Почему не видны снаружи порты докера в Ubuntu?

Question

[Вячеслав]

Я запускаю контейнеры докера с помощью docker-compose, контейнеры запускаются успешно. Docker-compose ps дает

db_1       docker-entrypoint.sh postgres    Up (healthy)   0.0.0.0:2054->5432/tcp,:::2054->5432/tcp
db_2     docker-entrypoint.sh postgres    Up (healthy)   0.0.0.0:2154->5432/tcp,:::2154->5432/tcp
nginx_1        /docker-entrypoint.sh ngin ...   Up             0.0.0.0:443->443/tcp,:::443->443/tcp, 0.0.0.0:2081->80/tcp,:::2081->80/tcp, 0.0.0.0:2181->8080/tcp,:::2181->8080/tcp
php_1          docker-php-entrypoint php-fpm    Up             0.0.0.0:9903->9000/tcp,:::9903->9000/tcp
supervisor_1   docker-php-entrypoint /usr ...   Up             0.0.0.0:2347->2346/tcp,:::2347->2346/tcp, 9000/tcp

sudo iptables -L

ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Порты докера доступны на машине с убунту - telnet 192.168.1.35 2081 -подключается

Но не видны с другой машины. В чем может быть дело?

Comments

[Valentin Barbolin]

Покажи iptables-save

[Вячеслав]

# Generated by iptables-save v1.8.4 on Sun Nov 17 14:50:31 2024
*nat
:PREROUTING ACCEPT [6:1142]
:INPUT ACCEPT [6:1142]
:OUTPUT ACCEPT [5:308]
:POSTROUTING ACCEPT [5:308]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun Nov 17 14:50:31 2024
# Generated by iptables-save v1.8.4 on Sun Nov 17 14:50:31 2024
*filter
:INPUT ACCEPT [139:10244]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [105:28132]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Nov 17 14:50:31 2024

[Вячеслав]

Вроде докер сам должен добавлять правила в iptables

[vreitech]

Вячеслав, те правила, которые обеспечивают сетевую доступность внутри машины - да. те правила, которые обеспечивают сетевую доступность с других машин - забота оператора/администратора машины.

[Вадим]

Дай свой compose yaml

[Valentin Barbolin]

@MuramidazaЧто-то докер не добавил нужные правила, такое может быть если контейнер использует режим работы хост.

[Вячеслав]

Вадим,

version: '3.3'

services:
php:
restart: always
build: ./
# platform: linux/arm64/v8
depends_on:
- db_mpv
- db_sppvr
ports:
- 9903:9000
volumes:
- ./:/var/www/html
- ./docker/nginx/ssl:/etc/ssl
networks:
- backend
- default

nginx:
restart: always
image: nginx:latest
# platform: linux/arm64/v8
depends_on:
- db_mpv
- db_sppvr
ports:
- "${NGINX_EXPOSE_PORT}:${NGINX_PORT}"
- "${NGINX_EXPOSE_PORT_2}:${NGINX_PORT_2}"
- "443:443"
volumes:
- ./:/var/www/html
- ${NGINX_CONF}:/etc/nginx/conf.d
- ./docker/nginx/ssl:/etc/ssl
- ./docker/nginx/logs:/var/log/nginx

db_mpv:
restart: always
image: postgres:15.0
healthcheck:
test: [ "CMD", "pg_isready", "-q", "-d", "postgres", "-U", "postgres" ]
timeout: 45s
interval: 10s
retries: 10
ports:
- ${DB_MPV_EXPOSE_PORT}:${DB_MPV_PORT}
volumes:
- ./docker/db_mpv/data:/var/lib/postgresql/data
environment:
- POSTGRES_DB=$DB_MPV_NAME
- POSTGRES_USER=$DB_MPV_USERNAME
- POSTGRES_PASSWORD=$DB_MPV_PASSWORD

db_sppvr:
restart: always
image: postgres:15.0
healthcheck:
test: [ "CMD", "pg_isready", "-q", "-d", "postgres", "-U", "postgres" ]
timeout: 45s
interval: 10s
retries: 10
ports:
- ${DB_SPPVR_EXPOSE_PORT}:${DB_SPPVR_PORT}
volumes:
- ./docker/db_sppvr/data:/var/lib/postgresql/data
environment:
- POSTGRES_DB=$DB_SPPVR_NAME
- POSTGRES_USER=$DB_SPPVR_USERNAME
- POSTGRES_PASSWORD=$DB_SPPVR_PASSWORD

supervisor:
command: [ "/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf" ]
build: ./
restart: always
depends_on:
- php
ports:
- 2347:2346
volumes:
- ./:/var/www/html
- ./docker/crontab/log:/var/log/
- ./docker/nginx/ssl:/etc/ssl
networks:
- backend
- default

networks:
backend:
driver: bridge

Answer 1

[Вячеслав]

apparmor блокировал внешние соединения

Answer 2

[Вадим]

Пример из моего compose - использую 2 сети для внутр и наружных подключений

version: '3.8'

services:
  frontend:
    image: xxxxxxx/frontend:latest
    restart: unless-stopped
    pull_policy: always
    container_name: react-frontend      
    ports:
      - "80:8008" # Expose the frontend on port 80 of the host - for outside communication
    depends_on:
      - app      
    networks:
      - appnetwork  # Connect frontend to the internal appnetwork
    environment:
      - REACT_APP_API_SERVER=backender      ## http://app:8080
      - REMOTE_SERVER=http://app:8080

  app:
    image: 'ZZZZZ/backend:latest'
    restart: unless-stopped
    pull_policy: always
    container_name: app
    ports:
      - '8080' # accessible on appnetwork only
    depends_on:
      - postgres
    environment:
      - SPRING_DATASOURCE_URL=jdbc:postgresql://db:5432/postgres
      - SPRING_DATASOURCE_USERNAME=root
      - SPRING_DATASOURCE_PASSWORD=fdsgdsfgdsfgdshfsdfjg
      - SPRING_JPA_HIBERNATE_DDL_AUTO=update
      - TOMCAT_PORT=8080
    networks:
      - appnetwork  # Use appnetwork for backend communications

если порт по прежнему не виден, установи себе на ufw и регулируй доступ к портам из него. Imho легче

Answer 3

[Drno]

sudo ufw disable