
Can someone explain why I can't access my website running in a Docker container through Nomad, or what I'm doing wrong? I'm a beginner in system and networking.

I would like to make the container http listen on 127.0.0.1:8088 so that nginx can proxy.

Nomad server and client are running on the same machine

Machine is Fedora, SELinux disabled, firewall disabled.

What I expect : Request to <server_ip>:8088 responds website

What I get : Response is Connection refused.

nomad conf :

```
data_dir  = "/opt/nomad/data"
bind_addr = "0.0.0.0"
log_level = "DEBUG"

server {
  # license_path is required for Nomad Enterprise as of Nomad v1.1.1+
  #license_path = "/etc/nomad.d/license.hclic"
  enabled          = true
  bootstrap_expect = 1
}
acl {
  enabled = true
}

client {
  enabled = true
  servers = ["127.0.0.1"]
}
```

nomad job :

```
job "ctprods-app" {
  datacenters = ["*"]

  group "ctprods-group" {
    count = 1
    network {
      port "http" {
        static = 8088
        to     = 8088
      }
    }
    task "ctprods-task" {
      driver = "docker"
      env {
        ENVIRONMENT = "production"
      }
      config {
        image = "ctaque/ctprods:latest"
        ports = [
          "http"
        ]
      }
    }
  }
}
```

nginx block :

```
location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass http://127.0.0.1:8088/;
}
```

ss -nplut :

```
tcp LISTEN  0  4096 <server_public_ip>:8088 0.0.0.0:*
```

nomad job port map : [image]

nomad job running : [image]

C Taque
  • `client {}` Nomad by default is using public interface. Configure Nomad to use localhost like https://github.com/hashicorp/nomad/issues/12203 . `Request to <server_ip>:8088 responds website` Why? Is nginx listening on 8088? I would expect it listens on :80. – KamilCuk May 31 '23 at 12:27
  • `firewall disabled` And you are running Nomad? Anyone can run a job on your server. I would suggest to invest time to setup even simple ufw. – KamilCuk May 31 '23 at 12:38
  • I get this error : ```failed to setup alloc: pre-run hook "network" failed: failed to configure networking for alloc: failed to configure network: plugin type="loopback" failed (add): failed to find plugin "loopback" in path [/opt/cni/bin]``` "I would suggest to invest time to setup even simple ufw." even with an ACL ? – C Taque May 31 '23 at 13:27
  • Plugin loopback? I do not know where you have that error from, just add `client { host_network "lo" { interface = "lo" }}` and then `network { port { static = 8088 host_network = "lo" }}` to job. There is no plugin involved. `even with an ACL ?` The problem with lack of firewall is that there are too many ports. One insecure application, or forgotten X server port, and someone has full access. – KamilCuk May 31 '23 at 14:21
  • `failed to find plugin "loopback" in path [/opt/cni/bin]` this looks like some docker problem related to kubernetes. `host_network "lo"` works fine for me with newest nomad. – KamilCuk May 31 '23 at 14:25
  • Yep, your conf. works but now it's the docker image that does not respond to the requests. Even by running the image with `docker run`. Dockerfile:
    ```
    FROM rust@sha256:80f2e747f4d6b572e79b845df87b47dd9102f236113efd8921a115f4515b7df1
    COPY ./target/release/ctprods .
    EXPOSE 8088
    CMD ["./ctprods", "listen"]
    ```
    – C Taque May 31 '23 at 15:12
  • `does not respond to the requests` `it’s listening to 127.0.0.1:8088` seem contradictory. If you have it listening on 127.0.0.1, then nginx should redirect. – KamilCuk May 31 '23 at 15:16
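
The `host_network` suggestion from the comments, written out in full against the question's own configuration. This is an added example, not code posted by either participant; the two sections are separate files (agent configuration and job specification), and the network name `lo` follows the comment.

```hcl
# Added example: constructed from the configuration in the question and the
# host_network suggestion in the comments.

# --- Nomad agent configuration: client stanza ---
client {
  enabled = true
  servers = ["127.0.0.1"]

  # Before: no host_network block, so the published port ended up on the
  # public address, as the ss output in the question shows.
  # After: declare a named host network tied to the loopback interface.
  host_network "lo" {
    interface = "lo"
  }
}

# --- Job specification: group-level network stanza ---
job "ctprods-app" {
  datacenters = ["*"]

  group "ctprods-group" {
    count = 1

    network {
      port "http" {
        static       = 8088
        to           = 8088
        host_network = "lo" # publish 8088 on loopback only; nginx proxies to it
      }
    }

    task "ctprods-task" {
      driver = "docker"
      env {
        ENVIRONMENT = "production"
      }
      config {
        image = "ctaque/ctprods:latest"
        ports = ["http"]
      }
    }
  }
}
```

After restarting the agent and re-running the job, `ss -nplut` should show the listener on `127.0.0.1:8088` rather than `<server_public_ip>:8088`, which is the address the nginx `proxy_pass` targets.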

0 Answers