I have a Vagrant box in which I have a Docker container that runs PostgreSQL. The container is the official one found here
I want to be able to connect to Postgres from the host (i.e outside of Vagrant) using psql but can't get it to work. (Get a "could not connect"-error). I have added a port forward in my Vagrantfile:
config.vm.network "forwarded_port", guest: 5432, host: 5432
But I'm guessing this is not enough since the Docker container has its own IP (172.17.0.2)? My thought was that I would put a iptable rule on the box that forwards all requests to the Vagrant box on port 5432 to destination 172.17.0.2:5432 like this:
iptables -t nat -A PREROUTING -p tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
iptables -t nat -A POSTROUTING -j MASQUERADE
But I still can't make it work. Thankful for any help!
No need to add iptables rule externally. vagrant port forwarding will take care itself.
Check below points:
check your PostgreSQL port in vagrant instance. if port is bind with particular IP then you have to give IP in Vagrantfile to forward that IP and port. Like
guest_ip (string) - The guest IP to bind the forwarded port to. If
this is not set, the port will go to every IP interface. By default,
this is empty.
Similarly, you can give host IP also
host_ip (string) - The IP on the host you want to bind the forwarded
port to. If not specified, it will be bound to every IP. By default,
this is empty.
If everything ok and you can connect using command like:
psql -p 5432 -d db_name -U user -h localhost
Don't forget to add -h with hostname or ip. Also see These answer:
1.unable to connect to forwarded port over ssh
2.Accessing to a remote PostgreSQL server using port forwarding to another machine
Related
I am using a deployment yaml file ex:nginx which i am using port 30080.
Now i wrote another deployment yaml file but i want to use port number 30080.
The Service "web" is invalid: spec.ports[0].nodePort: Invalid value: 30080: >provided port is already allocated
How can i use the port number 30080 for my new deployment web.yaml file.
1)Deleted the nginx pod running.
2)Deleted nginx deployment running.
But how can i free up the port number 30080.
i checked the port number:
sudo iptables-save | grep 30080
-A KUBE-EXTERNAL-SERVICES -p tcp -m comment --comment "default/nginx-service: has no endpoints" -m addrtype --dst-type LOCAL -m tcp --dport 30080 -j REJECT --reject-with icmp-
port-unreachable
i deleted deployment and pod. But i forgot that service is running after deleting nginx service i am able to reuse the port number 30080 for other deployment.
socket.error: [Errno 48] Address already in use
this question also helped me but it points to killing that process, here the process running is kube-proxy.
sudo lsof -i:30080
COMMAND PID USER FD TYPE DEVICE SIZE/OFF
NODE NAME kube-prox 3320 root 8u IPv6 40388 0t0 TCP *:30080
(LISTEN)
which i cant delete.It might create issue deleting kube-prox
Please let me know if this was the right approach or not.
I just installed Kubernetes with minkube on my desktop(running Ubuntu 18.10) and was then trying to install Postgresql on the desktop machine using Helm.
After installing helm, I did:
helm install stable/postgresql
When this completed successfully, I forwarded postgres port with:
kubectl port-forward --namespace default svc/wise-beetle-postgresql 5432:5432 &
and then I tested connecting to it locally from my desktop with:
psql --host 127.0.0.1 -U postgres
which succeeds.
I attempted to connect to postgres from my laptop and that fails with:
psql -h $MY_DESKTOP_LAN_IP -p 5432 -U postgres
psql: could not connect to the server: Connection refused
Is the server running on host $MY_DESKTOP_LAN_IP and accepting TCP/IP connections on port 5432?
To ensure that my desktop was indeed listening on 5432, I did:
netstat -natp | grep 5432
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 17993/kubectl
tcp6 0 0 ::1:5432 :::* LISTEN 17993/kubectl
Any help anyone? I'm lost.
you need to configure postgresql.conf to allow external client connections look for listen parameter and set it to *, it is under your postgres data directory, and then add your laptop's ip in pg_hba.conf. It controls the client access to your postgresql server, more on this here - https://www.postgresql.org/docs/9.3/auth-pg-hba-conf.html
In my case the solution was a little bit of deeper understanding of networking.
For clarity, let's call the machine on which minikube is installed "A".
The IP of this machine as it is visible from other computers on my Wifi maybe be say: 192.100.200.300.1
Since Postgres was being exposed on port 5432, my expectation was that postgres should be visible externally on: 192.100.200.300.1:5432.
But this understanding is wrong which is what was leading to unexpected behavior.
The problem was that minikube runs in a VM and it gets its own IP address. It doesn't simply use the IP of the machine on which it is running. Minikube's IP is different from the IP
of the machine on which it is running. To find out the IP of minikube, run: minikube ip. Let's call this IP $MINIKUBE_IP.
And then I had to setup port forwarding like:
kubectl port-forward --address "192.100.200.300" --namespace default svc/wise-beetle-postgresql 5000:5432 &
So now, if you called a service on: 192.100.200.300:5000 it would be forwarded to port 5432 on the machine which is running minikube and then 5432 would be received by your postgres instance.
Hope this untangles or clarifies this problem that others might encounter.
I am running a tomcat based application inside a container, and a Postgres database container on my ubuntu host using docker compose. They are in same docker bridge network defined by me. I have my firewall enabled. My firewall doesn't have any deny rule for 5432 port. When my firewall is disabled, my tomcat application can connect to a database container by using either its IP or service name. But when the firewall is enabled, it does not connect to the database container. I have set DOCKER_OPTS="--iptables=false" in docker.conf and restarted docker. Why it is not connecting when firewall is enabled?
