OpenSearch Dashboards with Podman gets the wrong unexposed IP - opensearch

I have a machine X with a lot of IPs, podman-compose with OpenSearch and OpenSearch Dashboards links the images to the wrong (unexposed) IP. I tried to force the IP but if I do so, podman-compose would break. How can I do so?
I tried to add an IPv4 in the docker-compose.yml, I tried to modify the images and force the right IP whenever I found 0.0.0.0, but it keeps breaking.

Docker / Podman container IPs are not accessible from external clients.
You need to expose TCP or UDP ports from your container to the host system and then clients will connect to :.
The host port and the container port do not need to be the same port.
i.e. you can run multiple web server containers all using port 80 however you will need to pick unique ports on your host OS that are not used by other services to port-map to the containers. i.e 80->80, 81->80, 8080->80 etc.
Once you create the port definitions in your container configuration Podman will handle the port forwarding from the host to the container.
You might need to open the ports on the host firewall to allow clients to connect. 0.0.0.0 is another way of representing the local host.
Let say your host is 10.1.1.20 and your OpenSearch Dashboards container is 172.16.8.4 and your dashboard web app is configured to listen on port 5001/TCP.
You will need a ports directive in your docker-compose.yml file to map the host port 5001 to the container port 5001 similar to the below.
containers:
opensearch-dashboard:
ports:
- "5001:5001"
As long as port 5001 is permitted on your host firewall, the client should be able to connect using https://10.1.1.20:5001/

Related

How can I expose a custom port on k8s?

The script I want to deploy listens to :4123 and k8s probably expose only :80 by default. How can I expose :4123 such that my script will be able to accept requests?
I tried port forwarding but there's a permission error to forward :80 to :4123 and k8s didn't allow to deploy an image that listens to :80 (since it's probably busy already).
You can choose which port to use locally, so you can just choose that the local port 8888 will be forwarded to the port 4123 in your container
kubectl port-forward your-pod 8888:4123
You can use 8888 or any other free port on your computer.
As advised by #fiunchinho, local port forwarding might help in your case. Adding --address 0.0.0.0 to this command makes it avaiable for all your interfaces like below:
$ kubectl port-forward --address 0.0.0.0 nginx-55bd7c9fd-6fpnx 8888:80
You can also expose it via External LoadBalancer like below:
kubectl expose <your-deploy> --port 80 --target-port 4123 --type LoadBalancer
Note: You need to have cloud provider in order to use type: LoadBalancer. For more info check Cloud providers in the Kubernetes documentation.
See Kubernetes documentation for more details:
Forward a local port to a port on the pod
Exposing an External IP Address to Access an Application in a Cluster

Connect to MongoDB server through Elastic IP

I have one AWS EC2 instance. I have installed MongoDB there.
Private IP :- 10.x.x.x
Port :- 27017
I can ssh into that system and connect the MongoDB server by using private IP within the VPN.
10.x.x.x:27017 - MongoDB is running here.
But, I have assigned one Elastic IP into that EC2 instance.
Public IP :- 132.x.x.x
When I am trying to connect MongoDB server by using Public IP (132.x.x.x:27017) it is showing connection timed out.
MongoDB network config, /etc/mongod.conf
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1
I am starting the MongoDB server by using,
sudo mongod
inbound rules,
27017 tcp 0.0.0.0/0
27017 tcp 0.0.0.0/0, ::/0
Check to make sure your setup has the following:
The elastic IP is attached to the instance.
The security group allows incoming traffic from the client on the correct port.
The network ACL of the subnet that allow for the needed inbound and outbound traffic, or you're using the non-existent/default ACLs, which allow all inbound/outbound traffic.
An Internet Gateway is in the same VPC as the instance.
There is a rule in the subnet's route table that sends internet-bound traffic to the Internet Gateway.
You may also find this AWS article helpful for using the Internet Gateway in your VPC.

why pods not getting incoming connections

I am making my first steps with Kubernetes and I have some difficulties.
I have a pod with it's service defined as NodePort at port 30010.
I have a load balancer configured in front of this Kubernetes cluster where port 8443 directs traffic to this 30010 port.
when I try to access this pod from outside the cluster to port 8443 the pod is not getting any connections but I can see the incoming connections via tcptrack in the host in port 30010 with means the load balancer is doing it's job.
when I do curl -k https://127.0.0.1:30010 in the host I get a response from the pods.
what am I missing?
how can I debug it?
thanks

