[2.2.2] private-address relation setting is not based on a default space binding
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Fix Released | High | Witold Krecicki |
Bug Description
Original title: "unable to establish a tcp connection to memcached running in a lxd container due to ufw blocking traffic"
See #5 to get to the result of this investigation.
ubuntu@maas:~$ juju controllers
Use --refresh flag with this command to see the latest information.
Controller Model User Access Cloud/Region Models Machines HA Version
samaas* default admin superuser samaas 2 1 none 2.2.2
Unable to establish a tcp connection to a container with ufw enabled. Packets get to the veth interface but do not hit memcached running in a container.
There is no 'connection refused' so this is not a problem with the memcached process not having a socket bound to a correct address:port. I also reconfigured it to explicitly bind a socket to IPv4:12111 instead of IPADDR_ANY:11211 (0.0.0.0) although it does not make any difference.
# container host
# before reconfiguring not to listen on 0.0.0.0:11211
# telnet 11211 launched inside a container results in an established connection
ubuntu@
Tracing TCP established connections. Ctrl-C to end.
T PID COMM IP SADDR DADDR SPORT DPORT
A 171184 memcached 4 127.0.0.1 127.0.0.1 11211 42392
ubuntu@kachina:~$ uname -r
4.10.0-28-generic
ubuntu@kachina:~$ apt policy lxd
lxd:
Installed: 2.0.10-
Candidate: 2.0.10-
Version table:
2.
100 http://
*** 2.0.10-
500 http://
100 /var/lib/
2.
500 http://
2.0.0-0ubuntu4 500
500 http://
capabilities:
ubuntu@
Current: = cap_chown,
Bounding set =cap_chown,
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)
ubuntu@
1: lo inet 127.0.0.1/8 scope host lo\ valid_lft forever preferred_lft forever
46: eth0 inet 10.232.4.118/21 brd 10.232.7.255 scope global eth0\ valid_lft forever preferred_lft forever
ubuntu@
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 10.232.4.118:11211 *:*
tcp LISTEN 0 128 10.232.4.118:11211 *:*
ubuntu@
4821 bash /var/lib/
4825 /var/lib/
27146 /usr/bin/memcached -m 768 -p 11211 -u memcache -l 10.232.4.118 -c 1024 -f 1.25
# the correct rules are present
ubuntu@
Status: active
To Action From
-- ------ ----
11211/tcp ALLOW 10.232.24.21
11211/tcp ALLOW 10.232.24.19
11211/tcp ALLOW 10.232.24.13
11211/tcp ALLOW 10.232.4.94
11211/tcp ALLOW 10.232.4.127
22 ALLOW Anywhere
11211/tcp DENY Anywhere
22 (v6) ALLOW Anywhere (v6)
11211/tcp (v6) DENY Anywhere (v6)
ubuntu@
Firewall stopped and disabled on system startup
# from a different host and container although it is reproducible from the same host 'outside' of the container
# able to connect. ERROR is fine after sending newlines since memcached expects something meaningful instead
ubuntu@
Trying 10.232.4.118...
Connected to 10.232.4.118.
Escape character is '^]'.
ERROR
ERROR
^]
telnet> ^CConnection closed.
ubuntu@
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
# cannot connect anymore
ubuntu@
Trying 10.232.4.118...
ubuntu@kachina:~$ sudo lxc exec juju-51cde3-6-lxd-4 -- tcpdump -n -i eth0 src port 11211 or dst port 11211
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C17:23:07.218430 IP 10.232.4.91.50930 > 10.232.4.118.11211: Flags [S], seq 1066636968, win 29200, options [mss 1460,sackOK,TS val 1965982543 ecr 0,nop,wscale 7], length 0
17:23:08.224381 IP 10.232.4.91.50930 > 10.232.4.118.11211: Flags [S], seq 1066636968, win 29200, options [mss 1460,sackOK,TS val 1965982795 ecr 0,nop,wscale 7], length 0
17:23:10.240390 IP 10.232.4.91.50930 > 10.232.4.118.11211: Flags [S], seq 1066636968, win 29200, options [mss 1460,sackOK,TS val 1965983299 ecr 0,nop,wscale 7], length 0
ubuntu@
http://
# container config:
sudo lxc config show juju-51cde3-6-lxd-4
http://
ubuntu@kachina:~$ sudo lxc profile show default
config: {}
description: Default LXD profile
devices:
eth0:
name: eth0
nictype: bridged
parent: lxdbr0
type: nic
name: default
---
ubuntu@kachina:~$ sudo lxc info juju-51cde3-6-lxd-4
description: updated
affects: memcached (Juju Charms Collection) → juju
tags: added: cpec
Changed in juju: milestone: none → 2.2.3
Looks like ALLOW rules somehow get lower priority or are not applied while DENY rules do:
To Action From
-- ------ ----
11211/tcp ALLOW 10.232.24.21
11211/tcp ALLOW 10.232.24.19
11211/tcp ALLOW 10.232.24.13
11211/tcp ALLOW 10.232.4.94
11211/tcp ALLOW 10.232.4.127
11211/tcp DENY Anywhere # <---------------- that
11211/tcp (v6) DENY Anywhere (v6)
ubuntu@juju-51cde3-6-lxd-4:~$ sudo ufw allow 11211/tcp
Rule updated
Rule updated (v6)
# Able to connect now
ubuntu@juju-51cde3-5-lxd-3:~$ telnet 10.232.4.118 11211
Trying 10.232.4.118...
Connected to 10.232.4.118.
Escape character is '^]'.
^]
telnet> Connection closed.
# enable DENY again
ubuntu@juju-51cde3-6-lxd-4:~$ sudo ufw deny 11211/tcp
Rule updated
Rule updated (v6)
ubuntu@juju-51cde3-6-lxd-4:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
11211/tcp ALLOW 10.232.24.21
11211/tcp ALLOW 10.232.24.19
11211/tcp ALLOW 10.232.24.13
11211/tcp ALLOW 10.232.4.94
11211/tcp ALLOW 10.232.4.127
22 ALLOW Anywhere
11211/tcp DENY Anywhere
22 (v6) ALLOW Anywhere (v6)
11211/tcp (v6) DENY Anywhere (v6)
# no luck again
ubuntu@juju-51cde3-5-lxd-3:~$ telnet 10.232.4.118 11211
Trying 10.232.4.118...
^C
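An added diagnostic, not part of this bug report or of Juju's code: it parses the `ufw status` listing quoted above (embedded below as constructed sample input copied from the report) and applies ufw's first-match rule evaluation to a given source address and destination port. Run against the SYN source the container's tcpdump captured, 10.232.4.91, it shows that this address is in none of the ALLOW rules and so falls through to the `11211/tcp DENY Anywhere` rule, while an address that is listed, such as 10.232.4.94, is allowed.

```python
import ipaddress
import re

# Constructed sample input: the IPv4/IPv6 `ufw status` listing from this bug report.
UFW_STATUS = """\
Status: active
To Action From
-- ------ ----
11211/tcp ALLOW 10.232.24.21
11211/tcp ALLOW 10.232.24.19
11211/tcp ALLOW 10.232.24.13
11211/tcp ALLOW 10.232.4.94
11211/tcp ALLOW 10.232.4.127
22 ALLOW Anywhere
11211/tcp DENY Anywhere
22 (v6) ALLOW Anywhere (v6)
11211/tcp (v6) DENY Anywhere (v6)
"""

# One rule line: "<port>[/proto] [(v6)] <ACTION> <source> [(v6)]"
RULE_RE = re.compile(r"^(\S+)(?: \(v6\))?\s+(ALLOW|DENY|REJECT)\s+(\S+)(?: \(v6\))?$")


def parse_rules(status_text):
    """Return IPv4 rules as (port, proto, action, source_network) in listed order."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or "(v6)" in line:  # header/separator lines and IPv6 rules are skipped
            continue
        to, action, src = m.groups()
        port, _, proto = to.partition("/")  # "22" has no protocol -> matches tcp and udp
        net = ipaddress.ip_network("0.0.0.0/0" if src == "Anywhere" else src)
        rules.append((int(port), proto or "any", action, net))
    return rules


def first_match(rules, src_ip, dport, proto="tcp"):
    """ufw evaluates rules top to bottom; the first match decides. Returns (action, rule)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        port, rproto, action, net = rule
        if port == dport and rproto in ("any", proto) and ip in net:
            return action, rule
    return None, None  # no explicit rule: ufw's default incoming policy applies


def explain(status_text, src_ip, dport, proto="tcp"):
    """Human-readable verdict for one flow, e.g. to check a SYN source seen in tcpdump."""
    action, rule = first_match(parse_rules(status_text), src_ip, dport, proto)
    if action is None:
        return f"{src_ip} -> {dport}/{proto}: no explicit rule, default policy applies"
    port, rproto, _, net = rule
    return f"{src_ip} -> {dport}/{proto}: {action} by rule '{port}/{rproto} {action} {net}'"


if __name__ == "__main__":
    # 10.232.4.91 is the SYN source captured inside the container; 10.232.4.94 is an allowed peer.
    for src in ("10.232.4.91", "10.232.4.94"):
        print(explain(UFW_STATUS, src, 11211))
```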