TritonDataCenter / sdc-docker

Docker Engine for Triton
Mozilla Public License 2.0

docker client issue when setting Firewall rule to "tcp PORT all" #73

Closed moogle19 closed 8 years ago

moogle19 commented 8 years ago

If you create a docker container and add a Firewall rule that allows traffic from "any" to the docker vm on "tcp PORT all" the docker container is reachable from the outside, but the docker ps command fails with

json: cannot unmarshal string into Go value of type int

Firewall rule:

[screenshot of the firewall rule, 2016-03-22]

That is because the values in the ports array for PrivatePort and PublicPort are "any", but the docker client expects an integer.

curl output for /containers/json?all=1

[{
    "Id": "88993aa89a3b4de7b20617babc274b73ecb593bd914340e0a9618c78037b565b",
    "Created": 1458654290,
    "Command": "/assets/wrapper",
    "Names": ["/compassionate_perlman"],
    "Status": "Exited (127) 4 minutes ago",
    "Image": "gitlab/gitlab-ce",
    "Labels": {
        "com.joyent.package": "sample-1G"
    },
    "Ports": [{
        "IP": "0.0.0.0",
        "PrivatePort": "all", <-- here
        "PublicPort": "all",  <-- here
        "Type": "tcp"
    }, {
        "PrivatePort": 22,
        "Type": "tcp"
    }, {
        "PrivatePort": 443,
        "Type": "tcp"
    }, {
        "PrivatePort": 80,
        "Type": "tcp"
    }]
}]

notmatt commented 8 years ago

@moogle19 Thanks! I've opened an internal bug on this here.

The root cause of your specific problem is that when we map firewall rules to the docker port list, we aren't ensuring that we're displaying only ints for ports, which is what's required by the docker Port type.

Unfortunately, this also means that there aren't any extremely pleasing solutions to the problem of what to do for all. A list of 65k published ports (what docker does for port ranges) would likely be problematic for everyone (at least if you don't expect it). An int outside the normal port range (like '-1') that had special semantics in SDC would work on the SDC end, but making sure it didn't break anything in the docker client would be quite difficult (not to mention creating a portability problem).

So the best idea we have at the moment is probably not to translate firewall rules that don't have good representations in the docker container format. You would still be able to apply them via the SDC UI or APIs, but they wouldn't be reported by the docker client. Would that work for your usecase?

thanks, matt.
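
The mapping Matt describes (firewall rules translated into the Docker `Ports` list, with rules that have no integer representation left out rather than emitted as the string "all") can be illustrated in a few lines. The block below is an added example written for this page in JavaScript, the language of sdc-docker; it is not sdc-docker's own code, and the rule shape `{ protocol, ports }`, the `0.0.0.0` publish address, and the function names are assumptions made for illustration. It also includes a strict check of a `Ports` array, run against the payload from the curl output above, that reports the same two fields the docker client chokes on.

```javascript
// Added example, not sdc-docker's own code. Shows the mapping discussed in the
// thread: Triton firewall rules -> Docker API "Ports" entries, skipping rules
// whose port is "all" instead of serializing the string "all", which the docker
// client's Port type (integer PrivatePort/PublicPort) cannot decode. The rule
// shape { protocol, ports } is an assumption for illustration only.

const PORT_MIN = 1;
const PORT_MAX = 65535;

// Return the port as an integer, or null if it is not a valid port number
// (e.g. the string "all", a negative value, or a value above 65535).
function asPort(value) {
  const n = typeof value === 'number' ? value : Number.parseInt(String(value), 10);
  if (!Number.isInteger(n) || n < PORT_MIN || n > PORT_MAX) return null;
  return n;
}

// Translate firewall rules into Docker "Ports" entries. Every emitted entry has
// integer ports; rules with no integer representation are returned in `skipped`
// rather than emitted, so the caller can log them (the rule itself remains
// visible through the SDC UI/API, as proposed in the thread).
function firewallRulesToDockerPorts(rules) {
  const ports = [];
  const skipped = [];
  for (const rule of rules) {
    for (const p of rule.ports) {
      const n = asPort(p);
      if (n === null) {
        skipped.push({ protocol: rule.protocol, port: p });
        continue;
      }
      // Assumption: a rule allowing traffic from "any" is published on all
      // addresses with the same public and private port.
      ports.push({ IP: '0.0.0.0', PrivatePort: n, PublicPort: n, Type: rule.protocol });
    }
  }
  return { ports, skipped };
}

// Check a "Ports" array the way a strict client would: PrivatePort must be an
// integer, and PublicPort must be an integer when present. Returns the list of
// offending fields ([] means the payload is decodable).
function findNonIntegerPorts(ports) {
  const problems = [];
  ports.forEach((entry, index) => {
    for (const field of ['PrivatePort', 'PublicPort']) {
      if (field in entry && asPort(entry[field]) === null) {
        problems.push({ index, field, value: entry[field] });
      }
    }
  });
  return problems;
}

// Constructed input: the "Ports" array from the curl output in the issue.
const PORTS_FROM_ISSUE = [
  { IP: '0.0.0.0', PrivatePort: 'all', PublicPort: 'all', Type: 'tcp' },
  { PrivatePort: 22, Type: 'tcp' },
  { PrivatePort: 443, Type: 'tcp' },
  { PrivatePort: 80, Type: 'tcp' },
];

// Constructed input: the "tcp PORT all" rule plus one rule with explicit ports.
const SAMPLE_RULES = [
  { protocol: 'tcp', ports: ['all'] },
  { protocol: 'tcp', ports: [22, 443, 80] },
];

console.log('problems in issue payload:', findNonIntegerPorts(PORTS_FROM_ISSUE));
const translated = firewallRulesToDockerPorts(SAMPLE_RULES);
console.log('emitted:', translated.ports, 'skipped:', translated.skipped);
```

Run with `node`: the check on the issue payload reports both `PrivatePort` and `PublicPort` of the first entry, while the translated rules yield three integer-only entries and one skipped `all` rule that passes the same check.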

magnayn commented 8 years ago

I don't know about the OP, but that would work for me. At the moment any client listing containers dies because it can't parse "all" as an int, so it'd be better for that to work at the expense of not necessarily knowing which ports were open.

melloc commented 8 years ago

This is fixed in 3e42224 which is in this week's release.