How to expose NodePort to internet on GCE

How can I expose service of type NodePort to internet without using type LoadBalancer? Every resource I have found was doing it by using load balancer. But I don't want load balancing its expensive and unnecessary for my use case because I am running one instance of postgres image which is mounting to persistent disk and I would like to be able to connect to my database from my PC using pgAdmin. If it is possible could you please provide bit more detailed answer as I am new to Kubernetes, GCE and networking.
Just for the record and bit more context I have deployment running 3 replicas of my API server to which I am connecting through load balancer with set loadBalancerIP and another deployment which is running one instance of postgres with NodePort service through which my API servers are communicating with my db. And my problem is that maintaining the db without public access is hard.
using NodePort as Service type works straight away e.g. like this:
apiVersion: v1
kind: Service
metadata:
name: nginx
spec:
type: NodePort
ports:
- port: 80
nodePort: 30080
name: http
- port: 443
nodePort: 30443
name: https
selector:
name: nginx
More details can be found in the documentation.
The drawback of using NodePort is that you've to take care of integrating with your providers firewall by yourself. A starting port for that can also be found in the Configuring Your Cloud Provider's Firewalls section of the official documentation.
For GCE opening up the above for publicly on all nodes could look like:
gcloud compute firewall-rules create myservice --allow tcp:30080,tcp:30443
Once this is in place your services should be accessable through any of the public IPs of your nodes. You'll find them with:
gcloud compute instances list
You can run kubectl in a terminal window (command or power shell in windows) to port forward the postgresql deployment to your localhost.
kubectl port-forward deployment/my-pg-deployment 5432:5432
While this command is running (it runs in the foreground) you can use pgAdmin to point to localhost:5432 to access your pod on the gke. Simply close the terminal once you are done using the pgadmin.
For the sake of improved security: if in doubt about exposing a service like a database to the public internet, you might like the idea of hiding it behind a simple linux VM called jump host, also called bastion host in the official GCP documentation which is recommended. This way your database instance will continue being open towards the internal network. You then can remove the external IP address so that it stops being exposed to the internet.
The high level concept:
public internet <- SSH:22 -> bastion host <- db:5432 -> database service
After setting up your ssh connection and establishing connection, you could reach out to the database by forwarding the database port (see example below).
The Procedure Overview
Create the GCE VM
Specific requirements:
Pick the image of a Linux distribution you are familiar with
VM Connectivity to internet: Attach a public IP to the VM (you can do this during or after the installation)
Security: Go to Firewall rules and add a new rule opening port 22 at internal VM IP. Restrict the incoming connections to your home public IP
Go to your local machine, from which you would connect, and setup the connection like in the following example below.
SSH Connect to the bastion host VM
An example setup for your ssh connection, located at $HOME/.ssh/config (if this file called config doesn't exist, just create it):
Host bastion-host-vm
Hostname external-vm-ip
User root
IdentityFile ~/.ssh/id_ed25519
LocalForward 5432 internal-vm-ip:5432
Now you are ready for connecting from your local machine terminal with this command:
ssh bastion-host-vm
Once connected, you could now pick your favorite database client and connect to localhost:5432 (which is the forwarded port through the ssh connection from the remote database instance, which is behind the ssh host).
CAUTION: The port forwarding is only function as long as the ssh connection is established. If you disconnect or close the terminal window the ssh connection will close, and so the database port forwarding as well. So keep the terminal open and connection to your bastion host established as long as you are using the database connection.
Pro tipp for cost saving on the GCE VM
you could use the free tier offer for creating the bastion host VM which means increased protection for free.
Search for "Compute Engine" in the official table.
You could check this thread for more details on GCE free limits.

closing a port in a running kubernetes service

Im trying to create a load balancer service in kubernetes which will have 2 ports: 80 and 8080. For the port 80 I want to open this port only when I want to use it. Is it possible to do this while the service is running?
Im trying to use 8080 for serving outside requests and 80 for debugging purpose.
I would suggest not exposing the debugging port at all by means of service (aspecially that you dont really know it will hit the same backing pod as port for real traffic). Instead it might be good enough for you to use kubectl port-forward to access the debug port when you need.