Running script gives error #7

Open
ecamaj opened this issue Aug 18, 2016 · 18 comments


ecamaj commented Aug 18, 2016

iptables v1.4.21: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
Author

ecamaj commented Aug 18, 2016

Found out that when container uses some docker defined network, this returns "":
docker inspect -f {{.NetworkSettings.IPAddress}} <container_id>

This is NetworkSettings object for one of those containers:

"NetworkSettings": {
            "Bridge": "",
            "SandboxID": "2864b7681ef9236a5d337bddab9bf3aecfa098a7fdf8b378a699bb5e4ef1ba07",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "443/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "32818"
                    }
                ],
                "80/tcp": null
            },
            "SandboxKey": "/var/run/docker/netns/2864b7681ef9",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
            "Networks": {
                "ee_user1-network": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": [
                        "31a2a3a34eea"
                    ],
                    "NetworkID": "9e5b020ff896c39dc68481810dc1d0a46577b9668231683922a6c8e4cc5c907d",
                    "EndpointID": "2bcea03cdd3a90d7d86e09977ca6e0a25e889b6d6307001f4240780e03e14bba",
                    "Gateway": "172.18.0.1",
                    "IPAddress": "172.18.0.3",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:12:00:03"
                }
            }
        }
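
An added example, not part of the issue thread or the project's script: read container addresses from `.NetworkSettings.Networks` instead of the top-level `.NetworkSettings.IPAddress`, and drop empty values before anything is passed to iptables. The function names and the sample input are constructed for illustration; only IPv4 is handled.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the project's script.

# One "<network> <ip>" line per attached network. Unlike the top-level
# .NetworkSettings.IPAddress, this also covers user-defined networks.
TEMPLATE='{{range $name, $net := .NetworkSettings.Networks}}{{println $name $net.IPAddress}}{{end}}'

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# usable_ips: read "<network> <ip>" lines on stdin and print only those with
# a valid IPv4 address, so an empty value never reaches iptables.
usable_ips() {
    while read -r net ip; do
        if is_ipv4 "$ip"; then
            printf '%s %s\n' "$net" "$ip"
        fi
    done
}

# container_ips ID: the live pipeline (needs a Docker daemon).
container_ips() {
    docker inspect -f "$TEMPLATE" "$1" | usable_ips
}

# Constructed sample of the template output: the user-defined network from
# the issue, plus a host-mode entry whose address is empty.
SAMPLE='ee_user1 172.18.0.2
host '

demo() { printf '%s\n' "$SAMPLE" | usable_ips; }
demo
```

A firewall script would build its per-container rules only from the lines `container_ips <id>` prints, so a container with no address is skipped instead of producing the `host/network '' not found` error.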

Author

ecamaj commented Aug 18, 2016

It seems that it might be connected with docker network iptables creation.
Did you keep in mind the DOCKER-ISOLATION rule in the FORWARD chain?

moby/moby#20217
moby/moby#23897


ghost commented Sep 25, 2016

Hi Eddie,

Could you send the full output of inspect without filtering, please?

Author

ecamaj commented Sep 26, 2016

The problem is when --network=<some_manually_created_network> is given to docker container.

[
    {
        "Id": "9911d27bcbba729c179fe30345620bf71df5d77cd7d8335630d1b85ac5d11d41",
        "Created": "2016-09-26T09:19:25.891882135Z",
        "Path": "supervisord",
        "Args": [
            "-n",
            "-c",
            "/home/eratoexpert/install/docker/supervisord.conf"
        ],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 419,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2016-09-26T09:19:27.36663266Z",
            "FinishedAt": "0001-01-01T00:00:00Z"
        },
        "Image": "sha256:f736e031cdd821adbe2730cf35aaa24e043cb6ffcd375a652d3382d2acc135df",
        "ResolvConfPath": "/var/lib/docker/containers/9911d27bcbba729c179fe30345620bf71df5d77cd7d8335630d1b85ac5d11d41/resolv.conf",
        "HostnamePath": "/var/lib/docker/containers/9911d27bcbba729c179fe30345620bf71df5d77cd7d8335630d1b85ac5d11d41/hostname",
        "HostsPath": "/var/lib/docker/containers/9911d27bcbba729c179fe30345620bf71df5d77cd7d8335630d1b85ac5d11d41/hosts",
        "LogPath": "/var/lib/docker/containers/9911d27bcbba729c179fe30345620bf71df5d77cd7d8335630d1b85ac5d11d41/9911d27bcbba729c179fe30345620bf71df5d77cd7d8335630d1b85ac5d11d41-json.log",
        "Name": "/ee_user2-test",
        "RestartCount": 0,
        "Driver": "devicemapper",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "",
        "ExecIDs": null,
        "HostConfig": {
            "Binds": [
                "/https_server_key/:/ssl"
            ],
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "json-file",
                "Config": {}
            },
            "NetworkMode": "ee_user1",
            "PortBindings": {
                "443/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": ""
                    }
                ],
                "80/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": ""
                    }
                ]
            },
            "RestartPolicy": {
                "Name": "no",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": null,
            "CapDrop": null,
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": null,
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "runc",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": null,
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DiskQuota": 0,
            "KernelMemory": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": -1,
            "OomKillDisable": false,
            "PidsLimit": 0,
            "Ulimits": null,
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0
        },
        "GraphDriver": {
            "Name": "devicemapper",
            "Data": {
                "DeviceId": "627",
                "DeviceName": "docker-253:1-4063377-2ca4582d5547df6055d92eb4696c9291502604079a53e6bfe845d40cdff08bcd",
                "DeviceSize": "107374182400"
            }
        },
        "Mounts": [
            {
                "Source": "/https_server_key",
                "Destination": "/ssl",
                "Mode": "",
                "RW": true,
                "Propagation": "rprivate"
            }
        ],
        "Config": {
            "Hostname": "9911d27bcbba",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "443/tcp": {},
                "80/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "TERM=linux",
                "TERMINFO=/etc/terminfo",
                "LANG=en_US.UTF-8",
                "LANGUAGE=en_US:en"
            ],
            "Cmd": [
                "supervisord",
                "-n",
                "-c",
                "/home/eratoexpert/install/docker/supervisord.conf"
            ],
            "Image": "erato/eratoexpert",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {}
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "2685f5d0da2a287c1441718b86a284f1889b5b503cdf458334221bc27f2c5411",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "443/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "32771"
                    }
                ],
                "80/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "32772"
                    }
                ]
            },
            "SandboxKey": "/var/run/docker/netns/2685f5d0da2a",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
            "Networks": {
                "ee_user1": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": [
                        "9911d27bcbba"
                    ],
                    "NetworkID": "e1e2ad0cf6e48b6796b3e94f13e2b3c08ae94e1d54346c7e93f44bc73a5be1b0",
                    "EndpointID": "e45a9ab6a385c5da3c19392c5f274fbee74a0c2bb7df2ad988632e1186cecee9",
                    "Gateway": "172.18.0.1",
                    "IPAddress": "172.18.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:12:00:02"
                }
            }
        }
    }
]


ghost commented Sep 26, 2016

I have a change to the script. Let me know if it works for you.

Thanks

Author

ecamaj commented Sep 26, 2016

Script now runs but containers are not visible on the same docker network. Did you recreate state of DOCKER-ISOLATION?

csf gives:
"Deleting chain `DOCKER-ISOLATION'"


ghost commented Sep 28, 2016

I will update the script with that new information soon

Author

ecamaj commented Sep 28, 2016

Great, thank you

@mahgblack

any update?

Author

ecamaj commented Oct 18, 2016

@juliengk, sorry for bothering you. I would really appreciate it if we could try to fix this; docker containers are not working after csf is restarted (with server reboot).

Thanks


ghost commented Oct 18, 2016

Hi Eddie,

I'm busy these days. I haven't forgotten about that problem. I cannot promise anything but will try to put some time into it the coming weekend.

Author

ecamaj commented Oct 21, 2016

Great, thanks a lot! Just send me a message when you want me to test it.


ghost commented Oct 24, 2016

Eddie,

the script has been updated. Let me know when you will have the chance to test it.

Thanks

Author

ecamaj commented Oct 24, 2016

@juliengk, no, it doesn't seem to work.
I'm available to test it today throughout the day, just send a message.

Author

ecamaj commented Oct 24, 2016

From what I see, on a quick look:

  • there is this exception in firewall configuration:
ACCEPT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   state NEW tcp dpts:30000:35000
ACCEPT  tcp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0   state NEW tcp dpts:30000:35000

but after csf restart these ports (docker containers mapped on them) are no longer accessible from outside the server.

  • "iptables -L -n -t nat" shows difference in only one row:
Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0  

This "RETURN all" is missing after csf restart. Maybe not important ...

  • containers cannot see each other within specified docker network inside containers


ghost commented Oct 25, 2016

have you received my email?

Author

ecamaj commented Oct 25, 2016

no, just this one: "the script has been updated. Let me know when you will have the chance to test it."

On 24 Oct 2016, at 05:51, Julien Kassar [email protected] wrote:

Eddie,

the script has been updated. Let me know when you will have the chance to test it.

Thanks




ghost commented Oct 25, 2016

is your gmail address still good?
