HTTP 403 response when accessing docker container on other host - docker

I am using Docker version 17.06.2-ce, build cec0b72 on CentOS Linux release 7.2.1511.
My goal is to get a docker container to publish on one of the host's ports and have the information be visible to another system in the same subnet. My docker image is the friendlyhello image built in the getting started tutorial. I have an image of it on docker hub which you can pull with the below command. It exposes port 80 within the file, and then I call the image with
docker run -d -p 8080:80 jeremydr2/get-started:part2
I can get the correct response (basically "hello world") when I curl localhost:8080 or curl 10.x.x.x:8080 while on the host in which the container is running. When curling on another host, I get some html formatting and
default "Access Denied" response (403)
Note that a successful response can take over a minute, but an unsuccessful response will still be immediate.
From what I've read about this, I shouldn't have to mess with iptables at all to get this to work, which is good, because I don't really understand networking very well. However, I think something is wrong, because iptables -t nat -L | grep 8080 doesn't return anything, when I expect it to have a line about redirecting or allowing traffic to that port. I have disabled SELinux and firewalld, and installed iptables-services instead.
I can send traffic between the hosts with other commands like:
[root#host1 ~]# ncat -l 8001
[root#host2 ~]# echo "testing123" > /dev/tcp/<host1_ip_addr>/8001
so I feel confident it is not just a misconfigured network. FWIW, I've also tried the docker run ... command with --network=host, and this did not help, either. This has been 2 days of my life now. If anyone has advice I'd greatly appreciate it.
EDIT: This is definitely, somehow, a misconfigured network. I redid it at home, and it "just worked" the way everyone says docker is supposed to. Any advice on how to go about figuring out what part of the network stuff is blocking docker would be appreciated.

It was because of the proxies I had set up to reach the internet. After unsetting all the proxy variables, I was able to curl from the other system to the host. I had been told that the no_proxy and NO_PROXY variables I had set up were sufficient to prevent this, but that was not the case.
Thanks for everyone who looked at this.

Related

How to debug network host access

I'm having problems with getting proxy setup right in a docker container. I want to download a file from github, but get unable to resolve host address error from wget. Now, how do I debug what goes wrong in accessing the host? I want to see steps like :
requesting `docker.host.internal:3128" (my local proxy)
requesting "company.com/proxy:1234"
requesting "github.com".
What command line utility can get this information? or what other approach can I use to debug inaccessible host?
I had similar issues and found it helpful to debug by comparing behavior of curl locally and via docker.
curl google.com
docker run -it curlimages/curl google.com
If docker network setup is fine, result should be the same.
"unable to resolve host address" points to a problem with DNS resolution. You can try to ping the IP address of github. If you use docker behind a proxy, you need to make some configuration (https://docs.docker.com/network/proxy/). To test connectivity you can use: ping, curl, wget.

Simple Nginx server on docker returns 503

I'm just starting up with Docker and the first example that I was trying to run already fails:
docker container run -p 80:80 nginx
The command successfully fetches the nginx/latest image from the Docker Hub registry and runs the new container, there is no indication in CMD of anything going wrong. When I browse to localhost:80 I get 503 (Service Unavailable). I'm doing this test on Windows 7.
I tried the same command on another computer (this time on macOS) and it worked as expected, no issues.
What might be a problem? I found some issues on SO similar to mine, but they were connected with the usage of nginx-proxy, which I don't use and don't even know what it is. I'm trying to run a normal http server.
//EDIT
When I try to bind my container to a different port, for example:
docker container run -p 4201:80 nginx
I get ERR_CONNECTION_REFUSED in Chrome, so basically connection can't be established, because destination does not exist. Why is that?
The reason why it didn't work is that on Windows, Docker publishes results on different IP than localhost. This IP given is at the top in Docker client console.

docker app serving on https and connecting to external rethinkdb

I'm trying to launch a docker container that is running a tornado app in python 3.
It serves a few API calls and is writing data to a rethinkdb service on the system. RethinkDB does not run inside a container.
The system it runs on is ubuntu 16.04.
Whenever I tried to launch the docker with docker-compose, it would crash saying the connection to localhost:28015 was refused.
I went researching the problem and realized that docker has its own network and that external connections must be configured prior to launching the container.
I used this command from a a question I found to make it work:
docker run -it --name "$container_name" -d -h "$host_name" -p 9080:9080 -p 1522:1522 "$image_name"
I've changed the container name, host name, ports and image name to fit my own application.
Now, the docker is not crashing, but I have two problems:
I can't reach it from a browser by pointing to https://localhost/login
I lose the docker-compose usage. This is problematic if we want to add more services that talk to each other in the future.
So, how do I launch a docker that can talk to my rethinkdb database without putting that DB into a container?
Please, let me know if you need more information to answer this question.
I'd appreciate your guidance in this.
The end result is that the docker will serve requests coming over https.
for exmaple I have an end-point called /getURL.
The request includes a token verified in the DB. The URL is like this:
https://some-domain.com/getURL
after verification with the DB it will send back a relevant response.
the docker needs to be able to talk on 443 and also on 28015 with the rethinkdb service.
(Since 443 and https include the use of certificates, I'd appreciate a solution that handles this on regular http with some random port too and I'll take it from there)
Thanks!
P.S. The service works when I launch it without a docker on pycharm it's the docker configuration I have problems with.
I found a solution.
I needed to add this so that the container can connect to both the database and the rethinkdb:
--network="host"
Since this solution works for me right now, but it isn't the best solution, I won't mark this as the answer for now.

