Docker driver should expose ports when it creates a container #212

Closed
ghost opened this issue Oct 4, 2015 · 17 comments

@ghost

ghost commented Oct 4, 2015

This is related to #201 and #203. Running nomad master as of today on CentOS 7 and docker 1.8.2 the dynamic_ports option seems to be inconsistently working.

To better understand how dynamic ports work I've created a small web service that just outputs the running environment.

Test code and nomad HCL definition can be found here (written in golang with net/http): https://bitbucket.org/howihumanteam/httpenv/src
There is a working docker image named howihuman/httpenv in docker hub that I've been testing with.

I'm finding that I cannot get nomad to run this image and bridge a port through to it. Using the standard nomad init example (with the 'redis' port swapped to '6379' as suggested in #203) works normally using some kind of docker-proxy process I'm not familiar with (edit: it's the docker userland proxy, I disabled it with no change).

I've tested the image by execing into it, running netstat -pan to verify the port binding, and curling the endpoint to verify I get os.Environ() spewed back at me. It is binding to the eth0 interface properly with the port specified by our environment variable, nomad just isn't telling docker to forward traffic to it. edit: I can also run the container manually specifying the environment variables and port options myself and it works, just not in nomad.

It doesn't matter if you bind to all interfaces or specific interfaces, use named dynamic_ports or use numbered dynamic_ports, bind to 8080 and pass NOMAD_PORT_8080 with dynamic_port = ["8080"], nothing. It just will not forward traffic.

I could be missing something really stupid but I doubt it at this point.

I see the following in my nomad logs (nothing really useful)

Oct 04 00:30:56 nomad.example.org nomad[12455]: ==> WARNING: Bootstrap mode enabled! Potentially unsafe operation.
Oct 04 00:30:56 nomad.example.org nomad[12455]: ==> Starting Nomad agent...
Oct 04 00:30:58 nomad.example.org nomad[12455]: 2015/10/04 00:30:58 [ERR] fingerprint.env_aws: Error querying AWS Metadata URL, skipping
Oct 04 00:30:58 nomad.example.org nomad[12455]: ==> Nomad agent configuration:
Oct 04 00:30:58 nomad.example.org nomad[12455]: Atlas: <disabled>
Oct 04 00:30:58 nomad.example.org nomad[12455]: Client: true
Oct 04 00:30:58 nomad.example.org nomad[12455]: Log Level: INFO
Oct 04 00:30:58 nomad.example.org nomad[12455]: Region: global (DC: dc1)
Oct 04 00:30:58 nomad.example.org nomad[12455]: Server: true
Oct 04 00:30:58 nomad.example.org nomad[12455]: ==> Nomad agent started! Log data will stream in below:
Oct 04 00:30:58 nomad.example.org nomad[12455]: 2015/10/04 00:30:56 [INFO] raft: Node at 10.42.0.60:4647 [Follower] entering Follower state
Oct 04 00:30:58 nomad.example.org nomad[12455]: 2015/10/04 00:30:56 [INFO] serf: EventMemberJoin: nomad.example.org.global 10.42.0.60
Oct 04 00:30:58 nomad.example.org nomad[12455]: 2015/10/04 00:30:56 [INFO] nomad: starting 2 scheduling worker(s) for [batch service _core]
Oct 04 00:30:58 nomad.example.org nomad[12455]: 2015/10/04 00:30:56 [INFO] client: using state directory /tmp/nomad/client
Oct 04 00:30:58 nomad.example.org nomad[12455]: 2015/10/04 00:30:56 [INFO] client: using alloc directory /tmp/nomad/alloc
Oct 04 00:30:58 nomad.example.org nomad[12455]: 2015/10/04 00:30:56 [INFO] nomad: adding server nomad.example.org.global (Addr: 10.42.0.60:4647) (DC: dc1)
Oct 04 00:30:58 nomad.example.org nomad[12455]: 2015/10/04 00:30:57 [WARN] raft: Heartbeat timeout reached, starting election
Oct 04 00:30:58 nomad.example.org nomad[12455]: 2015/10/04 00:30:57 [INFO] raft: Node at 10.42.0.60:4647 [Candidate] entering Candidate state
Oct 04 00:30:58 nomad.example.org nomad[12455]: 2015/10/04 00:30:57 [INFO] raft: Election won. Tally: 1
Oct 04 00:30:58 nomad.example.org nomad[12455]: 2015/10/04 00:30:57 [INFO] raft: Node at 10.42.0.60:4647 [Leader] entering Leader state
Oct 04 00:30:58 nomad.example.org nomad[12455]: 2015/10/04 00:30:57 [INFO] nomad: cluster leadership acquired
Oct 04 00:30:58 nomad.example.org nomad[12455]: 2015/10/04 00:30:57 [INFO] raft: Disabling EnableSingleNode (bootstrap)
Oct 04 00:32:53 nomad.example.org nomad[12455]: 2015/10/04 00:32:53 [INFO] driver.docker: identified image redis:latest as 2f2578ff984f013c9a5d6cbb6fe061ed3f73a17380a4c9b53b76d4b8da3eda7d
Oct 04 00:32:53 nomad.example.org nomad[12455]: 2015/10/04 00:32:53 [WARN] driver.docker: no mode specified for networking, defaulting to bridge
Oct 04 00:32:53 nomad.example.org nomad[12455]: 2015/10/04 00:32:53 [INFO] driver.docker: created container c4f53ce4cca15af3041bf7e86a75cb6bf3d14efc23faa8f6e467df7463ebf23d
Oct 04 00:32:53 nomad.example.org nomad[12455]: 2015/10/04 00:32:53 [INFO] driver.docker: started container c4f53ce4cca15af3041bf7e86a75cb6bf3d14efc23faa8f6e467df7463ebf23d
Oct 04 00:35:27 nomad.example.org nomad[12455]: 2015/10/04 00:35:27 [INFO] driver.docker: identified image howihuman/httpenv as 7e508859789e08d1aa06e48ef038a30d2a745a7d5007d1b438c27e37cf81e686
Oct 04 00:35:27 nomad.example.org nomad[12455]: 2015/10/04 00:35:27 [WARN] driver.docker: no mode specified for networking, defaulting to bridge
Oct 04 00:35:27 nomad.example.org nomad[12455]: 2015/10/04 00:35:27 [INFO] driver.docker: created container fc1b2ce5c3338ee37cf672885af5e09901a990b68d9d96e4be6750890567b39b
Oct 04 00:35:27 nomad.example.org nomad[12455]: 2015/10/04 00:35:27 [INFO] driver.docker: started container fc1b2ce5c3338ee37cf672885af5e09901a990b68d9d96e4be6750890567b39b

This is running on a 1 node nomad setup NOT using -dev mode. The service is started by systemd with this service definition:

[Unit]
Description=HashiCorp Nomad
After=network.target

[Service]
ExecStart=/usr/local/bin/nomad agent -client -server -bootstrap-expect 1 -data-dir /tmp/nomad -bind 10.42.0.60
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
@achanda
Contributor

achanda commented Oct 4, 2015

@rvm2015 dynamic_ports was broken for a while. Can you make sure you have latest code?

@ghost
Author

ghost commented Oct 4, 2015

@achanda I'll pull from master, rebuild, and retry. I'm also wondering if it might be a docker problem, it should be at least detecting my open port but the ports field of docker ps is empty.

@achanda
Contributor

achanda commented Oct 4, 2015

I don't believe so. I've been using docker 1.8.2 and it has been doing port bindings fine. You can try docker inspect. If inspect does not show it, it's definitely not port binding. But, in this particular case, nomad was not setting host config correctly for docker to use.

@ghost
Author

ghost commented Oct 4, 2015

@achanda nada, same result. Pulled master a few minutes ago, replaced my binary, wiped the data dir, and fired everything back up. Using the config and code from my original post I'm still not getting a port binding. Docker inspect claims there's a binding but I don't see one.

docker inspect

[
{
    "Id": "543dcf7f77e774eed03941b79adc45f2df2c8ac666ac669edc7d85640105c629",
    "Created": "2015-10-04T05:33:42.380058564Z",
    "Path": "start",
    "Args": [],
    "State": {
        "Running": true,
        "Paused": false,
        "Restarting": false,
        "OOMKilled": false,
        "Dead": false,
        "Pid": 2452,
        "ExitCode": 0,
        "Error": "",
        "StartedAt": "2015-10-04T05:33:42.673572675Z",
        "FinishedAt": "0001-01-01T00:00:00Z"
    },
    "Image": "7e508859789e08d1aa06e48ef038a30d2a745a7d5007d1b438c27e37cf81e686",
    "NetworkSettings": {
        "Bridge": "",
        "EndpointID": "73d0119993fb70ad3d1139b98f813a67fd8f5600441579949911e70da16e853c",
        "Gateway": "172.17.42.1",
        "GlobalIPv6Address": "",
        "GlobalIPv6PrefixLen": 0,
        "HairpinMode": false,
        "IPAddress": "172.17.0.1",
        "IPPrefixLen": 16,
        "IPv6Gateway": "",
        "LinkLocalIPv6Address": "",
        "LinkLocalIPv6PrefixLen": 0,
        "MacAddress": "02:42:ac:11:00:01",
        "NetworkID": "8d991324a2915d332f89c8415efc85c23943b314eca5870876e06d4cad116fba",
        "PortMapping": null,
        "Ports": {},
        "SandboxKey": "/var/run/docker/netns/543dcf7f77e7",
        "SecondaryIPAddresses": null,
        "SecondaryIPv6Addresses": null
    },
    "ResolvConfPath": "/var/lib/docker/containers/543dcf7f77e774eed03941b79adc45f2df2c8ac666ac669edc7d85640105c629/resolv.conf",
    "HostnamePath": "/var/lib/docker/containers/543dcf7f77e774eed03941b79adc45f2df2c8ac666ac669edc7d85640105c629/hostname",
    "HostsPath": "/var/lib/docker/containers/543dcf7f77e774eed03941b79adc45f2df2c8ac666ac669edc7d85640105c629/hosts",
    "LogPath": "/var/lib/docker/containers/543dcf7f77e774eed03941b79adc45f2df2c8ac666ac669edc7d85640105c629/543dcf7f77e774eed03941b79adc45f2df2c8ac666ac669edc7d85640105c629-json.log",
    "Name": "/jolly_goldstine",
    "RestartCount": 0,
    "Driver": "devicemapper",
    "ExecDriver": "native-0.2",
    "MountLabel": "",
    "ProcessLabel": "",
    "AppArmorProfile": "",
    "ExecIDs": null,
    "HostConfig": {
        "Binds": null,
        "ContainerIDFile": "",
        "LxcConf": null,
        "Memory": 268435456,
        "MemorySwap": -1,
        "CpuShares": 500,
        "CpuPeriod": 0,
        "CpusetCpus": "",
        "CpusetMems": "",
        "CpuQuota": 0,
        "BlkioWeight": 0,
        "OomKillDisable": false,
        "MemorySwappiness": null,
        "Privileged": false,
        "PortBindings": {
            "54527/tcp": [
                {
                    "HostIp": "10.42.0.60",
                    "HostPort": "54527"
                }
            ],
            "54527/udp": [
                {
                    "HostIp": "10.42.0.60",
                    "HostPort": "54527"
                }
            ]
        },
        "Links": null,
        "PublishAllPorts": false,
        "Dns": null,
        "DnsSearch": null,
        "ExtraHosts": null,
        "VolumesFrom": null,
        "Devices": null,
        "NetworkMode": "bridge",
        "IpcMode": "",
        "PidMode": "",
        "UTSMode": "",
        "CapAdd": null,
        "CapDrop": null,
        "GroupAdd": null,
        "RestartPolicy": {
            "Name": "",
            "MaximumRetryCount": 0
        },
        "SecurityOpt": null,
        "ReadonlyRootfs": false,
        "Ulimits": null,
        "LogConfig": {
            "Type": "json-file",
            "Config": {}
        },
        "CgroupParent": "",
        "ConsoleSize": [
            0,
            0
        ]
    },
    "GraphDriver": {
        "Name": "devicemapper",
        "Data": {
            "DeviceId": "178",
            "DeviceName": "docker-253:0-202258463-543dcf7f77e774eed03941b79adc45f2df2c8ac666ac669edc7d85640105c629",
            "DeviceSize": "107374182400"
        }
    },
    "Mounts": [],
    "Config": {
        "Hostname": "543dcf7f77e7",
        "Domainname": "",
        "User": "",
        "AttachStdin": false,
        "AttachStdout": false,
        "AttachStderr": false,
        "ExposedPorts": null,
        "PublishService": "",
        "Tty": false,
        "OpenStdin": false,
        "StdinOnce": false,
        "Env": [
            "NOMAD_ALLOC_DIR=/tmp/nomad/alloc/e7a88cd6-7eed-5826-9f06-5c1f6c1d29f4",
            "NOMAD_MEMORY_LIMIT=256",
            "NOMAD_CPU_LIMIT=500",
            "NOMAD_IP=10.42.0.60",
            "NOMAD_PORT_http=54527"
        ],
        "Cmd": [
            "start"
        ],
        "Image": "howihuman/httpenv",
        "Volumes": null,
        "VolumeDriver": "",
        "WorkingDir": "",
        "Entrypoint": null,
        "NetworkDisabled": false,
        "MacAddress": "",
        "OnBuild": null,
        "Labels": null
    }
}
]

docker ps and netstat output

[root@nomad ~]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
543dcf7f77e7        howihuman/httpenv   "start"             4 minutes ago       Up 4 minutes                            jolly_goldstine
[root@nomad ~]# netstat -pan | grep 54527
[root@nomad ~]# netstat -pan | grep " LISTEN "
tcp        0      0 10.42.0.60:4646         0.0.0.0:*               LISTEN      834/nomad
tcp        0      0 10.42.0.60:4647         0.0.0.0:*               LISTEN      834/nomad
tcp        0      0 10.42.0.60:4648         0.0.0.0:*               LISTEN      834/nomad
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      832/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1964/master
tcp6       0      0 :::22                   :::*                    LISTEN      832/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1964/master

inside the actual container

[root@nomad ~]# docker exec -ti jolly_goldstine bash
[root@543dcf7f77e7 /]# netstat -pan | grep " LISTEN "
tcp        0      0 172.17.0.1:54527        0.0.0.0:*               LISTEN      1/start
[root@543dcf7f77e7 /]# curl 172.17.0.1:54527
([]string) (len=8 cap=8) {
 (string) (len=65) "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 (string) (len=21) "HOSTNAME=543dcf7f77e7",
 (string) (len=69) "NOMAD_ALLOC_DIR=/tmp/nomad/alloc/e7a88cd6-7eed-5826-9f06-5c1f6c1d29f4",
 (string) (len=22) "NOMAD_MEMORY_LIMIT=256",
 (string) (len=19) "NOMAD_CPU_LIMIT=500",
 (string) (len=19) "NOMAD_IP=10.42.0.60",
 (string) (len=21) "NOMAD_PORT_http=54527",
 (string) (len=10) "HOME=/root"
}

@achanda
Contributor

achanda commented Oct 4, 2015

@rvm2015 that's weird. Can you see if you can set a network_mode in task config? You can use this task https://gist.github.com/achanda/62b001601af76bd7d3e5 Please check if docker sees all the options by doing a docker inspect

@ghost
Author

ghost commented Oct 4, 2015

@achanda No change, the redis example works with the network mode set (it worked before as well using a 6379 port) however if I set network_mode = "net" for httpenv it doesn't forward through.

[root@nomad ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                        NAMES
bd17a86a9fe4        redis:latest        "/entrypoint.sh redis"   8 seconds ago        Up 7 seconds        10.42.0.60:29755->6379/tcp   cranky_mclean
0a614ab3e942        howihuman/httpenv   "start"                  About a minute ago   Up About a minute                                silly_albattani

docker inspect on httpenv

[
{
    "Id": "0a614ab3e942b2039f91f85cee4153421fb12348c7e61a0e93a41455166241d6",
    "Created": "2015-10-04T05:44:26.491213699Z",
    "Path": "start",
    "Args": [],
    "State": {
        "Running": true,
        "Paused": false,
        "Restarting": false,
        "OOMKilled": false,
        "Dead": false,
        "Pid": 2950,
        "ExitCode": 0,
        "Error": "",
        "StartedAt": "2015-10-04T05:44:26.750716329Z",
        "FinishedAt": "0001-01-01T00:00:00Z"
    },
    "Image": "7e508859789e08d1aa06e48ef038a30d2a745a7d5007d1b438c27e37cf81e686",
    "NetworkSettings": {
        "Bridge": "",
        "EndpointID": "3e8a5b90fd9107934be14aac2271fd94d82153d6adb96eb2f13ad09338e1fd81",
        "Gateway": "172.17.42.1",
        "GlobalIPv6Address": "",
        "GlobalIPv6PrefixLen": 0,
        "HairpinMode": false,
        "IPAddress": "172.17.0.2",
        "IPPrefixLen": 16,
        "IPv6Gateway": "",
        "LinkLocalIPv6Address": "",
        "LinkLocalIPv6PrefixLen": 0,
        "MacAddress": "02:42:ac:11:00:02",
        "NetworkID": "8d991324a2915d332f89c8415efc85c23943b314eca5870876e06d4cad116fba",
        "PortMapping": null,
        "Ports": {},
        "SandboxKey": "/var/run/docker/netns/0a614ab3e942",
        "SecondaryIPAddresses": null,
        "SecondaryIPv6Addresses": null
    },
    "ResolvConfPath": "/var/lib/docker/containers/0a614ab3e942b2039f91f85cee4153421fb12348c7e61a0e93a41455166241d6/resolv.conf",
    "HostnamePath": "/var/lib/docker/containers/0a614ab3e942b2039f91f85cee4153421fb12348c7e61a0e93a41455166241d6/hostname",
    "HostsPath": "/var/lib/docker/containers/0a614ab3e942b2039f91f85cee4153421fb12348c7e61a0e93a41455166241d6/hosts",
    "LogPath": "/var/lib/docker/containers/0a614ab3e942b2039f91f85cee4153421fb12348c7e61a0e93a41455166241d6/0a614ab3e942b2039f91f85cee4153421fb12348c7e61a0e93a41455166241d6-json.log",
    "Name": "/silly_albattani",
    "RestartCount": 0,
    "Driver": "devicemapper",
    "ExecDriver": "native-0.2",
    "MountLabel": "",
    "ProcessLabel": "",
    "AppArmorProfile": "",
    "ExecIDs": null,
    "HostConfig": {
        "Binds": null,
        "ContainerIDFile": "",
        "LxcConf": null,
        "Memory": 268435456,
        "MemorySwap": -1,
        "CpuShares": 500,
        "CpuPeriod": 0,
        "CpusetCpus": "",
        "CpusetMems": "",
        "CpuQuota": 0,
        "BlkioWeight": 0,
        "OomKillDisable": false,
        "MemorySwappiness": null,
        "Privileged": false,
        "PortBindings": {
            "26644/tcp": [
                {
                    "HostIp": "10.42.0.60",
                    "HostPort": "26644"
                }
            ],
            "26644/udp": [
                {
                    "HostIp": "10.42.0.60",
                    "HostPort": "26644"
                }
            ]
        },
        "Links": null,
        "PublishAllPorts": false,
        "Dns": null,
        "DnsSearch": null,
        "ExtraHosts": null,
        "VolumesFrom": null,
        "Devices": null,
        "NetworkMode": "bridge",
        "IpcMode": "",
        "PidMode": "",
        "UTSMode": "",
        "CapAdd": null,
        "CapDrop": null,
        "GroupAdd": null,
        "RestartPolicy": {
            "Name": "",
            "MaximumRetryCount": 0
        },
        "SecurityOpt": null,
        "ReadonlyRootfs": false,
        "Ulimits": null,
        "LogConfig": {
            "Type": "json-file",
            "Config": {}
        },
        "CgroupParent": "",
        "ConsoleSize": [
            0,
            0
        ]
    },
    "GraphDriver": {
        "Name": "devicemapper",
        "Data": {
            "DeviceId": "192",
            "DeviceName": "docker-253:0-202258463-0a614ab3e942b2039f91f85cee4153421fb12348c7e61a0e93a41455166241d6",
            "DeviceSize": "107374182400"
        }
    },
    "Mounts": [],
    "Config": {
        "Hostname": "0a614ab3e942",
        "Domainname": "",
        "User": "",
        "AttachStdin": false,
        "AttachStdout": false,
        "AttachStderr": false,
        "ExposedPorts": null,
        "PublishService": "",
        "Tty": false,
        "OpenStdin": false,
        "StdinOnce": false,
        "Env": [
            "NOMAD_IP=10.42.0.60",
            "NOMAD_PORT_http=26644",
            "NOMAD_ALLOC_DIR=/tmp/nomad/alloc/c2c9094c-8836-9cf7-e8df-4c011171f283",
            "NOMAD_MEMORY_LIMIT=256",
            "NOMAD_CPU_LIMIT=500"
        ],
        "Cmd": [
            "start"
        ],
        "Image": "howihuman/httpenv",
        "Volumes": null,
        "VolumeDriver": "",
        "WorkingDir": "",
        "Entrypoint": null,
        "NetworkDisabled": false,
        "MacAddress": "",
        "OnBuild": null,
        "Labels": null
    }
}
]

Irritatingly I can hit the container from the docker host it's just not forwarding through for httpenv, only redis using docker-proxy which seems odd to me. The documentation for docker seems to imply docker-proxy is a legacy option and that newer versions like 1.8.2 should be using hairpin nat in the docker application:

[root@nomad ~]# curl 172.17.0.2:26644
([]string) (len=8 cap=8) {
 (string) (len=65) "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 (string) (len=21) "HOSTNAME=0a614ab3e942",
 (string) (len=19) "NOMAD_IP=10.42.0.60",
 (string) (len=21) "NOMAD_PORT_http=26644",
 (string) (len=69) "NOMAD_ALLOC_DIR=/tmp/nomad/alloc/c2c9094c-8836-9cf7-e8df-4c011171f283",
 (string) (len=22) "NOMAD_MEMORY_LIMIT=256",
 (string) (len=19) "NOMAD_CPU_LIMIT=500",
 (string) (len=10) "HOME=/root"
}
[root@nomad ~]# netstat -pan | grep 26644
[root@nomad ~]# netstat -pan | grep " LISTEN "
tcp        0      0 10.42.0.60:4646         0.0.0.0:*               LISTEN      834/nomad
tcp        0      0 10.42.0.60:4647         0.0.0.0:*               LISTEN      834/nomad
tcp        0      0 10.42.0.60:4648         0.0.0.0:*               LISTEN      834/nomad
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      832/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1964/master
tcp        0      0 10.42.0.60:29755        0.0.0.0:*               LISTEN      3303/docker-proxy
tcp6       0      0 :::22                   :::*                    LISTEN      832/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1964/master

Is nomad assuming any kind of specific docker configuration that you are aware of? I'm using the curl | bash setup from docker's website for CentOS 7. Service definitions are as follows:

[root@nomad system]# cat docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network.target docker.socket
Requires=docker.socket

[Service]
Type=notify
ExecStart=/usr/bin/docker daemon -H fd://
MountFlags=slave
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity

[Install]
WantedBy=multi-user.target
[root@nomad system]# man docker
[root@nomad system]# cat docker.socket
[Unit]
Description=Docker Socket for the API
PartOf=docker.service

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target

edit: I tried disabling the userland proxy in docker and restarted the jobs, no change. I'm crashing for the night but I'll check this tomorrow.

@dadgar
Contributor

dadgar commented Oct 5, 2015

Hey @rvm2015 it looks like the port forwarding is working looking at docker inspect output. Further you said you can access the port on the host? It sounds like there is just a port forwarding issue on the host if you are trying to access it externally? Let me know if I am reading this wrong.

@ghost
Author

ghost commented Oct 5, 2015

@dadgar I can access the service at the private ip address assigned to the container (ie 172.17.whatever, my request is being routed through the docker0 bridge). I cannot access it by connecting to the forwarded port on the docker host. netstat -pan on the docker host shows the port is not actually opened by docker using my example, with the redis example it seems to work.

This only happens if I start the task through nomad, if I start it manually with docker run using the -p option it works perfectly. The test command for that would be something like what I have below. You can see the port forward for the container show up in docker ps and netstat -pan should show port 10000 in LISTEN mode:

docker run -d -e NOMAD_PORT_http=10000 -p 10000:10000 --name httpenv howihuman/httpenv start

The httpenv.nomad file I'm using is available below. The docker ps ports field will be blank. Running docker log httpenv will tell you what port it's bound to but doing a netstat -pan on the docker host will show that not open. Inexplicably though docker inspect will think it's been forwarded however:

https://bitbucket.org/howihumanteam/httpenv/src

@cbednarski
Contributor

This worked for me when I developed the feature. Here are the demo app and job file I used.

I developed on Ubuntu 15.04. I'm curious if the demo app works on Cent 7. There may be some OS-specific networking things we need to look for to make sure this works.

I am not looking directly at this right now but I will include a Cent 7 build in the test matrix.

@cbednarski
Contributor

The other bit of info that may be interesting is that go-dockerclient exposes two types of configuration which we use to start the container. One is configuration for the image (this typically includes EXPOSE info and such) and the other is for the container (which should include configuration that you want to customize if you launch multiple instances of the same image).

The redis image has an EXPOSE configured by default at port 6379. The demo app also exposes port 5000 when the image is built, and we subsequently map to that port. I don't recall the details but the code indicates that the port should be exposed already.

If EXPOSE is the root issue then we probably need to fix via docs or by passing additional config to createHostConfig

I did test with high ports where we create a 1:1 mapping instead of a high:local mapping, but I think that is a different scenario than the one described above that is causing problems.

@cbednarski
Contributor

@rvm2015 Can you try adding EXPOSE in your Dockerfile for the relevant port when you build your docker image?

@ghost
Author

ghost commented Oct 7, 2015

This image wasn't built with a dockerfile, it was built manually off CentOS:7. I can recreate it using a Dockerfile this evening however and test.

@ghost
Author

ghost commented Oct 9, 2015

Sorry for the delay. I updated my code to take a PORT option and just set it to 8080 by default. I then created a docker file and had this port set to EXPOSE. I then set dynamic_ports=["8080"] in httpenv.nomad. Examples of all of these can be found in the repo above under tag alpha2.

That works so somewhere in the port discovery process nomad is specifically looking for the EXPOSE option to do the binding. It doesn't work if EXPOSE isn't there even if the port is actually open (though docker inspect seems to think it's doing it).

I also can't seem to get this to work with dynamic_ports["http"]. My understanding is that option sets a variable NOMAD_PORT_http to an ephemeral port on the docker host forwarding to the same port on the container, then passes this variable through to the container expecting your code to bind base off that port.

The issue is you don't have this information at the time you're creating the docker file so there's no way to know what to set EXPOSE to (if I'm understanding all this properly).

I'm working off of master as of about 30 minutes ago. Single node on CentOS 7, docker 1.8.2.

@cbednarski
Contributor

Thanks for testing and following up!

> That works so somewhere in the port discovery process nomad is specifically looking for the EXPOSE option to do the binding. It doesn't work if EXPOSE isn't there even if the port is actually open (though docker inspect seems to think it's doing it).
>
> I also can't seem to get this to work with dynamic_ports["http"]. My understanding is that option sets a variable NOMAD_PORT_http to an ephemeral port on the docker host forwarding to the same port on the container, then passes this variable through to the container expecting your code to bind base off that port.

Expose and port forwarding are two different configs in docker. In your example you used -e and -p on the CLI, respectively. The docker driver currently only uses -p. It sounds like we will need to expand it to also use -e.
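
The mismatch reported in this thread (a port listed under HostConfig.PortBindings while Config.ExposedPorts is null and NetworkSettings.Ports is empty) can be checked mechanically from `docker inspect` output. The Go program below is an added example, not code from Nomad, Docker or any participant here; the function and type names are hypothetical, and the embedded JSON is a constructed sample trimmed to the fields compared above (the redis entry is modelled on the `docker ps` line, not on a real inspect dump).

```go
// Added example: not Nomad or Docker source code.
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// binding mirrors one host-side entry as printed by `docker inspect`.
type binding struct {
	HostIp   string
	HostPort string
}

// inspectEntry keeps only the fields compared in this thread.
type inspectEntry struct {
	Name   string
	Config struct {
		ExposedPorts map[string]struct{} // set by EXPOSE in the image or at create time
	}
	HostConfig struct {
		PortBindings map[string][]binding // what the caller asked Docker to publish
	}
	NetworkSettings struct {
		Ports map[string][]binding // what Docker actually published
	}
}

// finding is a binding requested in HostConfig that is not live on the host.
type finding struct {
	Container string
	Port      string // container port and protocol, e.g. "54527/tcp"
	Exposed   bool   // true if the port is present in Config.ExposedPorts
}

// unpublishedBindings parses `docker inspect` JSON and returns every
// requested port binding that has no matching entry in NetworkSettings.Ports.
func unpublishedBindings(inspectJSON []byte) ([]finding, error) {
	var entries []inspectEntry
	if err := json.Unmarshal(inspectJSON, &entries); err != nil {
		return nil, fmt.Errorf("parse docker inspect output: %w", err)
	}
	var out []finding
	for _, e := range entries {
		for port := range e.HostConfig.PortBindings {
			// A nil map (JSON null) or a missing key both yield a zero-length slice.
			if len(e.NetworkSettings.Ports[port]) > 0 {
				continue // binding is live
			}
			_, exposed := e.Config.ExposedPorts[port]
			out = append(out, finding{Container: e.Name, Port: port, Exposed: exposed})
		}
	}
	// Map iteration order is random; sort for stable output.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Container != out[j].Container {
			return out[i].Container < out[j].Container
		}
		return out[i].Port < out[j].Port
	})
	return out, nil
}

// sampleInspect is constructed sample input, reduced to the relevant fields.
const sampleInspect = `[
 {"Name": "/jolly_goldstine",
  "Config": {"ExposedPorts": null},
  "HostConfig": {"PortBindings": {
    "54527/tcp": [{"HostIp": "10.42.0.60", "HostPort": "54527"}],
    "54527/udp": [{"HostIp": "10.42.0.60", "HostPort": "54527"}]}},
  "NetworkSettings": {"Ports": {}}},
 {"Name": "/cranky_mclean",
  "Config": {"ExposedPorts": {"6379/tcp": {}}},
  "HostConfig": {"PortBindings": {
    "6379/tcp": [{"HostIp": "10.42.0.60", "HostPort": "29755"}]}},
  "NetworkSettings": {"Ports": {
    "6379/tcp": [{"HostIp": "10.42.0.60", "HostPort": "29755"}]}}}
]`

func main() {
	findings, err := unpublishedBindings([]byte(sampleInspect))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: %s requested but not published (exposed=%v)\n",
			f.Container, f.Port, f.Exposed)
	}
}
```

A finding with `Exposed` false is the case described in this issue: the binding was requested, but the port was never exposed in the image or container configuration.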

cbednarski changed the title from "dynamic_ports option applying inconsistently" to "Docker driver should expose ports when it creates a container" on Oct 9, 2015
@ghost
Author

ghost commented Oct 9, 2015

Sure thing, I'll watch this for a branch or PR and test it with the original configuration.

@maguec

maguec commented Nov 11, 2015

+1 since docker containers built with packer do not expose any ports:

How Docker sees Packer built containers

DEBU[1056] H({"architecture":"amd64","comment":"Imported from -","config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container_config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"created":"2015-11-11T19:13:16.49572186Z","docker_version":"1.7.1","layer_id":"sha256:56e208894142afac256d59a36d968d1ea978ccc8ba2677d2c343506c7f493c05","os":"linux"}) = sha256:9b1b50d311868057414fead6ed8c52e42e32523ea4e6be6ac712a6b6cb14d17a 

vs Dockerfile built containers

H({"architecture":"amd64","config":{"Hostname":"9c05d483673a","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"At
tachStderr":false,"ExposedPorts":{"6379/tcp":{}},"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/
bin:/sbin:/bin","REDIS_VERSION=3.0.5","REDIS_DOWNLOAD_URL=http://download.redis.io/releases/redis-3.0.5.tar.gz","REDIS_DOWNLOAD_SHA1=ad3ee178c42bfcfd310c72b
bddffbbe35db9b4a6"],"Cmd":["redis-server"],"Image":"8d05e3af52b01957ee12b7ca3481ac5a5a5b00e3907064f49f89cc66ae8b74a9","Volumes":{"/data":{}},"WorkingDir":"/
data","Entrypoint":["/entrypoint.sh"],"OnBuild":[],"Labels":null},"container":"41e15b4711ed3981ebdd4cd0fa0219f84d1385ce9352e7fa6508d66955392376","container_
config":{"Hostname":"9c05d483673a","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":{"6379/tcp":{}},"T
ty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","REDIS_VERSION=3.0.5","REDIS_DOWNLO
AD_URL=http://download.redis.io/releases/redis-3.0.5.tar.gz","REDIS_DOWNLOAD_SHA1=ad3ee178c42bfcfd310c72bbddffbbe35db9b4a6"],"Cmd":["/bin/sh","-c","#(nop) C
MD [\"redis-server\"]"],"Image":"8d05e3af52b01957ee12b7ca3481ac5a5a5b00e3907064f49f89cc66ae8b74a9","Volumes":{"/data":{}},"WorkingDir":"/data","Entrypoint":
["/entrypoint.sh"],"OnBuild":[],"Labels":null},"created":"2015-10-23T22:51:15.794944729Z","docker_version":"1.8.2","layer_id":"sha256:a3ed95caeb02ffe68cdd9f
d84406680ae93d633cb16422d00e8a7c22955b46d4","os":"linux","parent_id":"sha256:79a035ecf3003e223f5cd47dfca17156aea840c94dd644e31fe529145030a99c"}) = sha256:a1
93103919bc39022a7ea4b33f1655f8e49ff68366bc74d02532408153710071

In the docker logs I do not see the allocate_port task run without an exposed port

INFO[0114] +job allocate_port(7bcbcb146eb7e6d61e612846a80e529fff8037e23a83b084d2fd047959b58cf0) 
INFO[0114] -job allocate_port(7bcbcb146eb7e6d61e612846a80e529fff8037e23a83b084d2fd047959b58cf0) = OK (0`

By wrapping a packer built container in a Dockerfile and setting an EXPORT the new container was successfully recognized by Nomad+Docker

benbuzbee pushed a commit to benbuzbee/nomad that referenced this issue Jul 21, 2022
Ensure installSnapshot consume stream. fixes issue hashicorp#212
@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 29, 2022