mozilla-services / syncserver

Run-Your-Own Firefox Sync Server
Mozilla Public License 2.0

Fix Docker 'run' command #104

Closed sbach closed 6 years ago

sbach commented 6 years ago

The official README.rst uses --network host, thus giving the container full access to the host's networking. The following -p 5000:5000 thus becomes unnecessary.

After quick investigation, I would like to offer a different solution (note: the use of --network comes from #90).

Here are the ports used by the container:

/ # netstat -tupln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      1/python2
tcp        0      0 0.0.0.0:34543           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:34359           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:45021           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8001          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:38691           0.0.0.0:*               LISTEN      -
tcp        0      0 :::43143                :::*                    LISTEN      -
tcp        0      0 :::111                  :::*                    LISTEN      -
tcp        0      0 :::51155                :::*                    LISTEN      -
tcp        0      0 :::22                   :::*                    LISTEN      -
tcp        0      0 ::1:631                 :::*                    LISTEN      -
tcp        0      0 :::34263                :::*                    LISTEN      -
tcp        0      0 :::2049                 :::*                    LISTEN      -
tcp        0      0 :::44259                :::*                    LISTEN      -

After isolating the required ports to be exposed (by changing the bind IP address), it looks like we only need 5000 and 631. However, I have yet to determine which piece of code listens on 631.

The first commit of this PR only cleans up the Docker command so it can be pasted in a shell without error(s).

rfk commented 6 years ago

Thanks for digging into this @sbach! I just want to note that I'm travelling for the next few weeks so it may take me a while before I can look at this in any detail, but I'm definitely interested in following up.

sbach commented 6 years ago

Bad state of my networking stack made that work. 631 isn't the required port. @rfk I will investigate more and come with a real fix. Will re-open at that time.

sbach commented 6 years ago

Using tcpdump and strace, I validated this is not an issue of an unpublished port and discovered that requests aren't received by gunicorn.

As gunicorn is listening on localhost:5000 (see README.rst), it is not binding to the container's IP address. That said, it will not receive requests from the outside. Using gunicorn --bind 0.0.0.0:5000 should be a safe fix.

I have updated my branch at: https://github.com/sbach/syncserver/tree/fix/docker

@rfk Can you validate the updated Docker command works on your side? I could then open a proper PR.
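
The diagnosis in the comment above (a listener bound to 127.0.0.1 inside the container is invisible to docker run -p) can be checked mechanically from the same netstat -tupln output sbach posted. The script below is an added example and is not part of the syncserver project or of this PR: it parses a constructed netstat listing modelled on the one in this thread (the gunicorn line is the only one that matters), classifies the socket behind a given container port as loopback-only, externally reachable, or absent, and reports whether a -p HOST:CONTAINER publication would actually reach it. The sample listings and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not project code: audit whether a port published with
# `docker run -p` has a listener inside the container that can actually
# receive traffic. Sockets bound to 127.0.0.1 or ::1 are reachable only
# from inside the container's own network namespace.

# Constructed sample, modelled on the netstat output in this thread:
# gunicorn is bound to loopback, so -p 5000:5000 would be published but dead.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      1/python2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 ::1:631                 :::*                    LISTEN      -
tcp        0      0 :::2049                 :::*                    LISTEN      -'

# Constructed sample after the proposed fix (gunicorn --bind 0.0.0.0:5000).
SAMPLE_NETSTAT_FIXED='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      1/python2'

# listener_scope NETSTAT_OUTPUT PORT
# Prints "external" if some TCP listener on PORT is bound to a non-loopback
# address, "loopback" if the only listeners on PORT are 127.0.0.1/::1, and
# "none" if nothing listens on PORT at all.
listener_scope() {
    _out=$1
    _port=$2
    printf '%s\n' "$_out" | awk -v port="$_port" '
        # Only TCP rows in LISTEN state carry a usable "Local Address" column.
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            # Strip ":PORT" from the end; what remains is the bind address
            # ("127.0.0.1", "0.0.0.0", "::1", "::", ...).
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") loop = 1; else ext = 1
        }
        END { if (ext) print "external"; else if (loop) print "loopback"; else print "none" }
    '
}

# publish_check NETSTAT_OUTPUT HOSTPORT:CONTAINERPORT
# Returns 0 when the published container port has a reachable listener,
# 1 otherwise, and prints a one-line verdict.
publish_check() {
    _spec=$2
    _cport=${_spec##*:}
    case "$(listener_scope "$1" "$_cport")" in
        external)
            echo "ok: -p $_spec reaches a listener on container port $_cport"
            return 0 ;;
        loopback)
            echo "BROKEN: -p $_spec is published, but the listener on $_cport is bound to loopback; bind 0.0.0.0:$_cport instead"
            return 1 ;;
        *)
            echo "BROKEN: -p $_spec is published, but nothing listens on container port $_cport"
            return 1 ;;
    esac
}

# Demo run over both constructed samples: the broken listing, then the fixed one.
publish_check "$SAMPLE_NETSTAT" 5000:5000 || true
publish_check "$SAMPLE_NETSTAT_FIXED" 5000:5000
```

In real use, feed it the output of netstat -tupln (or ss -tlpn, with the column test adjusted) captured inside the container, e.g. via docker exec. Note the trade-off the two comments above imply: binding gunicorn to 0.0.0.0 is safe when exposure is governed by -p, because Docker only forwards the ports you publish; combined with --network host, as in the README, the same bind address puts the service on every host interface, so one of the two mechanisms should be chosen, not both.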

rfk commented 6 years ago

@sbach thanks, yes, it looks like this change should work. We recently found a similar issue with a trial docker deployment in production.