0

I have an issue with connecting from my Docker container (hosted on Google Cloud Run) to my local machine via ssh. I’m getting a “Connection Timeout error”. I'm not a networking expert and I'm a newbie to Google Cloud Run, so, I'm going to try my best to explain the issue.

Let me explain the setup. I have a docker image in Google Cloud's artifact registry (for CI/CD purposes). I then created a Cloud Run service attached to the Docker image (already on the registry). The docker image is a simple FastAPI app that allows for API requests from remote machines. API requests work perfectly fine and I get the proper responses. There is 1 API request that requires establishing an SSH connection to a remote machine (my laptop for now), transfer files to that laptop and execute a couple of commands via the command prompt. It is this API call that is causing issues.

Here's a simplified schematic: Linked Image

Caption: Google Cloud Run (connected to Docker Image on Google Artifact Registry) > Docker Container houses FastAPI APP > Calls are made to the api via http requests > 1 call requires an ssh connection to a remote machine to execute commands for specialized software > Once commands are finished, scp some files back to the Docker container for processing.

Now, I have tested hosting the same docker image and container on my local machine via Docker Desktop (the one with the specialized software to be executed via ssh commands) and that approach works perfectly fine. I can ssh from the docker container to the local machine, execute the command, and scp some files just fine (the ssh calls are initiated via API calls). That same docker is on Google Cloud run and all API calls work except the one requiring an ssh connection to my local machine.

Here are some configurations that may help:

DOCKER:

  • port 22 exposed and mapped to port 22 (in docker-compose.yaml)
  • port 80 exposed and mapped to port 80 (in docker-compose.yaml)
  • Has the necessary rsa keys and known hosts for the local machine

Google Cloud Run:

  • VPC created with a Static IP address (Google Cloud Static IP)
  • ingress and egress are allowed on port 22
  • VPC is setup for the Cloud Run for the specified docker image

Local Machine:

  • Contains the specialized software Has the necessary rsa keys and known hosts for the docker container
  • Has the necessary rsa keys and knows hosts for the Google Cloud Run static IP

I can ping the static IP on google cloud from my machine with no problem. I'm not sure if all that information is useful and if my explanation is clear but I can adjust my question according to responses. Again, I'm a newbie here :).

TheNomad
  • 293
  • 1
  • 3
  • 10
  • Can you provide the exact error message? Also, can you provide a [minimal, reproducible example](https://stackoverflow.com/help/minimal-reproducible-example)? – Robert G Jun 16 '23 at 20:56
  • Thanks for your reply @RobertG . I had forgotten to mention the error. It’s a connection timeout error that I’m getting. Providing a minimal, reproducible example may take time as I would have to create an example by stripping out a lot of proprietary code. I can have something ready in not long but I hope the error can give you a hint as to the source of the issue. – TheNomad Jun 17 '23 at 00:40
  • Are you sure your laptop is publicly accessible? If you're connected through a router, with NAT do you have port forwarding set up? Will your firewall accept incoming tcp connections on the right port? – Ben K Jun 17 '23 at 02:32

1 Answers1

0

I solved this problem and it was mainly @Ben k’s comment that made me realize something was blocking and it was thanks to @Robert G’s suggestion to reproduce a minimal reproducible example.

Here are the main issues that were fixed (and their root cause) in hopes it may help another newbie like myself.

1- My IP address was not visible beyond my local network. I tried pinging my IP address from outside and had no response. My router was blocking any inbound connections. So, I created a special firewall rule on my router to allow for outside traffic but limited to certain IP addresses I trust.

2- By producing a minimal, reproducible example, I realized that I was setting up ssh with their associate rsa keys but I wasn’t sharing the right keys. My docker container had rsa keys that I had setup a while ago but these were since updated and I did not realize I never updated their values in the docker container.

3- I had setup a firewall rule in the Google Cloud Run VPC network to allow for connections to my home network. I had set up the 192.168.X.X IP address on Ggloud run but I was then told any 192.168.X.X addresses are local address that identify devices connected to your local network. These are not the actual IP addresses that are broadcasted outside the network. I then re-setup Gcloud run firewall rules to include my REAL IP address (the one that is actually visible to the outside world). The reason why the first scenario in the included graphics (original post) worked was because the docker container was hosted on my laptop and was readily accessible by my local network.

With these 3 changes, I now have a successful ssh connection and can scp as expected. I hope this helps anyone out there.

TheNomad
  • 293
  • 1
  • 3
  • 10