
I am setting up a microservices architecture using docker for each service. I am also using kong API gateway running in its own docker container. The docker host is Centos 7 running in a VM with an IP 192.168.222.76.

On the host command line, I can access the starter service on port 7000 fine. However, within the kong VM, I ping the IP address but cannot access the service. As you can see from the output below, it says "Host is unreachable".

I am starting docker with --icc=true and --iptables=true and I have made several suggested changes to the firewalld and rich rules, etc. but I continue to not be able to reach the other container from within the kong container.

I am starting the kong container with a named network "kong-net" and the kong database instance is in the same docker network and THEY seem to be able to communicate. I have added my starter service container to the same network on startup and still no joy. The kong container CAN access the outside world, just not other docker containers on the same host.

Output is below:

[root@docker ~]# clear
[root@docker ~]# curl 192.168.222.76:7000/starter/hello
Hello Anonymous Person!!
[root@docker ~]# docker exec -it kong /bin/ash
# curl 192.168.222.76:7000/starter/hello
curl: (7) Failed to connect to 192.168.222.76 port 7000: Host is unreachable

# curl www.google.com
HTML returned properly...

Any help on this appreciated!

Rich Schramm
  • Do you have one VM, or two? Can you include the relevant `docker run` commands and the set of changes you’ve actually made to your firewall config? – David Maze Dec 07 '18 at 17:38

3 Answers


You have to reach the other container by its container name. Try this:

docker exec -t kong curl servicename:7000/starter/hello

Kong container and service containers must share the same network

bonaccorso.p

I was able to get ICC working by disabling firewalld altogether (stop, disable, mask with systemctl) and opening up everything in iptables. Now it's just a matter of setting up rules to block inbound access except on the API gateway and SSH.

Thanks!

Rich Schramm

I have come across this problem before. If disabling the firewall fixes the problem, DO NOT leave the firewall disabled, this is a very big security concern. The proper way to go about it is firstly, reactivate the firewall and then add a network masquerade.

firewall-cmd --zone=public --add-masquerade --permanent

James Wagstaff
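As an added example (not part of the question or any of the answers), here is a docker-compose file that applies the first answer's advice, putting Kong, its database and the starter service on the one named network so Kong addresses the service as starter:7000 instead of going through the host IP, and that publishes only the gateway's ports on the host so the firewall can stay enabled as the third answer recommends. The starter image name, the Kong image tag and the Postgres password are placeholders, not values from the question.

```yaml
# Added example: one named network ("kong-net", as in the question), so
# containers reach each other by service name through Docker's embedded DNS.
# Placeholders: the starter image, the kong image tag and CHANGE_ME passwords.
version: "3.7"

networks:
  kong-net:
    name: kong-net        # same name the question creates with `docker network create`

services:
  kong-database:
    image: postgres:9.6
    networks: [kong-net]
    environment:
      POSTGRES_USER: kong
      POSTGRES_DB: kong
      POSTGRES_PASSWORD: CHANGE_ME   # placeholder
    # no "ports:" entry: the database is reachable only from kong-net

  kong:
    image: kong:1.0                  # tag is an assumption; pin whatever you deploy
    container_name: kong
    networks: [kong-net]
    depends_on: [kong-database]
    environment:
      KONG_DATABASE: postgres
      KONG_PG_HOST: kong-database    # resolved by name on kong-net, no host IP needed
      KONG_PG_USER: kong
      KONG_PG_PASSWORD: CHANGE_ME    # placeholder
      KONG_PROXY_LISTEN: "0.0.0.0:8000, 0.0.0.0:8443 ssl"
      KONG_ADMIN_LISTEN: "127.0.0.1:8001"   # admin API stays inside the container
    ports:
      - "8000:8000"       # the only ports published on the host: the gateway
      - "8443:8443"
    # One-off before first start: run `kong migrations bootstrap` with the same
    # environment (e.g. docker-compose run --rm kong kong migrations bootstrap).

  starter:
    image: example/starter:latest   # placeholder for the questioner's starter image
    container_name: starter
    networks: [kong-net]
    # no "ports:" entry: clients reach it only through Kong, so the host firewall
    # does not need to open 7000 at all.
    # Check from inside the gateway container:
    #   docker exec -t kong curl starter:7000/starter/hello
```

With this layout the host IP 192.168.222.76 only ever sees traffic for 8000/8443 (and SSH), which is the inbound policy the second answer says it still had to write rules for.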