LXC doesn't forward packets from WAN to the container

Hello,
I set a proxy device for a container which forwards host port 443 to container port 443, and it is working correctly. Now I try to set a proxy device for port 8443 to another container, but it doesn't work. When I telnet to the port from outside I see the traffic on the host interface, but there is nothing on the container interface (with tcpdump). When I telnet to port 8443 from the host to the IP of the container, I see traffic. Below is the configuration:

Container KO with port 8443:

```
devices:
  myport8443:
    connect: tcp:127.0.0.1:8443
    listen: tcp:0.0.0.0:8443
    proxy_protocol: "true"
    type: proxy
```

Container OK with port 443:

```
myport443:
  connect: tcp:127.0.0.1:443
  listen: tcp:0.0.0.0:443
  proxy_protocol: "true"
  type: proxy
```

Command used:

```
lxc config device add WordpressContainer myport8443 proxy listen=tcp:0.0.0.0:8443 connect=tcp:127.0.0.1:8443 proxy_protocol=true
```

Thank you.

Sounds silly, but:

Are you aware LXD listens on 8443 by default if enabled to listen on the network? Is LXD listening on the network?

I.e. on mine:

```
me@me:/ lxc config show
config:
  core.https_address: '[::]:8443'
  core.trust_password: true
```

As @turtle0x1 suggested, it's worth checking if anything is listening on that port.

Running this would show it:

```
sudo ss -tlpn
```

Below is the output of the command:

```
lxc config show
config: {}
```

I tried with port 7443 but it is the same result.

Also, can you check your firewall is allowing the ports? iptables-save should show you the active rules.

I use nftables. The port 7443 is open. Maybe I can use port redirection via nftables.

Can you show the output of ss -tlpn and sudo nft list ruleset?

Also, can you show the output of lxc config show <instance> --expanded for the problem container?

Finally, please show the output of ip a inside the container.

Thanks

Also, you would not expect to see any traffic on the container’s network interface (eth0) when using the proxy connecting to 127.0.0.1, so please also show the tcpdump command you run inside the container.

```
ss -tlpn
State    Recv-Q   Send-Q   Local Address:Port    Peer Address:Port   Process
LISTEN   0        128          127.0.0.1:6010          0.0.0.0:*
LISTEN   0        10           127.0.0.1:587           0.0.0.0:*
LISTEN   0        32           10.49.6.1:53            0.0.0.0:*
LISTEN   0        4096     127.0.0.53%lo:53            0.0.0.0:*
LISTEN   0        128            0.0.0.0:22            0.0.0.0:*
LISTEN   0        10           127.0.0.1:25            0.0.0.0:*
LISTEN   0        128              [::1]:6010             [::]:*
LISTEN   0        4096                 *:8443                *:*
LISTEN   0        4096                 *:443                 *:*
LISTEN   0        4096                 *:80                  *:*
LISTEN   0        4096                 *:7443                *:*
```

lxc config show <instance> --expanded:

```
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 20.04 LTS amd64 (release) (20200504)
  image.label: release
  image.os: ubuntu
  image.release: focal
  image.serial: "20200504"
  image.type: squashfs
  image.version: "20.04"
  volatile.base_image: 647a85725003d873f8bb9a5bd1a09bdc7fd4bcb393b2cf629f7e0edaa58f5637
  volatile.eth0.host_name: vethe4301269
  volatile.eth0.hwaddr: 00:16:3e:39:55:b8
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  myport7443:
    connect: tcp:127.0.0.1:7443
    listen: tcp:0.0.0.0:7443
    proxy_protocol: "true"
    type: proxy
  myport8443:
    connect: tcp:127.0.0.1:8443
    listen: tcp:0.0.0.0:8443
    proxy_protocol: "true"
    type: proxy
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""
```

I use tcpdump -i eth0 port 7443 or tcpdump -i eth0

Please can you run it as sudo ss -tlpn as I originally asked for, so I can see the process names. Thanks

```
sudo ss -tlpn
State    Recv-Q   Send-Q   Local Address:Port    Peer Address:Port   Process
LISTEN   0        128          127.0.0.1:6010          0.0.0.0:*     users:(("sshd",pid=2139910,fd=11))
LISTEN   0        10           127.0.0.1:587           0.0.0.0:*     users:(("sendmail-mta",pid=1016213,fd=5))
LISTEN   0        32           10.49.6.1:53            0.0.0.0:*     users:(("dnsmasq",pid=2004294,fd=9))
LISTEN   0        4096     127.0.0.53%lo:53            0.0.0.0:*     users:(("systemd-resolve",pid=610,fd=13))
LISTEN   0        128            0.0.0.0:22            0.0.0.0:*     users:(("sshd",pid=738,fd=3))
LISTEN   0        10           127.0.0.1:25            0.0.0.0:*     users:(("sendmail-mta",pid=1016213,fd=4))
LISTEN   0        128              [::1]:6010             [::]:*     users:(("sshd",pid=2139910,fd=10))
LISTEN   0        4096                 *:8443                *:*     users:(("lxd",pid=2147531,fd=8),("lxd",pid=2147531,fd=3))
LISTEN   0        4096                 *:443                 *:*     users:(("lxd",pid=542001,fd=8),("lxd",pid=542001,fd=4))
LISTEN   0        4096                 *:80                  *:*     users:(("lxd",pid=542092,fd=8),("lxd",pid=542092,fd=4))
LISTEN   0        4096                 *:7443                *:*     users:(("lxd",pid=2148474,fd=8),("lxd",pid=2148474,fd=3))
LISTEN   0        128               [::]:22               [::]:*     users:(("sshd",pid=738,fd=4))
```

Thanks, I've reformatted them using three backticks so they are more readable.

So LXD proxy is listening on the port.

You won’t see traffic on the container’s eth0 as the proxy device switches into the container’s network namespace and then establishes a connection to 127.0.0.1, so at most you may see traffic on the lo interface inside the container.

So we just need to see your firewall rules to check it's not being blocked on the LXD host (you may still see traffic hitting the LXD host's external interface using tcpdump, and it could still be blocked by the firewall).

Also check that the service you are using inside your container is listening on 127.0.0.1 (using sudo ss -tlpn inside the container).
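As an added example (not code from the thread, from LXD, or from any of the posters), the two checks asked for in this post and in the earlier request for sudo ss -tlpn and lxc config show, written as shell functions that run over captured ss and lxc output: on the host, whether a port is taken by LXD's own API (turtle0x1's point), held by an lxd process with no API configured there (i.e. the proxy device), held by nothing, or owned by some other daemon; inside the container, whether the service is bound to an address that the proxy device's connect to 127.0.0.1 can actually reach. The ss and lxc config outputs below are constructed to look like the ones in the thread, the nginx process and the address 10.49.6.20 are invented, and api_port assumes core.https_address ends in an explicit port as it does in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from LXD. All sample input is constructed.

# Host side: constructed `sudo ss -tlpn` output. LXD's API and a proxy device both
# appear as an "lxd" process, so ss alone cannot tell the two apart.
HOST_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128  0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=738,fd=3))
LISTEN 0 4096 *:8443     *:*       users:(("lxd",pid=2147531,fd=8),("lxd",pid=2147531,fd=3))
LISTEN 0 4096 *:443      *:*       users:(("lxd",pid=542001,fd=8),("lxd",pid=542001,fd=4))'

# Constructed `lxc config show` outputs: API exposed on 8443 vs. not exposed at all.
CFG_API_ON_8443='config:
  core.https_address: "[::]:8443"'
CFG_EMPTY='config: {}'

# Container side: constructed `sudo ss -tlpn` run inside the container. The service
# on 8443 is bound only to eth0's address (invented: 10.49.6.20); the one on 443 to 0.0.0.0.
GUEST_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511  10.49.6.20:8443 0.0.0.0:* users:(("nginx",pid=301,fd=6))
LISTEN 0 511  0.0.0.0:443     0.0.0.0:* users:(("nginx",pid=301,fd=7))'

# ss_rows PORT SS_OUTPUT: prints "local-address:port process" for every LISTEN socket on PORT.
ss_rows() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); if (a[n] != p) next
      proc = "?"
      if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
      print $4, proc
    }'
}

# api_port CFG_OUTPUT: port taken from core.https_address, or "unset" when LXD is not
# listening on the network. Assumes the value ends in an explicit port ("[::]:8443").
api_port() {
  p=$(printf '%s\n' "$1" | sed -n 's/.*core\.https_address:.*[^0-9]\([0-9][0-9]*\)[^0-9]*$/\1/p')
  [ -n "$p" ] && printf '%s\n' "$p" || printf 'unset\n'
}

# host_port_status PORT SS_OUTPUT CFG_OUTPUT:
#   clash:lxd-api    LXD's own API is configured on PORT, so a proxy device cannot have it
#   proxy-listening  an lxd process holds PORT and the API is elsewhere: the proxy device is up
#   not-listening    nothing holds PORT: the proxy device never came up
#   clash:<name>     another daemon owns PORT
host_port_status() {
  [ "$(api_port "$3")" = "$1" ] && { printf 'clash:lxd-api\n'; return; }
  proc=$(ss_rows "$1" "$2" | awk '{ print $2; exit }')
  case "$proc" in
    "")   printf 'not-listening\n' ;;
    lxd)  printf 'proxy-listening\n' ;;
    *)    printf 'clash:%s\n' "$proc" ;;
  esac
}

# loopback_reachable PORT SS_OUTPUT: "yes" if a connect=tcp:127.0.0.1:PORT made from inside
# the container's network namespace would find a socket, i.e. something listens on
# 127.0.0.1, 0.0.0.0, * or [::]. A service bound only to eth0's address gives "no".
loopback_reachable() {
  ss_rows "$1" "$2" | awk '
    { addr = $1; sub(/:[0-9]+$/, "", addr)
      if (addr == "127.0.0.1" || addr == "0.0.0.0" || addr == "*" || addr == "[::]") ok = 1 }
    END { print (ok ? "yes" : "no") }'
}

# On a real host/container (not run here):
#   host_port_status 8443 "$(sudo ss -tlpn)" "$(lxc config show)"
#   loopback_reachable 8443 "$(lxc exec <instance> -- ss -tlpn)"
host_port_status 8443 "$HOST_SS" "$CFG_EMPTY"   # proxy-listening
loopback_reachable 8443 "$GUEST_SS"             # no
```

The host check reproduces the reasoning in the thread: with config {} the lxd process on *:8443 can only be the proxy device, whereas with core.https_address on 8443 the same ss line would mean the API got the port. The container check covers the last point above: the proxy connects to 127.0.0.1 inside the container, so a service bound only to eth0's address is unreachable even though tcpdump on the host shows the traffic arriving.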

Hello,
Finally, I removed port 443 from the other container and added it to this container, and it works. I did that to fix a problem which has been resolved. The server is in production now and I cannot make changes to test. Thank you tomp for your help.