Closed mhumeSF closed 6 years ago
Are you able to connect to the port while inside of the container? If so, do other endpoints work? This feels like some kind of weird docker networking issue, but the iptables setup looks correct.
From inside the lyft container? Yea, I can curl http://169.254.169.254/latest/meta-data/iam/info and other endpoints.
No, from the xenial container you're running via docker run -e IAM_ROLE=role1 -it ubuntu:xenial bash
No sorry, should've clarified. That's where it hangs. I can curl from the docker host, but inside any container, aside from metadataproxy, the endpoint hangs.
All endpoints, or just that one endpoint? :) (I'm trying to figure out if it's timing out in the service, or at the network)
All endpoints... it cannot resolve 169.254.169.254. Again this is inside a container I run on the host
using docker run -e IAM_ROLE=role1 -it ubuntu:xenial bash
Resolve? It shouldn't need to resolve it, since it's an IP.
This kind of feels like the container isn't networked at all. The container you're starting needs to be networked in the docker0 network (standard network for docker containers that aren't in the host network).
The ubuntu:xenial container is not running on host network, but the docker0 standard network. As this seems probably more an issue with iptables and not related to metadataproxy, I'll keep debugging on my own. Was curious if anything stood out. Thanks for looking into this.
I've faced the same problem on ubuntu xenial/bionic. Changing the iptables rule solved the problem.
iptables -t nat \
-I PREROUTING \
-p tcp \
-d 169.254.169.254 \
--dport 80 \
-j REDIRECT \
--to-ports 8000 \
-i docker0
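A small check for the rule above, added here as an example rather than code from the metadataproxy project or from anyone in this thread. It takes a dump of the nat table in the format `iptables -t nat -S` prints (real output on the host would be `iptables -t nat -S PREROUTING`) and reports whether a PREROUTING rule redirecting TCP/80 for 169.254.169.254 to port 8000 on docker0 is present. The two rule sets it is run against are constructed for the example: one with the redirect only in OUTPUT (which nat only applies to the host's own packets, so container traffic arriving on docker0 is never redirected and a curl from a container would hang), and one with the rule from this comment. The chain, interface and port values are taken from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example; not part of the metadataproxy project or this issue.
# Checks an `iptables -t nat -S`-style dump for the container-facing
# metadata redirect rule discussed in the thread.

METADATA_IP="169.254.169.254"   # EC2 instance metadata address (from the thread)
PROXY_PORT="8000"               # metadataproxy listen port (from the thread)
BRIDGE_IF="docker0"             # default docker bridge (from the thread)

# rule_matches LINE: returns 0 if LINE is a PREROUTING REDIRECT rule carrying
# every required token, 1 otherwise. Token order is ignored because
# iptables-save reorders options when printing, and it prints "-d x.x.x.x/32"
# even when the rule was added without the /32. Tokens carry a trailing
# space so that "--dport 80 " does not also match "--dport 8000".
rule_matches() {
  padded=" $1 "
  for tok in "-A PREROUTING " "-d ${METADATA_IP}/32 " "-i ${BRIDGE_IF} " \
             "-p tcp " "--dport 80 " "-j REDIRECT " "--to-ports ${PROXY_PORT} "; do
    case "$padded" in
      *"$tok"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# has_redirect_rule DUMP: returns 0 if any line of DUMP satisfies rule_matches.
# Iterates without a subshell so the result is visible to the caller.
has_redirect_rule() {
  found=1
  oldifs=$IFS
  IFS='
'
  set -f   # no glob expansion while splitting the dump into lines
  for line in $1; do
    if rule_matches "$line"; then
      found=0
      break
    fi
  done
  set +f
  IFS=$oldifs
  return $found
}

# Constructed sample: redirect only in OUTPUT. The nat OUTPUT chain sees
# locally generated packets only, so traffic from containers (forwarded in
# via docker0) is never redirected; curl from a container hangs.
HOST_ONLY_DUMP='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A OUTPUT -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8000
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'

# Constructed sample: the PREROUTING rule from the thread, as iptables-save prints it.
FIXED_DUMP='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 169.254.169.254/32 -i docker0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8000
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'

# report LABEL DUMP: human-readable verdict for one rule set.
report() {
  if has_redirect_rule "$2"; then
    echo "$1: metadata redirect for ${BRIDGE_IF} traffic is in PREROUTING"
  else
    echo "$1: no PREROUTING redirect for ${METADATA_IP} on ${BRIDGE_IF}; containers will not reach metadataproxy"
  fi
}

report "host-only rules" "$HOST_ONLY_DUMP"
report "fixed rules" "$FIXED_DUMP"
```

One caveat worth keeping in mind when applying the rule: REDIRECT in PREROUTING rewrites the destination to the primary address of the interface the packet arrived on, so for docker0 traffic the proxy has to be listening on the docker0 address (or on all interfaces), not on 127.0.0.1 alone; a proxy bound only to loopback passes this check and still leaves container requests hanging.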
Awesome. Thanks for following up with your fix!
Working now, many thanks!
Beautiful! Tremendous! Bigly!
These are the steps to reproduce:
1. Create IAM roles:
   - metadataproxy
   - role1: added S3 Read Only Access and populated the trust relationship with the following
2. Launch an EC2 instance with the metadataproxy role applied to it. Install docker.
3. Forward docker requests for 169.254.169.254 to localhost:8000.
4. Run the lyft/metadataproxy docker image.
5. Launch an ubuntu ami with -e IAM_ROLE=role1.
But the curl command just hangs and times out. Running curl localhost:8000 on the EC2 instance gives me the results.
Output from iptables: