In advance sorry if my question has been already raised but I did not manage to find the answer.
I have a simple requirement, being able to access a container from its private port onto the Rancher managed network.
Let’s imagine I have deployed a new Docker instance on 172.17.0.2 without exposing any port on the host machine. But still, if my container has a private port 8080, I am able to accessible from 172.17.0.2:8080.
Now I would like to do the same thing from the Rancher managed network. The same container is also accessible from the managed network to 10.42.216.20, but I cannot access its private port 10.42.216.20:8080.
Access from where? Any port that is listening on any container with managed networking is accessible from elsewhere in the managed network, e.g. other containers. But that is not accessible from, say, your laptop.
Even if the port is not mapped onto the host machine? It is actually my test case, a port exposed but not mapped anywhere.
But I wonder how to access it from the Rancher managed network (let’s say another instance running in the same managed network).
The port 8080 is not mapped on any interface so far but it is exposed though:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
62b887f00147 elasticsearch:0.7.0 “/usr/lib/jvm/java-8-” 4 minutes ago Up 3 minutes 8051/tcp r-Default_ES_1
I ran the command (on my host OS) but unfortunately I did not get anything related to my container IP (by container IP I mean the private IP within the Rancher managed network ofc).
I actually told you to use netstat as most of the time that is available and ss is not
It looks like you ran the ss command on the host, not the container, hence the 172.x.x.x address shown. That, or your container is using host mode networking? Which is it?
Odd then that we see the host IP address in the ss output. Can you run a ifconfig or ip a in the container to confirm please. If that shows a 10 address, we know we’re good.
Btw, you’ve switched from port 8080 to 8051, I assume your testing has also changed to accommodate that? How are you testing connectivity?
root@a2ed30efbe60:/component# ip addr show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 43: eth0@if44: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:68:da:ba:13:d4 brd ff:ff:ff:ff:ff:ff inet 172.17.0.5/16 scope global eth0 valid_lft forever preferred_lft forever inet 10.42.212.155/16 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::68:daff:feba:13d4/64 scope link valid_lft forever preferred_lft forever
From my point of view this looks like pretty normal. We do see the internal Docker IP (172.17.x.x) and the Rancher IP (10.42.x.x). Do you confirm?
Yes I switched to 8051, actually I used 8080 at the beginning just for the description. My private port is still 8051.
I am testing connectivity from another container (basically a tcp call), launched with Rancher using managed network and I created a link between both containers.
By the way a netstat command output, still from my container exposing the 8051 private port:
root@a2ed30efbe60:/component# netstat Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp6 0 0 a2ed30efbe60:33380 192.168.56.101:2181 ESTABLISHED Active UNIX domain sockets (w/o servers) Proto RefCnt Flags Type State I-Node Path unix 2 [ ] STREAM CONNECTED 88612 unix 2 [ ] STREAM CONNECTED 89580
It’s odd that that listening port is only shown listening on an IPv6 address. Normally I’d expect to see *:8051 or :::8051 for the Local Address: Port.
Perhaps some Java misconfiguration? Or maybe just your OS.