docker: Error response from daemon: Get https://registry-1.docker.io/v2/: Service Unavailable. IN DOCKER , MAC [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 months ago.
Improve this question
I am having this issue
system3:postgres saurabh-gupta2$ docker build -t postgres .
Sending build context to Docker daemon 38.91kB
Step 1/51 : FROM registry.access.redhat.com/rhel7/rhel
Get https://registry.access.redhat.com/v2/: Service Unavailable
docker run -t apline
Unable to find image 'apline:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: Service Unavailable.
See 'docker run --help'.
I have looked for a solution that says to set proxy, but I have set the proxy for the wifi.
https://docs.docker.com/docker-for-mac/networking/#httphttps-proxy-support
Still, it is not working.
I have set proxy for docker too. It is not working.
in Preference -> proxies
Docker version 17.12 ce
I also want to know if the proxy is the issue then how can I check it is set, what is work around for this?
Here are few suggestions:
Try restarting your Docker service.
Check your network connections. For example by the following shell commands:
</dev/tcp/registry-1.docker.io/443 && echo Works || echo Problem
curl https://registry-1.docker.io/v2/ && echo Works || echo Problem
Check your proxy settings (e.g. in /etc/default/docker).
If above won't help, this could be a temporary issue with the Docker services (as per Service Unavailable).
Related: GH-842 - 503 Service Unavailable at http://hub.docker.com.
I had this problem for past days, it just worked after that.
You can consider raising the issue at docker/hub-feedback repo, check at, Docker Community Forums, or contact Docker Support directly.
docker logout
docker login
This might solve your problem
I tried running on Windows, and got this problem after an update. I tried restarting the docker service as well as my pc, but nothing worked.
When running:
curl https://registry-1.docker.io/v2/ && echo Works
I got back:
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
Works
Eventually, I tried:
https://github.com/moby/moby/issues/22635#issuecomment-284956961
By changing the fixed address to 8.8.8.8:
Which worked for me!
I still got the unauthorized message for curl https://registry-1.docker.io/v2/ but I managed to pull images from docker hub.
For me I had this issue when I first installed Docker and ran
docker run hello-world
I got an authentication required error when I ran
curl https://registry-1.docker.io/v2/ && echo Works
All I needed to do was to restart my MacOS and then run the command again, it just started pulling the image and i got the message
Hello from Docker!
This message shows that your installation appears to be working correctly.
It's clearly a proxy issue: docker proxies https connections to the wrong place. Bear in mind that docker proxy settings may be different from the operating system (and curl) ones. Here's how I managed to solve the issue:
First of all, find out where are you proxying your docker https requests:
# docker info | grep Proxy
Http Proxy: http://<my.proxy.server>:8080
Https Proxy: https://<my.proxy.server>:8080
No Proxy: localhost,127.0.0.1
and double check your https settings.
In my case, I realized that the "Https proxy" was set to https://... instead of http://..., so I corrected it in /etc/sysconfig/docker file (I'm using RHEL7) and, after a docker restart with:
# systemctl restart docker
the proxy variable shows up succesfully updated:
# docker info | grep Proxy
Http Proxy: http://<my.proxy.server>:8080
Https Proxy: http://<my.proxy.server>:8080
No Proxy: localhost,127.0.0.1
and everything works fine :-)
Just to add, in case anyone else comes across this issue.
On a Mac
I had to logout and log back in.
docker logout
docker login
Then it prompts for username (NOTE: Not email) and password. (Need an account on https://hub.docker.com to pull images down)
Then it worked for me.
NTML PROXY AND DOCKER
If your company is behind MS Proxy Server that using the proprietary NTLM protocol.
You need to install **Cntlm** Authentication Proxy
After this SET the proxy in
/etc/systemd/system/docker.service.d/http-proxy.conf) with the following format:
[Service]
Environment=“HTTP_PROXY=http://<<IP OF CNTLM Proxy Server>>:3182”
In addition you can set in the .DockerFile
export http_proxy=http://<<IP OF CNTLM Proxy Server>>:3182
export https_proxy=http://<IP OF CNTLM Proxy Server>>:3182
export no_proxy=localhost,127.0.0.1,10.0.2.*
Followed by:
systemctl daemon-reload
systemctl restart docker
This Worked for me
For me the problem was solved by restarting the docker daemon:
sudo systemctl restart docker
One option which worked for me on MAC.
Click on the Docker Icon in the tray. Open Preferences -> Proxies. Click on Manual Proxy and specify Web Server (HTTP) proxy and Secure Web server (HTTPS) proxy in the same format as we specify in HTTPS_PROXY env variable.
Choose Apply and Restart.
This Worked for me
try to reload daemon then restart docker service.
systemctl daemon-reload
I had this same issue when working on an Ubuntu server.
I was getting the following error:
deploy#my-comp:~$ docker login -u my-username -p my-password
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://registry-1.docker.io/v2/: dial tcp 35.175.83.85:443: connect: connection refused
Here are the things I tried that did not work:
Restarting the docker service using sudo docker systemctl restart docker
Powering off and restarting the Ubuntu server.
Changing the name server to 8.8.8.8 in the /etc/resolv.conf file
Here's what worked for me:
I tried checking if the server has access to the internet using the following netcat command:
nc -vz google.com 443
And it returned this output:
nc: connect to google.com port 443 (tcp) failed: Connection refused
