I have several web apps running in docker on a ubuntu host. Each app is listening on a different port. When inside any container in the docker network, I can connect and receive data from the service, however, when running a request from the host, I can connect successfully, but no data is received. Why aren't the services returning any data when I connect to them from outside the container???
Docker reports this under "PORTS" when I run docker ps
:
0.0.0.0:8080->8080/tcp, :::8080->8080/tcp
and netstat reports that the server is listening on that port:
$ netstat -anp | grep 8080
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN -
However, when I visit localhost:8080 in my browser (I tried both firefox and chrome), the browser hangs, as if it is connected, but no data is being sent. Similarly, curl hangs forever:
$ curl -vvv localhost:8080
* Uses proxy env variable no_proxy == 'localhost,127.0.0.1,::1'
* Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
>
^C
I also tried connecting to it with telnet with a similar result. I tried running a quick http server directly on the host, and it works fine:
python3 -m http.server 8000
$ curl -vvv localhost:8000
* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
* Trying 127.0.0.1:8000...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8000 (#0)
> GET / HTTP/1.1
> Host: localhost:8000
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: SimpleHTTP/0.6 Python/3.8.13
< Date: Fri, 09 Dec 2022 12:36:03 GMT
< Content-type: text/html; charset=utf-8
< Content-Length: 16768
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
...
I also tried connecting to the docker container ip: (172.17.0.3:8080) with the same results.
However, when I try running curl inside one of the containers, I am able to reach the http endpoints in any container.
All of this leads me to believe that there is a problem with the docker networking on my host (docker bridge?).
I am using docker compose. Docker inspect reports the following (in part):
"HostConfig": {
"Binds": [],
...
"NetworkMode": "docker-compose-example_default",
"PortBindings": {
"8080/tcp": [
{
"HostIp": "",
"HostPort": "8080"
}
]
},
...
"NetworkSettings": {
"Bridge": "",
"SandboxID": "1b53a5b6580187b714c6d7d0c9f81a015d585cd0bb0d62da579a4fe7514d47ea",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {
"8080/tcp": [
{
"HostIp": "0.0.0.0",
"HostPort": "8080"
},
{
"HostIp": "::",
"HostPort": "8080"
}
]
},
"SandboxKey": "/var/run/docker/netns/1b53a5b65801",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "",
"Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"MacAddress": "",
"Networks": {
"docker-compose-example_default": {
"IPAMConfig": null,
"Links": null,
"Aliases": [
"dc0813038a3b",
"adminer"
],
"NetworkID": "65c6700f5445a6ce0f98a0a4e14e3e10577f40706411f639a4f9da5b1cfdd52e",
"EndpointID": "0f42ae8ce893fb4f33168c31df0d5de38d2e8ca67521802ba76589a8a0cb1bea",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:11:00:03",
"DriverOpts": null
}
}
}
Recap: I can connect to these services inside the containers, but I cannot connect to them from the host, even though by all reports, the servers are listening for connections.
What do I need to do so that I can connect to services running inside docker from my host?
답변1
I found a workaround, but not a solution. I found that this problem persists only when I am connected to a VPN. Apparently, this is a common complaint. When disconnected, connectivity works as expected.
The workaround is to turn off the VPN and re-start the docker containers. FWIW, this didn't always work, especially if I had run with the VPN turned on and then tried again after turning off the VPN. In this case, I found that changing the CIDR in the docker-compose network allowed me to get things working. Hopefully this helps anyone experiencing the same problem.
The jury's still out on how to get things working with the VPN turned on, no approaches (including creating a "tombstone" docker bridge) have worked for me so far.