jpetazzo / squid-in-a-can


Can't start and configure dockerized squid container on Ubuntu 14.04 #10

Closed dvapelnik closed 9 years ago

dvapelnik commented 9 years ago

I'm trying to run your dockerized solution for caching with transparent squid, but I can't get it to work. I'm trying to understand how it works and I have some questions.

$ sudo docker info
Containers: 0
Images: 177
Storage Driver: aufs
 Root Dir: /home/docker/aufs
 Dirs: 177
Execution Driver: native-0.2
Kernel Version: 3.13.0-43-generic
Operating System: Ubuntu 14.04.1 LTS
CPUs: 2
Total Memory: 7.685 GiB
Name: dv-laptop
ID: DOAN:37FJ:5QLG:PHOW:OHCF:6OOS:2OGN:XSZK:5Q3C:W2FV:EI4X:NWB5
WARNING: No swap limit support
$ sudo docker version 
Client version: 1.4.1
Client API version: 1.16
Go version (client): go1.3.3
Git commit (client): 5bc2ff8
OS/Arch (client): linux/amd64
Server version: 1.4.1
Server API version: 1.16
Go version (server): go1.3.3
Git commit (server): 5bc2ff8

I understood that the squid container works in the host network namespace and that the container's port 3129 will be available on the host machine for transparent proxying of HTTP traffic for all containers. All HTTP traffic from containers will be prerouted through the caching proxy with an iptables rule.

I'm using a more straightforward way, without an additional container for changing the host's iptables rules (i.e. run the "squid-in-a-can" container and directly update the iptables PREROUTING rule).

But I see a discrepancy in ports: nmap of 127.0.0.1 shows my squid on port 3128 and the PREROUTING rule redirects to port 3129. I read your comment about patching the debian config and I have seen port 3129 being added to the squid config in the Dockerfile, but nmap can't be mistaken either.

And my new simple container can't use HTTP when the squid container is running and the PREROUTING rule is configured. I tried replacing port 3129 with 3128 in the PREROUTING rule, but with no result.

My steps:

Run squid container:

sudo docker run \
    --rm \
    --name squid \
    -e DISK_CACHE_SIZE=5120 \
    -e MAX_CACHE_OBJECT=1024 \
    -v /path/to/my/cache:/var/cache/squid3 \
    --net host \
    jpetazzo/squid-in-a-can

My nmap localhost result:

$ sudo nmap localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2015-01-14 11:07 EET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000015s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
631/tcp  open  ipp
3128/tcp open  squid-http
9091/tcp open  xmltec-xmlmail

Nmap done: 1 IP address (1 host up) scanned in 2.42 seconds

I see this situation in iptables:

$ sudo iptables --list -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3129

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        anywhere            

Chain DOCKER (2 references)
target     prot opt source               destination

I run simple container and try to update my apt's cache:

$ sudo docker run --rm -it tianon/debian-debootstrap:jessie /bin/bash
root@6d159e962991:/# apt-get update
Err http://http.debian.net jessie InRelease                                                           

Err http://http.debian.net jessie-updates InRelease                                                   

Err http://http.debian.net jessie Release.gpg                                                         
  Cannot initiate the connection to http.debian.net:80 (2001:41c8:1000:21::21:35). - connect (101: Network is unreachable) [IP: 2001:41c8:1000:21::21:35 80]
Err http://http.debian.net jessie-updates Release.gpg  
  Cannot initiate the connection to http.debian.net:80 (2001:41c8:1000:21::21:35). - connect (101: Network is unreachable) [IP: 2001:41c8:1000:21::21:35 80]
0% [Connecting to security.debian.org (212.211.132.32)]

The Internet link in the container is working:

root@6d159e962991:/# ping google.com -c 4
PING google.com (173.194.116.232): 56 data bytes
64 bytes from 173.194.116.232: icmp_seq=0 ttl=55 time=49.587 ms
64 bytes from 173.194.116.232: icmp_seq=1 ttl=55 time=49.346 ms
64 bytes from 173.194.116.232: icmp_seq=2 ttl=55 time=50.718 ms
64 bytes from 173.194.116.232: icmp_seq=3 ttl=55 time=49.451 ms
--- google.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 49.346/49.776/50.718/0.551 ms

but nothing with HTTP :unamused:

What am I doing wrong?

dvapelnik commented 9 years ago

I have successfully used the squid proxy from a linked container:

sudo docker \
    run -d \
    --name squid \
    -e DISK_CACHE_SIZE=5120 \
    -e MAX_CACHE_OBJECT=1024 \
    -v /path/to/my/cache:/var/cache/squid3 \
    jpetazzo/squid-in-a-can
sudo docker run --rm -it --link="squid:squid" ubuntu-debootstrap:trusty /bin/bash

in container:

export http_proxy="http://squid:3128"

PROFIT, but this is not a good solution.

dvapelnik commented 9 years ago

It was my mistake. Any requests to 172.17.42.1:3129 were blocked by my firewall.
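As an added diagnostic (not part of the original issue or of the squid-in-a-can project), the following cross-checks the three things the thread compares by eye: the port the PREROUTING REDIRECT rule sends traffic to, the ports nmap reported open, and the `http_port ... intercept` line in squid's config. It also accounts for what the nmap report above shows (996 closed + 4 open = 1000 ports): a default nmap run probes only the 1000 most common ports, so a port missing from that report is not necessarily closed. The iptables and nmap samples are constructed from the output quoted in the issue; the squid.conf excerpt is an assumption.

```python
import re

# Constructed samples, modelled on the output quoted in the issue (not live data).
IPTABLES_NAT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3129
"""
NMAP_REPORT = """\
Not shown: 996 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
631/tcp  open  ipp
3128/tcp open  squid-http
9091/tcp open  xmltec-xmlmail
"""
SQUID_CONF = "http_port 3128\nhttp_port 3129 intercept\n"  # assumed squid.conf excerpt

def redirect_targets(iptables_text):
    """Map matched destination port -> REDIRECT target port for PREROUTING tcp rules."""
    pat = re.compile(r"^REDIRECT\s+tcp\b.*?dpt:(\S+)\s+redir ports (\d+)", re.M)
    return {dpt: int(port) for dpt, port in pat.findall(iptables_text)}

def open_tcp_ports(nmap_text):
    return {int(p) for p in re.findall(r"^(\d+)/tcp\s+open", nmap_text, re.M)}

def ports_scanned(nmap_text):
    """Ports nmap actually probed: the 'Not shown' count plus the listed open ports."""
    m = re.search(r"Not shown: (\d+)", nmap_text)
    return (int(m.group(1)) if m else 0) + len(open_tcp_ports(nmap_text))

def intercept_ports(squid_conf):
    """Ports on which squid accepts transparently redirected traffic (http_port N intercept)."""
    return {int(p) for p in re.findall(r"^http_port\s+(\d+)\s+intercept", squid_conf, re.M)}

def check(iptables_text, nmap_text, squid_conf):
    """Return a list of findings; an empty list means the redirect chain is consistent."""
    findings = []
    listening, scanned = open_tcp_ports(nmap_text), ports_scanned(nmap_text)
    for dpt, port in redirect_targets(iptables_text).items():
        if port not in intercept_ports(squid_conf):
            findings.append(f"REDIRECT {dpt}->{port}: no 'http_port {port} intercept' in squid.conf")
        if port not in listening:
            if scanned < 65536:  # a default nmap run probes only 1000 ports
                findings.append(f"port {port} absent from nmap report, but only {scanned} ports "
                                f"were scanned; confirm with 'nmap -p {port}' or 'ss -ltn'")
            else:
                findings.append(f"REDIRECT {dpt}->{port}: nothing listens on {port}")
    return findings
```

REDIRECT rewrites the destination to the primary address of the interface the packet arrived on (here docker0, 172.17.42.1), so the host's filter INPUT chain must also accept that port; that is the firewall block the reporter found, and it is outside what this check can see from nat-table output alone.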