nc: connect to google.com port 443 (tcp) failed: Network is unreachable
Instead of something like this:
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 172.217.166.110:443.
Ncat: 0 bytes sent, 0 bytes received in 0.07 seconds.
I tried checking again if the server has access to the internet using the following wget command:
wget -q --spider http://google.com ; echo $?
And it returned:
4
Instead of:
0
Note: Anything other than 0 in the output means your system is not connected to the internet
I then tried the last time if the server has access to the internet using the following Nmap command:
nmap -p 443 google.com
And it returned:
Starting Nmap 7.01 ( https://nmap.org ) at 2021-02-16 11:50 WAT
Nmap scan report for google.com (216.58.223.238)
Host is up (0.00052s latency).
Other addresses for google.com (not scanned): 2c0f:fb50:4003:802::200e
rDNS record for 216.58.223.238: los02s04-in-f14.1e100.net
PORT STATE SERVICE
443/tcp closed https
Nmap done: 1 IP address (1 host up) scanned in 1.21 seconds
Instead something like this:
Starting Nmap 7.01 ( https://nmap.org ) at 2021-02-16 11:50 WAT
Nmap scan report for google.com (216.58.223.238)
Host is up (0.00052s latency).
Other addresses for google.com (not scanned): 2c0f:fb50:4003:802::200e
rDNS record for 216.58.223.238: los02s04-in-f14.1e100.net
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 1.21 seconds
Note: The state of port 443/tcp is closed instead of open
All this was enough to make me realize that connections to the internet were not allowed on the server.
All I had to do was speak with the team in charge of infrastructure to fix the network connectivity issue to the internet on the server. And once that was fixed my docker command started working fine.
Resources: 9 commands to check if connected to internet with shell script examples
That's all.
I hope this helps
Recheck Proxy Settings with the following commands
docker info | grep Proxy
Check VPN Connectivity
If VPN not using CHECK NET connectivity
Reinstall Docker and repeat the above steps.
Enjoy
On my windows 11 all I did was to first login into my account
docker login
Got this from a network filter (LuLu on macOS) blocking traffic to/from Docker-related processes.
I had this issue when I first installed Docker and ran
docker run hello-world
I was on a corporate network and switching to my personal network solved the issue for me.
The answers are provided here amazing, but if you are new in that and you don't realize full error then you may see at the end of that error net/http: TLS handshake timeout. message means that you have a slow internet connection. So it can be only that problem that's it.
Toodles
I had the following entries in my /etc/hosts file:
34.228.211.243 registry-1.docker.io
34.205.88.205 auth.docker.io
104.18.121.25 production.cloudflare.docker.com
Just by commenting them out, I fixed the problem.
List item
Many good answers above, but mine is a bit different with Mac and Docker Desktop UI. In my case, it is a Desktop proxy setting that needs to be turned off when I am outside of corporate fiewall/proxy:
ERROR message from docker CLI:
Username: xxx
Password: ***
Error response from daemon: Get https://registry-1.docker.io/v2/: Service Unavailable
My env: Machine Mac with Docker UI (i.e. called Docker Desktop,
shown as a whale icon), running outside of corp firewall/proxy.
I am able to Sign In with Docker Desktop UI.
However, whether docker login or docker pull, I kept getting the above error and I got sidetrack into the user id, reset the daemon, ...
Finally, I got to the Docker Desktop UI. Sure enough, there is a proxy setting that I have setup long time ago, and totally forgot about it!
Yes, when I am outside of firewall, I need to turn off the proxy setting here.
Docker Desktop -> Preference -> Resources -> Proxies. Turn
Turn off the manual proxy configuration.
Then docker pull works (without docker login as I was pulling a public image)!
Thanks
PS. I think the difference in behavior of Docker Desktop and Docker CLI contributes to the confusion. I am able to login to docker through the GUI, and the CLI keeps erroring out without good enough diagnostic information.
Using Linux. For me it worked by doing:
$ docker logout
log out of hub.docker.com
log in to hub.docker.com
$ docker login
Check whether containers is enabled or not?
Goto --> turn on/off windows feature, then enable checkbox of containers
Restart windows.
Using the root account instead of my regular user account solved it for me.
I have solved this issue about $ sudo docker run hello-world following the Docker doc.
If you are behind an HTTP Proxy server of corporate, this may solve your problem.
Docker doc also displays other situation about HTTP proxy setting.
In my case, stopping Proxifier fixed it. I added a rule to route any connections from vpnkit.exe as Direct and it now works.
One of the problems you might need to check is,
Does the registry requires VPN,
Enable your VPN and try pulling again.
Thanks.
Ok, I have a similar issue and nothing seemed to help, restart docker, disabled IPv6 and the nslookup and dig all seemed fine.
What worked for me was going to my Docker Desktop -> Preferences -> Experimental Features and unchecking Use new virtualization framework.
docker login terminal command worked for me.
If your machine requires VPN then must connect with VPN first and try docker login.
Have you create a repo with the matching tag on destinated docker hub? It might be that your container image has no where to be pushed to.
Run export DOCKER_CONTENT_TRUST=0 and then try it again.
Use --tls in the pull request.
For example if original pull request is docker pull dgraph/dgraph:v21.03.0
Use this instead : docker --tls pull dgraph/dgraph:v21.03.0
Just reloading system, this is helped for me. (Windows 10 64x)

