I've upgraded the Docker Kong image to the version 0.14.0 and it stopped responding to connections from outside the container:
$ curl 127.0.0.1:8001 --trace-ascii dump.txt
== Info: Rebuilt URL to: 127.0.0.1:8001/
== Info: Trying 127.0.0.1...
== Info: Connected to 127.0.0.1 (127.0.0.1) port 8001 (#0)
=> Send header, 78 bytes (0x4e)
0000: GET / HTTP/1.1
0010: Host: 127.0.0.1:8001
0026: User-Agent: curl/7.47.0
003f: Accept: */*
004c:
== Info: Recv failure: Connection reset by peer
== Info: Closing connection 0
The ports mapping is
0.0.0.0:8000-8001->8000-8001/tcp, 0.0.0.0:8443-8444->8443-8444/tcp
Everything is ok when trying to connect from inside the container:
/ # curl 127.0.0.1:8001
{"plugins":{"enabled_in_cluster":[], ...
Port 8000 is available from outside and inside the container. What can that be?
I have encountered the same issue. The reason is the kong admin configuration set to loopback address by default. But I didn't modify the configuration file. Since Kong Docker Image providing an environment variable to expose the admin port.
KONG_ADMIN_LISTEN="0.0.0.0:8001, 0.0.0.0:8444 ssl"
This bind the admin port to the host machine port
The problem was in the binding of the admin server to localhost in /usr/local/kong/nginx-kong.conf
server {
server_name kong_admin;
listen 127.0.0.1:8001;
listen 127.0.0.1:8444 ssl;
...
I've added the following code into my custom entrypoint which removes this binding just before starting nginx:
echo "Remove the admin API localhost binding..."
sed -i "s|^\s*listen 127.0.0.1:8001;|listen 0.0.0.0:8001;|g" /usr/local/kong/nginx-kong.conf && \
sed -i "s|^\s*listen 127.0.0.1:8444 ssl;|listen 0.0.0.0:8444 ssl;|g" /usr/local/kong/nginx-kong.conf
echo "Starting nginx $PREFIX..."
exec /usr/local/openresty/nginx/sbin/nginx \
-p $PREFIX \
-c nginx.conf
Of course the admin ports must be closed in production some other way.
Related
OS: Ubuntu 20.04 LTS
Docker version 20.10.7, build 20.10.7-0ubuntu1~20.04.2
Tried this (minimal way to reproduce), the previous day it works normally:
docker run --name nginx1 -p 8089:80 -d nginx:alpine
Works normally:
docker ps
CONTAINER ID IMAGE COMMAND CREATED
74faabf44b8e nginx:alpine "/docker-entrypoint.…" 5 minutes ago
STATUS PORTS NAMES
Up 5 minutes 0.0.0.0:8089->80/tcp, :::8089->80/tcp nginx1
curl inside docker works:
docker exec -it 74faabf44b8e sh
/ # curl localhost
<!DOCTYPE html>
<html>
<head>
....
But when accessed from the host:
netstat -antpel | grep 8089
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 0 82748695 -
tcp6 0 0 :::8089 :::* LISTEN 0 82751546 -
curl -v localhost:8089
* Trying 127.0.0.1:8089...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8089 (#0)
> GET / HTTP/1.1
> Host: localhost:8089
> User-Agent: curl/7.68.0
> Accept: */*
>
--> stuck without a response, after a while:
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
What's the possible cause of this?
This also doesn't work for another container (PostgreSQL), seems the docker-proxy does not forward back the response from docker?
already tried:
reinstall docker.io
delete all containers and re-create
docker network prune
Ubuntu version: 22.04 LTS
Docker version: 20.10.17, build 100c701
Installation procedure: https://docs.docker.com/engine/install/ubuntu/
I am encountering the same problem as you on more recent versions of Ubuntu & Docker: Everything seems to be working fine except that the host is not able to reach the container on port, as defined by the -p <docker-host-port>:<docker-container-port> option.
curl http://localhost:<port> works from within the container, but not from outside despite port binding ...
