I installed docker registry 2.0 in a Ubuntu 14.04, following the official site: https://docs.docker.com/registry/deploying/
It will be used for testing so the development so I don't think we need a production instance:
All clients will be 1.6 so just registry 2.0 required
We don't need any kind of authentication
I install it:
docker run -d -p 5000:5000 registry:2.0
Then I prepare a new image for docker:
docker tag ubuntu:14.04 juandapc:5000/ubuntu:14.04
docker tag ubuntu:14.04 juandapc:5000/ubuntu:14.04
I've replace localhost as in docs for juandapc, the machine hostname.
Howerver when I try to access the repository from another machine (telnet juandapc 5000) I get this error:
FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get https://juandapc:5000/v1/_ping: dial tcp 192.168.1.50:5000: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry juandapc:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/juandapc:5000/ca.crt
If I pull, same error:
# docker pull juandapc:5000/ubuntu
FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get https://juandapc:5000/v1/_ping: tls: oversized record received with length 20527. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry juandapc:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/juandapc:5000/ca.crt
Do I need to configure nginx? Documentation install nginx for production mode with registry 1.6 and 2.0 but it's not my case...
The firewall in the host (juandapc):
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE tcp -- 172.17.0.5 172.17.0.5 tcp dpt:5000
Chain DOCKER (2 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:5000 to:172.17.0.5:5000
Ports from the host juandapc (ESCUCHAR is LISTEN):
# netstat -natp
Conexiones activas de Internet (servidores y establecidos)
Proto Recib Enviad Dirección local Dirección remota Estado PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* ESCUCHAR 919/sshd
tcp 0 0 192.168.1.50:22 172.30.164.14:38412 ESTABLECIDO 3924/sshd: administ
tcp6 0 0 :::22 :::* ESCUCHAR 919/sshd
tcp6 0 0 :::5000 :::* ESCUCHAR 3651/docker-proxy
5000 is there, but no ipv4????
The registry in the container:
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1978cdff5e8c registry:2.0 "registry cmd/regist 4 hours ago Up 4 hours 0.0.0.0:5000->5000/tcp mad_shockley
# docker exec mad_shockley ps -ax
PID TTY STAT TIME COMMAND
1 ? Ssl 0:00 registry cmd/registry/config.yml
14 ? Rs 0:00 ps -ax
From juandpc I can get into the container:
# docker exec -t -i mad_shockley /bin/bash
root#1978cdff5e8c:/go/src/github.com/docker/distribution# hostname
1978cdff5e8c
The error message was the key:
FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get https://juandapc:5000/v1/_ping: dial tcp 192.168.1.50:5000: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry juandapc:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/juandapc:5000/ca.crt
Added this line: /etc/default/docker:
DOCKER_OPTS="--insecure-registry juandapc:5000"
Restarted docker and perfect!
The remote host part of your tag must contain the name of the remote registry, not the name of the local (pushing/publishing) client.
So, in this case:
juandapc:5000/ubuntu:14.04
should be
<registry-server>:5000/ubuntu:14.04
where you replace <registry-server> with whatever machine you set up the registry on. As it is, you're trying to push from juandapc to a remote repository on juandapc, and since that doesn't exist, connection refused...
If juandapc is actually where you installed the service, on the other hand - you have DNS / name resolution problems. (Did you add an /etc/hosts entry for juandapc? Why does it resolve to 192.168.1.50, instead of the actual address of the interface that netstat shows?)
Related
How do I get my docker container running gunicorn / FastAPI server to respond to outside traffic?
This is how my container runs
docker run --detach --net host -v "/path/to/app/app":"/app" -it me/app:appfastapi_latest /start.sh
cat start.sh
#! /usr/bin/env sh
set -e
# Start Gunicorn
exec gunicorn -k "uvicorn.workers.UvicornWorker" -c /app/gunicorn_conf.py "main:app"
cat ./app/gunicorn_conf.py
...
host = "0.0.0.0"
port = "8000"
bind = f"{host}:{port}"
...
docker logs container_id
...
[2022-02-15 05:40:10 +0000] [1] [INFO] Listening at: http://127.0.0.1:8000 (1)
^^^ this was before a fix in the conf, now its
0.0.0.0:8000
...
Curl container from host
curl localhost:8000/hw {"message":"Hello World"}
This is how it should be. But when I do
curl domain:8000/hw
curl: (7) Failed to connect to domain port 8000: Connection refused
I do not know how to troubleshoot this. In the FastAPI main I have
ORIGINS = [
"http://127.0.0.1:8000",
"http://localhost:8000",
"http://domain:8000",
]
app = FastAPI(title="MY API", root_path=ROOT_PATH, docs_url="/")
app.add_middleware(
CORSMiddleware,
allow_origins=ORIGINS,
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
and I have the firewall open (I believe)
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 172.17.0.2 anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:8000
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain DOCKER (1 references) target prot opt source destination Chain DOCKER-ISOLATION-STAGE-1 (1 references) target prot opt source destination DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere RETURN all -- anywhere anywhere Chain DOCKER-ISOLATION-STAGE-2 (1 references) target prot opt source destination DROP all -- anywhere anywhere RETURN all -- anywhere anywhere
that I have opened for port 8000 with
sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
The system I am on is Debian9,
docker --version
Docker version 19.03.15, build 99e3ed8919
Listening at: http://127.0.0.1:8000
means that gunicorn listening localhost of docker container. Container's localhost is not accessible from external network. You should set 0.0.0.0:8000 to be able access from outside.
