
Fairly new to Docker. Our containers work fine when hitting localhost with curl or a browser, but any external calls to http://[ip address] just time out. We're seeing the exact same behavior with Kong and also a basic whoami. The only way the containers are externally accessible is when we add --network host to the docker run command, but that's not an option for our production use.

The server itself and firewall are configured correctly; when I shut down docker and spun up a simple webserver it was reachable at the IP address. Essentially, any bridge-type network for Docker is inaccessible to the outside world and produces time-outs on any call to a port we set it to listen for (vs immediate connection refused for random unmapped ports).

The run commands we're using:

docker run -d -p 80:80 containous/whoami

docker run -d --name kongtest \
  -p 0.0.0.0:80:8000 -p 0.0.0.0:443:8443 \
  kong/kong-gateway:3.0.0.0-alpine

Output from docker ps:

88a4bf28bbcd   kong/kong-gateway:3.0.0.0-alpine   "/docker-entrypoint.…"   5 seconds ago   Up 5 seconds (health: starting)   8001-8004/tcp, 8444-8447/tcp, 0.0.0.0:80->8000/tcp, 0.0.0.0:443->8443/tcp   kongtest

netstat -lntup using default or custom Docker bridge network:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      384272/sshd: /usr/s 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      640858/docker-proxy 
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      384297/systemd-reso 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      640845/docker-proxy 
tcp6       0      0 :::22                   :::*                    LISTEN      384272/sshd: /usr/s 
udp        0      0 127.0.0.53:53           0.0.0.0:*                           384297/systemd-reso 
udp        0      0 140.82.10.213:68        0.0.0.0:*                           384291/systemd-netw 

netstat -lntup using --network=host:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      384272/sshd: /usr/s 
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      384297/systemd-reso 
tcp6       0      0 :::22                   :::*                    LISTEN      384272/sshd: /usr/s 
tcp6       0      0 :::80                   :::*                    LISTEN      708481/whoami       
udp        0      0 127.0.0.53:53           0.0.0.0:*                           384297/systemd-reso 
udp        0      0 140.82.10.213:68        0.0.0.0:*                           384291/systemd-netw
Jay McEh
  • Are you saying that without `--network host`, external calls to `http://[ip-address]:8000` time out (your question doesn't mention the `8000` on the external calls)? That would be pretty strange - what does a port scan show for that port? – atrocia6 Sep 29 '22 at 21:29
  • Correct. Kong looks for calls on 8000/8443 by default. With the run script above, http://localhost:80 (or just localhost) are correctly forwarded to 8000 and produce results, but http://[ip address] or http://[ip address] time out, while http://[ip address]:8000 gets an immediate "Connection refused". If I add --network host, then both http://localhost:8000 and http://[ip address]:8000 work, but that setting disables Docker's port mapping. Essentially, if the network type is bridge, I can't get Docker to recognize the outside world at all. Port scan added above in edit. – Jay McEh Sep 30 '22 at 01:13
  • ...and when we use --network=host, the netstat shows docker listening on ports 8000 and 8443 as expected. – Jay McEh Sep 30 '22 at 01:19
  • Weird. Why don't you try another dockerized server (e.g. [this](https://hub.docker.com/r/traefik/whoami) or [this](https://hub.docker.com/r/containous/whoami/#!)), to see whether the problem is something specific to kong, or an issue with your docker setup in general. – atrocia6 Sep 30 '22 at 02:53
  • Excellent thought! You're right, `docker run -d -p 80:80 containous/whoami` works on localhost but not from external. `docker run -d --network=host containous/whoami` works on both. So it's something about docker or the docker bridge network specifically. – Jay McEh Sep 30 '22 at 04:24
  • This really sounds like a firewall issue - see what looks like a very similar issue [here](https://stackoverflow.com/questions/65630416/docker-network-bridge-not-working-from-outside). Can you try to turn off the firewall temporarily and see if the problem goes away? See also [here](https://stackoverflow.com/a/71132061). – atrocia6 Sep 30 '22 at 16:46
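The thread turns on one diagnostic distinction: a published port that *times out* from outside while `docker-proxy` is clearly listening on `0.0.0.0:80` means the SYN packets are being dropped before they reach that socket (host firewall, the `DOCKER-USER` iptables chain, or forwarding disabled), whereas an immediate "connection refused" means the host was reached but nothing is bound to that port. The following Python script is an added example, not code from the question or its commenters: it parses the `netstat -lntup` listing from the question (embedded below as a constructed sample, copied from the post), lists the ports held by `docker-proxy`, classifies a single TCP connect attempt against one host/port of your own, and combines the two into the explanation a reviewer of this thread would give. The `explain()` wording and the loopback self-test are assumptions of this example.

```python
import re
import socket

# Constructed sample: the netstat -lntup listing from the question, used so the
# parser can be exercised without a Docker host at hand.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      384272/sshd: /usr/s
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      640858/docker-proxy
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      384297/systemd-reso
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      640845/docker-proxy
tcp6       0      0 :::22                   :::*                    LISTEN      384272/sshd: /usr/s
"""

# One LISTEN line: proto, queues, local addr:port, foreign addr, state, pid/program.
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+"
    r"(?P<pid>\d+)/(?P<prog>\S+)"
)


def docker_published_ports(netstat_text):
    """Return sorted (port, bind address) pairs held by docker-proxy.

    A docker-proxy listener on 0.0.0.0 shows the host side of a -p mapping is
    in place, so a timeout on that port is a packet-filtering problem, not a
    container problem.
    """
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group("prog") == "docker-proxy":
            found.append((int(m.group("port")), m.group("addr")))
    return sorted(found)


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt to a host you administer.

    'open'        handshake completed: listener present and reachable
    'refused'     RST came straight back: host reached, nothing bound there
    'timeout'     no reply at all: SYNs dropped on the way (the symptom above)
    'unreachable' route/ICMP error before any handshake was attempted
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:          # TimeoutError on 3.10+, still caught here
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def explain(port, state, netstat_text):
    """Turn a probe result plus the host's netstat listing into the next check."""
    published = {p for p, _ in docker_published_ports(netstat_text)}
    if state == "open":
        return "reachable"
    if state == "refused":
        if port in published:
            return "refused although docker-proxy is listed: re-check netstat on the host"
        return "no listener on the host for that port (not published by Docker)"
    if state == "timeout" and port in published:
        return ("docker-proxy holds the port but SYNs are dropped before it: "
                "check the host firewall and Docker's DOCKER-USER chain")
    return "%s: check routing and any firewall between client and host" % state


def probe_local_demo():
    """Self-test on loopback: open while a listener exists, refused after it closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port, 2.0)
    srv.close()
    after_close = probe("127.0.0.1", port, 2.0)
    return while_listening, after_close


if __name__ == "__main__":
    print("docker-proxy ports:", docker_published_ports(NETSTAT_SAMPLE))
    print("loopback self-test:", probe_local_demo())
    # Replace with the public address of a host you operate to reproduce the
    # question's symptom; 80 and "timeout" here stand in for that run.
    print(explain(80, "timeout", NETSTAT_SAMPLE))
```

Run it on the Docker host first (the loopback self-test should print `('open', 'refused')`), then from an outside machine against the host's public address; a `timeout` on a port that `docker_published_ports` reports is the firewall case the last comment points to, and an immediate `refused` on a port it does not report is simply an unpublished port.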
