On my Windows 10 host machine with Docker 4.9.1 I want to ssh into a docker container.
I followed a bunch of tutorials just like this one:
https://phoenixnap.com/kb/how-to-ssh-into-docker-container
From within the container I can ssh into the container using its IP of 172.17.0.2, but from my host machine I cannot.
Confirmation of the IP address:
docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' interesting_meitner
'172.17.0.2'
Ping without response:
ping 172.17.0.2
Ping wird ausgeführt für 172.17.0.2 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Ping-Statistik für 172.17.0.2:
Pakete: Gesendet = 1, Empfangen = 0, Verloren = 1
(100% Verlust),
SSH with connection timeout:
ssh root#172.17.0.2
ssh: connect to host 172.17.0.2 port 22: Connection timed out
Starting the container (obviously done before trying to connect to it):
docker run -ti with_ssh:new /bin/bash
I have also tried this with options for remapping ports i.e. -p 22:666 or -p 666:22 .
Starting ssh server:
/etc/init.d/ssh start
* Starting OpenBSD Secure Shell server sshd
Checking status:
/etc/init.d/ssh status
* sshd is running
Ssh from container into container:
ssh root#172.17.0.2
The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ECDSA key fingerprint is SHA256:471dnz1q83owB/Nu0Qnnyz/Sct4Kwry9Sa9L9pwQeZo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.2' (ECDSA) to the list of known hosts.
root#172.17.0.2's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.10.16.3-microsoft-standard-WSL2 x86_64)
[...]
Again from the Docker host I get a connection timeout. What do?
Your Docker container runs in a virtual network you cannot reach from the host (because it is isolated), which is why you cannot ping the containers IP from the host (but your docker container can, because it is attending the same network). You can expose the port like you already did with -p 666:22, but then you have to SSH to localhost not to the IP of the container: ssh -p 666 root#127.0.0.1.
You could also configure a correct routing from your hosts network to the virtual network and then you can reach the IP directly.
I did not reproduce your setup but this might work i guess. Hope it helps.
I'm trying to set up Guacamole using container on a home Ubuntu 20.04 desktop. I can get an SSH connection to work but I'm having a hard time with the VNC setup. Below are a summary of the errors, my setup and some troubleshooting steps I did.
SUMMARY OF ERROR MESSAGES
The management app Guacamole is served at http://localhost:8080/guacamole/, I try to access the VNC connection (its setup is in the next section) and get these errors
guacamole web app error message: "The Guacamole server is denying access to this connection because you have exhausted the limit for simultaneous connection use by an individual user. Please close one or more connections and try again."
In the Chrome or Firefox developer console, network/XHR, I'm pasting
a few request/response headers:
Request URL: http://localhost:8080/guacamole/tunnel?connect
Response Status Code: 429
Response Headers:
Guacamole-Error_message: Cannot connect. Connection already in use by this user.
Guacamole-Status-Code: 797
In the guacd docker container:
guacd[7]: DEBUG: Guacamole connection closed during handshake
guacd[7]: DEBUG: Error reading "select": End of stream reached while reading instruction
In the guacamole docker container:
18:13:26.091 [http-nio-8080-exec-9] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to guacd failed: Cannot connect. Connection already in use by this user.
18:13:26.116 [http-nio-8080-exec-6] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: Cannot connect. Connection already in use by this user.
MY INSTALLATION AND TROUBLESHOOTING DONE SO FAR
Environment
Ubuntu 20.04 desktop
working tiger VNC server setup at display number 1, which I have been using for SSH-tunneled VNC connection for 2 years
$ sudo systemctl status vncserver#1.service
?? vncserver#1.service - Start TightVNC server at startup
Loaded: loaded (/etc/systemd/system/vncserver#.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2022-04-13 22:45:53 EDT; 8min ago
Main PID: 2035 (Xtigervnc)
Docker containers
I followed the official doc to set up three containers.
The guacamole links to the guacd and mysql.
$ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b0c49ab0fb8f guacamole/guacamole:1.4.0 "/opt/guacamole/bin/??" 20 hours ago Up 42 minutes 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp some-guacamole
969afbd569c2 guacamole/guacd "/bin/sh -c '/usr/lo??" 21 hours ago Up 43 minutes (healthy) 4822/tcp some-guacd
3e490e948aa6 mysql/mysql-server:latest "/entrypoint.sh mysq??" 38 hours ago Up 42 minutes (healthy) 3306/tcp, 33060-33061/tcp mysql-docker
The guacamole container, guacd container and the vnc server have connectivity with each other
The web app came up fine and I can login to configure settings.
I easily got an SSH connection to work on guacamole
For VNC connections, I tried both guacamole at the latest and at tag 1.4.0 but that made no difference
On my Ubuntu host, I have proper firewall settings:
ports ssh 22, apache 80/443 are wide open
my VNC server is sitting on 0 0.0.0.0:5901 and is therefore open to 172.17.0.0/24
My docker0 is recognized by the host as 172.17.0.1
$ netstat -an | grep 5901
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
$ ifconfig docker0
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
From within the guacd container, I can telnet to my docker host's SSH server (172.17.0.1:22), Apache server(172.17.0.1:80/443), and VNC server (172.17.0.1:5901)
$ sudo docker exec -u0 -it some-guacd bash
root#969afbd569c2:/# telnet 172.17.0.1 5901
Trying 172.17.0.1...
