Closed ozbillwang closed 6 years ago
Seems the error is from src/docker/container_store.go:
    if len(ips) == 0 {
        return nil, fmt.Errorf("Unable to find IP address for container: %s", id)
    }
We have a firewall applied to the EC2 instance; should we open port 8080, which is not listed in the inbound rules?
You should not need to open up port 8080; all of the requests are internal relative to the instance.
I see that you're setting IAM_ROLE on the iam-docker container. You should instead be setting that environment variable on each container that you run.
Also, can you confirm that you ran the iptables setup instructions from the README?
So I need to run the iptables command before docker run? I will try it.
Thanks.
Correct.
@nahiluhmot I have added the REDIRECT:
$ iptables -t nat -L --line-numbers |grep instance-data
2 REDIRECT tcp -- anywhere instance-data.xxx.compute.internal tcp dpt:http redir ports 8080
$ nslookup instance-data.xxx.compute.internal
Non-authoritative answer:
Name: instance-data.xxx.compute.internal
Address: 169.254.169.254
But I still get the same error when I docker run.
Seems my problem is close to issue #9: port 8080 is already in use. I changed to 8888:
$ iptables -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination "172.17.0.1:8888" -i "docker0"
$ docker run --volume /var/run/docker.sock:/var/run/docker.sock --restart=always --net=host swipely/iam-docker:latest /iam-docker -listen-addr=0.0.0.0:8888 -verbose
Now I got the same error:
Unable to find label named 'com.swipely.iam-docker.iam-profile' or environment variable 'IAM_ROLE' for container
@nahiluhmot
Seems the issue is a bug in some new commits between v1.0.0 and v1.2.0.
I did tests with v1.2.0, v1.1.0 and v1.0.0; it runs fine with v1.0.0 only.
curl 172.17.0.1:8888
1.0
2007-01-19
2007-03-01
2007-08-29
172.17.0.1 is the gateway IP.
Now I am starting to test the real function; I will update with the result.
Got the error below.
$ docker run -ti --rm --label com.swipely.iam-docker.iam-profile="arn:aws:iam::xxxx:role/s3-readonly" fstab/aws-cli sh
$ /home/aws/aws/env/bin/aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".
And the error log in the iam-docker container:
2018-07-03T06:44:25Z [app] Refreshing credentials worker=refresh-credentials
2018-07-03T06:44:25Z [iam] Refreshing all IAM credentials
2018-07-03T06:44:25Z [iam] Done refreshing all IAM credentials
2018-07-03T06:44:28Z [http] Delegating request upstream remoteAddr=172.17.0.2:34638 path=/latest/meta-data/iam/security-credentials method=GET
2018-07-03T06:44:28Z [http] Serving list IAM credentials request method=GET remoteAddr=172.17.0.2:34638 path=/latest/meta-data/iam/security-credentials/
2018-07-03T06:44:28Z [docker] Looking up IAM role ip=172.17.0.2
2018-07-03T06:44:28Z [http] Unable to find credentials path=/latest/meta-data/iam/security-credentials/ method=GET remoteAddr=172.17.0.2:34638 error="Unable to find container for IP: 172.17.0.2"
I can get the IAM role name when I run the curl command on the host:
$ curl 169.254.169.254/latest/meta-data/iam/security-credentials/
But when I run the same command in the container, I get a 404 error.
The gateway is 172.17.0.1, but the error log in the iam-docker container points to 172.17.0.2; that's why it can't get the host IAM role's security-credentials.
If I manually curl 172.17.0.1 in the container, it works.
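To see how a request from an address like 172.17.0.2 is matched (or not) to a container, here is an added example, written for this thread and not taken from the iam-docker project: over a constructed sample shaped like docker inspect output, it indexes containers by their network IPs, resolves the role for a request's remoteAddr, and raises the same two errors quoted above. The field paths and the --net=host entry with an empty address are assumptions about the sample, not facts from this page.

```python
import json

ROLE_LABEL = "com.swipely.iam-docker.iam-profile"

# Constructed sample shaped like `docker inspect` output (only the fields used here);
# the last entry runs with --net=host, so it has no bridge address to match on.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Config": {"Labels": {ROLE_LABEL: "arn:aws:iam::000000000000:role/s3-readonly"},
     "Env": ["PATH=/usr/bin"]}, "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Id": "bbb222", "Config": {"Labels": {}, "Env": ["IAM_ROLE=arn:aws:iam::000000000000:role/other"]},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.3"}}}},
    {"Id": "ddd444", "Config": {"Labels": {}, "Env": []}, "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
])


def role_for_container(c):
    """Label first, then the IAM_ROLE env var, mirroring the error quoted in the thread."""
    cfg = c.get("Config") or {}
    arn = (cfg.get("Labels") or {}).get(ROLE_LABEL)
    if arn:
        return arn
    for kv in cfg.get("Env") or []:
        key, _, val = kv.partition("=")
        if key == "IAM_ROLE" and val:
            return val
    raise LookupError(f"Unable to find label named '{ROLE_LABEL}' or environment variable "
                      f"'IAM_ROLE' for container {c['Id']}")


def index_by_ip(inspect_json):
    """Map every container IP to its container; list containers that have no IP at all."""
    by_ip, no_ip = {}, []
    for c in json.loads(inspect_json):
        nets = (c.get("NetworkSettings") or {}).get("Networks") or {}
        ips = [n.get("IPAddress") for n in nets.values() if n.get("IPAddress")]
        if not ips:  # same condition as the container_store.go snippet quoted above
            no_ip.append(f"Unable to find IP address for container: {c['Id']}")
        for ip in ips:
            by_ip[ip] = c
    return by_ip, no_ip


def role_for_remote_addr(by_ip, remote_addr):
    """Resolve the role for a metadata request arriving from 'ip:port' (the log's remoteAddr)."""
    ip = remote_addr.rsplit(":", 1)[0]
    if ip not in by_ip:
        raise LookupError(f"Unable to find container for IP: {ip}")
    return role_for_container(by_ip[ip])
```

Feeding real docker inspect output to index_by_ip shows which container, if any, a given remoteAddr would resolve to and which role it would be handed.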
I am very close to making it work; in fact the error in update 2 can be ignored, and then I found the real error, which points in the right direction.
2018-07-03T07:21:53Z [http] Unable to find credentials path=/latest/meta-data/iam/security-credentials/ method=GET remoteAddr=172.17.0.4:32856 error="AccessDenied: User: arn:aws:sts::xxx:assumed-role/dev_iam_role/i-0a9099bcxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxx:role/s3-readonly\n\tstatus code: 403, request id: c2c220c1-7e91-11e8-bb64-xxx"
But I have applied the trust relationship policy below to the host's IAM role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxx:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
I finally made it work.
The missing part is that I didn't properly set up "Setup an instance IAM role that can perform sts:assume-role on the roles you'd like to assume." from the README.
So make sure you set the assume role on both (the instance IAM role and the role which the container will assume).
Reference: https://github.com/Netflix/security_monkey/issues/732#issuecomment-303153412
I have followed the Usage README, set sts:assume-role and the trust relationship to be assumed by the root role. I currently log in to the EC2 instance which has the IAM role with the above changes.
But when I run the first docker command (docker run --volume /var/run/docker.sock:/var/run/docker.sock --restart=always --net=host swipely/iam-docker:latest), I got the error below:
Then I feed the environment variable iam-profile into the container: I got another error.
How do I fix the issue?
I already run the docker command with root permission.
Conclusion
1) Only image swipely/iam-docker:v1.0.0 works in my environment. The tags latest, v1.2.0 and v1.1.0 don't work.
2) Make sure you set the assume role on both (the instance IAM role and the role which the container will assume).
3) Make sure port 8080 is not used by the host; otherwise, use another port (reference: https://github.com/swipely/iam-docker/issues/25#issuecomment-402015777)
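The "set it on both" rule in point 2 as an added checker, written for this thread and not code from iam-docker or AWS: it reads an instance role's permissions policy and a target role's trust policy (in the string-or-list form IAM allows), insists on both halves as the conclusion does, and names whichever half is missing. The role ARNs and account id are constructed placeholders standing in for the ids the thread masks as xxxx.

```python
import json

ASSUME = "sts:AssumeRole"


def as_list(v):
    """IAM lets Statement, Action, Resource and Principal.AWS be a single value or a list."""
    if v is None:
        return []
    return [v] if isinstance(v, (str, dict)) else list(v)


def allows_assume_role(policy_doc, want, side):
    """True if an Allow sts:AssumeRole statement's `side` ('Resource' or 'Principal') names `want` or '*'."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    for st in as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if not any(a in (ASSUME, "sts:*", "*") for a in as_list(st.get("Action"))):
            continue
        if side == "Resource":
            values = as_list(st.get("Resource"))
        else:
            p = st.get("Principal")
            values = as_list(p.get("AWS")) if isinstance(p, dict) else as_list(p)
        if want in values or "*" in values:
            return True
    return False


def both_sides_agree(instance_perms, target_trust, instance_role_arn, target_role_arn, account_id):
    """Conclusion (2) as a check: the instance role may call sts:AssumeRole on the target, and the
    target's trust policy names the instance role or (as in the thread) the account root."""
    problems = []
    if not allows_assume_role(instance_perms, target_role_arn, "Resource"):
        problems.append(f"instance role lacks {ASSUME} on {target_role_arn}")
    root = f"arn:aws:iam::{account_id}:root"
    if not (allows_assume_role(target_trust, instance_role_arn, "Principal")
            or allows_assume_role(target_trust, root, "Principal")):
        problems.append(f"{target_role_arn} trust policy does not name {instance_role_arn} or {root}")
    return not problems, problems


# Constructed documents with a placeholder account id (the thread masks its real ids as xxxx).
INSTANCE_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ASSUME, "Resource": "arn:aws:iam::000000000000:role/s3-readonly"}]}
TARGET_TRUST_ROOT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::000000000000:root"}, "Action": ASSUME}]}
```

The two documents can be pulled with aws iam get-role-policy and aws iam get-role and passed in as the JSON strings they return.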