I am trying to create a local swarm environment based on 'dind' images. Below are the steps for environment recreation:
docker network create --attachable --subnet 10.0.0.0/16 tools_network
docker run -d --privileged --name swarm-manager-1 --hostname swarm-manager-1 --network tools_network --ip 10.0.0.3 -p 42421:2375 docker:17.03.1-dind
docker --host localhost:42421 swarm init --advertise-addr 10.0.0.3
docker run -d --privileged --name swarm-worker-1 --hostname swarm-worker-1 --network tools_network --ip 10.0.0.4 -p 42423:2375 docker:17.03.1-dind
docker --host localhost:42423 swarm join --token <swarm-token> 10.0.0.3:2377
After that I add an nginx-based proxy:
docker run -d --name swarm-proxy --network tools_network -v $(pwd)/temp-proxy:/etc/nginx:ro -p 80:80 nginx:stable-alpine
with the following contents of nginx.conf in the 'temp-proxy' folder:
events {
worker_connections 1024;
}
http {
upstream swarm {
server 10.0.0.3;
server 10.0.0.4;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
proxy_pass http://swarm;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}
The service I use for testing purposes is launched by:
docker --host localhost:42421 service create --name test-web --publish 80:80 yeasy/simple-web
What I expect at this stage, based on the mesh networking documentation is that curl localhost will return the result from the deployed service. However, I get a 502 Bad Gateway response, with the following log messages from the proxy:
[error] 7#7: *4 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.1, server: , request: "GET / HTTP/1.1", upstream: "http://10.0.0.4:80/", host: "localhost"
[error] 7#7: *4 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.1, server: , request: "GET / HTTP/1.1", upstream: "http://10.0.0.3:80/", host: "localhost"
10.0.0.1 - - "GET / HTTP/1.1" 502 173 "-" "curl/7.47.0"
Same result (connection refused) for curling from a docker container deployed to the tools_network.
Running netstat -l from inside one of the swarm nodes shows that they don't listen on port 80:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.11:38943 0.0.0.0:* LISTEN
tcp 0 0 :::2375 :::* LISTEN
tcp 0 0 :::2377 :::* LISTEN
tcp 0 0 :::7946 :::* LISTEN
udp 0 0 127.0.0.11:35094 0.0.0.0:*
udp 0 0 0.0.0.0:4789 0.0.0.0:*
udp 0 0 :::7946 :::*
The questions are:
Is there something wrong with my configuration? What is it?
If not, what steps should I take to get to the problem's root?
After a lot of investigations I found the problem looking at this.
Docker inside dind images couldn't initialize properly due to absent modules and I actually saw the errors in the container logs (docker logs swarm-manager-1) but didn't pay attention to them.
So the solution for me was launching the swarm nodes like this:
docker run -d --privileged --name swarm-manager-1 --hostname swarm-manager-1 --network tools_network --ip 10.0.0.3 -p 42421:2375 -v /lib/modules:/lib/modules:ro docker:17.03.1-dind
where the /lib/modules mapping is the piece that was absent.
Related
I am running a HTTPS webserver. On the same host, I would like to run a docker container registry.
According to this tutorial, I need to run this command:
docker run -d \
--restart=always \
--name registry \
-v "$(pwd)"/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 443:443 \
registry:2
But my nginx server already has 443 bound. So I guess I can't run the container registry with this port. What are my options here? Can I just use something other than 443?
