Develop Reference

Istio: how do I setup HTTPS traffic between services on Minikube?

I'm currently learning Istio and ran into a problem while trying to setup set up HTTPS traffic between containers on a local Minikube test cluster.
There are some related tasks in the Istio docs. Particularly the https-overlay task. I managed to execute the first subtask (without sidecar on the querying container), but the second one fails with the following error when issuing a request to the nginx deployment from the sleep pod:
$ kubectl exec $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c sleep -- curl https://my-nginx -k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (35) error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure
command terminated with exit code 35
I assume my setup is at fault but I can't really tell what's wrong (or how to debug). Can someone have a look and suggest a fix?
Setup steps are given below under Setup. Environment specs are shown below.
Environment
OS
macOS 10.13.6
kubectl version
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.3", GitCommit:"435f92c719f279a3a67808c80521ea17d5715c66", GitTreeState:"clean", BuildDate:"2018-11-27T01:15:02Z", GoVersion:"go1.11.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.0", GitCommit:"fc32d2f3698e36b93322a3465f63a14e9f0eaead", GitTreeState:"clean", BuildDate:"2018-03-26T16:44:10Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
minikube version:
$ minikube version
minikube version: v0.31.0
Setup
$ISTIO_HOME should point to the location of the Istio installation.
1. Run Minikube + Istio Startup Script
Warning: This will stop and delete a running minikube instance.
#! /bin/bash
minikube stop;
minikube delete;
minikube start \
--memory=8192 \
--cpus=4 \
--kubernetes-version=v1.10.0\
--vm-driver=virtualbox;
kubectl apply -f $ISTIO_HOME/install/kubernetes/helm/istio/templates/crds.yaml
kubectl apply -f $ISTIO_HOME/install/kubernetes/istio-demo.yaml
# Set docker registry to minikube registry
eval $(minikube docker-env);
2. Run HTTPS Test Setup Script
Wait until the Istio pods are either running or completed and then
#! /bin/bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/nginx.key -out /tmp/nginx.crt -subj "/CN=my-nginx/O=my-nginx"
kubectl create secret tls nginxsecret --key /tmp/nginx.key --cert /tmp/nginx.crt
kubectl create configmap nginxconfigmap --from-file=$ISTIO_HOME/samples/https/default.conf
kubectl apply -f <(istioctl kube-inject -f $ISTIO_HOME/samples/https/nginx-app.yaml)
kubectl apply -f <(istioctl kube-inject -f $ISTIO_HOME/samples/sleep/sleep.yaml)
3. Issue Request To Nginx From Sleep Pod
Wait for both pods to start running and then run
kubectl exec $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c sleep -- curl https://my-nginx -k
According to the subtask description, we should see the nginx landing page, but instead the error shown above (exit code 35, handshake failure) is returned.

It seems that you are hitting this bug https://github.com/istio/istio/issues/7844 which is still open

Serving web page with Docker using custom /etc/host on host machine

I have added a host/ip to my macbook pro's /etc/hosts file. So something like:
192.168.0.0 example.test
What I would like to do is run a web server with Docker that utilizes the hostname, instead of 'localhost'
I can't figure out how to make this work. I have a laravel project running, and can make it serve to localhost with Docker via:
php artisan serve --host=0.0.0.0
I have tried using the --add-host flag with Docker's run command when I start the container. So something like:
docker container run -it -p 80:80 -v $(pwd)app --add-host example.test:192.168.0.0 my-custom-container bash
Any help would be greatly appreciated. I am pretty stuck.

The --hostname argument provides the hostname of the container itself.
docker container run --hostname example.test -it -p 80:80 -v $(pwd)app --add-host example.test:192.168.0.0 my-custom-container bash
Example:
$ docker run -it debian
root#2843ba8b9de5:/# hostname
2843ba8b9de5
root#2843ba8b9de5:/# exit
$ docker run -it --hostname foo.example.com debian
root#foo:/# hostname
foo.example.com
root#foo:/#

How to connect to SSHD inside a Docker container from Windows?

