensorflow:latest-devel-gpu-py3 jupyter-notebook --ip 0.0.0.0 --no-browser --allow-root
[I 04:26:44.023 NotebookApp] Writing notebook server cookie secret to /root/.local/share/jupyter/runtime/notebook_cookie_secret
[I 04:26:44.042 NotebookApp] Serving notebooks from local directory: /root
[I 04:26:44.043 NotebookApp] The Jupyter Notebook is running at:
[I 04:26:44.043 NotebookApp] http://(f1afd4b163fd or 127.0.0.1):8888/?token=5a838cefbd58822ce3de5a9ab00ed724bc6f9e048017125a
[I 04:26:44.043 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
[C 04:26:44.043 NotebookApp]
Copy/paste this URL into your browser when you connect for the first time,
to login with a token:
http://(f1afd4b163fd or 127.0.0.1):8888/?token=5a838cefbd58822ce3de5a9ab00ed724bc6f9e048017125a
(note, have also tried docker run -it -p 8888:8888 --rm tensorflow/tensorflow:latest-devel-gpu-py3 /run_jupyter.sh --allow-root to similar hanging results).
Checking docker ps shows
➜ ~ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2114609d6d9d tensorflow/tensorflow:latest-devel-gpu-py3 "jupyter-notebook --…" About a minute ago Up About a minute 6006/tcp, 0.0.0.0:8888->8888/tcp mystifying_liskov
Checking for a response via curl shows
➜ ~ curl -v http://127.0.0.1:8888/?token=5a838cefbd58822ce3de5a9ab00ed724bc6f9e048017125a
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
> GET /?token=5a838cefbd58822ce3de5a9ab00ed724bc6f9e048017125a HTTP/1.1
> Host: 127.0.0.1:8888
> User-Agent: curl/7.47.0
> Accept: */*
>
<at this point just hangs until I ctl+C out>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
and examining the ports shows
➜ ~ sudo netstat -plnt
[sudo] password for me:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1512/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2485/cupsd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 2284/smbd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1502/mysqld
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 2284/smbd
tcp 0 0 127.0.0.1:5037 0.0.0.0:* LISTEN 8558/adb
tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN 1006/unicorn.rb --h
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1954/monitorix-http
tcp6 0 0 :::22 :::* LISTEN 1512/sshd
tcp6 0 0 ::1:631 :::* LISTEN 2485/cupsd
tcp6 0 0 :::445 :::* LISTEN 2284/smbd
tcp6 0 0 :::8888 :::* LISTEN 32491/docker-proxy
tcp6 0 0 :::139 :::* LISTEN 2284/smbd
tcp6 0 0 :::80 :::* LISTEN 1846/apache2
Other posts I've seen seem to be people simply not forwarding the port that jupyter expects to use, but that does not seem to be the problem here. This occurs regardless of what docker image is used (so not just that particular image). If anyone has any ideas of what it could be or any debugging advice it would be appreciated.
Resolved the problem.
Restarted the host machine (note, this was the first time restarting since installing docker, but still did not work until...)
Ran sudo /etc/init.d/docker restart (Did this purely based on a hunch when skimming the troubleshooting docs here: https://docs.docker.com/toolbox/faqs/troubleshoot/#configure-http-proxy-settings-on-docker-machines).
Then the docker run ... statement from the posted question worked and can now reach the forwarded port on host machine and can curl the address. An Ubuntu notification popped up saying "Wired connection established".
This is a bit of a lame answer, but it's what worked for me. Oddly, it seems I have to rerun the sudo /etc/init.d/docker restart statement sometimes to get docker containers to open. Will try to figure out a bit more about what exactly was going on here, but if anyone with more experience thinks they know what may have been happening, please do let us know.
I'm trying to configure the docker daemon so I can connect to it from inside the docker containers I start.
So I changed /etc/docker/daemon.json to
{
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
So that I can connect to it through the docker bridge. However, when I restart docker I get
netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 3728/mysqld
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 24253/redis-server
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3756/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3634/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3756/nginx
tcp6 0 0 :::8010 :::* LISTEN 4230/apache2
tcp6 0 0 :::9200 :::* LISTEN 26824/java
tcp6 0 0 :::9300 :::* LISTEN 26824/java
tcp6 0 0 :::22 :::* LISTEN 3634/sshd
tcp6 0 0 :::2375 :::* LISTEN 1955/dockerd
So first I thought the issue was the fact that it was listening on IPv6, not IPv4, and according to
Make docker use IPv4 for port binding
it should all still work, but it doesn't. When I try
telnet 172.17.0.1(docker host) 2375
it fails to connect while
telnet 172.17.0.1(docker host) 80
works. How can I connect to docker running on the host machine? I'm running on Ubuntu 14.04.5, docker Version: 17.06.2-ce
You can start your containers with the host docker socket mounted into them.
docker run -v /var/run/docker.sock:/var/run/docker.sock ...
With this setup, Docker clients inside the containers will be using the Docker daemon from the host. Your containers will be able to build, run, push etc. using the daemon running on the host. Please note that with this setup everything is happening on the host, so if you start new containers they will be “sibling” containers.
EDIT
If you are using the bridge network, you can connect to any service running on the host machine using the host IP address.
For example, I have mysqld running on my host with IP 10.0.0.1 and from a container I can do
mysql -u user -p -h 10.0.0.1
The trick is to find out the host IP address from containers.
In Docker for Mac (I am running version 17.07.0) it is as simple as connecting to the special host "docker.for.mac.localhost".
Another option is to add an alias IP to your loopback interface
sudo ifconfig lo0 alias 192.168.1.1
And then, when running containers, add a host for this alias IP
docker run --rm -ti --add-host host-machine:192.168.1.1 mysql:5.7 bash
With this setup, inside the container you should be able to do
mysql -u user -p -h host-machine
This answer may be a bit late, but it's better late than never as we never can tell who may be experiencing a similar problem. I just fixed it by disabling the unnecessary ufw rule blocking the internal communication.
Example:
sudo ufw allow from <IP address or range> to any port [desired port]
sudo ufw allow from 172.16.0.0/12 to any port 3421
As for me, I disabled the UFW service totally using the command below.
sudo ufw disable
I run an HTTPS web service from a docker container set up on Vbox. Here is my config:
Vbox
Docker
Unfortunately, https://127.0.0.1 is not accessible.
The output of the command docker run -it --rm --net=container:$cont_id --pid=container:$cont_id busybox netstat -lntp is:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 21/sshd
tcp 0 0 127.0.0.1:444 0.0.0.0:* LISTEN 319/node
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN 315/python
tcp 0 0 :::22 :::* LISTEN 21/sshd
tcp 0 0 :::443 :::* LISTEN 319/node
I can't figure out where I'm going wrong (I am still a beginner in port forwarding and networking). Any help appreciated, thanks!
I have started a docker container using the command
sudo docker run -it -P -d plcdimage
The image is built using a Dockerfile which has the instruction EXPOSE 8080. The container runs a JBoss server with an application deployed on it. Port mappings are:
Command: sudo docker port be1837e849dc
Output: 8080/tcp -> 0.0.0.0:32771
When I try to access the web application running on JBoss in the container from the mapped host port using the URL:
http://IPAddressOfHost:32771/
I get a connection refused error. Following is the result of the command "netstat -tulpn"
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::9999 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::32771 :::* LISTEN -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
I tried doing telnet hostip 32771 and it also results in connection refused.
Docker version 1.12.1
build 23cf638
What could be the possible reason for this?
Thanks in advance
I found that the JBoss server running inside the container was not listening on 0.0.0.0. One option to fix this is to use -b 0.0.0.0 while starting the standalone server.
/bin/standalone.sh -b 0.0.0.0
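The bind-address diagnosis in the JBoss answer above, and the dockerd listener on :::2375 in the earlier daemon.json question, can both be read mechanically from netstat output. The following is an added example, not code from any of the posts; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original posts. Classifies LISTEN sockets in
# `netstat -lntp` output by bind scope. Function names are hypothetical.

# Prints "<scope> <port> <pid/program>" for every listening TCP socket on stdin.
classify_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, p, ":"); port = p[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host ~ /^127\./ || host == "::1") scope = "loopback"
        else if (host == "0.0.0.0" || host == "::") scope = "wildcard"
        else scope = "specific"
        print scope, port, $7
    }'
}

# Ports that listen ONLY on loopback. Run on output taken inside the container:
# `docker run -p` cannot reach these, because published traffic arrives on the
# container's network interface, not on lo.
loopback_only_ports() {
    classify_listeners | awk '
        $1 == "loopback" { lo[$2] = 1 }
        $1 != "loopback" { other[$2] = 1 }
        END { for (port in lo) if (!(port in other)) print port }' | sort -n
}

# Docker daemon TCP listeners bound to every interface (as with
# tcp://0.0.0.0:2375). Without TLS, any client that can reach the port
# controls the daemon, so this is worth flagging on a host listing.
wildcard_dockerd_ports() {
    classify_listeners | awk '$1 == "wildcard" && $3 ~ /\/dockerd$/ { print $2 }' | sort -nu
}

# Constructed sample input, modelled on the netstat listings quoted in the posts.
CONTAINER_SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 21/sshd
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN 315/python
tcp 0 0 127.0.0.1:444 0.0.0.0:* LISTEN 319/node
tcp 0 0 :::443 :::* LISTEN 319/node'
HOST_SAMPLE='tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 3728/mysqld
tcp6 0 0 :::8888 :::* LISTEN 28811/docker-proxy
tcp6 0 0 :::2375 :::* LISTEN 1955/dockerd'

printf 'loopback-only in container: %s\n' "$(printf '%s\n' "$CONTAINER_SAMPLE" | loopback_only_ports | tr '\n' ' ')"
printf 'dockerd on all interfaces:  %s\n' "$(printf '%s\n' "$HOST_SAMPLE" | wildcard_dockerd_ports | tr '\n' ' ')"
```

To check a live container, pipe the output of the `docker run --net=container:$cont_id ... busybox netstat -lntp` command quoted earlier into `loopback_only_ports`; pipe the host's own `netstat -lntp` into `wildcard_dockerd_ports`.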