You could use Nginx as a proxyserver and have (sub)domains pointing to the two different services (Webserver and Docker Container Registry)
Step 1 : Set up domainnames
DNS: registry.mycompany.com to IP address of the Host
DNS: www.mycompany.com to IP address of the Host
Step 2 : Config Nginx as a proxyserver
Nginx sites.conf
# Main Server
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
# The Webserver
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.mycompany.com;
ssl_certificate /etc/ssl/private/star_mycompany_com.chained.crt;
ssl_certificate_key /etc/ssl/private/star_mycompany_com.key;
access_log /var/log/nginx/webserver_access.log;
error_log /var/log/nginx/webserver_error.log;
location / {
proxy_pass http://172.30.0.3:80/;
}
}
# The Registry
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name registry.mycompany.com;
ssl_certificate /etc/ssl/private/star_mycompany_com.chained.crt;
ssl_certificate_key /etc/ssl/private/star_mycompany_com.key;
access_log /var/log/nginx/registry_access.log;
error_log /var/log/nginx/registry_error.log;
location / {
proxy_pass http://172.30.0.2:80/;
}
}
In your docker-compose.yml of the registry, put it on IP 172.30.0.2,
and in the docker-compose.yml of the webserver, put it on IP 172.30.0.3
Step 3 : Run Nginx itself in a Docker Container
docker-compose.yml
version: "3.9"
services:
proxyserver:
image: nginx:latest
container_name: Proxyserver
working_dir: /usr/share/nginx/html
ports:
- "80:80"
- "443:443"
volumes:
- ./etc/nginx/conf.d:/etc/nginx/conf.d:ro
- ./etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- ./etc/ssl/private:/etc/ssl/private
- ./var/log/nginx:/var/log/nginx
networks:
my-net:
ipv4_address: 172.30.0.254
networks:
my-net:
external: true
name: cops-net
Step 4 : Create your external Docker Network
create_network.sh
docker network create \
--driver=bridge \
--subnet=172.30.0.0/16 \
--attachable \
--gateway=172.30.0.1 \
my-net
Step 5 : Start everything up
Start the container with the webserver
Start the container with the registry
Start the proxyserver
I have a dockerized app and I use the following docker-compose.yml to run it:
version: '3.1'
services:
db:
image: mysql:5.7
ports:
- "3306:3306"
env_file:
- ./docker/db/.env
volumes:
- ./docker/db/data:/var/lib/mysql:rw
- ./docker/db/config:/etc/mysql/conf.d
command: mysqld --sql_mode="NO_ZERO_IN_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
php:
build: ./docker/php/7.4/
volumes:
- ./docker/php/app.ini:/usr/local/etc/php/conf.d/docker-php-ext-app.ini:ro
- ./docker/logs/app:/var/www/app/var/log:cached
- .:/var/www/app:cached
working_dir: /var/www/app
links:
- db
env_file:
- ./docker/php/.env
webserver:
image: nginx:1
depends_on:
- php
volumes:
- ./docker/webserver/app.conf:/etc/nginx/conf.d/default.conf:ro
- ./docker/logs/webserver/:/var/log/nginx:cached
- .:/var/www/app:ro
ports:
- "80:80"
I have a server that is not dockerized runing on my machine, I can access it via localhost:3000. I would like my php service to be able to access it.
I found people suggesting to add to following to my php service configuration:
extra_hosts:
- "host.docker.internal:host-gateway"
But when I add this, then docker-compose up -d and try docker exec -ti php_1 curl http://localhost:3000, I get curl: (7) Failed to connect to localhost port 3000 after 0 ms: Connection refused. I have the same error when I try to curl http://host.docker.internal:3000.
I desperatly tried to add a port mapping to the php container:
ports:
- 3000:3000
But then when I start the services I have the following error:
ERROR: for php_1 Cannot start service php: driver failed programming external connectivity on endpoint php_1 (9dacd567ee97b9a46699969f9704899b04ed0b61b32ff55c67c27cb6867b7cef): Error starting userland proxy: listen tcp4 0.0.0.0:3000: bind: address already in use
ERROR: for php Cannot start service php: driver failed programming external connectivity on endpoint php_1 (9dacd567ee97b9a46699969f9704899b04ed0b61b32ff55c67c27cb6867b7cef): Error starting userland proxy: listen tcp4 0.0.0.0:3000: bind: address already in use
Which is obvious since my server is running on that 3000 port.
I also tried to add
network_mode: host
But it fails because I already have a links. I get the following error:
Cannot create container for service php: conflicting options: host type networking can't be used with links.
I am running docker v20.10.6 on Ubuntu 21.10.
Any help appreciated, thanks in advance!
Make sure you are using version of docker that supports host.docker.internal.
If you are using linux version, then 20.10+ supports it.
For other systems you should probably consult documentation and probably some issues on github of docker-for-linux / other projects OS revelant.
After that...
Make sure extra_hosts is direct child of php service:
php:
extra_hosts:
host.docker.internal: host-gateway
build: ./docker/php/7.4/
Try using ping host.docker.internal first to check whether your host machine responds correctly.
Make sure that your service on port 3000 is working properly and there is no firewall issue.
Remember that localhost means always local ip from current container point of view. It means that localhost inside container maps to local container IP and not your host machine IP. This is a reason for sending extra_hosts section.
