How can I fix network for docker in kubernetes? - docker

I have a Kubernetes cluster and use a Jenkins pipeline:
podTemplate(label: 'pod-golang', containers: [
    containerTemplate(name: 'golang', image: 'golang:latest', ttyEnabled: true, command: 'cat'),
    containerTemplate(name: 'docker', image: 'docker:17.11-dind', ttyEnabled: true, command: 'cat'),
  ],
  volumes: [hostPathVolume(hostPath: '/var/run/docker.sock', mountPath: '/var/run/docker.sock')]
) {
  node('pod-golang') {
    def app
    String applicationName = "auth"
    String buildNumber = "0.1.${env.BUILD_NUMBER}"

    stage 'Checkout'
    checkout scm

    container('docker') {
      stage 'Create docker image'
      app = docker.build("test/${applicationName}")
    }
  }
}
When I run the "docker build" command in the newly created container, the network does not work:
Step 1/6 : FROM alpine:latest
---> e21c333399e0
Step 2/6 : RUN apk --no-cache add ca-certificates
---> Running in 8483bb918ee8
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
WARNING: Ignoring http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz: operation timed out
EXITCODE 0
WARNING: Ignoring http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz: operation timed out
If I use the "docker run" command on the host machine, I see that the network does not work properly in a "manually" started docker image either:
root@node2:~/tmp# docker run --rm -it alpine ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
14 packets transmitted, 0 packets received, 100% packet loss
root@node2:~/tmp# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=12.9 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=12.9 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 12.927/12.943/12.960/0.114 ms
But when I use a pod from kubectl, everything works.
How can I fix that?

Open another window, run the tcpdump -vvv host 8.8.8.8 command and see whether traffic is going out.
Here is my host's output.
# tcpdump -vvv host 8.8.8.8
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
18:36:35.142633 IP (tos 0x0, ttl 63, id 2091, offset 0, flags [DF], proto ICMP (1), length 84)
webserver > google-public-dns-a.google.com: ICMP echo request, id 256, seq 0, length 64
18:36:35.170475 IP (tos 0x0, ttl 55, id 18270, offset 0, flags [none], proto ICMP (1), length 84)
google-public-dns-a.google.com > webserver: ICMP echo reply, id 256, seq 0, length 64
18:36:36.146145 IP (tos 0x0, ttl 63, id 2180, offset 0, flags [DF], proto ICMP (1), length 84)
webserver > google-public-dns-a.google.com: ICMP echo request, id 256, seq 1, length 64
# docker run --rm -it alpine ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=54 time=30.720 ms
64 bytes from 8.8.8.8: seq=1 ttl=54 time=25.576 ms
64 bytes from 8.8.8.8: seq=2 ttl=54 time=28.464 ms
64 bytes from 8.8.8.8: seq=3 ttl=54 time=33.860 ms
64 bytes from 8.8.8.8: seq=4 ttl=54 time=25.525 ms

Related

How to CNAME a domain to "host.docker.internal"?

I know "host.docker.internal" points to the host running docker daemon. I'd like to achieve the following:
services:
  xx:
    extra_hosts: ["example.com:host.docker.internal"]
But I can only use a specific IP address in extra_hosts.
My question: Is there a way to do this?
If your docker version is above 20.04, then you could use the following:
extra_hosts:
  - "host.docker.internal:host-gateway"
For details, see this.
Then you could use host.docker.internal to communicate with the host, e.g.:
$ docker run --rm -it --add-host=host.docker.internal:host-gateway debian:10 ping -c 4 host.docker.internal
PING host.docker.internal (172.17.0.1) 56(84) bytes of data.
64 bytes from host.docker.internal (172.17.0.1): icmp_seq=1 ttl=64 time=0.064 ms
64 bytes from host.docker.internal (172.17.0.1): icmp_seq=2 ttl=64 time=0.094 ms
64 bytes from host.docker.internal (172.17.0.1): icmp_seq=3 ttl=64 time=0.094 ms
64 bytes from host.docker.internal (172.17.0.1): icmp_seq=4 ttl=64 time=0.095 ms
--- host.docker.internal ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 74ms
rtt min/avg/max/mdev = 0.064/0.086/0.095/0.017 ms

Unable to access ports from services across nodes in overlay network in swarm mode

I use the following compose file for stack deployment:
version: '3.8'
x-deploy: &Deploy
  replicas: 1
  placement: &DeployPlacement
    max_replicas_per_node: 1
  restart_policy:
    max_attempts: 15
    window: 60s
  resources: &DeployResources
    reservations: &DeployResourcesReservations
      cpus: '0.05'
      memory: 10M
services:
  serv1:
    image: alpine
    networks:
      - test_nw
    deploy:
      <<: *Deploy
    entrypoint: ["tail", "-f", "/dev/null"]
  serv2:
    image: nginx
    networks:
      - test_nw
    deploy:
      <<: *Deploy
      placement:
        <<: *DeployPlacement
        constraints:
          - "node.role!=manager"
    expose: # deprecated, but I leave it here anyway
      - "80"
networks:
  test_nw:
    name: test_nw
    driver: overlay
For the sake of convenience, I'll use test_serv1 running via container1 on host1 and test_serv2 running via container2 on host2 for the rest of this post, since the actual host and container names keep changing for me.
When I get into the shell of test_serv1, the following happens when I ping serv2:
ubuntu@host1:~$ sudo docker exec -it test_serv1.1.container1 ash
/ # ping serv2
PING serv2 (10.0.7.5): 56 data bytes
64 bytes from 10.0.7.5: seq=0 ttl=64 time=0.084 ms
However, the IP of container2, as indicated when inspecting container2, is 10.0.7.6:
ubuntu@host2:~$ sudo docker inspect test_serv2.1.container2
[
    {
        ****************
        "NetworkSettings": {
            "Bridge": "",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "80/tcp": null
            },
            ****************
            "Networks": {
                "test_nw": {
                    "IPAMConfig": {
                        "IPv4Address": "10.0.7.6"
                    },
                    "Links": null,
                    "Aliases": [
                        "80c06bb29a42"
                    ],
                    "NetworkID": "sp56aiqxnt56yglsd8mc1zqpv",
                    "EndpointID": "dac52f1d7fa148f5acac20f89d6b709193b3c11fc90201424cd052785121e706",
                    "Gateway": "",
                    "IPAddress": "10.0.7.6",
                    "IPPrefixLen": 24,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:0a:00:07:06",
                    ****************
                }
            }
        }
    }
]
I can see that container2 is listening on port 80 on all interfaces and by itself can ping both 10.0.7.5 and 10.0.7.6 (!!), and can access port 80 on both ips (!!).
ubuntu@host2:~$ sudo docker exec -it test_serv2.1.container2 bash
root@80c06bb29a42:/# ping 10.0.7.5
PING 10.0.7.5 (10.0.7.5) 56(84) bytes of data.
64 bytes from 10.0.7.5: icmp_seq=1 ttl=64 time=0.093 ms
64 bytes from 10.0.7.5: icmp_seq=2 ttl=64 time=0.094 ms
^C
--- 10.0.7.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 8ms
rtt min/avg/max/mdev = 0.093/0.093/0.094/0.009 ms
root@80c06bb29a42:/# ping 10.0.7.6
PING 10.0.7.6 (10.0.7.6) 56(84) bytes of data.
64 bytes from 10.0.7.6: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from 10.0.7.6: icmp_seq=2 ttl=64 time=0.059 ms
64 bytes from 10.0.7.6: icmp_seq=3 ttl=64 time=0.053 ms
^C
--- 10.0.7.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 50ms
rtt min/avg/max/mdev = 0.035/0.049/0.059/0.010 ms
root@80c06bb29a42:/# netstat -tuplen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 33110 1/nginx: master pro
tcp 0 0 127.0.0.11:35491 0.0.0.0:* LISTEN 0 32855 -
tcp6 0 0 :::80 :::* LISTEN 0 33111 1/nginx: master pro
udp 0 0 127.0.0.11:43477 0.0.0.0:* 0 32854 -
root@80c06bb29a42:/# curl 10.0.7.5:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
nginx.org.<br/>
Commercial support is available at
nginx.com.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@80c06bb29a42:/# curl 10.0.7.6:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
nginx.org.<br/>
Commercial support is available at
nginx.com.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@80c06bb29a42:/#
However, when I try the following from container1, I simply want to throw my laptop at a wall since I am unable to figure out how no one else faced such an issue and/or posted such a question :/
ubuntu@host1:~$ sudo docker exec -it test_serv1.1.container1 ash
/ # ping serv2
PING serv2 (10.0.7.5): 56 data bytes
64 bytes from 10.0.7.5: seq=0 ttl=64 time=0.084 ms
64 bytes from 10.0.7.5: seq=1 ttl=64 time=0.086 ms
^C
--- serv2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.084/0.085/0.086 ms
/ # curl serv2:80
^C
/ # curl --max-time 10 serv2:80
curl: (28) Connection timed out after 10001 milliseconds
/ # ping test_serv2
PING test_serv2 (10.0.7.5): 56 data bytes
64 bytes from 10.0.7.5: seq=0 ttl=64 time=0.071 ms
64 bytes from 10.0.7.5: seq=1 ttl=64 time=0.064 ms
64 bytes from 10.0.7.5: seq=2 ttl=64 time=0.125 ms
^C
--- test_serv2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.064/0.086/0.125 ms
/ # curl --max-time 10 test_serv2:80
curl: (28) Connection timed out after 10001 milliseconds
/ # ping 10.0.7.6
PING 10.0.7.6 (10.0.7.6): 56 data bytes
^C
--- 10.0.7.6 ping statistics ---
87 packets transmitted, 0 packets received, 100% packet loss
/ # curl --max-time 10 10.0.7.6:80
curl: (28) Connection timed out after 10001 milliseconds
/ #
I have checked that all the docker ports (TCP 2376, 2377, 7946, 80 and UDP 7946, 4789) are open on both nodes.
What is going wrong here?? Any help truly appreciated!
I'm posting this for someone who might come looking, since there is no answer yet.
A few things to consider (even though it is all mentioned in the question):
Please ensure all ports are open once again. Check iptables thoroughly even though you had set it once. Docker engine seems to change the configuration and at times leave it in an unusable state if you open the ports after docker has started (restarting won't fix it; you need to hard stop -> reset iptables -> start docker ce).
Ensure your machines' local IP addresses are not conflicting. This is a big deal. While I am unable to describe it, you may try to understand the various classes of IP and see if there is any conflict.
Probably the most trivial, but almost always excluded instruction: remember to ALWAYS init or join a swarm with both --advertise-addr and --listen-addr. The --advertise-addr should be a public-facing IP address (even if not internet facing, it is the IP address that the other hosts use to reach this host). The --listen-addr is not documented well enough, but this must be the IP of the interface to which docker should bind.
Having gone through the above, please note that AWS EC2 does not play well with cross-provider hosts. If you have machines spread across providers (say, IBM, Azure, GCP etc.), EC2 plays spoilsport there. I'm very curious about how it is done (it has to be a low-level network infringement), but I've spent a considerable amount of time trying to get it to work and it wouldn't.

Docker in docker routing within Kubernetes

I have a network-related issue on the Kubernetes host, using the Calico network layer. For continuous integration I need to run docker in docker, but running a simple docker build with this Dockerfile:
FROM praqma/network-multitool AS build
RUN route
RUN ping -c 4 google.com
RUN traceroute google.com
produces this output:
Step 1/4 : FROM praqma/network-multitool AS build
---> 3619cb81e582
Step 2/4 : RUN route
---> Running in 80bda13a9860
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.17.0.1 0.0.0.0 UG 0 0 0 eth0
172.17.0.0 * 255.255.0.0 U 0 0 0 eth0
Removing intermediate container 80bda13a9860
---> d79e864eafaf
Step 3/4 : RUN ping -c 4 google.com
---> Running in 76354a92a413
PING google.com (216.58.201.110) 56(84) bytes of data.
--- google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 53ms
---> 3619cb81e582
Step 4/4 : RUN traceroute google.com
---> Running in 3aa7908347ba
traceroute to google.com (216.58.201.110), 30 hops max, 46 byte packets
1 172.17.0.1 (172.17.0.1) 0.009 ms 0.005 ms 0.003 ms
It seems the docker container has invalid routing when created from within Kubernetes. Pods orchestrated by Kubernetes can access the internet normally:
bash-5.0# ping -c 3 google.com
PING google.com (216.58.201.110) 56(84) bytes of data.
64 bytes from prg03s02-in-f14.1e100.net (216.58.201.110): icmp_seq=1 ttl=55 time=0.726 ms
64 bytes from prg03s02-in-f14.1e100.net (216.58.201.110): icmp_seq=2 ttl=55 time=0.586 ms
64 bytes from prg03s02-in-f14.1e100.net (216.58.201.110): icmp_seq=3 ttl=55 time=0.451 ms
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 10ms
rtt min/avg/max/mdev = 0.451/0.587/0.726/0.115 ms
bash-5.0# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 169.254.1.1 0.0.0.0 UG 0 0 0 eth0
169.254.1.1 * 255.255.255.255 UH 0 0 0 eth0
bash-5.0# traceroute google.com
traceroute to google.com (216.58.201.110), 30 hops max, 46 byte packets
1 10-68-149-194.kubelet.kube-system.svc.kube.example.com (10.68.149.194) 0.006 ms 0.005 ms 0.004 ms
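This question and the first one on the page show the same symptom: a container started through the node's Docker daemon (docker build, or docker run on the node) gets a default route via 172.17.0.1, traffic leaves the container, and nothing comes back, while pods managed by Kubernetes are fine. A frequent cause on a Kubernetes node is that the host no longer forwards or masquerades docker0 traffic: Docker, kube-proxy and CNI plugins such as Calico all manage the filter FORWARD chain, and once its policy is DROP without an ACCEPT for docker0, or a chain inserted ahead of Docker's own rules drops the packets, the replies are lost on the node. The script below is an added example, not code from either post; it parses the node's iptables -S output and the ip_forward sysctl and reports what is missing. The bridge name docker0 and subnet 172.17.0.0/16 are Docker's defaults and are assumed here; run it on the node as root with --live.

```shell
#!/bin/sh
# Added example: check whether containers on the node's docker0 bridge get their
# traffic forwarded and SNATed. Works on text so it can also be run offline.
set -u

# Default policy of the filter FORWARD chain, from `iptables -S FORWARD` on stdin.
forward_policy() { awk '$1 == "-P" && $2 == "FORWARD" { print $3 }'; }

# Is there an explicit ACCEPT for packets arriving from bridge $1 in FORWARD?
bridge_forward_accepted() { grep -Eq -- "^-A FORWARD .*-i $1 .*-j ACCEPT"; }

# FORWARD rules that run before the bridge's ACCEPT and jump to non-Docker chains
# or drop: typically a CNI (cali-FORWARD) or kube-proxy (KUBE-FORWARD) chain.
rules_ahead_of_bridge_accept() {
  awk -v b="$1" '$1 == "-A" && $2 == "FORWARD" {
      if (index($0, "-i " b " ") && $NF == "ACCEPT") exit
      if ($NF != "ACCEPT" && $NF != "RETURN" && $NF !~ /^DOCKER/) print
  }'
}

# Is bridge subnet $1 masqueraded in nat POSTROUTING (`iptables -t nat -S POSTROUTING`)?
masquerade_present() { grep -Eq -- "^-A POSTROUTING -s $1 .*-j MASQUERADE"; }

# diagnose IP_FORWARD FORWARD_RULES NAT_RULES BRIDGE SUBNET
# Prints findings and returns the number of hard problems found.
diagnose() {
  ip_forward=$1; fwd=$2; nat=$3; bridge=$4; subnet=$5; problems=0
  if [ "$ip_forward" != 1 ]; then
    echo "net.ipv4.ip_forward=$ip_forward: the node does not route at all (sysctl -w net.ipv4.ip_forward=1)"
    problems=$((problems + 1))
  fi
  policy=$(printf '%s\n' "$fwd" | forward_policy)
  if [ "$policy" != ACCEPT ] && ! printf '%s\n' "$fwd" | bridge_forward_accepted "$bridge"; then
    echo "FORWARD policy is $policy and nothing accepts -i $bridge: bridge traffic is dropped"
    echo "  typical fix: iptables -I FORWARD -i $bridge -j ACCEPT; iptables -I FORWARD -o $bridge -j ACCEPT"
    problems=$((problems + 1))
  fi
  ahead=$(printf '%s\n' "$fwd" | rules_ahead_of_bridge_accept "$bridge")
  if [ -n "$ahead" ]; then
    echo "rules evaluated before the $bridge ACCEPT (inspect these chains for drops):"
    printf '%s\n' "$ahead" | sed 's/^/  /'
  fi
  if ! printf '%s\n' "$nat" | masquerade_present "$subnet"; then
    echo "no MASQUERADE for $subnet in nat POSTROUTING: replies cannot find their way back"
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ] && echo "$bridge forwarding and NAT look healthy"
  return "$problems"
}

# Live run on the node (root): gather the real state for Docker's default bridge.
if [ "${1:-}" = "--live" ]; then
  diagnose "$(sysctl -n net.ipv4.ip_forward)" "$(iptables -S FORWARD)" \
           "$(iptables -t nat -S POSTROUTING)" docker0 172.17.0.0/16
fi
```

The "rules evaluated before" list is informational: kube-proxy and Calico chains sitting ahead of Docker's docker0 ACCEPT are normal, but they are where to look when the policy and NAT checks pass and the bridge still has no egress. Any rule you add by hand is not persistent and is not managed by Docker or the CNI, so record it in the node's provisioning rather than fixing it interactively.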

Docker container can't connect to the internet. But can ping any external ip

I can't ping or connect to any internet domain from a docker container.
Manjaro Linux.
DNS is set in /etc/docker/daemon.json on the host.
/etc/resolv.conf in the docker container:
root@785625d57ad5:/# cat /etc/resolv.conf
nameserver 8.8.4.4
nameserver 8.8.8.8
Ping from the docker container (the IP is google.com's):
root@785625d57ad5:/# ping -c 3 172.217.23.142
PING 172.217.23.142 (172.217.23.142) 56(84) bytes of data.
64 bytes from 172.217.23.142: icmp_seq=2 ttl=53 time=51.9 ms
64 bytes from 172.217.23.142: icmp_seq=3 ttl=53 time=51.9 ms
--- 172.217.23.142 ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2018ms
rtt min/avg/max/mdev = 51.973/51.980/51.987/0.007 ms
root@785625d57ad5:/# ping -c 3 google.com
ping: unknown host google.com
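The question above has no answer on the page. Its symptom, an external IP that answers ping while names do not resolve even though resolv.conf lists 8.8.4.4 and 8.8.8.8, comes down to whether a UDP/53 query from inside the container reaches those resolvers and gets answered, which ping cannot tell you. The script below is an added example, not code from the post: it builds a minimal DNS A query by hand, sends it to each configured resolver over bash's /dev/udp and classifies the reply by its RCODE, so a filtered port (no reply) is distinguished from a resolver that refuses or fails. It assumes bash, od and timeout exist in the container; the query id 0x1234 and the default name google.com are arbitrary choices.

```shell
#!/usr/bin/env bash
# Added example: from inside the container, check whether each resolver in
# /etc/resolv.conf actually answers a UDP/53 query. Separates "IP reachable
# but DNS blocked" from "DNS misconfigured".
set -u

# Nameserver addresses from resolv.conf text on stdin.
resolvers() { awk '$1 == "nameserver" { print $2 }'; }

# Minimal DNS query for an A record of $1 (id 0x1234, RD set), as hex bytes.
dns_query_hex() {
  local hex="123401000001000000000000" label   # id, flags, QD=1, AN/NS/AR=0
  local IFS=.
  for label in $1; do
    hex="$hex$(printf '%02x' "${#label}")$(printf '%s' "$label" | od -An -tx1 | tr -d ' \n')"
  done
  printf '%s' "${hex}0000010001"               # root label, QTYPE=A, QCLASS=IN
}

# RCODE (low nibble of byte 3) from a response header given as hex: 0 NOERROR,
# 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED. Prints "none" when the QR bit is not set.
dns_rcode() {
  local hex=$1 flags_hi
  flags_hi=$(printf '%s' "$hex" | cut -c5)
  case $flags_hi in
    8|9|a|b|c|d|e|f) printf '%s' "$hex" | cut -c8 ;;
    *) echo none ;;
  esac
}

# Send the query for $2 to nameserver $1 over UDP/53, read the 12-byte header.
# Returns 0 on NOERROR, 1 on an error RCODE, 2 when nothing comes back in 3s.
dns_probe() {
  local ns=$1 name=$2 escaped reply rcode
  escaped=$(dns_query_hex "$name" | sed 's/../\\x&/g')   # "\x12\x34..." for printf %b
  reply=$(bash -c 'exec 3<>"/dev/udp/$1/53"; printf "%b" "$2" >&3
                   timeout 3 head -c 12 <&3 | od -An -tx1 | tr -d " \n"' _ "$ns" "$escaped")
  if [ -z "$reply" ]; then
    echo "$ns: no reply on UDP/53 (filtered or unreachable)"; return 2
  fi
  rcode=$(dns_rcode "$reply")
  if [ "$rcode" = 0 ]; then
    echo "$ns: answers (NOERROR for $name)"; return 0
  fi
  echo "$ns: replied with RCODE $rcode for $name"; return 1
}

# Live usage inside the container: ./dns_probe.sh --live [name]
if [ "${1:-}" = "--live" ]; then
  for ns in $(resolvers < /etc/resolv.conf); do dns_probe "$ns" "${2:-google.com}"; done
fi
```

If every resolver reports no reply while the earlier ping to 172.217.23.142 succeeds, the container's outbound UDP/53 is being dropped on the host (firewall or NAT), not misconfigured in daemon.json; an RCODE of 5 (REFUSED) instead points at a resolver that does not serve this client.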

Wrong IP address in docker swarm service

I have a very weird problem:
I have a swarm cluster and one of my services has the wrong IP:
$ docker service inspect nginx_backend | grep Addr
"Addr": "10.0.0.107/24"
From any container in the cluster:
/ # ping nginx_backend
PING nginx_backend (10.0.0.107): 56 data bytes
64 bytes from 10.0.0.107: seq=0 ttl=64 time=0.057 ms
64 bytes from 10.0.0.107: seq=1 ttl=64 time=0.061 ms
64 bytes from 10.0.0.107: seq=2 ttl=64 time=0.064 ms
64 bytes from 10.0.0.107: seq=3 ttl=64 time=0.083 ms
^C
--- nginx_backend ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.057/0.066/0.083 ms
But on the server which hosts the nginx_backend container:
root@backend:~# docker inspect nginx_backend.1.myzy10psfdl9r4jljrsz5zd5t | grep IPv4
"IPv4Address": "10.0.0.87"
And when some service tries to connect by name it gets a connection error, but if I manually put a record like 10.0.0.87 nginx_backend into /etc/hosts inside a container, it connects successfully.
What did I do wrong?)
Docker creates (by default) a Virtual IP (VIP) for each service. That's the 10.0.0.107. It then balances requests between the backend containers. In the second example (10.0.0.87) you're seeing the IP address of one of the containers. That's routable within Docker as well (which is why hitting the IP works). However the name (nginx_backend.1.myzy10psfdl9r4jljrsz5zd5t) is not DNS resolvable so that's why that fails.
You can find a list of the 'backing' containers for a service by doing a DNS lookup on tasks.nginx_backend.
Some more background here: https://docs.docker.com/network/overlay/
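The VIP explanation in this answer also covers the overlay question earlier on the page, where ping serv2 answers from 10.0.7.5 (the service VIP) while the task itself sits at 10.0.7.6 and TCP to it times out: ICMP to the VIP is answered locally by the node's load-balancer namespace, so it says nothing about whether the VXLAN data plane to the other node works. The script below is an added example, not code from either post. Inside a container on the overlay network it resolves the VIP and tasks.<service>, then probes each task's port directly; on a node it checks the swarm ports of a peer. It assumes bash, getent and timeout are present (the alpine image from the question would need them installed), a 3-second timeout, and the port list from Docker's documented swarm requirements.

```shell
#!/usr/bin/env bash
# Added example: inside a swarm container, compare a service's VIP with the
# addresses of its backing tasks and test TCP to each task individually;
# on a node, verify the swarm control and data-plane ports of a peer.
set -u

# Ports every swarm node must accept from its peers (Docker's documented list).
SWARM_PORTS="2377/tcp 7946/tcp 7946/udp 4789/udp"

# Unique IPv4 addresses from `getent ahosts <name>` output on stdin.
ips_from_ahosts() {
  awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$1]++ { print $1 }'
}

# The embedded resolver (127.0.0.11) answers <svc> with the VIP and
# tasks.<svc> with one A record per running task.
service_vip()   { getent ahosts "$1"       | ips_from_ahosts; }
service_tasks() { getent ahosts "tasks.$1" | ips_from_ahosts; }

# TCP connect test using bash's /dev/tcp; 0 when the port accepts within 3s.
tcp_open() { timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }

# UDP cannot be verified from bash alone; use nc when present, otherwise skip.
# Note: nc -zu only fails when an ICMP port-unreachable comes back, so a
# silently filtered 4789/udp still shows as open here.
udp_open() {
  command -v nc >/dev/null || { echo "udp $1:$2 skipped (no nc)"; return 0; }
  nc -zu -w 3 "$1" "$2" >/dev/null 2>&1
}

# probe_service SERVICE PORT: one line per task, returns number of unreachable tasks.
probe_service() {
  local svc=$1 port=$2 bad=0 ip
  echo "VIP for $svc: $(service_vip "$svc" | tr '\n' ' ')"
  for ip in $(service_tasks "$svc"); do
    if tcp_open "$ip" "$port"; then
      echo "task $ip:$port reachable"
    else
      echo "task $ip:$port UNREACHABLE"; bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# check_peer_ports PEER_IP: from a node, verify another node's swarm ports;
# returns the number of closed ports.
check_peer_ports() {
  local peer=$1 bad=0 entry port proto ok
  for entry in $SWARM_PORTS; do
    port=${entry%/*}; proto=${entry#*/}; ok=0
    case $proto in
      tcp) tcp_open "$peer" "$port" || ok=1 ;;
      udp) udp_open "$peer" "$port" || ok=1 ;;
    esac
    if [ "$ok" -eq 0 ]; then
      echo "$proto $peer:$port open"
    else
      echo "$proto $peer:$port CLOSED"; bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Usage: probe_service serv2 80      (inside a container on the overlay network)
#        check_peer_ports 10.0.0.2   (on a node, against another node)
```

A task that is UNREACHABLE while its VIP still answers ping is the pattern from the overlay question: resolution and the local IPVS entry are fine, but the encapsulated traffic to the node hosting the task is not arriving, which is where the 4789/udp and 7946 checks between the nodes come in.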
