Closed: ecamaj closed this 8 years ago
Of course, when I disable csf and restart the docker service, it works from both the domain and 127.0.0.1.
Hi Eddie,
I tried to query a webpage using curl http://localhost and curl http://<domain>. Both worked for me.
Could you try removing the csfpost.sh script and see if it works?
Thanks, Julien
No, when I remove csfpost.sh and restart csf, docker is not accessible at all (both domain and localhost). Can I give you some details from the server, maybe?
iptables -L -n -t nat:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  172.17.0.0/16        0.0.0.0/0
MASQUERADE tcp  --  172.17.0.4           172.17.0.4           tcp dpt:5601
MASQUERADE tcp  --  172.17.0.4           172.17.0.4           tcp dpt:9200
MASQUERADE tcp  --  172.17.0.5           172.17.0.5           tcp dpt:8000
MASQUERADE tcp  --  172.17.0.5           172.17.0.5           tcp dpt:8888
MASQUERADE tcp  --  172.17.0.5           172.17.0.5           tcp dpt:8889
MASQUERADE tcp  --  172.17.0.7           172.17.0.7           tcp dpt:80

Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5601 to:172.17.0.4:5601
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9200 to:172.17.0.4:9200
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8000 to:172.17.0.5:8000
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8888 to:172.17.0.5:8888
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8889 to:172.17.0.5:8889
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5001 to:172.17.0.7:80

Chain WEAVE (0 references)
target     prot opt source               destination
I just noticed that when I restart the docker service, this line in iptables is different:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

goes to:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

And a first line in POSTROUTING is added:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type LOCAL

Smells like a clue. :)
Which version of docker do you use?
Downgraded a little because of Docker Cloud, for which this is the latest version ...

root@server1 [/etc/init.d]# docker version
Client:
 Version:      1.9.1-cs2
 API version:  1.21
 Go version:   go1.4.3
 Git commit:   4ade326
 Built:        Mon Nov 30 21:56:07 UTC 2015
 OS/Arch:      linux/amd64

Server:
 Version:      1.9.1-cs2
 API version:  1.21
 Go version:   go1.4.3
 Git commit:   4ade326
 Built:        Mon Nov 30 21:56:07 UTC 2015
 OS/Arch:      linux/amd64
I see that you are using Weave. Maybe something with that?
No, I don't even know what that is ... I think Docker Cloud uses it. Anyway, from what I sent you (the changes of iptables before and after), don't you think the exact line mentioning 127.0.0.1 holds information about the problem?
Doesn't this mean something like (not) 127.0.0.0/8?

DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
I checked 2 of my servers and they both have that line, and they are not reporting the problem.
Interesting... and do you have this line on your servers?

Chain OUTPUT (policy ACCEPT)
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
I have the same as in your first output:

Chain OUTPUT (policy ACCEPT)
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
Then I don't know. Can I send you something that would lead you to the problem of why restarting CSF kills routing to localhost:port previously exposed by Docker?
Sure.
:) That was a question: what should I send for you to check? I'm not sure.
:) Sorry, didn't catch that.
Access to the server :D
:) Anything else? Send some output? :)
Verbose output of iptables:
iptables -nvL
iptables -nvL -t nat
Output of docker: docker ps
Any thoughts? Thanks.
Was the output that you sent with or without csfpost?
Hi, did you have time to check this out? Just to remove it from the list... :) This would make the script complete. Thanks.
Hi Eddie,
Let's try teamviewer (http://www.teamviewer.com/) so I can see your terminal.
Contact me by email.
Can't find one... I'm ready to accept connection now. :)
Do a git log on the clone of the repo.
Solved, I guess Julien will merge it into the script.
I still have issues with csf even when I use this script, which helps with restarts of csf for the most part.
The main issue for me is that I cannot access containers from localhost (centos) via "127.0.0.1". For example "curl 127.0.0.1:5432" just hangs. Everything works when accessing with domain name:port. This is a major issue for me, because I would like to set the access only to localhost and use subdomain forwarding to localhost so that ports are not directly accessible but only through a subdomain, which allows using basic auth and similar features.
I'm still not very handy with "ops" part of "devops", so I might be missing something obvious, sorry about that.
Any help solving this would be much appreciated.
Thanks, Eddie
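An added example (not from the issue thread, csf, csfpost.sh or Docker) that turns the before/after comparison Eddie did by hand into a checkable script. It takes rules in `iptables -t nat -S` form, lists the ports Docker published via DNAT, prints the rules one rule set has that the other lacks, and reports whether a host process connecting to 127.0.0.1:<port> will be DNATed to the container. The two rule sets are constructed from the `-L -n` output quoted above (interface matches omitted); the function names are my own and not part of csfpost.sh. One background fact the script relies on: Docker's default userland proxy (docker-proxy) itself listens on a published port and answers loopback connections, which is why the "! -d 127.0.0.0/8" exclusion alone does not break localhost on Julien's servers.

```shell
#!/bin/sh
# Added example for this thread; not code from the issue, csf or Docker.
# Parses `iptables -t nat -S` style rules and answers: does traffic a host
# process sends to 127.0.0.1:<port> reach Docker's DNAT rules, and do the
# replies come back?

# Constructed: nat table as it looked after a CSF restart (csfpost.sh
# re-applied Docker's rules), simplified from the -L -n output in the thread.
RULES_AFTER_CSF='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-N WEAVE
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 5601 -j MASQUERADE
-A POSTROUTING -s 172.17.0.7/32 -d 172.17.0.7/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -p tcp -m tcp --dport 5601 -j DNAT --to-destination 172.17.0.4:5601
-A DOCKER -p tcp -m tcp --dport 9200 -j DNAT --to-destination 172.17.0.4:9200
-A DOCKER -p tcp -m tcp --dport 8000 -j DNAT --to-destination 172.17.0.5:8000
-A DOCKER -p tcp -m tcp --dport 8888 -j DNAT --to-destination 172.17.0.5:8888
-A DOCKER -p tcp -m tcp --dport 8889 -j DNAT --to-destination 172.17.0.5:8889
-A DOCKER -p tcp -m tcp --dport 5001 -j DNAT --to-destination 172.17.0.7:80'

# Constructed: the same table after `service docker restart`, with the two
# differences Eddie noticed: OUTPUT no longer excludes 127.0.0.0/8, and
# POSTROUTING gains a MASQUERADE for packets with a LOCAL source address.
RULES_AFTER_DOCKER=$(printf '%s\n' "$RULES_AFTER_CSF" | awk '
    /^-A OUTPUT / { sub(/! -d 127\.0\.0\.0\/8 /, "") }
    /^-A POSTROUTING / && !done {
        print "-A POSTROUTING -m addrtype --src-type LOCAL -j MASQUERADE"; done = 1
    }
    { print }')

# 0 if the nat OUTPUT chain hands loopback-destined packets to the DOCKER
# chain. Docker's usual rule carries "! -d 127.0.0.0/8", so with it a
# connection to 127.0.0.1:<port> is never DNATed and only works if
# docker-proxy is listening on that port.
loopback_reaches_docker() {
    printf '%s\n' "$1" | grep -- '^-A OUTPUT .*-j DOCKER' | grep -q -v -- '! -d 127.0.0.0/8'
}

# 0 if locally generated packets are MASQUERADEd on the way to a container.
# A packet DNATed from 127.0.0.1:5601 to 172.17.0.4:5601 still has source
# 127.0.0.1; without this rule the container addresses its reply to its own
# loopback and the host never sees it, so the connection hangs.
local_source_masqueraded() {
    printf '%s\n' "$1" | grep -q -- '^-A POSTROUTING .*--src-type LOCAL.*-j MASQUERADE'
}

# Prints "<hostport> <container-ip>:<port>" for each DNAT in the DOCKER chain.
published_ports() {
    printf '%s\n' "$1" | awk '/^-A DOCKER / && /-j DNAT / {
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport") hp = $(i + 1)
            if ($i == "--to-destination") dst = $(i + 1)
        }
        print hp, dst
    }'
}

# Rules present in the second set but absent from the first: the same
# before/after comparison done by eye in the thread.
rules_added() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        printf '%s\n' "$1" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

# One-line verdict, e.g. for the end of a csfpost.sh-style hook.
diagnose() {
    if loopback_reaches_docker "$1" && local_source_masqueraded "$1"; then
        echo "ok: 127.0.0.1:<port> is DNATed to the container and replies return"
    elif loopback_reaches_docker "$1"; then
        echo "partial: loopback is DNATed but no MASQUERADE for LOCAL sources; expect hangs"
    else
        echo "broken: OUTPUT excludes 127.0.0.0/8, so 127.0.0.1:<port> is never DNATed"
    fi
}

echo "after csf restart:    $(diagnose "$RULES_AFTER_CSF")"
echo "after docker restart: $(diagnose "$RULES_AFTER_DOCKER")"
echo "rules the docker restart added:"
rules_added "$RULES_AFTER_CSF" "$RULES_AFTER_DOCKER"
echo "published ports:"
published_ports "$RULES_AFTER_DOCKER"
# On a live host (assumed invocation, needs root):
#   LIVE=$(iptables -t nat -S); diagnose "$LIVE"; published_ports "$LIVE"
```

The "broken" verdict is what the rule set after a CSF restart produces, and "ok" is what the rule set after a docker restart produces; capturing `iptables -t nat -S` before and after each restart and feeding both to rules_added shows exactly which lines a firewall reload dropped or replaced.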