juli3nk / csf-post-docker

CSF with support for Docker

not quite working for me #2

Closed ecamaj closed 8 years ago

ecamaj commented 8 years ago

I still have issues with csf even when I use this script, which helps with restarts of csf for the most part.

The main issue for me is that I cannot access containers from localhost (CentOS) via "127.0.0.1". For example, "curl 127.0.0.1:5432" just hangs. Everything works when accessing with domain name:port. This is a major issue for me, because I would like to restrict access to localhost only and use subdomain forwarding to localhost, so that ports are not directly accessible but only through a subdomain, which allows using basic auth and similar features.

I'm still not very handy with "ops" part of "devops", so I might be missing something obvious, sorry about that.

Any help solving this would be much appreciated.

Thanks, Eddie

ecamaj commented 8 years ago

Of course, when I disable csf and restart docker service, it works from both domain and 127.0.0.1.

ghost commented 8 years ago

Hi Eddie,

I tried to query a webpage using curl http://localhost and curl http://<domain>. Both worked for me.

Could you try to remove the script csfpost.sh and see if it works?

Thanks Julien

ecamaj commented 8 years ago

No, when I remove csfpost.sh and restart csf, Docker is not accessible at all (both domain and localhost). Can I give you some details from the server maybe?

ecamaj commented 8 years ago

iptables -L -n -t nat:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:5601
MASQUERADE  tcp  --  172.17.0.4           172.17.0.4           tcp dpt:9200
MASQUERADE  tcp  --  172.17.0.5           172.17.0.5           tcp dpt:8000
MASQUERADE  tcp  --  172.17.0.5           172.17.0.5           tcp dpt:8888
MASQUERADE  tcp  --  172.17.0.5           172.17.0.5           tcp dpt:8889
MASQUERADE  tcp  --  172.17.0.7           172.17.0.7           tcp dpt:80

Chain DOCKER (2 references)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5601 to:172.17.0.4:5601
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9200 to:172.17.0.4:9200
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8000 to:172.17.0.5:8000
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8888 to:172.17.0.5:8888
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8889 to:172.17.0.5:8889
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5001 to:172.17.0.7:80

Chain WEAVE (0 references)
target     prot opt source               destination         

ecamaj commented 8 years ago

I just noticed that when I restart docker service, this line in iptables is different:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

goes to:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

And first line in POSTROUTING is added:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL

Smells like a clue. :)
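The before/after rule differences quoted above, as an added example that is not part of the csf-post-docker script: a POSIX shell checker that reads an `iptables -L -n -t nat` dump and reports which of the two OUTPUT/POSTROUTING variants it contains, plus the host-port to container mappings from the DNAT rules in the DOCKER chain. The sample dumps inside it are constructed abbreviations of the outputs posted in this thread; the function names and the key=value labels it prints are my own.

```shell
#!/bin/sh
# Added example for this thread; not code from csf-post-docker.
# nat_report reads `iptables -L -n -t nat` output from a file and reports the
# two details that differed between the dumps before and after the docker
# restart: whether the OUTPUT jump to DOCKER carries the "!127.0.0.0/8"
# destination exclusion, and whether POSTROUTING has the "ADDRTYPE match
# src-type LOCAL" MASQUERADE rule. Field positions follow the -L -n layout:
# target, prot, opt, source, destination, then match text.

# Usage: nat_report FILE   (prints one key=value per line)
nat_report() {
  awk '
    /^Chain /  { chain = $2; next }
    /^target / { next }
    NF == 0    { next }
    chain == "OUTPUT" && $1 == "DOCKER" {
      output_jump = 1
      if ($5 == "!127.0.0.0/8") loopback_excluded = 1
    }
    chain == "POSTROUTING" && $1 == "MASQUERADE" && /src-type LOCAL/ {
      local_masq = 1
    }
    chain == "DOCKER" && $1 == "DNAT" {
      # e.g. "tcp dpt:5001 to:172.17.0.7:80" becomes "5001->172.17.0.7:80"
      port = ""
      for (i = 6; i <= NF; i++) {
        if ($i ~ /^dpt:/) port = substr($i, 5)
        if ($i ~ /^to:/) {
          sep = (ports == "") ? "" : " "
          ports = ports sep port "->" substr($i, 4)
        }
      }
    }
    END {
      printf "output_jump=%d\n", output_jump + 0
      printf "loopback_excluded=%d\n", loopback_excluded + 0
      printf "local_masquerade=%d\n", local_masq + 0
      printf "published=%s\n", ports
    }
  ' "$1"
}

# Exit 0 when FILE shows the variant the thread saw after restarting docker
# (OUTPUT jump without the 127.0.0.0/8 exclusion plus the src-type LOCAL
# MASQUERADE), 1 otherwise.
loopback_dnat_enabled() {
  r=$(nat_report "$1")
  printf '%s\n' "$r" | grep -q '^output_jump=1$' || return 1
  printf '%s\n' "$r" | grep -q '^loopback_excluded=0$' || return 1
  printf '%s\n' "$r" | grep -q '^local_masquerade=1$'
}

# Constructed sample: abbreviated from the first dump in the thread.
sample_before() {
  cat <<'EOF'
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
MASQUERADE  tcp  --  172.17.0.7           172.17.0.7           tcp dpt:80

Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5601 to:172.17.0.4:5601
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5001 to:172.17.0.7:80
EOF
}

# Constructed sample: the same chains as they looked after the docker restart.
sample_after() {
  cat <<'EOF'
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
MASQUERADE  tcp  --  172.17.0.7           172.17.0.7           tcp dpt:80

Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5601 to:172.17.0.4:5601
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5001 to:172.17.0.7:80
EOF
}
```

Run `nat_report` on dumps captured before and after `csf -r` (or a docker restart) and diff the two outputs; `loopback_dnat_enabled` gives a yes/no answer for scripting. The checker looks at nat rules only: whether loopback-destined traffic that is DNATed to a container address actually flows also depends on the kernel's route_localnet setting for the bridge interface, which this script does not inspect.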

ghost commented 8 years ago

which version of docker do you use?

ecamaj commented 8 years ago

Downgraded a little because of Docker Cloud, for which this is the latest version ...

root@server1 [/etc/init.d]# docker version
Client:
 Version:      1.9.1-cs2
 API version:  1.21
 Go version:   go1.4.3
 Git commit:   4ade326
 Built:        Mon Nov 30 21:56:07 UTC 2015
 OS/Arch:      linux/amd64

Server:
 Version:      1.9.1-cs2
 API version:  1.21
 Go version:   go1.4.3
 Git commit:   4ade326
 Built:        Mon Nov 30 21:56:07 UTC 2015
 OS/Arch:      linux/amd64

ghost commented 8 years ago

I see that you are using Weave. Maybe something with that?

ecamaj commented 8 years ago

No, I don't even know what that is ... I think Docker Cloud uses that. Anyway, from what I sent you (changes of iptables before and after), don't you think that the exact line mentioning 127.0.0.1 holds information about the problem?

Doesn't this mean something like (not)127.0.0.0/8?

DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

ghost commented 8 years ago

I checked 2 of my servers and they both have that line, and they are not reporting problems.

ecamaj commented 8 years ago

Interesting... and do you have this line in your servers?

Chain OUTPUT (policy ACCEPT) DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

ghost commented 8 years ago

I have the same as in your first output:

Chain OUTPUT (policy ACCEPT)
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

ecamaj commented 8 years ago

Then I don't know. Can I send you something that would lead you to the problem why restarting CSF kills routing to localhost:port exposed previously by Docker?

ghost commented 8 years ago

sure

ecamaj commented 8 years ago

:) that was a question - what to send for you to check? I'm not sure.

ghost commented 8 years ago

:) Sorry, didn't catch that.

access to the server :D

ecamaj commented 8 years ago

:) anything else? send some output? :)

ghost commented 8 years ago

verbose output of iptables:

output of docker: docker ps

ecamaj commented 8 years ago

any thoughts? thanks

ghost commented 8 years ago

the output that you sent was with or without csfpost?

ecamaj commented 8 years ago

Hi, did you have time to check this out? Just to remove it from the list... :) This would make the script complete. Thanks

ghost commented 8 years ago

Hi Eddie,

Let's try teamviewer (http://www.teamviewer.com/) so I can see your terminal.

ecamaj commented 8 years ago

Sure, http://get.teamviewer.com/v11/s03239658

ghost commented 8 years ago

contact me by email

ecamaj commented 8 years ago

Can't find one... I'm ready to accept connection now. :)

ghost commented 8 years ago

do a git log on the clone of the repo

ecamaj commented 8 years ago

Solved, I guess Julien will merge it in the script.