linux - Docker swarm, listening in container but not outside


We have a number of Docker images running in swarm mode, and are having trouble getting one of them to listen externally.

If I exec into the container, I can curl the URL on 0.0.0.0:8080.

When I look at networking on the host, I see 1 packet being stuck in the Recv-Q for the listening port (but not for the others that are working correctly).

Looking at the NAT rules, I can curl 172.19.0.2:8084 on the Docker host (docker_gwbridge), but not on the actual Docker host IP (172.31.105.59).

I've tried a number of different ports (7080, 8084, 8085), stopped Docker, did rm -rf /var/lib/docker, and tried running the container, with no luck. Any ideas on why this wouldn't be working for 1 container image when 5 others work fine?

docker service

docker service create --with-registry-auth --replicas 1 --network myoverlay \
  --publish 8084:8080 \
  --name containerimage \
  docker.repo.net/containerimage

ss -ltn

state    recv-q  send-q  local address:port     peer address:port
listen   0       128     172.31.105.59:7946     *:*
listen   0       128     *:ssh                  *:*
listen   0       128     127.0.0.1:smux         *:*
listen   0       128     172.31.105.59:2377     *:*
listen   0       128     :::webcache            :::*
listen   0       128     :::tproxy              :::*
listen   0       128     :::us-cli              :::*
listen   0       128     :::us-srv              :::*
listen   0       128     :::4243                :::*
listen   1       128     :::8084                :::*
listen   0       128     :::ssh                 :::*
listen   0       128     :::cslistener          :::*

iptables -n -L -t nat

chain prerouting (policy accept)
target     prot opt source               destination
docker-ingress   --  0.0.0.0/0            0.0.0.0/0            addrtype match dst-type local
docker      --  0.0.0.0/0            0.0.0.0/0            addrtype match dst-type local

chain input (policy accept)
target     prot opt source               destination

chain output (policy accept)
target     prot opt source               destination
docker-ingress   --  0.0.0.0/0            0.0.0.0/0            addrtype match dst-type local
docker      --  0.0.0.0/0           !127.0.0.0/8          addrtype match dst-type local

chain postrouting (policy accept)
target     prot opt source               destination
masquerade   --  172.19.0.0/16        0.0.0.0/0
masquerade   --  0.0.0.0/0            0.0.0.0/0            addrtype match src-type local
masquerade   --  172.17.0.0/16        0.0.0.0/0
masquerade   --  172.18.0.0/16        0.0.0.0/0

chain docker (2 references)
target     prot opt source               destination
return      --  0.0.0.0/0            0.0.0.0/0
return      --  0.0.0.0/0            0.0.0.0/0

chain docker-ingress (2 references)
target     prot opt source               destination
dnat       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8084 to:172.19.0.2:8084
dnat       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9000 to:172.19.0.2:9000
dnat       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8083 to:172.19.0.2:8083
dnat       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.19.0.2:8080
dnat       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8081 to:172.19.0.2:8081
dnat       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8082 to:172.19.0.2:8082
return      --  0.0.0.0/0            0.0.0.0/0

ip a | grep 172.19

inet 172.19.0.1/16 scope global docker_gwbridge 

ip a

1: lo: <loopback,up,lower_up> mtu 65536 qdisc noqueue state unknown
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <broadcast,multicast,up,lower_up> mtu 9001 qdisc pfifo_fast state qlen 1000
    link/ether 12:d1:da:a7:1d:1a brd ff:ff:ff:ff:ff:ff
    inet 172.31.105.59/24 brd 172.31.105.255 scope global dynamic eth0
       valid_lft 3088sec preferred_lft 3088sec
    inet6 fe80::10d1:daff:fea7:1d1a/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <no-carrier,broadcast,multicast,up> mtu 1500 qdisc noqueue state down
    link/ether 02:42:55:ae:ff:f5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
4: docker_gwbridge: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue state
    link/ether 02:42:ce:b5:27:49 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 scope global docker_gwbridge
       valid_lft forever preferred_lft forever
    inet6 fe80::42:ceff:feb5:2749/64 scope link
       valid_lft forever preferred_lft forever
23: vethe2712d7@if22: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue master docker_gwbridge state
    link/ether 92:58:81:03:25:20 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::9058:81ff:fe03:2520/64 scope link
       valid_lft forever preferred_lft forever
34: vethc446bc2@if33: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue master docker_gwbridge state
    link/ether e2:a7:0f:d4:aa:1d brd ff:ff:ff:ff:ff:ff link-netnsid 4
    inet6 fe80::e0a7:fff:fed4:aa1d/64 scope link
       valid_lft forever preferred_lft forever
40: vethf1238ff@if39: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue master docker_gwbridge state
    link/ether e6:1a:87:a4:18:2a brd ff:ff:ff:ff:ff:ff link-netnsid 5
    inet6 fe80::e41a:87ff:fea4:182a/64 scope link
       valid_lft forever preferred_lft forever
46: vethe334e2d@if45: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue master docker_gwbridge state
    link/ether a2:5f:2c:98:10:42 brd ff:ff:ff:ff:ff:ff link-netnsid 6
    inet6 fe80::a05f:2cff:fe98:1042/64 scope link
       valid_lft forever preferred_lft forever
58: vethda32f8d@if57: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue master docker_gwbridge state
    link/ether ea:40:a2:68:d3:89 brd ff:ff:ff:ff:ff:ff link-netnsid 7
    inet6 fe80::e840:a2ff:fe68:d389/64 scope link
       valid_lft forever preferred_lft forever
41596: veth9eddb38@if41595: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue master docker_gwbridge state
    link/ether fa:99:eb:48:be:b0 brd ff:ff:ff:ff:ff:ff link-netnsid 9
    inet6 fe80::f899:ebff:fe48:beb0/64 scope link
       valid_lft forever preferred_lft forever
41612: veth161a89a@if41611: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue master docker_gwbridge state
    link/ether b6:33:62:08:da:c4 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::b433:62ff:fe08:dac4/64 scope link
       valid_lft forever preferred_lft forever

OK, that's the normal behavior of the container: the port mapping is usable with the host IP. If you use the container IP, you have to reach port 8080 (the real port of the application).

Because --publish is used, port 8080 of the container is mapped to port 8084 on the host IP.
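
An added example, not part of the original question or answer: a shell function that cross-checks the two listings from the question, the docker-ingress DNAT rules and the `ss -ltn` listeners, and reports each published port with its DNAT target and whether its listen socket has a non-zero Recv-Q. The names `audit` and `sample_input` and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: DNAT rows and listener rows in the shape shown in the
# question (8083 is deliberately given no listener to show that case).
sample_input() {
  cat <<'EOF'
chain docker-ingress (2 references)
target     prot opt source      destination
dnat       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:8084 to:172.19.0.2:8084
dnat       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:9000 to:172.19.0.2:9000
dnat       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:8083 to:172.19.0.2:8083
return      --  0.0.0.0/0   0.0.0.0/0
state   recv-q send-q  local address:port  peer address:port
listen  1      128     :::8084             :::*
listen  0      128     :::9000             :::*
listen  0      128     :::4243             :::*
EOF
}

# audit: read the NAT listing followed by the ss listing on stdin and print
# one line per published port: "<port> -> <dnat target> <status>".
audit() {
  awk '
    { kind = tolower($1) }          # accept upper- or lower-case listings
    kind == "dnat" {                # published port: dpt:<port> to:<ip:port>
      port = ""; target = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^dpt:/) port = substr($i, 5)
        if ($i ~ /^to:/)  target = substr($i, 4)
      }
      if (port != "") { order[++n] = port; dest[port] = target }
    }
    kind == "listen" {              # port is the last ":"-separated field
      k = split($4, part, ":"); p = part[k]
      seen[p] = 1
      if ($2 + 0 > recvq[p]) recvq[p] = $2 + 0   # keep worst backlog per port
    }
    END {
      for (j = 1; j <= n; j++) {
        p = order[j]
        if (!(p in seen))      status = "NO-LISTENER"
        else if (recvq[p] > 0) status = "BACKLOG(" recvq[p] ")"
        else                   status = "OK"
        print p, "->", dest[p], status
      }
    }'
}

sample_input | audit
```

On a swarm node the same function can be fed live data with `{ iptables -n -L DOCKER-INGRESS -t nat; ss -ltn; } | audit`. The DNAT rules in the listing match destination 0.0.0.0/0, so every port the function prints is published on all of the host's addresses.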

