
Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

How to connect to a local service using mac-client from inside a container #12037

Closed svenmueller closed 2 years ago

svenmueller commented 2 years ago

Description

I'm using the podman mac-client and am trying to access a service running on my host (laptop) from within a container (cerebro, an ES web admin tool). The connection fails as shown below.

❯ podman version
Client:
Version:      3.4.0
API Version:  3.4.0
Go Version:   go1.17.2
Built:        Thu Sep 30 20:44:31 2021
OS/Arch:      darwin/amd64

Server:
Version:      3.3.1
API Version:  3.3.1
Go Version:   go1.16.6
Built:        Mon Aug 30 22:46:36 2021
OS/Arch:      linux/amd64

MacOS 11.4

Steps to reproduce the issue:

  1. Port forward to the ES client service
     $ kubectl -n elasticsearch port-forward svc/elasticsearch-client 9200
     Forwarding from 127.0.0.1:9200 -> 9200
  2. Run the Cerebro container
     $ docker run --rm -it -p 9000:9000 lmenezes/cerebro:latest
     WARNING: An illegal reflective access operation has occurred
     WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$1 (file:/opt/cerebro/lib/com.google.inject.guice-4.2.3.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
     WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$1
     WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
     WARNING: All illegal access operations will be denied in a future release
     [info] play.api.Play - Application started (Prod) (no global state)
     [info] p.c.s.AkkaHttpServer - Listening for HTTP on /0:0:0:0:0:0:0:0:9000
  3. Open the Cerebro UI
     $ open -a Firefox "http://localhost:9000/#!/connect?host=http:%2F%2Fhost.containers.internal:9200"

As Cerebro connection string I'm using "http://host.containers.internal:9200"

Describe the results you received:

The connection to the local service fails from within the container. Logs from Cerebro (note the domain/IP:port that was used):

[error] p.a.h.DefaultHttpErrorHandler -

! @7ldfec55n - Internal server error, for (POST) [/connect] ->

play.api.UnexpectedException: Unexpected exception[ConnectException: Connection refused: host.containers.internal/10.88.0.1:9200]

Describe the results you expected:

I expected that the container is able to connect to the local service (running on the host) via the host name host.containers.internal.

Additional information you deem important (e.g. issue happens only occasionally):

When I use the connection string "http://192.168.127.254:9200" instead, Cerebro is able to connect successfully.

DNS configuration inside the container

cerebro@6cf18697db04:/opt/cerebro$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.88.0.2   6cf18697db04 brave_babbage
10.88.0.1 host.containers.internal

DNS inside machine

podman machine ssh podman-machine-default
Connecting to vm podman-machine-default. To close connection, use `~.` or `exit`
Warning: Permanently added '[localhost]:51134' (ECDSA) to the list of known hosts.
Fedora CoreOS 34.20211004.2.0
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/c/server/coreos/

Last login: Tue Oct 19 15:19:14 2021 from 192.168.127.1
[core@localhost ~]$ dig +short host.containers.internal
192.168.127.254

Output of podman version:

(paste your output here)

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.22.3
  cgroupControllers: []
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.29-2.fc34.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: '
  cpus: 1
  distribution:
    distribution: fedora
    version: "34"
  eventLogger: journald
  hostname: localhost
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.14.9-200.fc34.x86_64
  linkmode: dynamic
  logDriver: ""
  memFree: 1241976832
  memTotal: 2061860864
  ociRuntime:
    name: crun
    package: crun-1.0-1.fc34.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.0
      commit: 139dc6971e2f1d931af520188763e984d6cdfbf8
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc34.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 0
  swapTotal: 0
  uptime: 26m 6.75s
plugins:
  log: null
  network: null
  volume: null
registries:
  search:
  - docker.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 1
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/core/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 2
  runRoot: /run/user/1000/containers
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 3.3.1
  Built: 1630356396
  BuiltTime: Mon Aug 30 20:46:36 2021
  GitCommit: ""
  GoVersion: go1.16.6
  OsArch: linux/amd64
  Version: 3.3.1

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):
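The report above compares, by hand, the address that the container's /etc/hosts pins host.containers.internal to (10.88.0.1, the bridge gateway inside the VM) with what the VM's resolver returns for the same name (192.168.127.254, the gvproxy address that actually reaches the Mac). As an added example, which is not code from the issue or from the podman project, the following POSIX sh script automates that check: it extracts the static /etc/hosts entry for a name and reports whether it matches, shadows, or is missing relative to a resolver answer supplied by the caller. The helper names (hosts_lookup, compare_alias, demo) and the sample hosts content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the podman project or the issue author).
# Detects a static /etc/hosts entry that shadows the resolver's answer for a
# name such as host.containers.internal. A static entry always wins over DNS
# for the "files dns" order glibc uses, so a stale pin sends traffic to the
# wrong address even when the resolver (here gvproxy) knows the right one.

# hosts_lookup FILE NAME
#   Prints the first address FILE maps NAME to, or nothing if there is none.
#   Comment lines are skipped; aliases after the address are all considered.
hosts_lookup() {
  awk -v name="$2" '
    $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
  ' "$1"
}

# compare_alias FILE NAME RESOLVER_ADDR
#   Exit 0 and print "match"    when the static entry equals RESOLVER_ADDR,
#   exit 1 and print "shadowed" when the static entry differs (the failure in
#   the issue: 10.88.0.1 pinned, 192.168.127.254 from the resolver),
#   exit 2 and print "absent"   when FILE has no entry for NAME at all.
compare_alias() {
  ca_pinned=$(hosts_lookup "$1" "$2")
  if [ -z "$ca_pinned" ]; then
    echo "absent"
    return 2
  fi
  if [ "$ca_pinned" = "$3" ]; then
    echo "match"
    return 0
  fi
  echo "shadowed: /etc/hosts pins $2 to $ca_pinned but the resolver returns $3"
  return 1
}

# demo
#   Runs the check against a constructed copy of the /etc/hosts shown in the
#   issue, using the address the VM's resolver returned there. Always exits 0
#   so the script can be sourced for its functions without side effects.
demo() {
  demo_file=$(mktemp)
  # Constructed sample, mirroring the container's /etc/hosts from the report.
  printf '%s\n' \
    '127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4' \
    '::1         localhost localhost.localdomain localhost6 localhost6.localdomain6' \
    '10.88.0.2   6cf18697db04 brave_babbage' \
    '10.88.0.1 host.containers.internal' > "$demo_file"
  compare_alias "$demo_file" host.containers.internal 192.168.127.254 || :
  rm -f "$demo_file"
  return 0
}

demo
```

To use it inside a real container, pass `/etc/hosts` as the file and, as the third argument, the address obtained from `dig +short host.containers.internal` on the podman machine (the resolver the container is supposed to consult); a "shadowed" result is exactly the situation in this issue, where the static entry written at container creation overrides the gvproxy DNS answer. The functions avoid bash-only features so the script also runs under the minimal shells shipped in many container images.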

rhatdan commented 2 years ago

@Luap99 @mheon Is this the problem of newer podman talking to older server?

Luap99 commented 2 years ago

This is fixed on main AFAIK. Podman will no longer hard-code host.containers.internal when run inside podman machine; instead, the gvproxy DNS server will handle it.

svenmueller commented 2 years ago

@Luap99 In which release is this fixed? Can you please point me to the commit/PR?