6

I have been running a media cluster for sometime without any issues. I have everything networked into two different docker networks... the first network just bridges the docker instance to the local machine, the second network is a docker VPN container that I use for the other media services (an earlier version of what I am working on can be found here: https://github.com/Xander-Rudolph/MediaDocker)

The strangest thing happened today though. I ran the docker update for windows and now docker spools up without any errors or issues, however none of the services work outside of the machine running docker. Usually I have a poke through for a couple of the services in my router (namely wordpress/joomla which is on the bridge) and they work outside of my local network, but none of them are working anymore. I was able to confirm its not the DNS A record because I'm able to use the RDP ports I have mapped for my router, and when I test on another machine in the same network, it can't access the services via the internal IP (but it can RDP).

Anyone have any idea what could have changed to break this? I've already updated all my docker images and even rebuilt my VPN container (before I realized its a networking issue). What are some steps I can do to try to troubleshoot what is going wrong in docker to prevent access outside of localhost?

Update

I've been able to rule out the docker update as the root cause... I upgraded docker on my laptop (which was previously running the same version as my desktop) and its not having the same issue... this configuration must be localized to this desktop... No idea what the issue is... Will try a linux VM on the desktop instead of docker for windows...

Update 2

After a lot of screwing around in both a VM and in WSL, I'm still only able to access the docker services from localhost but not a different machine on my network or via the IP on the host machine (perhaps something similar to this: Can't access localhost via IP address). RDP does work so the computer is accessible but the services are not.

I'm not sure if this is a result of a docker networking config or a windows network config (I'm using WSL with docker installed on ubuntu 20.08) but I'm not seeing anything stick out. I'm going to remove the tag for docker windows but this is definitely an issue with networking and I suspect it has something to do with the fact that the containers are running behind a VPN... although I don't know why I would be able to access them on localhost but not the IP on another VM...

When I run

netstat -a -o

on WSL I can see the established ports on localhost... EX:

tcp        0      0 localhost:7878          localhost:37520         ESTABLISHED

but when I look on the host machine (for wsl) I don't see the connection. I tried to use netsh to create a firewall rule to see if that would help:

netsh advfirewall firewall add rule name="TCP Port 7878" dir=in localport=7878 protocol=TCP action=allow

but it didn't have any effect.

Any suggestions for ways to trace the network to see where/how its failing/getting blocked would be extremely helpful.

Xanderu
  • 747
  • 1
  • 8
  • 30

3 Answers3

2

Your question: "...What are some steps I can do to try to troubleshoot what is going wrong in docker to prevent access outside of localhost?..."

Troubleshooting help for you, first do you have multiple networking adapters (Ethernet, Wi-Fi, etc.) present on the host. First ensure, the priority of these adapters needs to be configured in correct order so the Windows networking stack can correctly choose gateway routes.

Now, to fix this set your primary internet-connected networking adapter to have the lowest InterfaceMetric value, use can use these Powershell commands from an elevated console:

Get-NetIPInterface -AddressFamily IPv4 | Sort-Object -Property InterfaceMetric -Descending

Please ensure that the host's primary internet-connected network adapter has the lowest InterfaceMetric value.

// Use this command to make the change for e.g. lets say your 
// primary adapter InterfaceAlias is 'Wi-Fi'
Set-NetIPInterface -InterfaceAlias 'Wi-Fi' -InterfaceMetric 3

Now step two, if your host's primary network adapter is bridged because you have an External virtual switch setup in Hyper-V, then you will set the external virtual switch to have the lowest InterfaceMetric value.

Lastly, confirm/verify your routing tables, when you run this, the last line should show the primary adapter's gateway address along with it's ifMetric value):

Get-NetRoute -AddressFamily IPv4
Transformer
  • 6,963
  • 2
  • 26
  • 52
2

If you’re using Docker Toolbox then any port you publish with docker run -p will be published on the Toolbox VM’s private IP address.

docker-machine ip will tell you.

It is frequently

192.168.99.100

Taken from: https://forums.docker.com/t/cant-connect-to-container-on-localhost-with-port-mapping/52716/25

Derple
  • 865
  • 11
  • 28
  • i switched to docker inside wsl so there is no "docker-machine" command. I did read through that article and apparently switching to wsl and then back to windows docker fixed it for someone... I'll try that next. – Xanderu Sep 23 '21 at 09:43
2

After several attempts using the references below, I was still not getting anywhere. The recommendation by @derple didn't get me anywhere (since I was in wsl) but the article he linked someone had said they switched to linux and uninstalled and reinstalled docker desktop... and for some stupid reason that works.

These are my exact steps I took to fix it:

  1. Uninstall docker desktop
  2. Install WSL and docker inside an ubuntu18.04 instance in wsl
  3. Test docker in wsl with localhost (worked only on localhost still)
  4. Uninstall WSL using windows add/remove features
  5. reinstall docker desktop

Oddly the get-netipinterface and get-netroute look exactly the same as they did before I did the uninstall and reinstall but things seem to be working now... I have no idea why the above worked...

Xanderu
  • 747
  • 1
  • 8
  • 30