lyft / metadataproxy

A proxy for AWS's metadata service that gives out scoped IAM credentials from STS

Cannot match ip to swarm container #102

Closed mrrusof closed 3 years ago

mrrusof commented 4 years ago

Consider a swarm node where my-swarm-container and metadataproxy-container run. metadataproxy-container is not part of the swarm and is run in the following way.

$ docker run -d --net=host -v /var/run/docker.sock:/var/run/docker.sock --name metadataproxy-container metadataproxy-image
$ iptables -t nat -A PREROUTING -d 169.254.169.254/32 -i docker_gwbridge -p tcp -m tcp --dport 80 -j DNAT --to-destination $LOCAL_IPV4:8000

The problem is that my-swarm-container will ask metadataproxy-container for credentials and metadataproxy-container will respond with status 404 and will output the following in its logs.

{"asctime": "2020-04-09 01:10:05,003", "name": "metadataproxy.roles", "levelname": "ERROR", "message": "No container found for ip 172.18.0.7"}
{"asctime": "2020-04-09 01:10:05,003", "name": "metadataproxy.routes.proxy", "levelname": "ERROR", "message": "Role name not found; returning 404."}

The reason is that the swarm bridge network docker_gwbridge is not reported in the output of docker inspect my-swarm-container (see https://github.com/moby/libnetwork/issues/1082). When metadataproxy tries to match the request IP to its container, it looks at the IP of each container in the node and finds no match.

A solution to the problem is to match the ip to its container by looking at the list of containers for network docker_gwbridge. PR https://github.com/lyft/metadataproxy/pull/101 implements the lookup.
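An added example (not the project's code or the PR's implementation) of the lookup the comment describes: matching a request IP against the container endpoints that docker network inspect reports for docker_gwbridge, using constructed inspect output; an unmatched or malformed IP returns None so the proxy still fails closed with a 404 instead of guessing a role.

```python
import ipaddress
import json

# Constructed sample of `docker network inspect docker_gwbridge` output (not
# taken from the issue). The swarm task's gwbridge address appears here even
# though `docker inspect <container>` omits that endpoint.
GWBRIDGE_INSPECT = json.dumps([{
    "Name": "docker_gwbridge",
    "Containers": {
        "0a1b2c3d4e5f": {"Name": "gateway_ingress-sbox", "IPv4Address": "172.18.0.2/16"},
        "9f8e7d6c5b4a": {"Name": "my-swarm-container.1.abc", "IPv4Address": "172.18.0.7/16"},
    },
}])


def containers_by_ip(network_inspect_json):
    """Map each bare IPv4 address on the network to the owning container id."""
    by_ip = {}
    for network in json.loads(network_inspect_json):
        for cid, endpoint in network.get("Containers", {}).items():
            addr = endpoint.get("IPv4Address", "")
            if not addr:
                continue
            # Entries carry a /prefix ("172.18.0.7/16"); strip it so a request
            # source address compares equal to the endpoint address.
            by_ip[str(ipaddress.ip_interface(addr).ip)] = cid
    return by_ip


def find_container_for_ip(network_inspect_json, request_ip):
    """Return the container id for request_ip, or None when there is no match.

    None is the fail-closed outcome: the proxy answers 404 rather than handing
    scoped credentials to a caller it cannot attribute to a container.
    """
    try:
        ipaddress.IPv4Address(request_ip)
    except ValueError:
        return None
    return containers_by_ip(network_inspect_json).get(request_ip)


if __name__ == "__main__":
    print(find_container_for_ip(GWBRIDGE_INSPECT, "172.18.0.7"))   # 9f8e7d6c5b4a
    print(find_container_for_ip(GWBRIDGE_INSPECT, "172.18.0.99"))  # None
```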

dschaller commented 3 years ago

Thank you for your contribution to this repository.

Closing this contribution as this repository is being archived.