I’m running Version 1.12.0-rc2-beta17 (build: 9779)
I have an image of CentOS + JBoss EAP 6.4. It is running fine in the container and I can prove that I have the System Admin listening on 9990 (through telnet while ssh’ed to the container).
The JBoss log in the container has
13:30:31,937 INFO [org.jboss.as] (Controller Boot Thread) JBAS015961: Http management interface listening on http://127.0.0.1:9990/management
I also have an
EXPOSE 9990
line in the original Dockerfile plus I am invoking run with -p 9990:9990. The docker ps -a command returns
brereton/jboss “/bin/sh -c '$JBOSS_H” 38 seconds ago Up 37 seconds 0.0.0.0:9080->9080/tcp, 9443/tcp, 0.0.0.0:9990->9990/tcp, 9999/tcp jboss
So, all seems as if it should be well. But it isn’t. From my host, I can’t telnet localhost 9990 (fails to connect) and I can’t see the jboss admin if I point a browser to http://localhost:9990/management.
The twist here is that if I run the basic nginx thing, it works fine, I can see the nginx server on localhost port 80 from my host.
What else should I look at to attempt to diagnose this problem?
If you run a service in a container only listening on 127.0.0.1 (or localhost), it will only accept connections that originate from within the container. You need to reconfigure this to listen on all addresses (maybe explicitly specify 0.0.0.0 as a bind address), and then use docker run -p 127.0.0.1:9990:9990 or something similar to re-limit what’s allowed to connect.
The management service, at a very very low level, is bind(2)'d only to localhost. The thing this means, though, is that you connect to port 9990 on the host; Docker forwards this connection to the service, which sees it coming from something like 172.17.0.1; and that’s not 127.0.0.1, so the management service never sees it.
The docker ps output (which looks correct) says “anything I get, I’m forwarding on”, but it doesn’t guarantee anything inside the container is listening.
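The two checks this answer implies, as an added example that is not part of the original posts: compare what is listening inside the container with what Docker publishes on the host. The function names and sample text are constructed for illustration, and it assumes `ss` is installed in the image.

```sh
#!/bin/sh
# Constructed sample inputs modelled on the thread (not captured output).
# Real inputs would be `docker exec jboss ss -ltn` and the PORTS column of `docker ps`.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     127.0.0.1:9990     0.0.0.0:*
LISTEN 0      50     127.0.0.1:9999     0.0.0.0:*
LISTEN 0      128    0.0.0.0:9080       0.0.0.0:*'
PORTS_SAMPLE='0.0.0.0:9080->9080/tcp, 9443/tcp, 0.0.0.0:9990->9990/tcp, 9999/tcp'

# classify_listener PORT: reads `ss -ltn` text on stdin and prints
# reachable | loopback-only | not-listening for that container port.
classify_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")            # last ":" field is the port
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]")
                lo = 1                           # bound to loopback only
            else
                other = 1                        # wildcard or routable address
        }
        END {
            if (other)   print "reachable"
            else if (lo) print "loopback-only"
            else         print "not-listening"
        }'
}

# published_on PORT: reads the PORTS column on stdin and prints the host
# address the container port is published on, or "unpublished".
published_on() {
    tr ',' '\n' | awk -v port="$1" '
        index($0, "->" port "/") {
            gsub(/^[ \t]+|[ \t]+$/, "")
            split($0, side, "->")
            sub(/:[0-9]+$/, "", side[1])         # drop host port, keep address
            print side[1]; found = 1
        }
        END { if (!found) print "unpublished" }'
}

for p in 9080 9990 9443; do
    printf '%s: container=%s host=%s\n' "$p" \
        "$(printf '%s\n' "$SS_SAMPLE" | classify_listener "$p")" \
        "$(printf '%s\n' "$PORTS_SAMPLE" | published_on "$p")"
done
```

A port that reports `container=loopback-only` with a published host address is the situation in this thread. After rebinding the service and running with `-p 127.0.0.1:9990:9990`, port 9990 should report `container=reachable host=127.0.0.1`.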
For anyone who may be looking at this thread. What I needed to do was change the interfaces in my standalone-full.xml (or whichever configuration file you are using…) such that they use <any-address/> rather than inet-address. See this StackOverflow note for detail ->