container cannot communicate with the host


Matthew Sykes <matthew.sykes@...>
 

Warden explicitly disables access to the container host. If you move up to
a more recent level of cf-release, that behavior is configurable with the
`allow_host_access` flag. When that flag is true, this line is skipped:

https://github.com/cloudfoundry/warden/blob/4f1e5c049a12199fdd1f29cde15c9a786bd5fac8/warden/root/linux/net.sh#L128

At the level you're at, that rule is always specified so you'd have to
manually change it.

https://github.com/cloudfoundry/warden/blob/17f34e2d7ff1994856a61961210a82e83f24ecac/warden/root/linux/net.sh#L124

On Fri, May 22, 2015 at 3:21 AM, Youzhi Zhu <zhuyouzhi03(a)gmail.com> wrote:

Hi all

I have an app A and a service B. Service B is running on the DEA
server (IP 10.0.0.254), and app A needs to connect to service B through TCP. It
works normally in my LAN, but when I push A to CF, it cannot connect to B.
Then I execute bin/wsh to get into the container and ping the host IP;
it's unreachable, as below:

    root@18mkbd9n808:~# ping 10.0.0.254
    PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
    From 10.0.0.254 icmp_seq=1 Destination Port Unreachable
    From 10.0.0.254 icmp_seq=2 Destination Port Unreachable
    ^C
    --- 10.0.0.254 ping statistics ---
    2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1002ms

But if I ping another host in the LAN, it can be reached!!!

    root@18mkbd9n808:~# ping 10.0.0.253
    PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
    64 bytes from 10.0.0.253: icmp_seq=1 ttl=63 time=1.60 ms
    64 bytes from 10.0.0.253: icmp_seq=2 ttl=63 time=0.421 ms
    ^C
    --- 10.0.0.253 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 0.421/1.013/1.606/0.593 ms

It's weird!!! My cf-release is cf-175 and I have only one DEA server. Has
anyone met this situation before? Thanks!


--
Matthew Sykes
matthew.sykes(a)gmail.com


Lev Berman <lev.berman@...>
 

As far as I know, it is so by design - in order to set up a connection to
the same host you need to explicitly tell Warden to allow external traffic -
https://github.com/cloudfoundry/warden/blob/master/warden/README.md#net-handle-out-addressmaskport

In more detail:

1) ssh into your VM with DEA
2) find your Warden handle in /var/vcap/data/dea_ng/db/instances.json -
"warden_handle" field for the hash describing your specific application
("application_id" value is the same as cf app --guid)
3) cd into /var/vcap/packages/warden/warden
4) bundle install
5) ./bin/warden --socket /var/vcap/data/warden/warden.sock
6) > net_out --handle <your handle from instances.json> --port <your port to open>

This is for CF v208, an earlier version of Warden client may have slightly
different API - see command help.

On Fri, May 22, 2015 at 10:21 AM, Youzhi Zhu <zhuyouzhi03(a)gmail.com> wrote:

Hi all

I have an app A and a service B. Service B is running on the DEA
server (IP 10.0.0.254), and app A needs to connect to service B through TCP. It
works normally in my LAN, but when I push A to CF, it cannot connect to B.
Then I execute bin/wsh to get into the container and ping the host IP;
it's unreachable, as below:

    root@18mkbd9n808:~# ping 10.0.0.254
    PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
    From 10.0.0.254 icmp_seq=1 Destination Port Unreachable
    From 10.0.0.254 icmp_seq=2 Destination Port Unreachable
    ^C
    --- 10.0.0.254 ping statistics ---
    2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1002ms

But if I ping another host in the LAN, it can be reached!!!

    root@18mkbd9n808:~# ping 10.0.0.253
    PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
    64 bytes from 10.0.0.253: icmp_seq=1 ttl=63 time=1.60 ms
    64 bytes from 10.0.0.253: icmp_seq=2 ttl=63 time=0.421 ms
    ^C
    --- 10.0.0.253 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 0.421/1.013/1.606/0.593 ms

It's weird!!! My cf-release is cf-175 and I have only one DEA server. Has
anyone met this situation before? Thanks!
--
Lev Berman

Altoros - Cloud Foundry deployment, training and integration

Github: https://github.com/ldmberman
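
Step 2 of the procedure above, as an added example that is not part of the original message and is not Warden or DEA code: the thread does not show the layout of instances.json, so this sketch relies only on the two field names quoted there ("application_id" and "warden_handle") and searches the parsed JSON recursively. The sample document, GUIDs and handles are constructed; an app with several instances on the same DEA yields several handles, and each one needs its own net_out call.

```python
import json
import sys

# Constructed sample. The thread does not show the real layout of
# instances.json, so only the two field names it quotes are relied on.
SAMPLE = """
{"instances": [
  {"application_id": "guid-app-a", "instance_index": 0, "warden_handle": "handle-0001"},
  {"application_id": "guid-app-a", "instance_index": 1, "warden_handle": "handle-0002"},
  {"application_id": "guid-app-b", "instance_index": 0, "warden_handle": "handle-0003"},
  {"application_id": "guid-app-c", "instance_index": 0}
]}
"""

def find_handles(node, app_guid):
    """Collect warden_handle from every object whose application_id matches."""
    found = []
    if isinstance(node, dict):
        if node.get("application_id") == app_guid and node.get("warden_handle"):
            found.append(node["warden_handle"])
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return found  # scalar value: nothing to descend into
    for child in children:
        found.extend(find_handles(child, app_guid))
    return found

def handles_from_text(text, app_guid):
    """Parse a JSON document and return the matching handles in file order."""
    return find_handles(json.loads(text), app_guid)

if __name__ == "__main__":
    # usage: <script> <path to instances.json> <app guid>
    # With no arguments the constructed sample is searched instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            handles = handles_from_text(fh.read(), sys.argv[2])
    else:
        handles = handles_from_text(SAMPLE, "guid-app-a")
    for handle in handles:
        print(handle)
```

An entry that matches the GUID but carries no handle is skipped, so an empty result means there is no container to open a port for.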


Youzhi Zhu
 

Hi all

I have an app A and a service B. Service B is running on the DEA
server (IP 10.0.0.254), and app A needs to connect to service B through TCP. It
works normally in my LAN, but when I push A to CF, it cannot connect to B.
Then I execute bin/wsh to get into the container and ping the host IP;
it's unreachable, as below:

    root@18mkbd9n808:~# ping 10.0.0.254
    PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
    From 10.0.0.254 icmp_seq=1 Destination Port Unreachable
    From 10.0.0.254 icmp_seq=2 Destination Port Unreachable
    ^C
    --- 10.0.0.254 ping statistics ---
    2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1002ms

But if I ping another host in the LAN, it can be reached!!!

    root@18mkbd9n808:~# ping 10.0.0.253
    PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
    64 bytes from 10.0.0.253: icmp_seq=1 ttl=63 time=1.60 ms
    64 bytes from 10.0.0.253: icmp_seq=2 ttl=63 time=0.421 ms
    ^C
    --- 10.0.0.253 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 0.421/1.013/1.606/0.593 ms

It's weird!!! My cf-release is cf-175 and I have only one DEA server. Has
anyone met this situation before? Thanks!