I see lot of similar network issues for docker but nothing that helps me understand what's wrong here and how to solve it.
Basically I do a curl to the public IP from the container and is not able to reach the server:
from the host (I've replaced the IP by XXX for security reasons):
root#vultr ~]# curl http://207.246.XXX.XXX -vvvv
* About to connect() to 207.246.XXX.XXX port 80 (#0)
* Trying 207.246.XXX.XXX...
* Connected to 207.246.XXX.XXX (207.246.XXX.XXX) port 80 (#0)
> GET / HTTP/1.1
[root#vultr ~]# curl http://google.com -vvvv
* About to connect() to google.com port 80 (#0)
* Trying 2607:f8b0:4008:80e::200e...
* Connected to google.com (2607:f8b0:4008:80e::200e) port 80 (#0)
> GET / HTTP/1.1
from the container:
bash-4.4# curl http://207.246.XXX.XXX -vvvv
* Rebuilt URL to: http://207.246.XXX.XXX/
* Trying 207.246.XXX.XXX...
* TCP_NODELAY set
* connect to 207.246.XXX.XXX port 80 failed: Host is unreachable
* Failed to connect to 207.246.XXX.XXX port 80: Host is unreachable
* Closing connection 0
curl: (7) Failed to connect to 207.246.XXX.XXX port 80: Host is unreachable
bash-4.4# curl http://google.com -vvvv
* Rebuilt URL to: http://google.com/
* Trying 172.217.3.78...
* TCP_NODELAY set
* Connected to google.com (172.217.3.78) port 80 (#0)
> GET / HTTP/1.1
I would like to understand what's going on exactly, how do I configure docker correctly to resolve the IP and access the url same way the host is doing it.
Thanks
Related
Whenever I try to use curl in my docker container I'm getting the following error:
root#01f9a4b98e94:/# curl -v google.com
* Rebuilt URL to: google.com/
* Trying 172.17.0.1...
* TCP_NODELAY set
* connect to 172.17.0.1 port 9999 failed: Connection refused
* Failed to connect to 172.17.0.1 port 9999: Connection refused
* Closing connection 0
I've tried using --ipv4 option as well and getting the same result. I'm only having this issue when running my node image and not in any of my other containers:
docker run -it --rm node:13 /bin/bash
My host IP address is 172.17.0.1 and I'm not sure why its trying to connect to my host on port 9999. Pinging google.com is working just fine:
root#b1922f6cac72:/# ping google.com
PING google.com (142.250.204.14) 56(84) bytes of data.
64 bytes from syd09s25-in-f14.1e100.net (142.250.204.14): icmp_seq=1 ttl=116 time=35.3 ms
I have Keycloak 14 running and would like to scrape metrics data from it.
So I configured Prometheus to scrape http://KEYCLOAK_HOST:9990/metrics. Unfortunately this gives me a "Connection refused".
When I try to connect from another host manually I get the same:
user#host:/$ curl -vvv 10.244.3.154:9990/metrics
* Expire in 0 ms for 6 (transfer 0x5566ecabbfb0)
* Trying 10.244.3.154...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5566ecabbfb0)
* connect to 10.244.3.154 port 9990 failed: Connection refused
* Failed to connect to 10.244.3.154 port 9990: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 10.244.3.154 port 9990: Connection refused
user#host:/$
In fact I get this error on all paths on the management port. Even on those, that do not exist:
user#host:/$ curl -vvv 10.244.3.154:9990/some_endpoint
* Expire in 0 ms for 6 (transfer 0x55eea4059fb0)
* Trying 10.244.3.154...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55eea4059fb0)
* connect to 10.244.3.154 port 9990 failed: Connection refused
* Failed to connect to 10.244.3.154 port 9990: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 10.244.3.154 port 9990: Connection refused
user#host:/$
From within the Keycloak host it works fine:
bash-4.4$ curl -vvv localhost:9990/metrics
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9990 (#0)
> GET /metrics HTTP/1.1
> Host: localhost:9990
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Connection: keep-alive
...
bash-4.4$
It only works on localhost though:
bash-4.4$ hostname -I
10.244.3.154
bash-4.4$ curl -vvv 10.244.3.154:9990/metrics
* Trying 10.244.3.154...
* TCP_NODELAY set
* connect to 10.244.3.154 port 9990 failed: Connection refused
* Failed to connect to 10.244.3.154 port 9990: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 10.244.3.154 port 9990: Connection refused
bash-4.4$
So I assume Keycloak is not providing the management endpoints "to the outside world". But how can I enable it?