Also docker.host.internal is not your host loopback interface.
If service you are trying to reach listens only on localhost interface then there is no chance to reach it without doing some magic with iptables / firewall.
You can check what service is listening on which interface / ip address running following command on your host machine: netstat -tulpn
This should return something like following output:
$ netstat -tulpn
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:39195 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
From docker container I can reach services listening on 0.0.0.0 (all interfaces) but cannot access 631 port as it is only on 127.0.0.1
$ docker run --rm -it --add-host="host.docker.internal:host-gateway" busybox
/ # ping host.docker.internal
PING host.docker.internal (172.17.0.1): 56 data bytes
64 bytes from 172.17.0.1: seq=0 ttl=64 time=0.124 ms
64 bytes from 172.17.0.1: seq=1 ttl=64 time=0.060 ms
^C
--- host.docker.internal ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.060/0.092/0.124 ms
/ # telnet host.docker.internal 631
telnet: can't connect to remote host (172.17.0.1): Connection refused
/ # telnet host.docker.internal 22
Connected to host.docker.internal
SSH-2.0-OpenSSH_8.6
I am having ubuntu 18.04 running on a server. I am got a JasperServer image running on docker in it. I am trying to access it from my system. But it throws the following error:
jamshaid#jamshaid:~$ telnet my_server_address 9095
Trying my_server_ip...
telnet: Unable to connect to remote host: Connection refused
Here is the output for sudo docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
69c31ba800ab bitnami/jasperreports "/app-entrypoint.sh …" 5 hours ago Up 5 hours 0.0.0.0:9095->8080/tcp, 0.0.0.0:443->8443/tcp ceyedev_jasperreports_1
2a7cb72da0c7 bitnami/mariadb:10.3 "/opt/bitnami/script…" 5 hours ago Up 5 hours 0.0.0.0:3306->3306/tcp ceyedev_mariadb_1
if I telnet on localhost, it connects and then connection closes which means it is running well.
Here is the output when I telnet it from localhost:
ceyedev#ub18servertiny:~$ telnet localhost 9095
Trying ::1...
Connected to localhost.localdomain.
Escape character is '^]'.
Connection closed by foreign host.
Here is the docker-compose file
version: '2'
services:
mariadb:
restart: always
image: 'bitnami/mariadb:10.3'
environment:
- MARIADB_USER=bn_jasperreports
- MARIADB_DATABASE=bitnami_jasperreports
- ALLOW_EMPTY_PASSWORD=yes
ports:
- 3306:3306
volumes:
- 'mariadb_data:/bitnami'
jasperreports:
restart: always
image: 'bitnami/jasperreports'
environment:
- MARIADB_HOST=mariadb
- MARIADB_PORT_NUMBER=3306
- JASPERREPORTS_DATABASE_USER=bn_jasperreports
- JASPERREPORTS_DATABASE_NAME=bitnami_jasperreports
- ALLOW_EMPTY_PASSWORD=yes
ports:
- '9095:8080'
- '443:8443'
volumes:
- 'jasperreports_data:/bitnami'
depends_on:
- mariadb
volumes:
mariadb_data:
driver: local
jasperreports_data:
driver: local
Here is the output for sudo docker logs container_id_for_jasper
I can telnet other ports from my local machine but having an issue with this one. Any ideas? thanks
keeping in the view of bullet 2 from answers, I executed the below command and found that 9095 is allocated by the server. Any ideas, please?
ceyedev#ub18servertiny:~$ netstat -atn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN
tcp 0 244 10.0.114.15:22 182.185.223.147:54326 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:5432 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::9095 :::* LISTEN
tcp6 0 0 :::3306 :::* LISTEN
To people who got there and didn't find solution:
Make sure your web server is listening on 0.0.0.0 to listen ALL interfaces, including docker bridge to outer network
Based on your question, you know:
Docker container is running
Docker container is listening to port 9095
telnet from Linux server to docker container is working
telnet from other client somewhere in Internet to docker container is NOT working
I guess your Ubuntu server is not accepting incoming requests from Internet on port 9095.
There can be many reasons for that:
Your server has firewall settings, which block connection
Your server did not publish port 9095 to Internet
Your client has no Internet access, when using port 9095
So I would investigate these aspects.
The docker part seems to be ok, because telnet to localhost is working.