localhost not working docker windows 10

I am using VS2017 docker support. VS created DockerFile for me and when I build docker-compose file, it creates the container and runs the app on 172.x.x.x IP address. But I want to run my application on localhost.
I did many things but nothing worked. Followed the docker docs as a starter and building microsoft sample app . The second link is working perfectly but I get HTTP Error 404 when tried the first link approach.
Any help is appreciated.
Most likely a different application already runs at port 80. You'll have to forward your web site to a different port, eg:
docker run -d -p 5000:80 --name myapp myasp
And point your browser to http://localhost:5000.
When you start a container you specify which inner ports will be exposed as ports on the host through the -p option. -p 80:80 exposes the inner port 80 used by web sites to the host's port 80.
Docker won't complain though if another application already listens at port 80, like IIS, another web application or any tool with a web interface that runs on 80 by default.
The solution is to:
Make sure nothing else runs on port 80 or
Forward to a different port.
Forwarding to a different port is a lot easier.
To ensure that you can connect to a port, use the telnet command, eg :
telnet localhost 5000
If you get a blank window immediatelly, it means a server is up and running on this port. If you get a message and timeout after a while, it means nobody is running. You anc use this both to check for free ports and ensure you can connect to your container web app.
PS I run into this just a week ago, as I was trying to set up a SQL Server container for tests. I run 1 default and 2 named instances already, and docker didn't complain at all when I tried to create the container. Took me a while to realize what was wrong.
In order to access the example posted on Docker Docs, that you pointed out as not working, follow the below steps,
1 - List all the running docker containers
docker ps -a
After you run this command you should be able to view all your docker containers that are currently running and you should see a container with the name webserver listed there, if you have followed the docker docs example correctly.
2 - Get the IP address where your webserver container is running. To do that run the following command.
docker inspect -f "{{ .NetworkSettings.Networks.nat.IPAddress }}" webserver
You should now get the IP address which the webserver container is running, hope you are familiar with this step as it was even available within the building Microsoft sample app example that you attached with the question.
Access the IP address you get once running the above command and you should see the desired output.
Answering to your first question (accessing docker container with localhost in docker for windows), in Windows host you cannot access the container with localhost due to a limitation in the default NAT network stack. A more detailed explanation for this issue can be obtained by visiting this link. Seems like the docker documentation is not yet updated but this issue only exists in Windows hosts.
There is an issue reported for this as well - Follow this link to see that.
Hope this helps you out.
EDIT
The solution for this issue seems to be coming in a future Windows release. Yet that release comes out this limitation is available in Windows host. Follow this link -> https://github.com/MicrosoftDocs/Virtualization-Documentation/issues/181
For those who encountering this issue in 2022, changing localhost to 127.0.0.1 solved an issue for me.
There is other problem too
You must have correct order with parameters
This is WRONG
docker run container:latest -p 5001:80
This sequence start container but parameter -p is ignore, therefore container have no ports mapping
This is good
docker run -p 5001:80 container:latest

Resources