Yes, you tried to set
host = "0.0.0.0"
port = "8000"
But gunicorn config file doesn't have host and port parameters. You should use bind = '0.0.0.0:8000' instead.
And don't forget to publish port -p 8000:8000 when run container
i'm hosting a dockerized web application binded with port 8081 in my remote server.
I want to block that web application for external ips, as I already did wit port 8080 hosting a plain jenkins server.
Here's what i've tried:
iptables -A INPUT -d <my-server-ip> -p tcp --dport 8081 -j DROP
As I did with port 8080.
Here is
iptables -nv -L INPUT
output:
Chain INPUT (policy ACCEPT 2836 packets, 590K bytes)
pkts bytes target prot opt in out source destination
495 23676 DROP tcp -- * * 0.0.0.0/0 <my-ip-addr> tcp dpt:8080
0 0 DROP tcp -- * * 0.0.0.0/0 <my-ip-addr> tcp dpt:8081
Has it possibily something to do with DOCKER chain in iptables ?
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
9 568 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 <container-eth1-addr> tcp dpt:8080
There are more specific rules i need to add ?
Isn't my server INPUT rules supposed to be applied before those listed in the DOCKER chain?
UPDATE - SOLVED
Thanks to larsks's comments I found the solution.
The goal here was to block tcp traffic on port 8081 binded with docker docker container but being able to use ssh tunneling as "poor man" VPN (so non publish the port was not an option).
Just had to add this rule:
iptables -I DOCKER-USER 1 -d <container-eth-ip> ! -s 127.0.0.1 -p tcp --dport 8080 -j DROP
I want to restrict my database access to 127.0.0.1, so I executed the following command:
docker run -it mysql:5.5 -p 127.0.0.1:3306:3306 -name db.mysql
But I have some confusion...
You can see here that only the port of 127.0.0.1 will be forwarded:
; docker ps
mysql:5.5 127.0.0.1:3306->3306/tcp db.mysql
Interestingly, I cannot find this restriction in iptables:
; iptables -L
Chain FORWARD (policy DROP)
DOCKER all -- anywhere anywhere
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.112.2 tcp dpt:mysql
The source of this rule is anywhere.
The incoming traffic will go as next:
Incoming package to host's network -> use ip tables to forward to container
And, your restrict was not in iptables, it was in host's network, you just open 3306 bind on 127.0.0.1, not 0.0.0.0, so you of course not see anything in iptables. 127.0.0.1:3306:3306 means hostIp:hostPort:containerPort.
You could confirm it with netstat -oanltp | grep 3306 to see no 0.0.0.0 was there, so no foreign host could visit your host machine, thus also could not visit your container.
I have created a docker host on openstack and launched a container with it's port 22 mapped to a port on docker host. Followed this link
Still i can't ssh from docker host to container. It gives this error:
$> ssh -v root#172.17.0.9 -p 32775
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 172.17.0.9 [172.17.0.9] port 32775.
debug1: connect to address 172.17.0.9 port 32775: Connection refused
ssh: connect to host 172.17.0.9 port 32775: Connection refused
Iptables rule is added by default when i used -P option in docker run. It looks like this:
$> iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
MASQUERADE tcp -- 172.17.0.3 172.17.0.3 tcp dpt:80
MASQUERADE tcp -- 172.17.0.9 172.17.0.9 tcp dpt:22
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 to:172.17.0.3:80
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:32775 to:172.17.0.9:22
And container looks like:
$> docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
46111bb52063 sshns "/usr/sbin/sshd -D" 9 hours ago Up 3 hours 0.0.0.0:32776->22/tcp TestSSHcontainer
I need to have ssh only for my purpose. I'm aware about docker exec option. Tried changes like PermitRootLogin yes on sshd_config and ssh_config on both docker host and container with no success.
bash-4.2# /usr/sbin/sshd -Dd
WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several problems.
debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type ECDSA
debug1: private host key: #1 type 3 ECDSA
debug1: private host key: #2 type 4 ED25519
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-Dd'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on ::.
Bind to port 22 on :: failed: Address already in use.
debug1: Bind to port 22 on 0.0.0.0.
Bind to port 22 on 0.0.0.0 failed: Address already in use.
Cannot bind any address.
bash-4.2# netstat -anp | grep 22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
bash-4.2# ps -eaf | grep ssh
root 1 0 0 19:17 ? 00:00:00 /usr/sbin/sshd -D
root 26 16 0 22:58 ? 00:00:00 grep ssh
Is there something that i'm still missing?
You're using the ip of your container but the host port mapping of container. Try either ssh -v root#172.17.0.9 or ssh -v root#localhost -p <port_mapping_on_host>(Your docker ps -a shows your porting mapping on host is 32776)
Looking at the iptables of my docker host i get something like this:
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http-alt
I was able to assign a durable IP address like this:
sudo ip addr add 10.0.0.99/8 dev eth0
docker run -d -p 10.0.0.99:8888:8080 tomcat:8
but that address is only available on this machine, as in I need to ssh into it and ping it from this box.
Reading through this, it looks like i need to add a custom bridge:
Custom Docker Bridge
Is there a way to make the bridge hand fresh ips from the DHCP server? For example if my DHCP server assigned addresses from 10.1.1.x - I want to assign those addresses to Docker containers.
Would this involve a generic *nix way of pushing my iptable /etc/hosts ip addresses and dns names to a DNS server so other machines outside of the Docker cluster can ping those machines?
I have port forwarding working but need to do the same with the ip addresses as Zookeeper only tracks the internal Docker ip addresses and hostnames as I've defined them in my docker-compose.yml.