1)These are my active rules:-
To Action From
-- ------ ----
2377/tcp ALLOW Anywhere
7946/tcp ALLOW Anywhere
7946/udp ALLOW Anywhere
4789/udp ALLOW Anywhere
22 ALLOW Anywhere
8443 ALLOW 10.20.220.185
8443 ALLOW 10.20.220.78
8081 ALLOW 10.5.0.7
5432 ALLOW Anywhere
8081 ALLOW 10.5.0.5
2377/tcp (v6) ALLOW Anywhere (v6)
7946/tcp (v6) ALLOW Anywhere (v6)
7946/udp (v6) ALLOW Anywhere (v6)
4789/udp (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
5432 (v6) ALLOW Anywhere (v6)
=========================================================================
2)These is my application configuration to connect to database using service name:-
driverClass=org.postgresql.Driver
jdbcUrl=jdbc:postgresql://PostgresDatabase:5432/dockerdb
user=dockeruser
Setting --iptables=false means that docker daemon could not configure iptables rule(s) on host. However it's kind of essential while you have ufw enabled.
I am sure this issue would disappear after you delete DOCKER_OPTS="--iptables=false" in configuration and restart docker daemon.
During start process, Docker daemon would configure some extra iptable rules to make communication going well among containers/between container and outside world, since firewall/ufw would DROP packets by DEFAULT_FORWARD_POLICY.
Below, it is a rough process how docker create iptable rules:
Enable Enable NAT on docker0 with iptables tool.
iptables -I POSTROUTING -t nat -s 172.17.0.1 ! -o docker0 -j MASQUERADE
Enable communication within containers.
iptables -I FORWARD -i docker0 -o docker0 -j ACCEPT
Enable communication between container and out world.
iptables -I FORWARD -i docker0 ! -o docker0 -j ACCEPT
Accept any packets from outside connections which already established.
iptables -I FORWARD -o docker0 -m conntrack -ctstate RELATED,ESTABLISHED -j ACCEPT.
Above all, you have iptables set false and firewall enabled without any extra moves. Just like you throw the key away with door locked, but you still want to go outside. So I strongly suggest you not to change any docker network settings before you totally understand the architecture of docker network and how those components work together.
This is another question asked in a different way. May the answers help you more.
I have a docker image that implements a tcp node via twisted and I would like to establish a communication to and from the host
on the host I start netcat
nc -l -p 6789
if I run the docker with
docker run -it -p 6789:6789 image_name
I get
Bind for 0.0.0.0:6789 failed: port is already allocated
If I try the opposite order, so docker run and after start netcat on the host I get
Error: Couldn't setup listening socket (err=-3)
is there a way to bind an allocated port from the host to the container?
The problem is that you are using the same port on the host to run nc -l -p 6789 and to map the containers port (-p 6789:6789). Try to change one of them.
I am trying to open up some ports on my compute VM.
For example, I have this in firewall-rules
$ gcloud compute firewall-rules list
NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS
default-allow-http default 0.0.0.0/0 tcp:80 http-server
default-allow-https default 0.0.0.0/0 tcp:443 https-server
default-allow-icmp default 0.0.0.0/0 icmp
default-allow-internal default 10.128.0.0/9 tcp:0-65535,udp:0-65535,icmp
default-allow-rdp default 0.0.0.0/0 tcp:3389
default-allow-ssh default 0.0.0.0/0 tcp:22
test-24284 default 0.0.0.0/0 tcp:24284 test-tcp-open-24284
I have created a centos 7 instance to which I have attached the tags
$ gcloud compute instances describe test-network-opened
...
...
items:
- http-server
- https-server
- test-tcp-open-24284
...
...
Now when I try to check from my dev box to see whether the port is opened or not using nmap on the public IP showed in the console for the VM
$ nmap -p 24284 35.193.xxx.xxx
Nmap scan report for 169.110.xxx.xx.bc.googleusercontent.com (35.193.xxx.xxx)
Host is up (0.25s latency).
PORT STATE SERVICE
24284/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 1.15 seconds
Now it's hitting the external NAT IP for my VM which would be 169.110.xxx.xx
I tried checking using the iptables rules, but that didn't show anything
[root#test-network-opened ~]# iptables -S | grep 24284
[root#test-network-opened ~]#
So I enabled firewalld and tried opening the port with it
[root#test-network-opened ~]# firewall-cmd --zone=public --add-port=24284/tcp --permanent
success
[root#test-network-opened ~]# firewall-cmd --reload
success
[root#test-network-opened ~]# iptables -S | grep 24284
[root#test-network-opened ~]#
I am not sure where I am doing it wrong with this. I referred these relevant questions on SO about this
How to open a specific port such as 9090 in Google Compute Engine
Can't open port 8080 on Google Compute Engine running Debian
How to open a port on google compute engine
https://cloud.google.com/compute/docs/vpc/using-firewalls
https://cloud.google.com/sdk/gcloud/reference/compute/instances/describe
The ports were opened by the firewall but since I didn't have an application using the port already, nmap was showing the closed port which meant it was able to reach to the server and not firewalled
If it was it would have showed filtered.
I didn't have any application running on it so, didn't know this as a possibility. Careless of me.
Thanks for pointing this out.