I have a Ruby on Rails environment, and I'm converting it to run in Docker. This is largely because the development machine is a Windows laptop and the server is not. I have the Docker container mainly up and running, and now I want to connect the RubyMine debugger. To accomplish this the recommendation is to setup an SSH server in the container.
https://intellij-support.jetbrains.com/hc/en-us/community/posts/207649545-Use-RubyMine-and-Docker-for-development-run-and-debug-before-deployment-for-testing-
I successfully added SSHD to the container using the dockerfile lines from https://docs.docker.com/engine/examples/running_ssh_service/#build-an-egsshd-image minus the EXPOSE 22 (because it wasn't working with the port mapping in the docker-compose.yml). But the port is not accessible on the local machine
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6652389d248c civilservice_web "bundle exec rails..." 16 minutes ago Up 16 minutes 0.0.0.0:3000->3000/tcp, 0.0.0.0:3022->22/tcp civilservice_web_1
When I try to point PUTTY at localhost and 3022, it says that the server unexpectedly closed the connection.
What am I missing here?
This is my dockerfile
FROM ruby:2.2
RUN apt-get update && apt-get install -y \
build-essential \
libpq-dev \
nodejs \
openssh-server
RUN mkdir /var/run/sshd
RUN echo 'root:screencast' | chpasswd
RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
# SSH login fix. Otherwise user is kicked off after login
RUN sed 's#session\s*required\s*pam_loginuid.so#session optional pam_loginuid.so#g' -i /etc/pam.d/sshd
ENV NOTVISIBLE "in users profile"
RUN echo "export VISIBLE=now" >> /etc/profile
CMD ["/usr/sbin/sshd", "-D"]
RUN mkdir /MyApp
WORKDIR /MyApp
ADD Gemfile /MyApp/Gemfile
ADD Gemfile.lock /MyApp/Gemfile.lock
RUN bundle install
ADD . /MyApp
and this is my docker-compose.yml
version: '2'
services:
web:
build: .
command: bundle exec rails s -p 3000 -b '0.0.0.0'
volumes:
- .:/CivilService
ports:
- "3000:3000"
- "3022:22"
DOCKER_HOST doesn't appear to be an environment variable
docker version outputs the following
Client:
Version: 17.03.0-ce
API version: 1.26
Go version: go1.7.5
Git commit: 60ccb22
Built: Thu Feb 23 10:40:59 2017
OS/Arch: windows/amd64
Server:
Version: 17.03.0-ce
API version: 1.26 (minimum version 1.12)
Go version: go1.7.5
Git commit: 3a232c8
Built: Tue Feb 28 07:52:04 2017
OS/Arch: linux/amd64
Experimental: true
docker run -it --rm --net container:civilservice_web_1 busybox netstat -lnt outputs
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.11:35455 0.0.0.0:* LISTEN
SSHD is now running along side the Rails app, but the recipe that I was working from for setting up the service is not correct for the flavor of Linux that came with my base image https://docs.docker.com/engine/examples/running_ssh_service/#build-an-egsshd-image
The image I'm using is based on Debian 8. Could someone point me at where the example breaks down?

Your sshd process isn't running. That's visible in the netstat output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.11:35455 0.0.0.0:* LISTEN
But as user2105103 points out, I should have realized that if I compared your docker-compose.yml with the Dockerfile. You define the sshd command in the image with a Dockerfile line:
CMD ["/usr/sbin/sshd", "-D"]
But then you override your image setting when running the container with the docker-compose command:
command: bundle exec rails s -p 3000 -b '0.0.0.0'
So, the only thing run, as you can see in the netstat, is the rails app listening on 3000. If you need multiple commands to run, then you can docker exec to kick off the second command (not recommended for a second service like this), use a command that launches sshd in the background and rails in the foreground (fairly ugly), or you can consider something like supervisord.
Personally, I'd skip sshd and just use docker exec -it civilservice_web_1 /bin/bash to get a prompt inside the container when you need it.

Docker - Can't push on my registry when using S3 configuration

I'm trying to set up my own docker registry on a amazon ec2.
If I launch it such as:
docker run -p 5000:5000 registry
it's working without any problem.
However when I try to launch it with s3 using my credential such as:
docker run -p 5000:5000 -e SETTINGS_FLAVOR=s3 -e AWS_REGION=eu-west-1 -e AWS_BUCKET=$BUCKET -e STORAGE_PATH=/registry -e AWS_KEY=$AWS_KEY -e AWS_SECRET=$AWS_SECRET registry
I get
alexis#ubuntu:/home/web$ sudo docker push amazon.ip:5000/web
2014/10/07 00:57:38 Error: Invalid Registry endpoint: Get http://amazon.ip:5000/v1/_ping: dial tcp amazon.ip:5000: connection refused
Thanks for your help

Running docker with boot2docker on mac os x?

