
I have set up Rancher (1.6.30) and Docker (18.09.9).

When I create a Rancher cluster from docker-compose:

version: '2'
services:
  mongo:
    image: mongo:4.4.2
    stdin_open: true
    volumes:
    - /var/lib/mongo/data/db:/data/db
    tty: true
    ports:
    - 27017:27017/tcp
  app1:
    image: XX
    stdin_open: true
    tty: true
    ports:
    - 10503:80/tcp
    labels:
      io.rancher.container.pull_image: always
  app2:
    image: XX
    stdin_open: true
    tty: true
    ports:
    - 10504:8080/tcp
  app3:
    image: XX
    stdin_open: true
    tty: true
    ports:
    - 10502:8080/tcp
    - 15502:8500/tcp
    labels:
      io.rancher.container.pull_image: always
  db:
    image: postgres:11.7-alpine
    stdin_open: true
    volumes:
    - /var/lib/postgresql/data:/var/lib/postgresql/data
    tty: true
    ports:
    - 10501:5432/tcp
    labels:
      io.rancher.container.pull_image: always

There are no ports exposed to the world, as we can see by using docker ps:

docker ps

However, I can reach the service from outside the container, but only from the current machine, when I use "localhost" in the URL. When I try to connect from a different IP, there is a timeout.

I think there is something wrong with Rancher, because when I create a container manually

docker run -p 10503:80 -d registry/service

the service is accessible from anywhere and docker ps prints the binding in the "port" column.

This is iptables after Rancher has created the docker containers:

iptables -L -n --line-numbers -t nat

As we can see, there are no bindings.

It's quite weird, because I have the same setup on another server (same Rancher + Docker, same applications), and there everything works well.

Thanks in advance

afxtwin
  • Please check whether this helps you https://stackoverflow.com/questions/66754519/docker-accessing-another-container-by-host/66755591#66755591 – Sachith Muhandiram Mar 26 '21 at 15:31
  • Thanks, but this doesn't solve my problem. Containers in my application can communicate with each other (by container name). But I can't reach any of these services from outside of the machine with Rancher. I tried something, and when I set networking to "Bridge" on every container and exposed the ports, I could successfully execute curl -v :10503 (but with Bridge mode, containers must communicate by IP, not by name). And there is another problem: I can't configure the load balancer (SSL + redirect from port 443 to an internal container) – afxtwin Mar 29 '21 at 15:24
  • Did you find any solution? I'm facing exactly the same problem and can't solve it – Rodion Baskakov Jul 06 '23 at 14:25

1 Answer

I had the same problem and tried different things for the last few hours, and what seems to be the cause is that if you're using Debian 10 like me, Rancher 1.6 uses iptables for some rules and iptables-nft (which is symlinked from iptables) for other rules. Debian 10 uses iptables-nft, but after switching back to iptables-legacy and rebooting, everything works as expected:

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy

Source: https://wiki.debian.org/iptables

Isotop7
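Added diagnostic, not part of the question or the answer above: a small POSIX shell script that checks the two things the answer points at, which backend the host's iptables command resolves to (`iptables -V` reports "(nf_tables)" or "(legacy)" on 1.8.x builds), and whether Docker's DOCKER chain with its DNAT rules for a published port sits in that backend or in the other one. When the chain lives in the legacy tables but iptables points at nf_tables, plain `iptables -t nat -S` shows no bindings, which is what the question reports. The version strings and nat-table dumps in the script are constructed samples modelled on the rule layout Docker writes; only `run_live_check` (invoked with `--live`) touches the real host and needs root plus both iptables-legacy and iptables-nft on PATH, as Debian 10 ships them.

```sh
#!/bin/sh
# Added diagnostic for the iptables-legacy vs iptables-nft mismatch described
# in the answer above. Not part of the original question or answer.
# The version strings and nat dumps below are constructed samples that follow
# the layout Docker writes ("-N DOCKER", "-A DOCKER ... --dport N -j DNAT ...").

# Classify the backend from the output of `iptables -V`.
#   "iptables v1.8.2 (nf_tables)" -> nft
#   "iptables v1.8.2 (legacy)"    -> legacy
#   "iptables v1.6.0" (no suffix) -> legacy, pre-1.8 builds only have that backend
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *)               echo legacy ;;
    esac
}

# Count Docker DNAT rules for a published host port in an `iptables -t nat -S`
# dump read from stdin. Prints 0 (and still exits 0) when none are present.
count_dnat_for_port() {
    grep -c -E -- "^-A DOCKER .*--dport $1 -j DNAT" || true
}

# Given the nat-table dumps of both backends, report where the DOCKER chain is:
# "legacy", "nft", "split" (present in both) or "none".
docker_chain_location() {
    in_legacy=0; in_nft=0
    printf '%s\n' "$1" | grep -q '^-N DOCKER$' && in_legacy=1
    printf '%s\n' "$2" | grep -q '^-N DOCKER$' && in_nft=1
    if [ "$in_legacy" -eq 1 ] && [ "$in_nft" -eq 1 ]; then echo split
    elif [ "$in_legacy" -eq 1 ]; then echo legacy
    elif [ "$in_nft" -eq 1 ]; then echo nft
    else echo none
    fi
}

# Constructed sample: a legacy-backend nat table holding Docker's rules for
# the app1 mapping 10503:80 from the question's compose file.
SAMPLE_LEGACY_NAT='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 10503 -j DNAT --to-destination 172.17.0.2:80'

# Constructed sample: an nf_tables-backend nat table with no Docker rules,
# which is what `iptables -t nat -S` shows when the iptables binary points at
# the backend Docker did not write to.
SAMPLE_NFT_NAT='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT'

# Live check against the real host; needs root and both iptables-legacy and
# iptables-nft on PATH. Run as: sh check.sh --live [port]
run_live_check() {
    port="${1:-10503}"
    command -v iptables >/dev/null 2>&1 || { echo "iptables not installed"; return 0; }
    echo "iptables resolves to: $(iptables_backend "$(iptables -V 2>/dev/null)")"
    if command -v iptables-legacy >/dev/null 2>&1 && command -v iptables-nft >/dev/null 2>&1; then
        echo "DOCKER chain present in: $(docker_chain_location \
            "$(iptables-legacy -t nat -S 2>/dev/null)" \
            "$(iptables-nft -t nat -S 2>/dev/null)")"
    fi
    echo "DNAT rules for port $port via plain iptables: $(iptables -t nat -S 2>/dev/null | count_dnat_for_port "$port")"
}

if [ "${1:-}" = "--live" ]; then
    run_live_check "${2:-10503}"
else
    # Offline demonstration on the constructed samples.
    echo "sample backend:        $(iptables_backend 'iptables v1.8.2 (nf_tables)')"
    echo "DOCKER chain location: $(docker_chain_location "$SAMPLE_LEGACY_NAT" "$SAMPLE_NFT_NAT")"
    echo "DNAT rules (legacy):   $(printf '%s\n' "$SAMPLE_LEGACY_NAT" | count_dnat_for_port 10503)"
    echo "DNAT rules (nft):      $(printf '%s\n' "$SAMPLE_NFT_NAT" | count_dnat_for_port 10503)"
fi
```

On an affected Debian 10 host the live output reads "iptables resolves to: nft" together with "DOCKER chain present in: legacy" (or "split"), which is the state the update-alternatives commands in the answer repair; after the switch and reboot both lines should agree on legacy and the DNAT count for the published port should be non-zero.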