Access denied on exposed and published port of another container on the same docker network

2

I can't connect to a container on the lonelyisland network from another one that lives on the same network.

docker run --rm --name spaceship --net lonelyisland --expose 8080 -p 8080:8080 --ip 172.18.0.8 quay.io/ahoi/spaceship:latest target/release/spaceship

As far as I can tell, -p is not necessary, and --expose is redundant with the one given in the Dockerfile.

The application works just fine without docker, so it must be something docker (network) related.

The procedure for the curl-based test is as follows:

docker run --rm -it --name "curl-test" --net lonelyisland fedora:latest /bin/bash

Setting up curl-test

[root@52ac28b36b93 /]# dnf install iproute iputils
Fedora 24 - x86_64                                             54 MB/s |  47 MB     00:00    
Fedora 24 - x86_64 - Updates                                   54 MB/s |  21 MB     00:00    
Last metadata expiration check: 0:00:12 ago on Fri Feb 24 06:19:26 2017.
Dependencies resolved.
==============================================================================================
 Package                  Arch             Version                    Repository         Size
==============================================================================================
Installing:
 iproute                  x86_64           4.4.0-3.fc24               fedora            658 k
 iputils                  x86_64           20160308-3.fc24            updates           157 k
 linux-atm-libs           x86_64           2.5.1-14.fc24              fedora             40 k

Transaction Summary
==============================================================================================
Install  3 Packages

Total download size: 854 k
Installed size: 1.9 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): linux-atm-libs-2.5.1-14.fc24.x86_64.rpm                4.1 MB/s |  40 kB     00:00    
(2/3): iputils-20160308-3.fc24.x86_64.rpm                      12 MB/s | 157 kB     00:00    
(3/3): iproute-4.4.0-3.fc24.x86_64.rpm                         22 MB/s | 658 kB     00:00    
----------------------------------------------------------------------------------------------
Total                                                         752 kB/s | 854 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : linux-atm-libs-2.5.1-14.fc24.x86_64                                       1/3 
  Installing  : iproute-4.4.0-3.fc24.x86_64                                               2/3 
  Installing  : iputils-20160308-3.fc24.x86_64                                            3/3 
Failed to connect to bus: No such file or directory
  Verifying   : iproute-4.4.0-3.fc24.x86_64                                               1/3 
  Verifying   : linux-atm-libs-2.5.1-14.fc24.x86_64                                       2/3 
  Verifying   : iputils-20160308-3.fc24.x86_64                                            3/3 

Installed:
  iproute.x86_64 4.4.0-3.fc24                      iputils.x86_64 20160308-3.fc24             
  linux-atm-libs.x86_64 2.5.1-14.fc24             

Complete!

Check that we have the right IP subnet:

[root@52ac28b36b93 /]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
35: eth0@if36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:12:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.18.0.3/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe12:3/64 scope link 
       valid_lft forever preferred_lft forever

On the first attempt I forgot to start the container:

[root@52ac28b36b93 /]# curl -v 172.18.0.8:8080/
*   Trying 172.18.0.8...
* connect to 172.18.0.8 port 8080 failed: No route to host
* Failed to connect to 172.18.0.8 port 8080: No route to host
* Closing connection 0
curl: (7) Failed to connect to 172.18.0.8 port 8080: No route to host

Here the container I want to connect to is up and running; this is the actual problem I'm facing:

[root@52ac28b36b93 /]# curl -v 172.18.0.8:8080/
*   Trying 172.18.0.8...
* connect to 172.18.0.8 port 8080 failed: Connection refused
* Failed to connect to 172.18.0.8 port 8080: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 172.18.0.8 port 8080: Connection refused
[root@52ac28b36b93 /]# 

The network looks like this:

docker network inspect lonelyisland
[
    {
        "Name": "lonelyisland",
        "Id": "2bab66f7ba770cc4866afe1322ebf82985b078c614404333119bb54c5535b444",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Containers": {
            "1c2522ee9f06ec1d20a827ac0d8f2037081d0b7d25008057d016d0d1ba31b24c": {
                "Name": "spaceship",
                "EndpointID": "d18eaf2141c60e683e73967674c8d4f701793d9143480c5ad40c151be4464024",
                "MacAddress": "02:42:ac:12:00:08",
                "IPv4Address": "172.18.0.8/16",
                "IPv6Address": ""
            },
            "82cc532808d815236b638448a0c4b00c1dae44570d36837e314d5d6b05a7ff22": {
                "Name": "curl-test",
                "EndpointID": "cfd4a8e203980a6a848938a021d04631ade8d3724dc0af5f9027096bf894e0fb",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true"
        },
        "Labels": {}
    }
]

Docker created these iptables rules:

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-ISOLATION  all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.18.0.8           tcp dpt:http-alt

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere 

Any suggestions / ideas?

    
por drahnr 24.02.2017 / 07:25

1 answer

2

So I started digging level by level, and ended up at the base image, which was fedora:24. I entered the container with a bash shell, started the application and ran curl from there. That didn't work either. For some strange reason the application didn't work in that container, so I tried a different base image (current version in git). And that works just fine. So the stuff above is fine.

    
by 25.02.2017 / 11:49
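The answer above traces the "Connection refused" to the application rather than to the docker network, and that is what the error means: the bridge delivered the SYN to 172.18.0.8, and nothing there accepted it (a firewall drop would have shown as a timeout, and the earlier "No route to host" was the container not running at all). The check that settles this without installing iproute into the image is to read the target container's own /proc/net/tcp and see whether anything is in LISTEN state on the port, and whether it is bound to 0.0.0.0 or only to 127.0.0.1; a service bound to loopback answers curl run inside its own container but refuses peers on the bridge, exactly the symptom described. The following is an added example, not code from the question or the answer. The container name spaceship and port 8080 come from the question; the /proc/net/tcp samples are constructed; piping through `docker exec spaceship cat /proc/net/tcp` assumes the image ships cat.

```shell
#!/bin/sh
# Added example: classify why a peer container gets "Connection refused"
# by inspecting the target container's listening sockets.
# Live usage (assumes the image has cat):
#   docker exec spaceship cat /proc/net/tcp | bind_verdict 8080

# /proc/net/tcp stores IPv4 sockets as little-endian hex "AABBCCDD:PPPP".
# 0100007F:1F90 is 127.0.0.1:8080; 00000000:1F90 is 0.0.0.0:8080.
hex_sock_to_text() {
  ip=${1%%:*}
  port=${1##*:}
  printf '%d.%d.%d.%d:%d' \
    "$((0x$(printf '%s' "$ip" | cut -c7-8)))" \
    "$((0x$(printf '%s' "$ip" | cut -c5-6)))" \
    "$((0x$(printf '%s' "$ip" | cut -c3-4)))" \
    "$((0x$(printf '%s' "$ip" | cut -c1-2)))" \
    "$((0x$port))"
}

# Read /proc/net/tcp on stdin; print the local address of every socket in
# LISTEN state (st == 0A) on the given port, one per line, in dotted form.
listeners_on_port() {
  wanthex=$(printf '%04X' "$1")
  awk -v want="$wanthex" 'NR > 1 && $4 == "0A" && index($2, ":" want) > 0 { print $2 }' |
    while read -r sock; do
      hex_sock_to_text "$sock"
      echo
    done
}

# Verdict for a peer on the docker bridge trying to reach the port:
#   not-listening : nothing bound, curl from anywhere gets Connection refused
#   loopback-only : bound to 127.x only, works in-container, refused for peers
#   reachable     : bound to 0.0.0.0 or the container IP, peers can connect
bind_verdict() {
  listeners=$(listeners_on_port "$1")
  if [ -z "$listeners" ]; then
    echo "not-listening"
  elif printf '%s\n' "$listeners" | grep -v '^127\.' | grep -q .; then
    echo "reachable"
  else
    echo "loopback-only"
  fi
}

# Constructed samples in /proc/net/tcp format (header line, then sockets).
SAMPLE_HEADER='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode'
SAMPLE_ALL="$SAMPLE_HEADER
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 24391 1 0000000000000000 100 0 0 10 0"
SAMPLE_LOOPBACK="$SAMPLE_HEADER
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 24391 1 0000000000000000 100 0 0 10 0"
SAMPLE_NONE="$SAMPLE_HEADER
   0: 080012AC:C9F2 0100007F:0050 01 00000000:00000000 00:00000000 00000000     0        0 24402 1 0000000000000000 20 4 30 10 -1"

# Stand-alone demo over the constructed samples.
for name in SAMPLE_ALL SAMPLE_LOOPBACK SAMPLE_NONE; do
  eval "data=\$$name"
  printf '%-16s -> %s\n' "$name" "$(printf '%s\n' "$data" | bind_verdict 8080)"
done
```

When the verdict is "loopback-only", the fix is in the application's bind address (0.0.0.0 instead of 127.0.0.1), not in docker's iptables or network settings; when it is "not-listening", the process exited or never opened the port, which is the situation the answer ended up diagnosing.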