Unable to connect to grpc service from Windows

Phan-Tom416 commented 1 year ago

[x] I have tried with the latest version of Docker Desktop
[x] I have tried disabling enabled experimental features
[x] I have uploaded Diagnostics
Diagnostics ID: 5F45D05F-B161-4B00-8ACF-D2E6EE39D9CD/20230306142038

Actual behavior

Cannot connect to a grpc service from Windows, but connecting from a different container to it works

Expected behavior

Should be able to connect to grpc service

Information

Windows Version: Windows 11
Docker Desktop Version: v4.16.3
WSL2 or Hyper-V backend? WSL2
Are you running inside a virtualized Windows e.g. on a cloud server or a VM: No Virtualization

Output of `& "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check`

[PASS] DD0027: is there available disk space on the host?
[PASS] DD0028: is there available VM disk space?
[PASS] DD0002: does the bootloader have virtualization enabled?
[SKIP] DD0018: does the host support virtualization?
[PASS] DD0001: is the application running?
[PASS] DD0022: is the Virtual Machine Platform Windows Feature enabled?
[PASS] DD0021: is the WSL 2 Windows Feature enabled?
[PASS] DD0024: is WSL installed?
[PASS] DD0025: are WSL distros installed?
[PASS] DD0026: is the WSL LxssManager service running?
[PASS] DD0029: is the WSL 2 Linux filesystem corrupt?
[PASS] DD0035: is the VM time synchronized?
[PASS] DD0017: can a VM be started?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0031: does the Docker API work?
[PASS] DD0013: is the $PATH ok?
[PASS] DD0003: is the Docker CLI working?
[PASS] DD0005: is the user in the docker-users group?
[PASS] DD0038: is the connection to Docker working?
[PASS] DD0014: are the backend processes running?
[PASS] DD0007: is the backend responding?
[PASS] DD0008: is the native API responding?
[PASS] DD0009: is the vpnkit API responding?
[PASS] DD0010: is the Docker API proxy responding?
[PASS] DD0006: is the Docker Desktop Service responding?
[SKIP] DD0030: is the image access management authorized?
[PASS] DD0033: does the host have Internet access?
[PASS] DD0002: does the bootloader have virtualization enabled?
[PASS] DD0018: does the host support virtualization?
[PASS] DD0001: is the application running?
[PASS] DD0022: is the Virtual Machine Platform Windows Feature enabled?
[PASS] DD0021: is the WSL 2 Windows Feature enabled?
[PASS] DD0024: is WSL installed?
[PASS] DD0025: are WSL distros installed?
[PASS] DD0026: is the WSL LxssManager service running?
[PASS] DD0029: is the WSL 2 Linux filesystem corrupt?
[PASS] DD0035: is the VM time synchronized?
[PASS] DD0017: can a VM be started?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0031: does the Docker API work?
[PASS] DD0032: do Docker networks overlap with host IPs?
No fatal errors detected.

Steps to reproduce the behavior

diambra run cmd.exe

discordianfish commented 1 year ago

I've worked with @Phan-Tom416 to investigate this issue, here is what we found so far:

Investigation

[x] Run our grpc server in docker:
- [x] grpcurl -plaintext 172.17.0.3:50051 list: Failed to dial target host "172.17.0.3:50051": context deadline exceeded
- [x] grpcurl -plaintext localhost:59667 list: Failed to dial target host "localhost:59667": dial tcp [::1]:59667: connectex: No connection could be made because the target machine actively refused it."
- [x] grpcurl -plaintext host.docker.internal:59667 list: Failed to dial target host "host.docker.internal:59667": dial tcp 192.168.101.23:59667: connectex: No connection could be made because the target machine actively refused it.

There seems to be an issue with the portmapping. We tried to reproduce this with nginx but couldn't:

[x] Run docker run -p 80:80 nginx -> Reachable on localhost:80

But binding the hostport to 127.0.0.1 makes it unreachable. On my windows machine this works so I suspect this points already to some issue:

[x] Run docker run -p 127.0.0.1:80:80 nginx -> Unreachable

To rule out the container port <-> vm port mapping as the problem we tried running with host networking:

[x] Run our grpc server with net=host as described here and...
- [x] Connect to localhost:50051 -> failed
- [x] Connect to host.docker.internal:50051: 192.168.101.23:50051: connectex: No connection could be made because the target machine actively refused it.

Finally to show that it's not an issue with our grpc server itself, we ran grpcurl from another linked container which was successful:

[x] Manually connect to grpc from container as described here

Conclusion

There seems to be two related? issues:

portmapping issue that only affects certain types of connections with http connections to nginx not being able to reproduce this
binding any port on 127.0.0.1 makes it unreachable from the windows host

More discussion/details also in diambra/arena#62

jtnord commented 1 year ago

binding any port on 127.0.0.1 makes it unreachable from the windows host

I am seeing what appears to be exactly this behaviour to. binding to 127.0.0.2 as a workaround (-p 127.0.0.2:xxx:xxx) works (the port is reachable from windows and also not exposed on all public interfaces!)

Information Windows Version: Windows 11 22H1 (22000.1761) Docker Desktop Version: v4.18.0 WSL2 or Hyper-V backend? WSL2 (1.1.6.0)

docker / for-win