Trying to run docker on my mac os x with boot2docker.
Everything seems fine, but i cannot run docker images. I must be missing something obvious.
Guides i've used:
NodeJs Web App
Docker on Mac OS X
My docker file:
FROM ubuntu:12.04
# Build dependencies
RUN apt-get -y update
RUN apt-get install build-essential -y
RUN apt-get install curl -y
# Install NodeJS
RUN curl -L http://nodejs.org/dist/v0.10.22/node-v0.10.22.tar.gz | tar -xz
RUN cd /node-v0.10.22 && ./configure
RUN cd /node-v0.10.22 && make && make install && make clean
# Global NPM installs
RUN npm install --silent -g express lodash ejs forever
RUN mkdir /app
ADD server.js /app/server.js
ADD dist /app/dist
ADD lib /app/lib
Add test.js /app/test.js
CMD ["node", "/app/test.js"]
EXPOSE 8080
Docker build output:
#xp (master) ~/work/front-portal: docker build -t front-portal .
Uploading context 118.7 MB
Uploading context
Step 0 : FROM ubuntu:12.04
---> 9cd978db300e
Step 1 : RUN apt-get -y update
---> Using cache
---> ee9a4b864ffb
Step 2 : RUN apt-get install build-essential -y
---> Using cache
---> e7dd304d6f92
Step 3 : RUN apt-get install curl -y
---> Using cache
---> ded30df6d5c2
Step 4 : RUN curl -L http://nodejs.org/dist/v0.10.22/node-v0.10.22.tar.gz | tar -xz
---> Using cache
---> d132c9cdd09c
Step 5 : RUN cd /node-v0.10.22 && ./configure
---> Using cache
---> 9036f0ce77d2
Step 6 : RUN cd /node-v0.10.22 && make && make install && make clean
---> Using cache
---> c29bcfa1d058
Step 7 : RUN npm install --silent -g express lodash ejs forever
---> Using cache
---> d389052f5e49
Step 8 : RUN mkdir /app
---> Using cache
---> 33576951eb9b
Step 9 : ADD server.js /app/server.js
---> Using cache
---> 2a4aa2230170
Step 10 : ADD dist /app/dist
---> Using cache
---> 4350b786481c
Step 11 : ADD lib /app/lib
---> Using cache
---> 58b0a3850c01
Step 12 : Add test.js /app/test.js
---> Using cache
---> 441d63b47297
Step 13 : CMD ["node", "/app/test.js"]
---> Using cache
---> 013aaa78b0a5
Step 14 : EXPOSE 8080
---> Running in 8962747dd91a
---> 7410cc1bdbed
Successfully built 7410cc1bdbed
Contents of test.js:
var express = require('express');
// Constants
var PORT = 8080;
// App
var app = express();
app.get('/', function (req, res) {
res.send('Hello World\n');
});
app.listen(PORT)
console.log('Running on http://localhost:' + PORT);
Boot2docker is running:
g#xp (master) ~/work/front-portal: ./boot2docker status
[2014-02-12 18:32:50] boot2docker-vm is running.
g#xp (master) ~/work/front-portal:
But i cannot launch docker:
g#xp (master) ~/work/front-portal: DEBUG=1 docker run front-portal
[debug] commands.go:2484 [hijack] End of stdout
[debug] commands.go:2079 End of CmdRun(), Waiting for hijack to finish.
g#xp (master) ~/work/front-portal:
Though simple echo works:
g#xp (master) ~/work/front-portal: DEBUG=1 docker run front-portal echo "test"
test
[debug] commands.go:2484 [hijack] End of stdout
[debug] commands.go:2079 End of CmdRun(), Waiting for hijack to finish.
g#xp (master) ~/work/front-portal:
And my node test.js file is ok:
g#xp (master) ~/work/front-portal: node test.js
Running on http://localhost:8080
g#xp (master) ~/work/front-portal: DEBUG=1 docker run front-portal ls -al /app/test.js
-rw-r--r-- 1 501 dialout 232 Feb 12 2014 /app/test.js
[debug] commands.go:2484 [hijack] End of stdout
[debug] commands.go:2079 End of CmdRun(), Waiting for hijack to finish.
g#xp (master) ~/work/front-portal:

You need to explicitly enable the ports for NAT pass-through.
The "docker" port is already configured this way, as is SSH. But application-specific ports still need to be enabled.
You can use something like
VBoxManage modifyvm "boot2docker-vm" --natpf1 "tcp-port4000,tcp,,4000,,4000"
to add a new forwarding rule via the commandline. That example adds port 4000. Or you could use the VirtualBox GUI to do the same thing.
See also http://www.virtualbox.org/manual/ch06.html#natforward

I don't think you are passing the correct arguments to the run command.
Add a "-d" option for detached to run it in the background. And if that does not work, you can start bash on your container by running the following (note, your container can be overridden b/c you use CMD instead of ENTRYPOINT in your dockerfile. If someone has ENTRYPOINT, you won't be able to override it and start bash with the container).
docker run -i -t image_id /bin/bash
Also, you will need to do some port forwarding if you want to be able to hit the port that your service will be listening on. The expose command in your docker file will allow other containers running on your docker host to be able to hit the port, but it doesn't allow your host or the boot2docker vm to see it. I think you might be able to do a docker inspect $container_id and find the correct ip and port to hit, but I found it easier to just setup port forwarding. You will need to forward the port from the container to the vm and from the vm to your host. For the forwarding from the container to the host, use the -p option:
docker run -p :80:8080 image_name
This will forward 8080 on the container to 0.0.0.0:80 on your boot2docker-vm. To setup forwarding from the vm to your host, open up virtualbox and enter in a rule like:
open_80 0.0.0.0 :80 _blank_ :80
That rule is forwarding from the vm's port 80 to your local computer's port 80. The port forwarding can be setup from the command line (like what Andy pointed out above), but you would need to stop boot2docker.