Port mapping to Rancher network

Hello all,

Sorry in advance if my question has already been raised, but I did not manage to find the answer.

I have a simple requirement, being able to access a container from its private port onto the Rancher managed network.

Let’s imagine I have deployed a new Docker instance on 172.17.0.2 without exposing any port on the host machine. But still, if my container has a private port 8080, I am able to access it from 172.17.0.2:8080.

Now I would like to do the same thing from the Rancher managed network. The same container is also accessible from the managed network to 10.42.216.20, but I cannot access its private port 10.42.216.20:8080.

So, is there any way to do it?

Thanks for your help

Access from where? Any port that is listening on any container with managed networking is accessible from elsewhere in the managed network, e.g. other containers. But that is not accessible from, say, your laptop.

Even if the port is not mapped onto the host machine? It is actually my test case, a port exposed but not mapped anywhere.
But I wonder how to access it from the Rancher managed network (let’s say another instance running in the same managed network).

The port 8080 is not mapped on any interface so far but it is exposed though:

CONTAINER ID   IMAGE                 COMMAND                  CREATED         STATUS         PORTS      NAMES
62b887f00147   elasticsearch:0.7.0   "/usr/lib/jvm/java-8-"   4 minutes ago   Up 3 minutes   8051/tcp   r-Default_ES_1

It still does not work :frowning:

It should and it shouldn’t require any special configuration.

Can you run this command in your container to ensure it’s actually listening please:

netstat -ltn

Thanks for your help.

I ran the command (on my host OS) but unfortunately I did not get anything related to my container IP (by container IP I mean the private IP within the Rancher managed network ofc).

Sorry I just saw you asked me to run this command within my container.

I have some trouble installing net-tools for netstat, but if I run a docker inspect, I do see:

"Config": { ... "ExposedPorts": { "8051/tcp": {} }

and

"NetworkSettings": { "Bridge": "", ... "Ports": { "8051/tcp": null },

With a $ss -l I got:

tcp LISTEN 0 128 ::ffff:172.17.0.5:8051 :::*

But still not reachable from another container within the Rancher network.

I actually told you to use netstat as most of the time that is available and ss is not :wink:

It looks like you ran the ss command on the host, not the container, hence the 172.x.x.x address shown. That, or your container is using host mode networking? Which is it?

No I ran the ss command from my container.

And I’m not using the host mode. I use the managed option.
My goal is to expose something on 10.42.x.x not on 172.x.x.x

Odd then that we see the host IP address in the ss output. Can you run an ifconfig or ip a in the container to confirm please. If that shows a 10 address, we know we’re good.

Btw, you’ve switched from port 8080 to 8051, I assume your testing has also changed to accommodate that? How are you testing connectivity?

Hi,

An ip command within a container:

root@a2ed30efbe60:/component# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
43: eth0@if44: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:68:da:ba:13:d4 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.5/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.42.212.155/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::68:daff:feba:13d4/64 scope link
       valid_lft forever preferred_lft forever

From my point of view this looks pretty normal. We do see the internal Docker IP (172.17.x.x) and the Rancher IP (10.42.x.x). Can you confirm?

Yes I switched to 8051, actually I used 8080 at the beginning just for the description. My private port is still 8051.

I am testing connectivity from another container (basically a tcp call), launched with Rancher using managed network and I created a link between both containers.

I don’t understand though when you said we see the host IP address in the ss output…

When I executed the $ss command from my container, I got a 172.17.0.0/16 IP which is my private Docker IP (managed within the docker0 interface)

By the way a netstat command output, still from my container exposing the 8051 private port:

root@a2ed30efbe60:/component# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 a2ed30efbe60:33380      192.168.56.101:2181     ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         STREAM     CONNECTED     88612
unix  2      [ ]         STREAM     CONNECTED     89580

No idea please :frowning: ?

Hey.

Apologies, getting my IPs confused.

It’s odd that that listening port is only shown listening on an IPv6 address. Normally I’d expect to see *:8051 or :::8051 for the Local Address: Port.

Perhaps some Java misconfiguration? Or maybe just your OS.
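An added example, not written by anyone in this thread: a small checker that reads `ss -l` style output and reports whether a listener covers a given container address, using the `::ffff:172.17.0.5:8051` line and the 10.42.212.155 address quoted above. The two wildcard sample lines are constructed, and treating `::` as also covering IPv4 assumes a dual-stack socket (Linux default `net.ipv6.bindv6only=0`).

```python
import ipaddress

# Constructed sample: the ss line quoted in the thread plus two wildcard forms.
SAMPLE = """\
tcp LISTEN 0 128 ::ffff:172.17.0.5:8051 :::*
tcp LISTEN 0 128 :::9200 :::*
tcp LISTEN 0 128 *:22 *:*
"""

def parse_local(field):
    """Split an ss 'addr:port' field into (ip, port); ip is None for a wildcard bind."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]")
    if addr in ("*", "::", "0.0.0.0", ""):
        return None, int(port)
    ip = ipaddress.ip_address(addr)
    # ::ffff:a.b.c.d is an IPv4-mapped address: an IPv6 socket bound to IPv4 a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip, int(port)

def listeners(ss_output):
    """Return (ip, port) for every LISTEN row of ss output."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if "LISTEN" in cols:
            # Columns after State are Recv-Q, Send-Q, then the local address.
            found.append(parse_local(cols[cols.index("LISTEN") + 3]))
    return found

def reachable_on(ss_output, target_ip, port):
    """True if some listener on `port` is bound to target_ip or to a wildcard."""
    target = ipaddress.ip_address(target_ip)
    return any(p == port and (ip is None or ip == target)
               for ip, p in listeners(ss_output))

if __name__ == "__main__":
    for ip in ("172.17.0.5", "10.42.212.155"):
        print(ip, 8051, reachable_on(SAMPLE, ip, 8051))
```

A listener bound to one specific address answers only on that address, so the check is run once per IP shown by `ip addr show`.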

I guess I will have to find another solution. This standard way is not working and this is actually pretty disappointing.

Are you using a host with ipv6? If so, that’s not supported.

https://github.com/rancher/rancher/issues/1403

Hi Denise,

Nope I am using plain old ipv4.