Exposed ports only accessible on localhost, even with "--port name:0.0.0.0:dport" #3886
Comments
This used to work until about 9 months ago. I've googled furiously and can only find people with the exact opposite problem (they want to bind only to |
I also tried using a bridged network with the following file at
Then using |
I've found out why it is this way, the following two firewall rules:
If I add the same rules again but without the Don't get it, given I'm using |
This is the commit that changed rkt's behaviour: cd05e8b#diff-adb1d51f0a72db7676d3dcb3d42d010d Hm, this is looking like a bug where the bind address from the port forwarding specification isn't being respected. |
FYI, |
shrugs The ports are only accessible from 127.0.0.1 without the additional less-restrictive |
As we've been unable to fix this my company has had to abandon rkt and re-adopt docker :( |
I'm getting this problem as well. It's weird, rkt works fine on a cluster of EC2/Ubuntu servers. On Linode/Slackware though, can only connect to containers using
^ Using this version for both environments. The Linode servers DO have custom iptables rules to allow traffic between the servers, and I'm wondering if that's the problem...however after disabling my custom rules, going clean-slate, and restarting my container I get the same problem. @ohjames What OS/environment are you running into this issue on? |
@orthecreedence on archlinux and Ubuntu, both with zero iptables rules set up before running rkt. As far as I can tell rkt is just for clusters and from squeed's comment it seems these guys don't understand iptables very well. So back to docker and its silly daemon architecture for my company :( |
Also started a PR to try to fix the code but got zero support or even acknowledgement... on such a key issue. Doesn't give me much faith in rkt. |
I saw your PR, and yeah it kind of upsets me that it didn't get acknowledged. I also am really put off by Docker's architecture, so rkt is a natural choice. This probably won't help you (hopefully it does), but I went mucking around in my iptables rules, and found that the
I set FORWARD to ACCEPT:
And now I can connect to my containers again. It seems so easy it's probably not the answer to your problem, but wanted to share in the off-chance that's it. I'm not sure what the implications of allowing all FORWARDs so I have some reading to do...I set these firewall rules up probably back in 2010 and of course didn't document it =]. |
Ha, blanket ACCEPTing on FORWARD just opens the server to the world. Looks like I have more work to do on this... |
I have |
Hi! I've tried to reproduce this problem but I couldn't, here's what I did. Starting from a clean system:
I started a pod with nginx:
The rules were changed like so:
Then, from another machine in the network:
|
I'm using 1.29.0 too:
I think this depends on what you have in
and you probably have something like
Passing the |
@iaguis I switched them but it makes no difference. Also whether whether you use |
Since there isn't really a one liner solution to this common problem, I do feel like I should share the two snippets that have just blatantly worked for me that didn't take a ton of setup in order to get pod ports exposed on the hosts public ports.
Note: I am not proud of this at all but it works and is a single step.
Slightly less ashamed with this one, but still feel like this shouldn't be as difficult as it is to expose a port. Ive seen people throw together systemd services that used |
Environment
What did you do?
The aci was built with:
acbuild port add proxy tcp 1080
I have zero firewall rules set up other than those that rkt sets up.
What did you expect to see?
Port 1080 should be bound to
0.0.0.0
, I should be able to reach port 1080 from any host on my network.What did you see instead?
I can only access port 1080 from
localhost
.The text was updated successfully, but these errors were encountered: