I have configured web servers to run from Docker containers in the past. This time, one does not work. My Docker host is running Ubuntu. When the Docker container that has a web server application in it is running, nmap commands show that the external IP address and port are "filtered." When the Docker container is not running, nmap shows the state as "closed." This is not at all what I would expect.
The web browser shows "The connection was reset" regardless of whether the Docker container is running or not. This is not surprising given the nmap results that I have seen.
Inside a Docker container supporting a web service I can normally run apt-get update and other apt-get install commands. But I cannot with this problem container. I get "failure resolving 'deb.debian.org'." I'm not sure if this is related or not. I tried configuring a file /etc/docker/daemon.json with 8.8.8.8 and 8.8.4.4. This file did not seem to do anything. I tried rebooting the Docker server.
I disabled IP version 6 on the Docker server. I disabled the firewall. Why would a Docker container configured to use a port cause an nmap command to show the port is filtered when the Docker container is running?
I am using an AWS server. The contents of resolv.conf that are not commented out are these:
nameserver 172.31.0.2
search us-east-2.compute.internal
Update / edit. To respond to a previous comment, I want to post the info here where the formatting is better.
curl ipinfo.io shows this (but I replaced the IP address with x.x.x.x)
{
"ip": "x.x.x.x",
"hostname": "ec2-x-x-x-x.us-east-2.compute.amazonaws.com",
"city": "Columbus",
"region": "Ohio",
"country": "US",
"loc": "39.9653,-83.0235",
"org": "AS16509 Amazon.com, Inc.",
"postal": "43215"
}
sudo iptables -S shows this (but I replaced the last two octets of the IP address with x.x)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o br-5d57542faf97 -j DOCKER
-A FORWARD -o br-5d57542faf97 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-5d57542faf97 ! -o br-5d57542faf97 -j ACCEPT
-A FORWARD -i br-5d57542faf97 -o br-5d57542faf97 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.31.x.x/32 ! -i br-5d57542faf97 -o br-5d57542faf97 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -i docker0 -o br-5d57542faf97 -j DROP
-A DOCKER-ISOLATION -i br-5d57542faf97 -o docker0 -j DROP
-A DOCKER-ISOLATION -j RETURN
Update/clarification: I use a command like this to create the Docker container:
sudo docker run --name docker-nginx -p 7777:80 --network=isolated_nw --ip 172.31.x.x nginx
I created a user defined network earlier called isolated_nw. I have no problems when I do this on a RedHat server. When the Docker host is running Ubuntu, that is when I have the problem. Should I move this question to an Ubuntu forum?
Another update: This is primarily a networking problem (as the web service is not working). The results of an nmap command show that a port appears to be filtered when a Docker container that is supposed to listen on that port is running. apt-get commands cannot retrieve packages from the public repository the way a normal Docker container on a RedHat Docker host can. This command: journalctl -u docker.service did not show me anything obviously wrong with the networking issues that I am having.
I went to the work of obtaining a .deb package to copy into a Docker container for installing netstat. I then ran this command:
netstat -plnat
I saw this:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1/nginx: master pro
tcp 0 0 127.0.0.11:44720 0.0.0.0:* LISTEN -
This may be a DNS setting issue then.
Create a file
/etc/docker/daemon.json
with the below content, and then restart the docker service. This will set the container DNS for every container you launch.
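One check worth running before changing DNS settings (an added example, not part of the question or the answer above): the container is started with --ip 172.31.x.x, and the host's resolver is 172.31.0.2, so both sit in the same 172.31.0.0/16 range as the EC2 VPC. If the subnet of the user-defined network overlaps the host's own uplink subnet, the kernel's longest-prefix route sends packets for the resolver (and other VPC hosts) toward the Docker bridge instead of eth0, which shows up as exactly this kind of "failure resolving" inside containers. The script below parses `ip -o -4 addr show` output and reports overlapping bridges and where the resolver would be routed; the interface addresses are constructed sample values, since the question masks its real ones.

```python
import ipaddress
import re

# Constructed sample of `ip -o -4 addr show` on the Docker host. The real
# values on the page are masked as x.x; only the resolver and bridge name
# are taken from the question. The bridge subnet here is chosen to cover
# the resolver so the failure mode is visible.
HOST_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0  inet 172.31.20.15/20 brd 172.31.31.255 scope global eth0
3: docker0  inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
4: br-5d57542faf97  inet 172.31.0.1/16 brd 172.31.255.255 scope global br-5d57542faf97
"""
NAMESERVER = "172.31.0.2"  # from the host's /etc/resolv.conf on the page

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")


def parse_addrs(text):
    """Return {interface name: IPv4Interface} for every 'inet' line."""
    found = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            found[m.group(1)] = ipaddress.ip_interface(m.group(2))
    return found


def overlapping_bridges(addrs, uplink="eth0"):
    """Names of non-uplink interfaces whose subnet overlaps the uplink's."""
    up_net = addrs[uplink].network
    return sorted(name for name, itf in addrs.items()
                  if name not in (uplink, "lo") and itf.network.overlaps(up_net))


def resolver_next_hop(addrs, nameserver):
    """Interface the kernel would choose for the resolver (longest prefix wins),
    or 'default route' if no connected subnet contains it."""
    ns = ipaddress.ip_address(nameserver)
    candidates = [(itf.network.prefixlen, name)
                  for name, itf in addrs.items() if ns in itf.network]
    return max(candidates)[1] if candidates else "default route"


if __name__ == "__main__":
    addrs = parse_addrs(HOST_ADDRS)
    print("bridges overlapping eth0:", overlapping_bridges(addrs))
    print("resolver", NAMESERVER, "routed via:", resolver_next_hop(addrs, NAMESERVER))
```

If a bridge is reported, recreate the user-defined network with a --subnet that does not overlap the VPC; note also that `iptables -S` prints only the filter table, so the DNAT rule for `-p 7777:80` is only visible with `iptables -t nat -S`.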