Tuesday, December 12, 2017

Allow the outside world to access your server in a container

I run Docker containers of Nexus and httpd on a CentOS 7 host. I added a nexus.service that starts the containers with docker-compose. After I started the service I could access the Nexus server from any machine. But the next day I could not reach that server from other machines: curl -k -X GET https://<host-ip> always timed out. The containers were still running and still bound to all interfaces, because curl -k -X GET https://<host-ip> worked on the host itself. The output below shows the three ports 80, 443 and 15001 listening on all interfaces. NOTE: Proto=tcp6 does not mean "not listening on IPv4".
# netstat -l -t
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp6       0      0 [::]:http               [::]:*                  LISTEN     
tcp6       0      0 [::]:15001              [::]:*                  LISTEN     
tcp6       0      0 [::]:https              [::]:*                  LISTEN
If I restart the docker service with systemctl restart docker and then the nexus service with systemctl start nexus, everything works again. If I reboot the server, docker starts and the containers are running, but I cannot access the Nexus server from any machine except the host.
It turns out that the host runs chef-client in the early morning and after rebooting, and that run sets net.ipv4.ip_forward = 0. Running sysctl net.ipv4.ip_forward=1 restores remote access to the Nexus server, and sysctl net.ipv4.ip_forward=0 denies any access again.
If I restart the docker service, docker sets net.ipv4.ip_forward=1 automatically. See the Docker documentation, Communicating to the outside world:
IP packet forwarding is governed by the ip_forward system parameter. Packets can only pass between containers if this parameter is 1. Usually you will simply leave the Docker server at its default setting --ip-forward=true and Docker will go set ip_forward to 1 for you when the server starts up. If you set --ip-forward=false and your system's kernel has it enabled, the --ip-forward=false option has no effect. To check the setting on your kernel or to turn it on manually:
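As an added check (not code from the original post or from the Docker docs), the POSIX shell script below reproduces the diagnosis above: it reads net.ipv4.ip_forward and parses netstat -l -t output for sockets bound to all interfaces, so "listening, but only reachable from the host" points straight at forwarding. The sample netstat output and the optional file argument are constructed for offline testing.

```sh
#!/bin/sh
# Added diagnostic for the symptom in this post; illustrative, not from the original.

# check_ip_forward [FILE]: read the kernel forwarding flag (defaults to the real
# /proc path; FILE lets you test against a constructed value).
# Returns 0 when forwarding is on, 1 when off, 2 when the file is unreadable.
check_ip_forward() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
  case "$(tr -d '[:space:]' < "$f")" in
    1) echo "net.ipv4.ip_forward=1: forwarding enabled"; return 0 ;;
    0) echo "net.ipv4.ip_forward=0: forwarding disabled, published ports are unreachable from other machines"; return 1 ;;
    *) echo "unexpected value in $f" >&2; return 2 ;;
  esac
}

# listening_ports: read `netstat -l -t` output on stdin and print, on one line,
# the ports bound to all interfaces. A tcp6 socket on [::] also accepts IPv4
# connections (unless net.ipv6.bindv6only=1), so those lines are not skipped.
listening_ports() {
  awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" {
         n = split($4, a, ":"); host = substr($4, 1, length($4) - length(a[n]) - 1)
         if (host == "0.0.0.0" || host == "[::]" || host == "::") { printf "%s%s", sep, a[n]; sep = " " }
       } END { print "" }'
}

# Constructed netstat -l -t output mirroring the post (plus a loopback-only line).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 [::]:http               [::]:*                  LISTEN
tcp6       0      0 [::]:15001              [::]:*                  LISTEN
tcp6       0      0 [::]:https              [::]:*                  LISTEN'

# sample_ports: run the parser over the constructed sample (expected: "http 15001 https").
sample_ports() { printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports; }

# diagnose: run both checks on the live host (needs netstat in PATH).
diagnose() {
  echo "ports bound to all interfaces: $(netstat -l -t | listening_ports)"
  check_ip_forward || echo "fix: sysctl -w net.ipv4.ip_forward=1, then stop the chef-client run from setting it back to 0"
}
```

Run `diagnose` on the host; if ports are listed but forwarding is off, the containers are up and the kernel is what blocks remote clients.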
