Status: Closed (kheuton closed this issue 4 years ago)
That's expected. If a container is running in host-mode networking, it's running with the IP of the host, so there's no way to properly identify the container. metadataproxy matches container IPs to containers running in docker.
Basically, if a container is running in host-mode networking, the assumption is that it has the privilege level of the host, from the metadata point of view (it should not get captured by metadataproxy, but should instead go directly to the metadata service on the host).
I'm using this for testing in environments outside of ec2 where there isn't a metadata service. Is there any way to have the metadataproxy return a role in this situation?
The metadataproxy server always needs to be in host-mode containers. The other host-mode containers are the problem. Maybe it's possible to use DEFAULT_ROLE to map host-mode containers to some standard IAM role, but it would also affect containers that don't have an IAM role mapped (https://github.com/lyft/metadataproxy/blob/master/metadataproxy/settings.py#L72-L78).
Otherwise, metadataproxy doesn't have any way to map host-mode containers to roles, because to metadataproxy every request from any of those containers looks the same, so it cannot map the request to a single container via docker.
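A simplified model of the mapping the two comments above describe, added here for illustration; it is not metadataproxy's own code. It assumes the role is read from an `IAM_ROLE` environment variable on the container (an assumption) and uses constructed `docker inspect`-shaped records, with the host-network container showing an empty IPAddress, as in the reporter's output.

```python
"""Why a source IP cannot identify a host-network container.

Simplified model for this thread, not metadataproxy's own code.
Container records mimic the shape of `docker inspect` output.
"""
from typing import Optional

# Constructed sample: one host-network container (no IPAddress at all,
# requests arrive from the host IP), two bridge containers.
CONTAINERS = [
    {"Name": "/pipeline", "HostConfig": {"NetworkMode": "host"},
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}},
     "Config": {"Env": ["IAM_ROLE=pipeline-role"]}},        # assumed env var
    {"Name": "/web", "HostConfig": {"NetworkMode": "bridge"},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}},
     "Config": {"Env": ["IAM_ROLE=web-role"]}},
    {"Name": "/worker", "HostConfig": {"NetworkMode": "bridge"},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.3"}}},
     "Config": {"Env": ["LOG_LEVEL=info"]}},                 # no role mapped
]


def container_for_ip(ip: str, containers: list) -> Optional[dict]:
    """Return the container whose network has this IP, or None."""
    for c in containers:
        for net in c["NetworkSettings"]["Networks"].values():
            if net["IPAddress"] and net["IPAddress"] == ip:
                return c
    return None


def role_for_request(ip: str, containers: list,
                     default_role: Optional[str] = None) -> Optional[str]:
    """Resolve the IAM role a request from `ip` should receive.

    DEFAULT_ROLE only covers a *found* container that has no role
    mapped. When the lookup itself fails, the caller may be any
    host-network process or the host itself, so handing out
    DEFAULT_ROLE there would grant it to all of them; deny instead.
    """
    c = container_for_ip(ip, containers)
    if c is None:
        return None                       # "No container found for ip ..."
    env = dict(e.split("=", 1) for e in c["Config"]["Env"] if "=" in e)
    return env.get("IAM_ROLE", default_role)


if __name__ == "__main__":
    # 192.168.65.3 is the host IP from the reporter's log line.
    for src in ("172.17.0.2", "172.17.0.3", "192.168.65.3"):
        print(src, "->", role_for_request(src, CONTAINERS, "default-role"))
```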
Unfortunately DEFAULT_ROLE doesn't work because if the container lookup fails it stops trying. Maybe that's a bug, maybe not.
The things I tried were
I think I'm all set, so I'll close this issue for now. Thanks for your help
I've got the metadataproxy service running in a container using host-mode networking. Another service that is calling the metadataproxy is also running with host-mode networking. I'm using iptables to redirect traffic from 169.254.169.254 to 0.0.0.0:8000
However, the metadataproxy service replies with:
ts=2019-11-05 20:07:18,209 name=metadataproxy.roles lvlname=ERROR msg=No container found for ip 192.168.65.3
Running docker-inspect on my containers, I see that I have no IPAddresses listed:
My docker-compose, where pipeline is my service that calls the metadataproxy:
What am I missing about using host-mode networking?