Ubuntu 16.04, can't access docker mapped ports

I have an Ubuntu 16.04 x86_64 system running under Cloud Foundry.
The latest Docker CE was installed, then I tried beta too.
Currently at
Docker version 17.09.0-ce, build afdb6d4

I am running hadoop (HDP 2.6.1) under docker, which exposes a slew of ports, which can be accessed just fine from the docker host.

However I cannot seem to access any of these ports from other systems.
As best as I can see:
a) forwarding is enabled in the kernel (see sysctl -a below)
b) I think iptables is ok
c) The external firewalling within the CF network is set to allow these ports - and in fact I’m using one of the same security groups as I do with a system running pretty much the same code natively (not docker), and there it works, suggesting that firewall config is just fine.

                                                     NAMES

93b77a0480c7 sandbox-hdp "/usr/sbin/sshd -D" 12 hours ago Up 12 hours 0.0.0.0:1000->1000/tcp, 0.0.0.0:1100->1100/tcp, 0.0.0.0:1220->1220/tcp, 0.0.0.0:1988->1988/tcp, 0.0.0.0:2100->2100/tcp, 0.0.0.0:2181->2181/tcp, 0.0.0.0:4040->4040/tcp, 0.0.0.0:4200->4200/tcp, 0.0.0.0:5007->5007/tcp, 0.0.0.0:5011->5011/tcp, 0.0.0.0:6001->6001/tcp, 0.0.0.0:6003->6003/tcp, 0.0.0.0:6008->6008/tcp, 0.0.0.0:6080->6080/tcp, 0.0.0.0:6188->6188/tcp, 0.0.0.0:8000->8000/tcp, 0.0.0.0:8005->8005/tcp, 0.0.0.0:8020->8020/tcp, 0.0.0.0:8040->8040/tcp, 0.0.0.0:8042->8042/tcp, 0.0.0.0:8050->8050/tcp, 0.0.0.0:8080->8080/tcp, 0.0.0.0:8082->8082/tcp, 0.0.0.0:8086->8086/tcp, 0.0.0.0:8088->8088/tcp, 0.0.0.0:8090-8091->8090-8091/tcp, 0.0.0.0:8188->8188/tcp, 0.0.0.0:8443->8443/tcp, 0.0.0.0:8744->8744/tcp, 0.0.0.0:8765->8765/tcp, 0.0.0.0:8886->8886/tcp, 0.0.0.0:8888-8889->8888-8889/tcp, 0.0.0.0:8983->8983/tcp, 0.0.0.0:8993->8993/tcp, 0.0.0.0:9000->9000/tcp, 0.0.0.0:9090->9090/tcp, 0.0.0.0:9995-9996->9995-9996/tcp, 0.0.0.0:10000-10001->10000-10001/tcp, 0.0.0.0:10500->10500/tcp, 0.0.0.0:11000->11000/tcp, 0.0.0.0:15000->15000/tcp, 0.0.0.0:16010->16010/tcp, 0.0.0.0:16030->16030/tcp, 0.0.0.0:18080->18080/tcp, 0.0.0.0:19888->19888/tcp, 0.0.0.0:21000->21000/tcp, 0.0.0.0:42111->42111/tcp, 0.0.0.0:50070->50070/tcp, 0.0.0.0:50075->50075/tcp, 0.0.0.0:50095->50095/tcp, 0.0.0.0:50111->50111/tcp, 0.0.0.0:60000->60000/tcp, 0.0.0.0:60080->60080/tcp, 0.0.0.0:61888->61888/tcp, 0.0.0.0:2222->22/tcp sandbox
cloudusr@dev:~$
cloudusr@dev:~$ sudo sysctl -a | grep '.forwarding'
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.docker0.forwarding = 1
net.ipv4.conf.ens3.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.veth61e5501.forwarding = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
net.ipv6.conf.all.forwarding = 1
sysctl: reading key "net.ipv6.conf.default.stable_secret"
net.ipv6.conf.default.forwarding = 1
sysctl: reading key "net.ipv6.conf.docker0.stable_secret"
net.ipv6.conf.docker0.forwarding = 1
sysctl: reading key "net.ipv6.conf.ens3.stable_secret"
net.ipv6.conf.ens3.forwarding = 1
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.lo.forwarding = 1
sysctl: reading key "net.ipv6.conf.veth61e5501.stable_secret"
net.ipv6.conf.veth61e5501.forwarding = 1

cloudusr@dev:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:61888
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:60080
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:60000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50111
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50095
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50075
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50070
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:42111
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:21000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:19888
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:18080
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:16030
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:16010
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:15000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:11000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:10500
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:10001
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:webmin
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9996
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9995
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9090
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8993
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8983
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8889
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8888
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8886
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8765
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8744
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8443
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8188
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8091
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8090
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:omniorb
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8086
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8082
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http-alt
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8050
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8042
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8040
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8020
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8005
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:6188
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:6080
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:6008
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:x11-3
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:x11-1
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:5011
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:5007
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:4200
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:4040
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:2181
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:2100
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:1988
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:1220
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:1100
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:1000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:ssh

Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
cloudusr@dev:~$

Ubuntu itself is up to date - current kernel is
cloudusr@dev:~$ uname -a
Linux dev 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
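
Added example, not part of the original post: a way to check point (b) mechanically by comparing the published ports from `docker ps` with the ACCEPT rules in the DOCKER chain, which match the container port (`dpt:ssh` for `2222->22`). The function names, the service-name table and the trimmed sample input are constructed for this illustration.

```python
import re

# Service names that `iptables -L` prints when run without -n. Only the names
# in the listing above are mapped here (values as in /etc/services).
SERVICE_PORTS = {"ssh": 22, "x11-1": 6001, "x11-3": 6003,
                 "http-alt": 8080, "omniorb": 8088, "webmin": 10000}

def published_ports(ports_column):
    """Expand a `docker ps` PORTS column into {container_port: host_port}."""
    mapping = {}
    pattern = r"[\d.]+:(\d+)(?:-(\d+))?->(\d+)(?:-\d+)?/tcp"
    for host_lo, host_hi, cont_lo in re.findall(pattern, ports_column):
        width = int(host_hi) - int(host_lo) if host_hi else 0
        for i in range(width + 1):
            mapping[int(cont_lo) + i] = int(host_lo) + i
    return mapping

def accepted_ports(iptables_listing, container_ip):
    """Return the tcp dpt values ACCEPTed for container_ip in chain DOCKER."""
    ports, in_docker = set(), False
    for line in iptables_listing.splitlines():
        fields = line.split()
        if line.startswith("Chain "):
            in_docker = fields[1] == "DOCKER"
        elif in_docker and fields[:1] == ["ACCEPT"] and container_ip in fields:
            dpt = fields[-1].split("dpt:")[-1]
            # A KeyError here means a service name missing from SERVICE_PORTS.
            ports.add(int(dpt) if dpt.isdigit() else SERVICE_PORTS[dpt])
    return ports

def audit(ports_column, iptables_listing, container_ip):
    """Return (published ports lacking a rule, rules lacking a publish)."""
    published = set(published_ports(ports_column))
    accepted = accepted_ports(iptables_listing, container_ip)
    return sorted(published - accepted), sorted(accepted - published)

# Constructed sample: a subset of the `docker ps` and `iptables -L` output.
SAMPLE_PORTS = ("0.0.0.0:8080->8080/tcp, 0.0.0.0:8090-8091->8090-8091/tcp, "
                "0.0.0.0:50070->50070/tcp, 0.0.0.0:2222->22/tcp")
SAMPLE_RULES = """Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50070
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8091
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8090
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http-alt
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:ssh
"""

if __name__ == "__main__":
    print(audit(SAMPLE_PORTS, SAMPLE_RULES, "172.17.0.2"))
```

Two empty lists mean every published port has a matching filter rule. This covers only the filter table that `iptables -L` prints; the nat table, where the port-mapping DNAT rules live, is not in the listing above.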