containerd / nerdctl

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
Apache License 2.0

Service accessible via container IP but not via host IP even when port mapping is done #2947

Open sakshiarora13 opened 4 months ago

sakshiarora13 commented 4 months ago

### Description

I am trying to create a local nerdctl registry on my setup. The registry, which is running on port 5000 inside the container, is mapped to port 5001 on my host. I am able to access the registry via the container IP but not via the host IP, even though the mapping is done correctly.

containers running: image

container details, nerdctl inspect omnia-registry : image

registry details via container IP: image

when trying to access registry via host IP/name: image

port mapping: image

ufw status: image

What can be the issue here?

### Steps to reproduce the issue

1. Created a service file for nerdctl-registry: `cat /etc/systemd/system/nerdctl-registry.service`

```ini
[Unit]
Description=Nerdctl Registry

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/opt/omnia/nerdctl-registry
ExecStart=/bin/bash nerdctl-registry start
ExecStop=/bin/bash nerdctl-registry stop

[Install]
WantedBy=default.target
```


2. `cat /opt/omnia/nerdctl-registry/nerdctl-registry`

```bash
#!/bin/bash

# start: run the registry container if it does not exist yet, otherwise start it
# stop:  remove the container
nerdctl_command=$1
if [ "$nerdctl_command" = "start" ]; then
    nerdctl_ps_result=$(nerdctl ps -a | grep "omnia-registry")
    if [ -z "$nerdctl_ps_result" ]; then
        nerdctl run -d -p 5001:5000 --restart=always --name omnia-registry \
            -v /opt/omnia/nerdctl-registry/images:/data \
            -e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data \
            -v /opt/omnia/nerdctl-registry/certs:/certs \
            -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
            -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
            registry:2
    else
        nerdctl start omnia-registry
    fi
elif [ "$nerdctl_command" = "stop" ]; then
    nerdctl rm -f omnia-registry
else
    echo "The parameter is wrong."
fi
```


3. Create certificates for registry
![image](https://github.com/containerd/nerdctl/assets/73195862/bab4030f-3fa5-419b-a0a0-c16bcd02e7bf)

4. systemctl start nerdctl-registry

### Describe the results you received and expected

Registry should be accessible at HostIP:5001

### What version of nerdctl are you using?

root@monsooncp:~# nerdctl version
WARN[0000] unable to determine buildctl version: exec: "buildctl": executable file not found in $PATH
Client:
 Version:       v1.5.0
 OS/Arch:       linux/amd64
 Git commit:    b33a58f288bc42351404a016e694190b897cd252
 buildctl:
  Version:

Server:
 containerd:
  Version:      1.6.16
  GitCommit:    31aa4358a36870b21a992d3ad2bef29e1d693bec
 runc:
  Version:      1.1.4
  GitCommit:    v1.1.4-0-g5fd4c4d

### Are you using a variant of nerdctl? (e.g., Rancher Desktop)

Others

### Host information

root@monsooncp:~# nerdctl info
Client:
 Namespace:     default
 Debug Mode:    false

Server:
 Server Version: 1.6.16
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Log: fluentd journald json-file syslog
  Storage: aufs native overlayfs
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-176-generic
 Operating System: Ubuntu 20.04.6 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 48
 Total Memory: 125.4GiB
 Name: monsooncp.monsoon.test
 ID: c2878b4c-63e9-4048-8f6d-a91534c6080d

WARNING: No swap limit support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Shubhranshu153 commented 4 months ago

What do the following network commands show on the host?

```shell
ip route show
iptables -S
netstat -tuln
```

And I am wondering: does changing the IP to localhost work for you?

fahedouch commented 4 months ago

Traffic should be translated by a DNAT rule, then routed to the bridge, and then to the container socket. As @Shubhranshu153 mentioned, the output of these two commands will be very helpful:

```shell
iptables -t nat -v -n -L
ip route
```
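Added example (not code from this issue, from nerdctl, or from any of the commenters): an offline diagnostic for the path @fahedouch describes above, host port -> DNAT -> bridge -> container, applied to the `-p 5001:5000` mapping in the issue. It takes saved rule dumps as text (`iptables-save -t nat`, `iptables-save -t filter`, and `sysctl net.ipv4.ip_forward net.bridge.bridge-nf-call-iptables`) and checks the three things that have to hold for `HostIP:5001` to reach the registry: a DNAT rule for the host port, a FORWARD chain that admits new connections to the container IP (this matters for clients on other hosts, and ufw's default `DEFAULT_FORWARD_POLICY` is `DROP`), and `net.ipv4.ip_forward = 1`. The rule dumps embedded below are constructed for the demo; the chain names (`CNI-HOSTPORT-DNAT`, `CNI-FORWARD`) and the container IP `10.4.0.2` are assumptions, so feed it real dumps from the affected host rather than relying on those.

```shell
#!/usr/bin/env bash
# Added example, not part of nerdctl or of this issue: offline checks for the
# host-port -> DNAT -> bridge -> container path that a published port relies on.
# Inputs are plain text as produced by iptables-save -t nat, iptables-save -t filter
# and sysctl (see the constructed samples at the bottom).
set -u

# Print "ip:port" of the DNAT target for a published host port; fail if there is none.
find_dnat() {
    local nat_rules="$1" host_port="$2"
    printf '%s\n' "$nat_rules" \
        | grep -F -e '-j DNAT' \
        | grep -E -e "--dport ${host_port}( |$)" \
        | sed -E 's/.*--to-destination ([0-9.]+:[0-9]+).*/\1/' \
        | head -n 1 | grep .
}

# Succeed if the filter table lets NEW connections reach the container IP: either the
# FORWARD policy is ACCEPT or some rule accepts traffic to ip/32. Rules that only match
# RELATED,ESTABLISHED are ignored because they never admit the first packet of a flow.
forward_allows() {
    local filter_rules="$1" ip="$2"
    if printf '%s\n' "$filter_rules" | grep -q -x -e '-P FORWARD ACCEPT'; then
        return 0
    fi
    printf '%s\n' "$filter_rules" \
        | grep -F -e "-d ${ip}/32" \
        | grep -v -F -e 'RELATED,ESTABLISHED' \
        | grep -q -F -e '-j ACCEPT'
}

# Succeed if "key = 1" appears in the sysctl output.
sysctl_is_one() {
    local sysctl_text="$1" key="$2"
    printf '%s\n' "$sysctl_text" | grep -q -E -e "^${key}[[:space:]]*=[[:space:]]*1$"
}

# Run all checks for one published host port; return the number of problems found.
diagnose() {
    local nat_rules="$1" filter_rules="$2" sysctl_text="$3" host_port="$4"
    local problems=0 target container_ip
    if target=$(find_dnat "$nat_rules" "$host_port"); then
        echo "ok: host port $host_port is DNAT'd to $target"
        container_ip=${target%%:*}
        if forward_allows "$filter_rules" "$container_ip"; then
            echo "ok: FORWARD admits new connections to $container_ip"
        else
            echo "problem: FORWARD policy is not ACCEPT and no rule accepts $container_ip" \
                 "(ufw ships DEFAULT_FORWARD_POLICY=DROP); clients on other hosts will hang"
            problems=$((problems + 1))
        fi
    else
        echo "problem: no DNAT rule for host port $host_port; the port mapping was not installed"
        problems=$((problems + 1))
    fi
    if sysctl_is_one "$sysctl_text" net.ipv4.ip_forward; then
        echo "ok: net.ipv4.ip_forward = 1"
    else
        echo "problem: net.ipv4.ip_forward is not 1; DNAT'd packets from other hosts are not forwarded"
        problems=$((problems + 1))
    fi
    if ! sysctl_is_one "$sysctl_text" net.bridge.bridge-nf-call-iptables; then
        echo "note: bridge-nf-call-iptables is off (the nerdctl info warning); this hides frames" \
             "bridged between containers from iptables, not routed host-to-container traffic"
    fi
    return "$problems"
}

# Constructed sample dumps for the demo; chain names and the container IP are assumptions.
SAMPLE_NAT_OK='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N CNI-HOSTPORT-DNAT
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A OUTPUT -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A CNI-HOSTPORT-DNAT -p tcp -m tcp --dport 5001 -j DNAT --to-destination 10.4.0.2:5000'
SAMPLE_FILTER_OK='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N CNI-FORWARD
-A FORWARD -j CNI-FORWARD
-A CNI-FORWARD -d 10.4.0.2/32 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A CNI-FORWARD -d 10.4.0.2/32 -j ACCEPT
-A CNI-FORWARD -s 10.4.0.2/32 -j ACCEPT'
SAMPLE_FILTER_UFW='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-forward
-A FORWARD -j ufw-before-forward
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -i lo -j ACCEPT'
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 0'

# Demo: a working setup, then the same DNAT rule behind a ufw-style FORWARD chain.
diagnose "$SAMPLE_NAT_OK" "$SAMPLE_FILTER_OK" "$SAMPLE_SYSCTL" 5001 || echo "problems: $?"
diagnose "$SAMPLE_NAT_OK" "$SAMPLE_FILTER_UFW" "$SAMPLE_SYSCTL" 5001 || echo "problems: $?"
```

Two caveats when reading real output. Rootful nerdctl implements `-p` with the CNI portmap plugin as iptables DNAT rules, not with a userspace proxy, so `netstat -tuln` showing no listener on 5001 is expected and not by itself a failure. And the posted `nerdctl run` configures TLS but no authentication, so once the mapping works the registry accepts pushes from anyone who can reach `HostIP:5001`; if it is only meant for the host itself, publishing as `-p 127.0.0.1:5001:5000` keeps it off the external interfaces.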