lyft / metadataproxy

A proxy for AWS's metadata service that gives out scoped IAM credentials from STS

Curl hangs on 169.254.169.254 #74

Closed mhumeSF closed 6 years ago

mhumeSF commented 6 years ago

These are the steps to reproduce:

Create IAM Roles:

But the curl command just hangs and times out. Running curl localhost:8000 on the ec2 instance gives me the results.

Output from iptables:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
DNAT       tcp  --  anywhere             instance-data.ec2.internal  tcp dpt:http to:127.0.0.1:8000

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  ip-172-17-0-0.ec2.internal/16  anywhere            

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

ryan-lane commented 6 years ago

Are you able to connect to the port while inside of the container? If so, do other endpoints work? This feels like some kind of weird docker networking issue, but the iptables setup looks correct.

mhumeSF commented 6 years ago

From inside the lyft container? Yea, I can curl http://169.254.169.254/latest/meta-data/iam/info and other endpoints.

ryan-lane commented 6 years ago

No, from the xenial container you're running via docker run -e IAM_ROLE=role1 -it ubuntu:xenial bash

mhumeSF commented 6 years ago

No sorry, should've clarified. That's where it hangs. I can curl from the docker host, but inside any container, aside from metadataproxy, the endpoint hangs.

ryan-lane commented 6 years ago

All endpoints, or just that one endpoint? :) (I'm trying to figure out if it's timing out in the service, or at the network)

mhumeSF commented 6 years ago

All endpoints... it cannot resolve 169.254.169.254. Again this is inside a container I run on the host using docker run -e IAM_ROLE=role1 -it ubuntu:xenial bash

ryan-lane commented 6 years ago

Resolve? It shouldn't need to resolve it, since it's an IP.

This kind of feels like the container isn't networked at all. The container you're starting needs to be networked in the docker0 network (standard network for docker containers that aren't in the host network).

mhumeSF commented 6 years ago

The ubuntu:xenial container is not running on host network, but the docker0 standard network. As this seems probably more an issue with iptables and not related to metadataproxy, I'll keep debugging on my own. Was curious if anything stood out. Thanks for looking into this.

sozuuuuu commented 6 years ago

I've faced the same problem on Ubuntu xenial/bionic. Changing the iptables rule solved the problem.

    iptables -t nat \
        -I PREROUTING \
        -p tcp \
        -d 169.254.169.254 \
        --dport 80 \
        -j REDIRECT \
        --to-ports 8000 \
        -i docker0

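
A small audit of the nat PREROUTING chain, added here as an example (not metadataproxy's own code): it parses `iptables -t nat -S PREROUTING` output and reports whether the metadata address is intercepted by the REDIRECT-on-docker0 rule from the comment above or still by the DNAT-to-127.0.0.1 rule from the original report. The two rule dumps are constructed samples; the proxy port 8000 is the one used in this thread.

```python
import shlex

METADATA_IP = "169.254.169.254"

# Constructed `iptables -t nat -S PREROUTING` dumps: the DNAT form from the
# original report, and the REDIRECT-on-docker0 form from the fix.
REPORTED_DUMP = "\n".join([
    "-P PREROUTING ACCEPT",
    "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER",
    "-A PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8000",
])
FIXED_DUMP = "\n".join([
    "-P PREROUTING ACCEPT",
    "-A PREROUTING -d 169.254.169.254/32 -i docker0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8000",
    "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER",
])


def parse_rule(line):
    """Map one `iptables -S` line to {option: value}; bare flags map to True."""
    tokens = shlex.split(line)
    rule, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            rule[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            rule[tokens[i]] = True
            i += 1
    return rule


def audit_metadata_intercept(prerouting_dump, proxy_port=8000):
    """Classify each PREROUTING rule matching 169.254.169.254 tcp/80 as
    (verdict, ingress_interface):
      redirect-ok   : REDIRECT to the proxy port, limited to an ingress interface (the fix)
      dnat-loopback : DNAT to 127.0.0.1:<port> (the rule in place when curl hung here)
      other         : matches the metadata address but is neither form
    """
    verdicts = []
    for line in prerouting_dump.splitlines():
        r = parse_rule(line)
        if r.get("-A") != "PREROUTING" or str(r.get("-d", "")).split("/")[0] != METADATA_IP:
            continue
        if r.get("-p") != "tcp" or r.get("--dport") != "80":
            continue
        if r.get("-j") == "REDIRECT" and r.get("--to-ports") == str(proxy_port) and "-i" in r:
            verdicts.append(("redirect-ok", r["-i"]))
        elif r.get("-j") == "DNAT" and str(r.get("--to-destination", "")).startswith("127.0.0.1:"):
            verdicts.append(("dnat-loopback", r.get("-i")))
        else:
            verdicts.append(("other", r.get("-i")))
    return verdicts
```

Run it against the live chain with `audit_metadata_intercept(subprocess.check_output(["iptables", "-t", "nat", "-S", "PREROUTING"], text=True))` on the docker host; an empty result means no rule intercepts the metadata address at all.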
ryan-lane commented 6 years ago

Awesome. Thanks for following up with your fix!

mhumeSF commented 6 years ago

Working now, many thanks!

Beautiful! Tremendous! Bigly!