I'm using the codecentric Helm chart for deployment (https://github.com/codecentric/helm-charts/tree/master/charts/keycloak). I'm running Keycloak 14.0.0 right now, but had the same issue with 15.x (cannot update right now due to a bug).
Thanks in advance!
Found in the documentation of the Helm chart, that I had to enable it by setting the env variable KEYCLOAK_STATISTICS to all.
https://github.com/codecentric/helm-charts/tree/master/charts/keycloak#prometheus-metrics-support
So, I have minikube 0.16.0 installed
Also istio 1.7.3
So I do envoy sidecars on each deployment I do, as per with command kubectl label namespace default istio-injection=enabled
Now, coming to the question, I'm not able to do any curl from inside any pod whatsoever, even from sleep-diag, I always get request timed out message, but it does work for non secure http
For example while installing jenkins, I try to curl against this url with no success:
bash-5.0# curl -v https://updates.jenkins.io/current/update-center.json
* Trying 92.242.132.16:443...
* TCP_NODELAY set
* connect to 92.242.132.16 port 443 failed: Operation timed out
* Failed to connect to updates.jenkins.io port 443: Operation timed out
* Closing connection 0
curl: (28) Failed to connect to updates.jenkins.io port 443: Operation timed out
But even if I try let's say:
bash-5.0# curl -v https://www.google.com
* Trying 92.242.132.16:443...
* TCP_NODELAY set
* connect to 92.242.132.16 port 443 failed: Operation timed out
* Failed to connect to www.google.com port 443: Operation timed out
* Closing connection 0
curl: (28) Failed to connect to www.google.com port 443: Operation timed out
While I'm able to outside of any pod in my local cluster, any ideas on this?
For example, tried installing jenkins like this, with helm:
helm install --set Master.ServiceType=ClusterIP jenkins/jenkins --generate-name
Obviously it will fail because I cannot access any https from my local cluster, even specifying NodePort I have the same issue:
helm install --set Master.ServiceType=NodePort jenkins/jenkins --generate-name
Any ideas?
Inside a docker container I create the following tunnel in an interactive shell:
ssh -4 root#remotehost.com -L 8443:127.0.0.1:80
In another shell on the same container I can successfully run the following:
curl http://localhost:8443
The server (remotehost.com) does respond with HTML content.
(Note: I'm using plain HTTP for now to make it easier to debug. In the end I need to be using HTTPS, that's why I choose the local port to be 8443.)
This docker container does expose its port 8443:
# docker port be68e57bc3e0
8443/tcp -> 0.0.0.0:8443
But when I try to connect from the host to that port I get the following:
# curl --verbose http://localhost:8443
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8443 (#0)
> GET / HTTP/1.1
> Host: localhost:8443
> User-Agent: curl/7.64.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server
* Closing connection 0
Here I'm lost. Why doesn't it behave exactly the same way as when connecting from inside the container? Am I misunderstanding something about SSH tunnels?
The solution was to add the -g flag to the ssh line that creates the tunnel.
I know this error has been posted before on StackOverflow and many solutions/answers are available too. But, I've already gone through all those answers and couldn't find any viable solution for me.
I'm running a Hyperledger Fabric network with single peer and orderer. Their Docker containers have exposed the following ports. 7051:7051 & 7053:7053 on peer, 7050:7050 on orderer. I'm trying to configure Prometheus to analyse the metrics by following the official documentation .
As mentioned in the documentation, I'm exposing my local machine's 9443 port to port 9443 of peer docker container by mapping it as 9443:9443 in ports section of docker-compose.yaml. When I run curl 0.0.0.0:9443, I get curl: (56) Recv failure: Connection reset by peer error.
However, when I run the command curl 0.0.0.0:9443/logspec in my peer container I get the desired result which is {"spec":"info"}. The two commands mentioned above are different but I've also tried running the command curl 0.0.0.0:9443/logspec in my local machine to which I got the same error response.
Running the command curl -v 0.0.0.0:9443 results in following response.
* About to connect() to 0.0.0.0 port 9443 (#0)
* Trying 0.0.0.0...
* Connected to 0.0.0.0 (0.0.0.0) port 9443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 0.0.0.0:9443
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
I read in many of the answers that I might be a firewall issue. But even after disabling my firewall using the command systemctl disable firewalld, it's not working.
cat etc/os-release response
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
curl --version response
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.34 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
I request you not to mark this question as duplicate as I've already gone through all the possible scenarios mentioned here.
First of all please check if there is firewall. Disable it.
Then remove the IP address provided in core.yaml file in operations tab. So that line will look like a below:
operations:
# host and port for the operations server
listenAddress: :9443
This change worked for me.