I tried to restart docker daemon, restart machine, remove container, recreate container, remove image, recreate image, uninstall completely docker, reinstall docker from scratch. I just don't understand why Docker is acting funky like this on this specific instance (Ubuntu 22.04 + Docker).
Inside a docker container I create the following tunnel in an interactive shell:
ssh -4 root#remotehost.com -L 8443:127.0.0.1:80
In another shell on the same container I can successfully run the following:
curl http://localhost:8443
The server (remotehost.com) does respond with HTML content.
(Note: I'm using plain HTTP for now to make it easier to debug. In the end I need to be using HTTPS, that's why I choose the local port to be 8443.)
This docker container does expose its port 8443:
# docker port be68e57bc3e0
8443/tcp -> 0.0.0.0:8443
But when I try to connect from the host to that port I get the following:
# curl --verbose http://localhost:8443
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8443 (#0)
> GET / HTTP/1.1
> Host: localhost:8443
> User-Agent: curl/7.64.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server
* Closing connection 0
Here I'm lost. Why doesn't it behave exactly the same way as when connecting from inside the container? Am I misunderstanding something about SSH tunnels?
The solution was to add the -g flag to the ssh line that creates the tunnel.
I installed the latest HDP into the docker container.
docker ps
>hortonworks/sandbox-proxy:1.0
>hortonworks/sandbox-hdp:3.0.1
Kafka broker is running at 6667 port that it's working fine.
>ssh hdfs#sandbox-hdp.hortonworks.com -p 2222
> echo "send test message" | kafka-console-producer.sh --broker-list sandbox-hdp.hortonworks.com:6667 --topic hotelReservation > /dev/null
>kafka-console-consumer.sh --bootstrap-server sandbox-hdp.hortonworks.com:6667 --topic test --from-beginning
The only problem is that I don't have access to the Kafka broker outside the docker container.
More information for troubleshooting:
I verified that all the ports are open local machine -> proxy -> hdp
HDP Server:
hostname -I
172.18.0.2
netstat -vatn | grep 6667
tcp 0 0 172.18.0.2:6667 0.0.0.0:* LISTEN
Proxy Server
hostname -I
172.18.0.3
nmap 172.18.0.2 -p 6667
6667/tcp open irc
netstat -vatn | grep 6667
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN
My Local machine:
nmap sandbox-hdp.hortonworks.com -p 6667
Host is up (0.000064s latency).
rDNS record for 127.0.0.1: localhost
PORT STATE SERVICE
6667/tcp open irc
Note: 6668 is open too.
included default stream conf (/etc/nginx/conf/stream.d/tcp-hdp.conf):
server {
listen 6668;
proxy_pass sandbox-hdp:6667;
}
So I decided to create new config the http: /etc/nginx/conf/stream.d/tcp-hdp.conf
server {
listen 6667;
server_name sandbox-hdp.hortonworks.com;
location / {
proxy_pass http://sandbox-hdp:6667;
}
}
Note: I read (here) that I should use advertised.listeners to access broker outside the doctor:
>listeners=PLAINTEXT://0.0.0.0:6667
>advertised.listeners=PLAINTEXT://172.18.0.2:6667
but I 'm sure that's incorrect for my case. I have access in this network, the problem is some type of Nginx mapping only.
Solution:
Run the following command to find hortonworks/sandbox-proxy container id.
docker ps
Log in to the proxy server
docker exec -it CONTAINER_ID /bin/bash
add new mapping in the nginx
cd /etc/nginx/conf.stream.d
vim tcp-hdp.conf
config:
server {
listen 6667;
proxy_pass sandbox-hdp:6667;
}
reload nginx mapping:
/etc/init.d/nginx reload
Test:
> ./kafka-console-consumer.sh --bootstrap-server localhost:6668 --topic topicName --from-beginning
> echo "msg" | ./kafka-console-producer.sh --broker-list sandbox-hdp.hortonworks.com:6668 --topic topicName > /dev/nul
The problem was that 6667:6667 mapping was missing. Now brokers are access both 6667 and 6668 ports.
I have a dockerized Python app that outputs data on port 8080 and port 8081.
I am running the code on a Ubuntu system.
