Hi all,
I'm building some Arch Linux Docker images to run distcc with various cross-compilation toolchains, but I can't seem to publish the port from the Docker container to the host's localhost port. I'm not sure if this is a Docker configuration issue or an Arch configuration issue.
I currently run this on a relatively vanilla Arch Linux box:
sudo docker run -d a10g/archlinux-x86_64-distcc-armv7h -p 127.0.0.1:3632:3632
Container is running, port is exposed and presumably published:
[andrew@artigo archlinux-docker]$ sudo docker container list
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7bda6e1e492f a10g/archlinux-x86_64-distcc-armv7h "/usr/bin/distcc-ini…" 17 hours ago Up 17 hours 3632/tcp adoring_chatterjee
I can access the container's port on the Docker bridged network, but not on localhost:
[andrew@artigo archlinux-docker]$ netcat -v 172.17.0.2 3632
172.17.0.2 3632 (distcc) open
^CExiting.
[andrew@artigo archlinux-docker]$ netcat -v 127.0.0.1 3632
localhost [127.0.0.1] 3632 (distcc): Connection refused
I found a reference to adding "IPForward=yes" to my systemd-networkd static IP assignment, and also tried it with "IPForward=1". Restarting docker and systemd-networkd services and even rebooting didn't seem to yield any results.
Steps:
I started by cloning the Arch Linux Docker base image repo and building a new one using the same Dockerfile.
I then created a new Docker image (archlinux-x86_64-distcc) with this Dockerfile:
FROM a10g/archlinux-x86_64-base
ENV LANG=en_US.UTF-8
RUN pacman -Syu --noconfirm && pacman -S distcc gcc make --noconfirm
ENTRYPOINT ["/usr/bin/bash"]
Then, I added the pre-built armv7 toolchain with this Dockerfile:
FROM a10g/archlinux-x86_64-distcc
ENV LANG=en_US.UTF-8
RUN ["/usr/bin/mkdir", "/var/distcc"]
ADD ["distcc-init/distcc-init-armv7h.sh", "/usr/bin/"]
ADD ["https://archlinuxarm.org/builder/xtools/x-tools7h.tar.xz", "/tmp/"]
RUN ["/usr/bin/tar", "-vxJf", "/tmp/x-tools7h.tar.xz", "-C", "/var/distcc"]
EXPOSE 3632/tcp
ENTRYPOINT ["/usr/bin/distcc-init-armv7h.sh"]
The distcc-init-armv7h.sh script that runs is:
#!/usr/bin/env bash
PATH=/var/distcc/x-tools7h/aarch64-unknown-linux-gnu/bin:/usr/bin
/usr/bin/distccd --user nobody --allow-private --no-detach --daemon --log-stderr --listen 0.0.0.0 --port 3632 --stats-port 3633
Since I can reach distcc on the Docker network port, but not on localhost, I'm guessing that something isn't setting up iptables correctly:
[andrew@artigo archlinux-docker]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere t
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
My firewall-fu is a bit weak, but I don't see any rules to indicate it's forwarding packets to localhost onward to the Docker port. I think this is where the problem is, but I'm not sure how to resolve it.
Suggestions?
Last edited by andrewboring (2020-07-22 19:23:08)
Well, I'm guessing it's something with my image or the way I'm running the container. I just fired up an Ubuntu Bionic VM and get the same results:
vagrant@ubuntu-bionic:~$ sudo docker container list
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
86bd285f14a0 a10g/archlinux-x86_64-distcc-armv7h "/usr/bin/distcc-ini…" 3 minutes ago Up 3 minutes 3632/tcp optimistic_greider
vagrant@ubuntu-bionic:~$ nc -v 172.17.0.2 3632
Connection to 172.17.0.2 3632 port [tcp/distcc] succeeded!
^C
vagrant@ubuntu-bionic:~$ nc -v 127.0.0.1 3632
nc: connect to 127.0.0.1 port 3632 (tcp) failed: Connection refused
The iptables rules look the same, too.
Still open to any suggestions from the knowledgeable, but it looks like it's not an Arch-related problem.
Funny. I was banging my head against this for a week before posting here.
Apparently, order matters. Run the -p bits before the image bits, and notice the change in the PORTS column indicating a functional mapping.
[andrew@artigo ~]$ sudo docker run -d -p 127.0.0.1:3632:3632 a10g/archlinux-x86_64-distcc-armv7h
[andrew@artigo archlinux-docker]$ sudo docker container list
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
befa3d11a000 a10g/archlinux-x86_64-distcc-armv7h "/usr/bin/distcc-ini…" 4 minutes ago Up 4 minutes 127.0.0.1:3632->3632/tcp beautiful_neumann
[andrew@artigo archlinux-docker]$ netcat -v 127.0.0.1 3632
localhost [127.0.0.1] 3632 (distcc) open
^CExiting.
Last edited by andrewboring (2020-07-22 19:15:26)
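Added example, not part of the original posts: Docker treats everything after the image name as arguments to the container's entrypoint, so the misplaced -p never reached Docker and the PORTS column showed only the EXPOSE'd port. The sketch below classifies PORTS values in the format shown in this thread, so a script can tell an exposed-only port from one published to loopback or to every interface; the function name and the 0.0.0.0 sample are assumptions made for illustration.

```shell
#!/bin/sh
# Classify each entry of a `docker ps` PORTS value (hypothetical helper).
#   "3632/tcp"                  -> EXPOSE only, nothing listens on the host
#   "127.0.0.1:3632->3632/tcp"  -> published with -p, reachable from the host
# Live input could come from: docker ps --format '{{.Ports}}'

classify_ports() (
    rest=$1
    while [ -n "$rest" ]; do
        entry=${rest%%,*}                  # take the first comma-separated entry
        if [ "$entry" = "$rest" ]; then rest=''; else rest=${rest#*,}; fi
        entry=${entry# }                   # entries are separated by ", "
        case $entry in
            '') ;;                         # empty PORTS column
            *'->'*)
                host=${entry%%->*}         # e.g. 127.0.0.1:3632
                host=${host%:*}            # drop the host port, keep the address
                case $host in
                    127.*|'[::1]')     echo "loopback $entry" ;;
                    0.0.0.0|::|'[::]') echo "all-interfaces $entry" ;;
                    *)                 echo "specific-address $entry" ;;
                esac ;;
            *)  echo "exposed-only $entry" ;;
        esac
    done
)

# Succeeds only if every entry is published and bound to loopback,
# which is what "-p 127.0.0.1:3632:3632" is meant to achieve.
loopback_only() {
    out=$(classify_ports "$1")
    [ -n "$out" ] && ! printf '%s\n' "$out" | grep -qv '^loopback '
}

# The first two values are from the thread; the third is constructed.
for sample in '3632/tcp' \
              '127.0.0.1:3632->3632/tcp' \
              '0.0.0.0:3632->3632/tcp, :::3632->3632/tcp'; do
    classify_ports "$sample"
done
```

An "all-interfaces" result is worth flagging for a service like distccd, since it means the port is reachable from other machines on the network rather than only from the host.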