How can I access the Consul UI externally?
I want to access the Consul UI by entering
<ANY_MASTER_OR_SLAVE_NODE_IP>:8500
I have tried using an SSH tunnel to access it:
ssh -N -f -L 8500:localhost:8500 root@172.16.8.194
Then if I access http://localhost:8500
It works, but it is not what I want. I need to access it externally, without an SSH tunnel.
My config.json file is the following:
{
"bind_addr":"172.16.8.216",
"server": false,
"datacenter": "nyc2",
"data_dir": "/var/consul",
"ui_dir": "/home/ikerlan/dist",
"log_level": "INFO",
"enable_syslog": true,
"start_join": ["172.16.8.211","172.16.8.212","172.16.8.213"]
}
Any help?
Thanks
Add
{
"client_addr": "0.0.0.0"
}
to your configuration or add the option -client 0.0.0.0 to the command line of consul to make your Web UI accessible from the outside (see the docs for more information).
Please note that this will also make your Consul REST API accessible from the outside. Depending on your environment you might want to activate Consul's ACLs to restrict access.
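A way to check an agent config for the exposure this answer warns about, as an added example that is not part of the original answer or of Consul itself. It assumes the legacy flat ACL keys (acl_datacenter, acl_default_policy) or the newer "acl" block, and the sample config is constructed from the question's file plus the answer's client_addr line.

```python
import ipaddress
import json

# Constructed sample: the question's client config plus the answer's client_addr.
SAMPLE = """{
  "bind_addr": "172.16.8.216",
  "client_addr": "0.0.0.0",
  "server": false,
  "datacenter": "nyc2"
}"""


def http_listener(cfg):
    """(address, port) of the HTTP API/UI. addresses.http overrides
    client_addr; Consul's defaults are 127.0.0.1 and 8500."""
    addr = cfg.get("addresses", {}).get("http") or cfg.get("client_addr", "127.0.0.1")
    return addr, cfg.get("ports", {}).get("http", 8500)


def acl_default_deny(cfg):
    """True only when ACLs are enabled AND anonymous requests are denied.
    Covers the legacy flat keys and the newer "acl" block; in both the
    default policy is "allow" unless configured otherwise."""
    acl = cfg.get("acl", {})
    enabled = bool(acl.get("enabled")) or "acl_datacenter" in cfg
    policy = acl.get("default_policy") or cfg.get("acl_default_policy", "allow")
    return enabled and policy == "deny"


def audit(config_text):
    """Return a list of findings for one agent config (JSON text)."""
    cfg = json.loads(config_text)
    addr, port = http_listener(cfg)
    try:
        local_only = ipaddress.ip_address(addr).is_loopback
    except ValueError:
        local_only = False  # address lists or templates: flag for manual review
    if local_only:
        return []
    findings = [f"HTTP API and UI listen on {addr}:{port}, not only loopback"]
    if not acl_default_deny(cfg):
        findings.append("ACLs do not enforce default deny: any client can use the API")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```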
You can use socat in this case.
socat -d -d TCP-L:8500,bind=172.16.93.128,fork TCP:localhost:8500 &
where 172.16.93.12 is my IP.
I run it as a Docker image. I gave
docker pull consul
docker run -p 8500:8500 consul
and I am able to access the Consul UI at http://<hostname>:8500/ui
Finally I found the solution.
Add to the config file the bind_addr, which is the IP of the machine, and the client_addr, which is the set of addresses it listens on. So I use 0.0.0.0 to listen on all the IPs.
"bind_addr":"<machine-ip>",
"client_addr":"0.0.0.0",
I don't have hands-on experience with Consul yet, but here are a few tips:
Run sudo netstat -peanut | grep :8500 and check if Consul is bound to 0.0.0.0 or an explicit ip. Should check docs if this is configurable.
On each node install Squid, Nginx or any other software which can act as a HTTP proxy
No way to get a user interface if there is no user interface )
A classic UI is a stack of desktop environment components (x-term....), so before you can get it, you need to install it on the node
Related
So I did the following:
minikube dashboard
kubectl proxy
And it says Starting to serve on 127.0.0.1:8001, however this port is not open on my VM (not included in my firewall rules)
then how am I able to access it via ssh tunneling?
Basically I did this:
ssh -L 12345:localhost:8001 myLogin@myRemoteServer
And then accessed it as:
http://localhost:12345/api/v1/namespaces/kubernetes-dashboard/services/http:kubernetes-dashboard:/proxy/#/pod?namespace=default
I find this helpful: kubectl proxy --address='0.0.0.0' --disable-filter=true
For testing purposes, I want to set up the kubernetes master to be only accessible from the local machine and not the outside. Ultimately I am going to run a proxy server docker container on the machine that is opened up to the outside. This is all inside a minikube VM.
I figure configuring kube-proxy is the way to go. I did the following
kubeadm config view > ~/cluster.yaml
# edit proxy bind address
vi ~/cluster.yaml
kubeadm reset
rm -rf /data/minikube
kubeadm init --config cluster.yaml
Upon doing netstat -ln | grep 8443 I see tcp 0 0 :::8443 :::* LISTEN which means it didn't take the IP.
I have also tried kubeadm init --apiserver-advertise-address 127.0.0.1 but that only changes the advertised address to 10.x.x.x in the kubeadm config view. I feel that is probably the wrong thing anyway. I don't want the API server to be inaccessible to the other docker containers that need to access it or something.
I have also tried doing this kubeadm config upload from-file --config ~/cluster.yaml and then attempting to manually restart the docker running kube-proxy.
Also tried to restart the machine/cluster after the kubeadm config change but couldn't figure that out. When you reboot a minikube VM by hand, the kubeadm command disappears and not even docker is running. Various online methods of restarting things don't seem to work either (could be just doing this wrong).
Also tried editing the kube-proxy docker's config file (bound to a local dir) but that gets overwritten when I restart the docker. I don't get it.
There's nothing in the kubernetes dashboard that allows me to edit the config file of the kube-proxy either (since it's a daemonset).
Ultimately, I wish to use an authenticated proxy server sitting in front of the k8s master (apiserver specifically). Direct access to the k8s master from outside the VM will not work.
Thanks
You could limit it via the local network configuration (firewall, routes).
As far as I know, the API needs to be accessible, at least via the local network where the other nodes reside, unless you want to have a single-node "cluster".
So, when you do not have a different network card where you could advertise or bind the address, you need to limit it with the above-mentioned firewall or route rules.
To your initial question topic, did you look into this issue? https://github.com/kubernetes/kubernetes/issues/39586
I want to start an Elasticsearch container in Docker. By default I see nearly everywhere something like:
docker run -d -p 9200:9200 docker.elastic.co/elasticsearch/elasticsearch:5.5.1
Now my question is: Why are we mapping the port on our host network? I understand port mapping but I don't see the big advantage of it.
In my opinion I would always do something like this:
$ docker network create logging
20aa4c7bf2d8289d8cbd485c3e384f9371eed87204625998687c61e4bad27f14
$ docker run -d --name es --net logging docker.elastic.co/elasticsearch/elasticsearch:5.5.1
And connect to the ES by using its name (es in this case) and deploying containers in the same network. I would think my ES is more secure in its private docker network.
I see there is an advantage for port mapping when your containers which need to connect to elasticsearch aren't in the same network. But are there other advantages or why is this always shown with port mapping?
So host access is more about accessibility. If you are running docker on a local machine and you want to access the app only on that machine, then host mapping is not needed.
Now if you need to access this app from an external computer other than your docker host, then you need to do that port mapping.
docker run -d -p 9200:9200 docker.elastic.co/elasticsearch/elasticsearch:5.5.1
This maps the host port 9200 (left side) to 9200 inside the docker (right side). The listening interface is 0.0.0.0, which means all interfaces. Hence it is accessible to anyone who has access to this machine.
If you want to make it more secure then you do it like below
docker run -d -p 127.0.0.1:9200:9200 docker.elastic.co/elasticsearch/elasticsearch:5.5.1
This would listen on local host only. So only you can access it on the machine. But if you need to access it from some place else then you would use a SSH tunnel
ssh -L 9200:127.0.0.1:9200 <user>@<HOSTIP>
And on that machine you can access it on 127.0.0.1:9200
Next level of security is added when you use a firewall like ufw, firewalld etc.
What you did with network command
docker network create logging
Basically creates a new network and isolates other docker containers from accessing it on the host. But as far as external accessibility is concerned, you still need to map it to the host port
Hope this answers your question
I installed docker-beta (https://beta.docker.com/) for OS X.
Next, I created a folder with this docker-compose.yml file:
web:
  image: nginx:latest
  ports:
    - "8080:80"
Afterwards, I ran this command: docker-compose up.
The container starts successfully.
But the problem is accessing my container. I don't know what IP to use.
I tried to find the IP with docker ps and docker inspect ...:
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "6342cefc977f260f0ac65cab01c223985c6a3e5d68184e98f0c2ba546cc602f9",
"EndpointID": "8bc7334eff91d159f595b7a7966a2b0659b0fe512c36ee9271b9d5a1ad39c251",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:11:00:02"
}
}
So I tried to use http://172.17.0.2:8080/ to access it, but I get an ERR_CONNECTION_TIMED_OUT error.
But if I use http://localhost:8080/, I can access my container!
(But my localhost is already used by my native config on my Mac, so if I want to use localhost I must stop my native Apache.)
Why doesn't it work with the IP?
As @Javier-Segura mentioned, with native Docker on Linux you should be able to hit the container via its IP and port, so in your case http://172.17.0.2:80 - the 8080 port would be on the host IP.
With Docker for Mac Beta it does not appear to work the same way for the container. It changes a bit with every release but right now it appears you can not reach a container by IP via conventional means.
Unfortunately, due to limitations in OSX, we’re unable to route traffic
to containers, and from containers back to the host.
Your best bet is to use a different non-conflicting port as mentioned. You can use different Compose config files for different environments, so as in the example above, use 8081 for development and 8080 for production, if that is the desire. You would start Compose in production via something like docker-compose -f docker-compose.yml -f production.yml up -d where production.yml has the overrides for that environment.
When you map a port (like done with "8080:80") you are basically saying that "Forward the port 8080 on my localhost to the 80 port on the container".
Then you can access your nginx via:
http://localhost:8080
http://172.17.0.2:80/ (depending on the network configuration)
If the port 8080 is already used by apache on your mac, you can change your configuration to "8081:80" and nginx will be available on 8081
Here is one more tip to add to the good ones already provided. You can use the -p option to include IP mapping in addition to your port mapping. If you include no IP (something like -p 8080:80), then you're telling docker to route traffic entering all interfaces on port 8080 to your docker internal network (172.17.0.2 in your case). This includes, but is not limited to, localhost. If you'd like this mapping to apply to only a certain IP, for example an IP dynamically assigned to your workstation through DHCP, you can specify the IP in the option as -p 10.11.12.13:8080:80 (where 10.11.12.13 is a fictional IP). Then localhost or any other interface would not be routed.
Likewise, you could use the option to restrict to localhost with -p 127.0.0.1:8080:80 so that other interface traffic is not routed to your docker container's 172.17.0.2 interface.
@pglezen is right. Providing the full IP within the compose file solves the issue.
Image IP addresses that were generated by docker-compose do not work (now) on Mac OS X.
Providing a specific IP within the compose file allowed access to the container image:
nginx:
  image: nginx:latest
  ports:
    - "127.0.0.1:80:80"
  links:
    - php-fpm
docker-compose still assigned a generic 172.* IP address to the image, which was not accessible. But the hardcoded 127.0.0.1 worked and returned the correct container response.
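The -p forms discussed in the answers above (port only, IP plus port, loopback only) can be told apart mechanically. This is an added example, not code from the original posts or from Docker; it goes beyond the posts by also accepting bracketed IPv6 and /proto suffixes, and it assumes the daemon's default bind address is unchanged (0.0.0.0).

```python
import ipaddress


def parse_publish(spec):
    """Split a `docker run -p` / Compose short-form "ports" entry into
    (host_ip, host_port, container_port, proto). Empty host_ip means no
    address was given; empty host_port means Docker picks one."""
    spec, _, proto = spec.partition("/")
    host_ip = ""
    if spec.startswith("["):                      # bracketed IPv6 host address
        host_ip, _, spec = spec[1:].partition("]:")
    parts = spec.split(":")
    if len(parts) == 3 and not host_ip:
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1 and not host_ip:
        host_port, container_port = "", parts[0]
    else:
        raise ValueError(f"unrecognised publish spec: {spec!r}")
    return host_ip, host_port, container_port, proto or "tcp"


def exposure(spec):
    """Classify which host interfaces a publish spec listens on."""
    host_ip = parse_publish(spec)[0]
    if not host_ip:
        return "all-interfaces"   # assumes the daemon's default bind (0.0.0.0)
    ip = ipaddress.ip_address(host_ip)
    if ip.is_unspecified:
        return "all-interfaces"
    return "loopback-only" if ip.is_loopback else "single-address"


# Publish specs quoted in the posts above.
SPECS = ["8080:80", "9200:9200", "127.0.0.1:9200:9200",
         "10.11.12.13:8080:80", "127.0.0.1:80:80"]


def wide_open(specs):
    """Specs that accept connections on every host interface."""
    return [s for s in specs if exposure(s) == "all-interfaces"]


if __name__ == "__main__":
    for s in SPECS:
        print(f"{s:24} {exposure(s)}")
```

On Linux, Docker inserts its own iptables rules for published ports, so a host firewall front end such as ufw may not filter them; putting 127.0.0.1 in the spec is the more reliable control.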
I just started experimenting with EC2 tonight, and got a server running locally. I know it works locally because when I curl http://localhost:8080/hello it outputs hello.
I want to access this from the outside world. I modified my permissions in my security group to allow 8080 access, and then typed in "curl http://ec2-123-45-67-891.compute-1.amazonaws.com:8080/hello" into my local terminal. I got the response "curl: (7) couldn't connect to host".
Do I need to do something differently? (Obviously yes, but what?)
Have you bound your server only to localhost? If so, you'll only be able to connect from localhost.
Check the netstat output for your process with something like:
sudo netstat -ltnp | grep your_server_process
Look for whether your server process is bound to 127.0.0.1:8080 or 0.0.0.0:8080. If the former, then you're only bound to localhost and you need to reconfigure it.
I met the same issue. Try using 0.0.0.0 instead of 127.0.0.1.
You allowed access on 8080, but in your localhost example, it's running on port 80.
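The netstat checks suggested in several answers on this page come down to reading the local-address column and deciding whether a listener is loopback-only, bound to one address, or bound to every interface. The following is an added example, not code from the original posts; the sample output is constructed, and it generalises the check to the `ss -ltn` address forms as well.

```python
import ipaddress

# Constructed sample in `netstat -ltn` layout. The :::8443 entry mirrors the
# line quoted in the kubeadm question; the other rows are made up.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8500          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9200            0.0.0.0:*               LISTEN
tcp        0      0 172.16.8.216:8301       0.0.0.0:*               LISTEN
tcp6       0      0 :::8443                 :::*                    LISTEN
tcp6       0      0 ::1:8001                :::*                    LISTEN
"""


def scope(host):
    """loopback / wildcard / specific for one bind address."""
    if host == "*":                       # ss prints the wildcard as *
        return "wildcard"
    ip = ipaddress.ip_address(host.split("%")[0])   # drop %iface suffix
    if ip.is_unspecified:                 # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"


def listeners(text):
    """Return (port, host, scope) for every LISTEN row. The local address is
    the fourth column in both `netstat -ltn` and `ss -ltn` output."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if "LISTEN" not in cols or len(cols) < 4:
            continue
        host, _, port = cols[3].rpartition(":")
        host = host.strip("[]")           # ss brackets IPv6: [::]:8500
        rows.append((int(port), host, scope(host)))
    return rows


def reachable_remotely(text):
    """Ports whose listener is not confined to loopback."""
    return sorted(p for p, _, s in listeners(text) if s != "loopback")


if __name__ == "__main__":
    for port, host, kind in listeners(SAMPLE):
        print(f"{port:5} {host:15} {kind}")
```

A listener that shows up as loopback here is unreachable from other hosts regardless of firewall or security-group rules, which is the situation described in the EC2 question.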