Some ports on Ubuntu container not accessible from Gentoo host

I have an Ubuntu container (Focal) from which I am (trying) to serve a Django application via an unprivileged port (8000).

The application starts fine, and I can see that the port is being listened on:

$ python manage.py runserver 0.0.0.0:8000
Watching for file changes with StatReloader
Performing system checks...

System check identified no issues (0 silenced).
August 25, 2021 - 11:40:42
Django version 3.2.6, using settings 'blob.settings'
Starting development server at http://0.0.0.0:8000/
Quit the server with CONTROL-C.


$ ss -l
Netid       State        Recv-Q       Send-Q                                          Local Address:Port                              Peer Address:Port       Process       
nl          UNCONN       0            0                                                        rtnl:systemd/1                                     *                         
nl          UNCONN       0            0                                                        rtnl:kernel                                        *                         
nl          UNCONN       0            0                                                        rtnl:systemd-resolve/132                           *                         
nl          UNCONN       0            0                                                     tcpdiag:kernel                                        *                         
nl          UNCONN       0            0                                                        xfrm:kernel                                        *                         
nl          UNCONN       0            0                                                       audit:systemd/1                                     *                         
nl          UNCONN       0            0                                                       audit:kernel                                        *                         
nl          UNCONN       0            0                                                   fiblookup:kernel                                        *                         
nl          UNCONN       0            0                                                         nft:kernel                                        *                         
nl          UNCONN       0            0                                                      uevent:systemd/1                                     *                         
nl          UNCONN       0            0                                                      uevent:-2006140055                                   *                         
nl          UNCONN       0            0                                                      uevent:-1004791466                                   *                         
nl          UNCONN       0            0                                                      uevent:-1724956465                                   *                         
nl          UNCONN       0            0                                                      uevent:kernel                                        *                         
nl          UNCONN       0            0                                                      uevent:systemd-logind/129                            *                         
nl          UNCONN       0            0                                                      uevent:systemd/182                                   *                         
nl          UNCONN       0            0                                                        genl:kernel                                        *                         
nl          UNCONN       0            0                                                        genl:systemd-network/114                           *                         
nl          UNCONN       0            0                                                      crypto:kernel                                        *                         
p_raw       UNCONN       0            0                                                        LLDP:eth0                                          *                         
u_str       LISTEN       0            0                                        /run/systemd/private 30474                                        * 0                        
u_str       LISTEN       0            0                  /run/systemd/userdb/io.systemd.DynamicUser 30478                                        * 0                        
u_str       LISTEN       0            0                     /run/systemd/journal/io.systemd.journal 30506                                        * 0                        
u_str       LISTEN       0            0                                 /run/systemd/journal/stdout 32202                                        * 0                        
u_str       LISTEN       0            0                                 /run/dbus/system_bus_socket 33417                                        * 0                        
u_str       LISTEN       0            0                           /var/run/postgresql/.s.PGSQL.5432 33766                                        * 0                        
u_str       LISTEN       0            0                              /run/user/1001/systemd/private 39414                                        * 0                        
u_seq       LISTEN       0            0                                           /run/udev/control 32209                                        * 0                        
raw         UNCONN       0            0                                                           *:ipv6-icmp                                    *:*                        
udp         UNCONN       0            0                                                  127.0.0.53:domain                                 0.0.0.0:*                        
udp         UNCONN       0            0                                  [fe80::216:3eff:fe8f:3d93]:dhcpv6-client                                *:*                        
tcp         LISTEN       0            0                                                  127.0.0.53:domain                                 0.0.0.0:*                        
tcp         LISTEN       0            0                                                     0.0.0.0:ssh                                    0.0.0.0:*                        
tcp         LISTEN       0            0                                                   127.0.0.1:postgresql                             0.0.0.0:*                        
tcp         LISTEN       0            0                                                     0.0.0.0:8000                                   0.0.0.0:*                        
tcp         LISTEN       0            0                                                           *:ssh                                          *:*                        
tcp         LISTEN       0            0                                                       [::1]:postgresql                                   *:*                        

But connections to the port from the host time out, even though nmap says the port is open:

# nmap -sT -O postgres.monitoring
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-25 09:46 CEST
Nmap scan report for postgres.monitoring (10.248.20.120)
Host is up (0.000033s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8000/tcp open  http-alt
MAC Address: 00:16:3E:8F:3D:93 (Xensource)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds

When I serve the application on the loopback interface, it’s accessible from the container, so I know the application works.

I should note that ssh connections to this container from the host also work fine.

I have not done any device configurations, but for my other containers that hasn’t been necessary (although these are all Gentoo containers). I thought maybe it’s a firewall issue? But the default Ubuntu Focal container does not have iptables installed. I installed nftables and tried sudo nft list and sudo nft flush ruleset; the latter failed with

Error: Could not process rule: Operation not supported
        flush ruleset

I’ve set the IP address of the container from inside the container itself. Is that a mistake? Should I be assigning the IP address through LXD? If so, how does that work?

Hi,

That’s not a mistake, but normally containers get their IP address from the LXD host’s DHCP server.
Can you run dhclient -v in the container to fetch the IP automatically, if that DHCP server is running?


Are you asking me if dhclient -v is working in the container?

I’m not very experienced with Gentoo, but containers fetch their IP address from the LXD dnsmasq process. Another way to make them get the IP address from the DHCP server is to get into the shell of the container and execute dhclient -v inside the container to force it. I’m just clarifying the issue; the cause of the problem is not related to it. Is there any firewall running on the Gentoo side? As I mentioned, I don’t have much Gentoo experience.
Regards.


The Gentoo host is not running a firewall.

I cannot tell for certain whether the Ubuntu container is running a firewall. As I mentioned, the container does (did) not have iptables or nftables installed.

The other Gentoo containers also set the IP address manually, and services on those containers work fine. I can’t help but think this is some Ubuntu configuration issue that I’m missing. Or something specific to the default Ubuntu Focal container.

What is the version of that Ubuntu container, and what is the output of this command?

lxc config show <container_name> --expanded

“Good news, everyone!” I found the cause of the problem. It’s a bit arcane and specific to my setup.

My browser (Firefox) uses a local SOCKS proxy provided by an ssh client. I have the container network behind the bridge in a list of proxy-exempted addresses:

10.0.0.0/24

but for convenience I’ve added a local name (postgres.monitoring) to the /etc/hosts file on the host.

It appears that Firefox only considers the address as entered in the address bar and not any address that a name might resolve to. postgres.monitoring was not in the exempt list, so Firefox was passing it to the proxy.

I found this by doing curl postgres.monitoring on the host. All the services are responding.

Thanks for your patience, @cemzafer .

EDIT: I just realized that the network listed in the exemptions is improperly masked. It needed to be 10.0.0.0/8 in order to work.
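The two pitfalls in this post (a proxy bypass list matched against the literal address-bar entry rather than what the name resolves to, and a /24 that does not actually cover the container network) are easy to check offline. The following is an added example, not code from the thread; it models the Firefox behaviour described above as a literal-text match and uses a constructed hosts map standing in for the /etc/hosts entry, with the thread's own values (postgres.monitoring, 10.248.20.120, 10.0.0.0/24 and 10.0.0.0/8) as test input.

```python
import ipaddress

# Constructed stand-in for the /etc/hosts entry added on the host in the thread.
HOSTS = {"postgres.monitoring": "10.248.20.120"}


def _split_exemptions(exemptions):
    """Separate a bypass list into CIDR networks and plain hostnames."""
    nets, names = [], set()
    for entry in exemptions:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.add(entry.lower())
    return nets, names


def resolve(entry, hosts=HOSTS):
    """Return the IP for `entry`: itself if it is a literal, else the hosts-map value (or None)."""
    try:
        return str(ipaddress.ip_address(entry))
    except ValueError:
        return hosts.get(entry.lower())


def bypasses_by_literal(entry, exemptions):
    """Firefox-style check (as described in the thread): only the text typed in the
    address bar is compared with the bypass list. A hostname must be listed by name;
    a literal IP is checked against the CIDR entries. No name resolution happens."""
    nets, names = _split_exemptions(exemptions)
    try:
        ip = ipaddress.ip_address(entry)
    except ValueError:
        return entry.lower() in names
    return any(ip in net for net in nets)


def bypasses_by_resolved(entry, exemptions, hosts=HOSTS):
    """What the poster expected: resolve the name first, then test the CIDR entries."""
    ip = resolve(entry, hosts)
    if ip is None:
        return False
    return bypasses_by_literal(ip, exemptions)


def diagnose(entry, exemptions, hosts=HOSTS):
    """Summarise which of the two failure modes applies to `entry`.
    Keys: 'literal' (what the browser does), 'resolved' (what the CIDR would allow
    after lookup), 'mask_too_narrow' (name resolves to an address outside every CIDR)."""
    literal = bypasses_by_literal(entry, exemptions)
    resolved = bypasses_by_resolved(entry, exemptions, hosts)
    return {
        "entry": entry,
        "resolved_ip": resolve(entry, hosts),
        "literal": literal,
        "resolved": resolved,
        "mask_too_narrow": resolve(entry, hosts) is not None and not resolved,
    }


if __name__ == "__main__":
    for exempt in (["10.0.0.0/24"], ["10.0.0.0/8"], ["10.0.0.0/8", "postgres.monitoring"]):
        print(exempt, diagnose("postgres.monitoring", exempt))
```

With only 10.0.0.0/24 in the list, `diagnose` reports both problems at once: the name is not matched literally, and even after resolution 10.248.20.120 lies outside the /24. Widening to 10.0.0.0/8 fixes the mask, but the hostname still goes to the proxy unless it is listed by name (or typed as its IP), which is the behaviour the post describes.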

No problem, you are welcome. :+1: