cf-dev@lists.cloudfoundry.org | container cannot communicate with the host

Home Messages Hashtags Subgroups

Date Date 1 - 3 of 3

container cannot communicate with the host

Youzhi Zhu #181 Hi all I have an app A and a service B, service B is running on the dea server(ip 10.0.0.254), app A need to connect with service B through tcp, it works normally in my LAN, but when I push A to cf, it cannot connect to B, then I execute bin/wsh to get into the container and ping the host ip, it's unreachable, as below: root(a)18mkbd9n808:~# ping 10.0.0.254PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.From 10.0.0.254 icmp_seq=1 Destination Port UnreachableFrom 10.0.0.254 icmp_seq=2 Destination Port Unreachable^C--- 10.0.0.254 ping statistics ---2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1002ms But if I ping another host in the LAN. it can be reached!!! root(a)18mkbd9n808:~# ping 10.0.0.253PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.64 bytes from 10.0.0.253 <http://10.0.0.253>: icmp_seq=1 ttl=63 time=1.60 ms64 bytes from 10.0.0.253 <http://10.0.0.253>: icmp_seq=2 ttl=63 time=0.421 ms^C--- 10.0.0.253 ping statistics ---2 packets transmitted, 2 received, 0% packet loss, time 1001msrtt min/avg/max/mdev = 0.421/1.013/1.606/0.593 ms It's wired!!! my cf-release is cf-175 and I have only one dea server.Does anyone met this situation before? thanks! attachment.html
More All Messages By This Member
Lev Berman <lev.berman@...> #182 As far as I know, it is so by design - in order to setup a connection to the same host you need to explicitly tell Warden to allow external traffic - https://github.com/cloudfoundry/warden/blob/master/warden/README.md#net-handle-out-addressmaskport . In more details: 1) ssh into your VM with DEA 2) find your Warden handle in /var/vcap/data/dea_ng/db/instances.json - "warden_handle" field for the hash describing your specific application ("application_id" value is the same as cf app --guid) 3) cd into /var/vcap/packages/warden/warden 4) bundle install 5) ./bin/warden --socket /var/vcap/data/warden/warden.sock 6) > net_out --handle <your handle from instances.json> --port <your port to open> This is for CF v208, an earlier version of Warden client may have slightly different API - see command help. toggle quoted messageShow quoted text On Fri, May 22, 2015 at 10:21 AM, Youzhi Zhu <zhuyouzhi03(a)gmail.com> wrote: Hi all I have an app A and a service B, service B is running on the dea server(ip 10.0.0.254), app A need to connect with service B through tcp, it works normally in my LAN, but when I push A to cf, it cannot connect to B, then I execute bin/wsh to get into the container and ping the host ip, it's unreachable, as below: root(a)18mkbd9n808:~# ping 10.0.0.254 PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data. From 10.0.0.254 icmp_seq=1 Destination Port Unreachable From 10.0.0.254 icmp_seq=2 Destination Port Unreachable ^C --- 10.0.0.254 ping statistics --- 2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1002ms But if I ping another host in the LAN. it can be reached!!! root(a)18mkbd9n808:~# ping 10.0.0.253 PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data. 64 bytes from 10.0.0.253 <http://10.0.0.253>: icmp_seq=1 ttl=63 time=1.60 ms 64 bytes from 10.0.0.253 <http://10.0.0.253>: icmp_seq=2 ttl=63 time=0.421 ms ^C --- 10.0.0.253 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.421/1.013/1.606/0.593 ms It's wired!!! my cf-release is cf-175 and I have only one dea server.Does anyone met this situation before? thanks! -- Lev Berman Altoros - Cloud Foundry deployment, training and integration Github : https://github.com/ldmberman <https://github.com/ldmberman> attachment.html
More All Messages By This Member
Matthew Sykes <matthew.sykes@...> #183 Warden explicitly disables access to the container host. If you move up to a more recent level of cf-release, that behavior is configurable with the `allow_host_access` flag. When that flag is true, this line is skipped: https://github.com/cloudfoundry/warden/blob/4f1e5c049a12199fdd1f29cde15c9a786bd5fac8/warden/root/linux/net.sh#L128 At the level you're at, that rule is always specified so you'd have to manually change it. https://github.com/cloudfoundry/warden/blob/17f34e2d7ff1994856a61961210a82e83f24ecac/warden/root/linux/net.sh#L124 toggle quoted messageShow quoted text On Fri, May 22, 2015 at 3:21 AM, Youzhi Zhu <zhuyouzhi03(a)gmail.com> wrote: Hi all I have an app A and a service B, service B is running on the dea server(ip 10.0.0.254), app A need to connect with service B through tcp, it works normally in my LAN, but when I push A to cf, it cannot connect to B, then I execute bin/wsh to get into the container and ping the host ip, it's unreachable, as below: root(a)18mkbd9n808:~# ping 10.0.0.254PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.From 10.0.0.254 icmp_seq=1 Destination Port UnreachableFrom 10.0.0.254 icmp_seq=2 Destination Port Unreachable^C--- 10.0.0.254 ping statistics ---2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1002ms But if I ping another host in the LAN. it can be reached!!! root(a)18mkbd9n808:~# ping 10.0.0.253PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.64 bytes from 10.0.0.253 <http://10.0.0.253>: icmp_seq=1 ttl=63 time=1.60 ms64 bytes from 10.0.0.253 <http://10.0.0.253>: icmp_seq=2 ttl=63 time=0.421 ms^C--- 10.0.0.253 ping statistics ---2 packets transmitted, 2 received, 0% packet loss, time 1001msrtt min/avg/max/mdev = 0.421/1.013/1.606/0.593 ms It's wired!!! my cf-release is cf-175 and I have only one dea server.Does anyone met this situation before? thanks! _______________________________________________ cf-dev mailing list cf-dev(a)lists.cloudfoundry.org https://lists.cloudfoundry.org/mailman/listinfo/cf-dev -- Matthew Sykes matthew.sykes(a)gmail.com attachment.html
More All Messages By This Member

1 - 3 of 3

1

Previous Topic Next Topic

Home Hashtags Subgroups Terms