Docker Community Forums

Share and learn in the Docker community.

BYON fails to set up reverse tunnel

(Justinlong) #1

Hi there, using Docker Cloud Bring Your Own Node (BYON). We have some private infrastructure set up behind a router, and none of our nodes have a public IP. Although the firewall in each node is turned off, we’ve allowed TCP/UDP traffic to pass on the ports recommended by Docker Cloud.

It would appear that the dockercloud-agent is unable to set up a reverse tunnel from our private infrastructure. I’ve browsed the documentation extensively to determine the settings for our nodes, and as far as I can see we are following everything properly. The only difference is that each node does not have a public IP. Can someone please help clarify what settings need to be in place for a setup like ours?


Update: a copy/paste from our logs

2016/06/22 11:13:48 UUID has been changed from  to blahblahabc123
2016/06/22 11:13:48 Updating configuration file...
2016/06/22 11:13:48 New TLS certificates generated
2016/06/22 11:13:48 Registering in Docker Cloud via PATCH:
2016/06/22 11:13:49 Downloading docker binary...
2016/06/22 11:13:49 Downloading docker definition from
2016/06/22 11:13:49 Downloading docker from
2016/06/22 11:13:50 Saving docker to /usr/bin/
2016/06/22 11:13:50 Uncompressing: /usr/bin/._docker
2016/06/22 11:13:50 Uncompressing: /usr/bin/docker
2016/06/22 11:13:51 Found docker: version 1.9.1-cs2
2016/06/22 11:13:51 Initializing docker daemon
2016/06/22 11:13:51 Loading NAT tunnel module
2016/06/22 11:13:51 Verifying the registration with Docker Cloud
2016/06/22 11:13:51 Docker server started. Entering maintenance loop
2016/06/22 11:13:51 Waiting for docker unix socket to be ready
2016/06/22 11:13:51 Starting docker daemon: [/usr/bin/docker daemon -H unix:///var/run/docker.sock -H tcp:// --userland-proxy=false --tlscert /etc/dockercloud/agent/cert.pem --tlskey /etc/dockercloud/agent/key.pem --tlscacert /etc/dockercloud/agent/ca.pem --tlsverify]
2016/06/22 11:13:51 Docker daemon (PID:2598) has been started
2016/06/22 11:13:53 Docker unix socket opened
2016/06/22 11:13:53 Node is publicly reachable
2016/06/22 11:18:55 Node registration to succeeded

Note above what we had to do here was deploy the node, and it appears the NAT tunnel for a moment started to set itself up. However after waiting 5 minutes, we opened 2375/tcp from our router only to then have the node publicly reachable. However, even after we close 2375/tcp Docker Cloud thinks the node is unreachable but the node itself fails to detect this in state.

(Justinlong) #2

Note I’ve been able to narrow this problem to a bug in the agent, I’ve provided info on this Github issue:

Can someone recommend a way of “fooling” the agent in the meantime?