Connected to 172.17.0.1.
Escape character is '^]'.
RFB 003.008
^]
telnet> quit
Connection closed.
In addition to the SSH connection working out of the box with guacamole install, from within the guacamole container, I could telnet to the guacd at port 4822 and paste the following vnc handshake (6.select,3.vnc;) and got a proper response.
$ sudo docker inspect some-guacd|grep IPAddress
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.2",
"IPAddress": "172.17.0.2",
$ sudo docker exec -u0 -it some-guacamole bash
root#b0c49ab0fb8f:/opt/guacamole# telnet 172.17.0.2 4822
Trying 172.17.0.2...
Connected to 172.17.0.2.
Escape character is '^]'.
6.select,3.vnc;
4.args,13.VERSION_1_3_0,8.hostname,4.port,9.read-only,9.encodings,8.username,8.password,13.swap-red-blue,11.color-depth,6.cursor,9.autoretry,18.clipboard-encoding,9.dest-host,9.dest-port,12.enable-audio,16.audio-servername,15.reverse-connect,14.listen-timeout,11.enable-sftp,13.sftp-hostname,13.sftp-host-key,9.sftp-port,13.sftp-username,13.sftp-password,16.sftp-private-key,15.sftp-passphrase,14.sftp-directory,19.sftp-root-directory,26.sftp-server-alive-interval,21.sftp-disable-download,19.sftp-disable-upload,14.recording-path,14.recording-name,24.recording-exclude-output,23.recording-exclude-mouse,22.recording-include-keys,21.create-recording-path,12.disable-copy,13.disable-paste,15.wol-send-packet,12.wol-mac-addr,18.wol-broadcast-addr,12.wol-udp-port,13.wol-wait-time,14.force-lossless;
On guacamole VNC connection configuration, I have
Parameters
Network
Hostname: 172.17.0.1
Port: 5901
I believe the apparent error message "Cannot connect. Connection already in use by this user" is a red herring. It's more likely that the guacamole app has problem connecting to the guacd server at the protocol or the application level. I'm really baffled. I have posted onto the apache mailing list for guacamole a few days ago but haven't got a reply yet. So I'm trying my luck on SO.
I am running Mosquitto 1.4.8 on Ubuntu successfully on port 1883 (tested from another machine with mosquitto_sub/mosquitto_pub). However I am encountering issues when attempting to use another port eg.
mosquitto -p 1884 -c moddebug.conf
This works OK if I access it from the same machine e.g.:
mosquitto_pub -h 127.0.0.1 -p 1884
but if I attempt to connect from another machine I get an error:
mosquitto_pub -h IP_ADDRESS -t exmapleTopic -p 1884
Connection timed out
My moddebug.conf file is:
log_type all
log_dest file mosquitto2_log.log
The log does not provide any extra information:
Config loaded from mosdebug.conf.
Opening ipv4 listen socket on port 1884.
Opening ipv6 listen socket on port 1884.
mosquitto version 1.4.8 terminating
I have tried altering the firewall rules (but this did not help):
ufw allow 1884/tcp
Rules updated
Rules updated (v6)
I have installed a fresh Centos 7 box on virtualbox running in a bridged network adapter. I have installed ruby on rails and setup a simple app. I started the server on port 3000, but when I try to reach it from my host machine hitting the IP I get no response.
On the server I can do a
wget "http://127.0.0.1:3000"
and I get the right index.html file. So I figured my port was getting blocked.
So I installed firewalld and issued the following commands
sudo firewall-cmd --zone=public --add-port=3000/tcp --permanent
sudo firewall-cmd --reload
firewall-cmd --list-all
The list all shows the following ;
public (default, active)
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports: 3000/tcp 80/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
However when I run nmap I see it's closed
sudo nmap -p 3000 127.0.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-26 01:47 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000071s latency).
PORT STATE SERVICE
3000/tcp closed ppp
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
From my host machine I can ping the machine but when I nmap to port 3000 it says the host is unreachable.
I don't know how to go any further. Any thoughts?
I run a docker container with the following command:
docker run -d --name frontend_service -net host --publish=3001:3000 frontend_service
As I understand it maps the local port 3001 to the container port 3000.
I already ssh to the container and checked curl localhost:3000. Works. But outside, on the host, I can't curl localhost:3001.
I checked nmap. The port is open:
nmap -v -sT localhost
Starting Nmap 6.47 ( http://nmap.org ) at 2016-10-19 01:24 UTC
Initiating Connect Scan at 01:24
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 5051/tcp on 127.0.0.1
Discovered open port 3001/tcp on 127.0.0.1
Completed Connect Scan at 01:24, 0.06s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0011s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
3001/tcp open nessus
5051/tcp open ida-agent
How can i connect the container port with my host port?
When you specify --net=host, you are completely turning off Docker's network setup steps. The container won't get its own network namespace, won't get its own interfaces, and the port publishing system will have nothing to route to.
If you want your -p 3001:3000 to work, don't use --net=host.