$ docker version | grep Version
Version: 18.03.1-ce
The app responds on port 8080
$ curl -k localhost:8080 | tail -4
-->
TYPE hello_world_total counter
hello_world_total 3.0
TYPE hello_world_created gauge
hello_world_created 1.5617357381235116e+09
The app returns an ERROR on port 8081
$ curl -k localhost:8081
curl: (56) Recv failure: Connection reset by peer
Although I am not familiar with netstat, I used it to check that ports 8080 and 8081 were both in the LISTEN state ...
root#1d1ac2974893:/# netstat -apn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1/python3
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN 1/python3
tcp 0 0 172.17.0.2:58220 16.46.41.11:8080 TIME_WAIT -
tcp 0 0 172.17.0.2:58218 16.46.41.11:8080 TIME_WAIT -
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
root#1d1ac2974893:/#
My Dockerfile looks as follows ...
$ cat Dockerfile
FROM python:3
RUN pip3 install prometheus_client
COPY sampleapp.py /src/sampleapp.py
EXPOSE 8081
CMD [ "python3", "/src/sampleapp.py" ]
When I run the application, I map both ports 8080 and 8081 from the Docker container to the same ports on the host as follows ...
$ docker run -p 8081:8081 -p 8080:8080 sampleapp
If I go into the Container and repeat the above curl commands, they work as I expect.
root#1d1ac2974893:/# curl -k localhost:8081 | tail -4
TYPE hello_world_total counter
hello_world_total 3.0
TYPE hello_world_created gauge
hello_world_created 1.5617357381235116e+09
root#1d1ac2974893:/#
AND
$ docker exec -it 1d1ac2974893 /bin/bash
root#1d1ac2974893:/# curl -k localhost:8081
Hello World
SO
the question is why the latter curl command does NOT work from the host system.
$ curl -k localhost:8081
curl: (56) Recv failure: Connection reset by peer
Solution was as follows
Expose both ports in the Dockerfile
$ grep EXPOSE Dockerfile
EXPOSE 8080
EXPOSE 8081
Use 0.0.0.0 rather than 127.0.0.1
import http.server
from prometheus_client import start_http_server
from prometheus_client import Counter
HOST='0.0.0.0'
HELLO_WORLD_PORT=8080
HELLO_WORLD_METRICS_PORT=8081
REQUESTS = Counter('hello_world_total', 'Hello World Requested')
class MyHandler(http.server.BaseHTTPRequestHandler):
def do_GET(self):
REQUESTS.inc()
self.send_response(200)
self.end_headers()
self.wfile.write(b"Hello World\n")
if name == "main":
start_http_server(HELLO_WORLD_METRICS_PORT)
server = http.server.HTTPServer((HOST, HELLO_WORLD_PORT), MyHandler)
server.serve_forever()
Contaainer now gives the expected results when run from the host
$ curl -k localhost:8080
Hello World
$
$ curl -k localhost:8081 | tail -4
...
# TYPE hello_world_total counter
hello_world_total 1.0
# TYPE hello_world_created gauge
hello_world_created 1.5619773258069074e+09
$
Xref :- Docker Rails app fails to be served - curl: (56) Recv failure: Connection reset by peer
for details of a similar issue
I'm not able to access docker port 8080 from the host machine. We have a docker container with a React application. We are able to get the landing page from inside the container but not from the host.
From the container:
root#d4947f7b1710:/# wget localhost:8080
--2019-04-01 19:38:00-- http://localhost:8080/
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 492 [text/html]
Saving to: 'index.html'
index.html 100%[===============================================================================================>] 492 --.-KB/s in 0s
2019-04-01 19:38:00 (49.5 MB/s) - 'index.html' saved [492/492]
From the host:
wget localhost:8000
--2019-04-01 19:38:59-- http://localhost:8000/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8000... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.Retrying.
Also tried wget 0.0.0.0:8000 but got the same result.
The ports seem to be mapped correctly:
docker port d4947f7b1710
8080/tcp -> 0.0.0.0:8000
Command used to start the container:
docker run -d -p 8000:8080 <docker repo>:<version>
It might be that you inverted the ports from what I see in the last part of your post