I am a bit stuck with configuring multiple services where nginx is the proxy server.
running :
docker -v
Docker version 19.03.8, build afacb8b7f0
docker-compose -v
docker-compose version 1.23.2, build 1110ad01
I want to start with this test, everything in the same docker-compose.yml-file :
link to jwilder/nginx
proxy : nginx-server (jwilder/nginx-proxy:0.7.0 , which is nginx 1.17.6)
container1 : httpd:2.4
container2 : httpd:2.4
updating my /etc/hosts before I start
127.0.0.1 container1.com
127.0.0.1 container2.com
Here is my docker-compose.yml-file (obs -> version 3.7)
version: '3.7'
services:
proxy:
image: jwilder/nginx-proxy:0.7.0
container_name: proxy-test
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
- ./nginx-proxy.conf:/etc/nginx/conf.d/nginx-proxy.conf:ro
container1:
image: httpd:2.4
container_name: container-1
environment:
- VIRTUAL_HOST:container1.com
ports:
- 8080:80
container2:
image: httpd:2.4
container_name: container-2
environment:
- VIRTUAL_HOST:container2.com
ports:
- 8081:80
here is my nginx-proxy.conf:
server {
listen 80;
server_name container1.com;
location / {
proxy_pass http://localhost:8080;
}
}
server {
listen 80;
server_name container2.com;
location / {
proxy_pass http://localhost:8081;
}
}
After this I run the
docker exec container-1 sed -i 's/It works!/Container 1/' /usr/local/apache2/htdocs/index.html AND docker exec container-2 sed -i 's/It works!/Container 2/' /usr/local/apache2/htdocs/index.html
Test 1 : with curl to the port 8080 and port 8081
curl localhost:8080
response -> Container 1
curl localhost:8081
response -> Container 2
Test 2 : with curl to container1.com AND container2.com
curl container1.com
status 502
curl container2.com
status 502
Are the settings in my conf wrong ?
Troubleshooting 1:
docker exec -it proxy-test bash
I can see that the nginx-proxy.conf is in the directory (/etc/nginx/conf.d)
/etc/nginx/conf.d/default.conf is there as well
Troubleshooting 2: The proxy-log (Connection refused - while connecting to upstream)
proxy-test | nginx.1 | 2020/04/03 10:52:08 [error] 61#61: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 172.29.0.1, server: container1.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8080/", host: "container1.com"
proxy-test | nginx.1 | 2020/04/03 10:52:08 [error] 61#61: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 172.29.0.1, server: container1.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8080/", host: "container1.com"
Found 2 solutions to this.
(1)
the first is to update the nginx-proxy.conf with the name of the containers instead of pointing to http://localhost:8080; and http://localhost:8081; :
new config-file
server {
listen 80;
server_name container1.com;
location / {
proxy_pass http://container-1;
}
}
server {
listen 80;
server_name container2.com;
location / {
proxy_pass http://container-2;
}
}
(2)
Leaving out the nginx-proxy.conf-file , docker-compose.yml will map things correctly.
I have docker running on a machine with the IP address fd42:1337::31. One container is a nginx reverse proxy with the port mapping 443:443, in its configuration file it proxy_pass-es depending on the server name to other ports on the same machine, e.g.
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name plex.mydomain.tld;
location / {
proxy_pass http://[fd42:1337::31]:32400;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name file.mydomain.tld;
location / {
proxy_pass http://[fd42:1337::31]:2020;
}
}
These other ports refer to bottle py servers or other containers with mapped ports.
I've started this container with the command
docker run -d -p 443:443 (volume mappings) --name reverseproxy nginx
and it has served me well for a year.
I've now decided to work with docker-compose and have the following configuration file:
version: '3'
services:
reverseproxy:
image: "nginx"
ports:
- "443:443"
volumes:
(volume mappings)
When I shut down the original container and start my new one with docker-compose up, it starts, but every request gives me something like this:
2019/02/13 17:04:43 [crit] 6#6: *1 connect() to [fd42:1337::31]:32400 failed (99: Cannot assign requested address) while connecting to upstream, client: 192.168.178.126, server: plex.mydomain.tld, request: "GET / HTTP/1.1", upstream: "http://[fd42:1337::31]:32400/", host: "plex.mydomain.tld"
Why is the new container behaving differently? What do I have to change?
(I know I can have a virtual network mode to connect to other containers directly, but my proxy is supposed to connect to some services that are not inside containers (but on the same metal).)