Create tunnel for container?
Sir-Will opened this issue · 16 comments
Hello,
I'm looking for a way to create a tunnel for a redash container. Is it possible to use this docker container to create an autossh tunnel and allow the redash container to use it?
This is the command I'm currently using which I would like to turn into an autossh container:
autossh -M 20017 -f -N -L 3304:127.0.0.1:3304 -p 22 -i /tunnel/key ssh-tunnel@000.000.000.000
Yes, it's possible to use this container for this purpose. You could also use an ambassador container.
Closing because this is not an issue to be solved.
What would the configuration for that look like?
I added the following to docker-compose but redash doesn't seem to be able to connect:
    autossh:
      image: jnovack/autossh
      environment:
        - SSH_HOSTUSER=ssh-tunnel
        - SSH_HOSTNAME=000.000.000.000
        - SSH_KEY_FILE=/tunnel/key
        - SSH_TUNNEL_REMOTE=*:3304
        - SSH_TUNNEL_HOST=127.0.0.1
        - SSH_TUNNEL_LOCAL=3304
        - SSH_MODE=-L
      restart: always
      volumes:
        - /srv/docker/redash:/tunnel
View your docker logs for this container, it should be printing out exactly which command it is running for SSH for debugging.
I looked at that and it doesn't have the -i /tunnel/key in the command.
Can the redash container even access the tunnel because autossh is in its own container?
Lines 4 through 10 of entrypoint.sh copy in and load the SSH_KEY_FILE.
It doesn't show that error, so I suppose that is working. Is there anything else which needs to be done so that the redash container can use the autossh container?
mym_new_autossh_1 | Agent pid 8
mym_new_autossh_1 | Identity added: (stdin) ((stdin))
mym_new_autossh_1 | [INFO] Using autossh 1.4g
mym_new_autossh_1 | [INFO] Tunneling ssh-tunnel@000.000.000.000:*:3304 to 127.0.0.1:3304
mym_new_autossh_1 | > autossh -M 0 -N -o StrictHostKeyChecking=no -o ServerAliveInterval=10 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -t -t -L *:3304:127.0.0.1:3304 -p 22 ssh-tunnel@000.000.000.000
mym_new_autossh_1 | Warning: Permanently added '000.000.000.000' (ECDSA) to the list of known hosts.
(000.000.000.000 = IP of the server)
This is the command it is running:
autossh -M 0 -N -o StrictHostKeyChecking=no -o ServerAliveInterval=10 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -t -t -L *:3304:127.0.0.1:3304 -p 22 ssh-tunnel@000.000.000.000
Does this command work to satisfy your requirements if it were NOT run in a docker container?
Yes, it's working outside a container.
When you run the command on your desktop, 127.0.0.1 is your desktop. When you run the command in a container, 127.0.0.1 is the container.
I'm aware, that's why I wonder how I can provide the tunnel to the other container and not only to the autossh container itself.
This is what I have now but I'm unable to connect to 173.20.5.1:3304:

    autossh:
      image: jnovack/autossh
      expose:
        - "3304"
      environment:
        - SSH_HOSTUSER=ssh-tunnel
        - SSH_HOSTNAME=000.000.000.000
        - SSH_KEY_FILE=/tunnel/key
        - SSH_TUNNEL_REMOTE=*:3304
        - SSH_TUNNEL_HOST=127.0.0.1
        - SSH_TUNNEL_LOCAL=3304
        - SSH_MODE=-L
      restart: always
      volumes:
        - /srv/docker/redash:/tunnel
      networks:
        redash_static_network:
          ipv4_address: 173.20.5.1
    networks:
      redash_static_network:
        ipam:
          config:
            - subnet: 173.20.0.0/16
              #docker-compose v3+ do not use ip_range
              ip_range: 173.28.5.0/24
You said you wanted to expose it to the other container. expose does not make it accessible to the host machine.
https://docs.docker.com/compose/compose-file/compose-file-v2/#expose
expose
Expose ports without publishing them to the host machine - they'll only be accessible to linked services. Only the internal port can be specified.
If you want the host machine to access it, try ports.
https://docs.docker.com/compose/compose-file/compose-file-v2/#ports
ports
Expose ports. Either specify both ports (HOST:CONTAINER), or just the container port (an ephemeral host port is chosen).
Note: When mapping ports in the HOST:CONTAINER format, you may experience erroneous results when using a container port lower than 60, because YAML parses numbers in the format xx:yy as a base-60 value. For this reason, we recommend always explicitly specifying your port mappings as strings.

    ports:
      - "3000"
      - "3000-3005"
      - "8000:8000"

I feel like you've chosen an intermediate project for your beginner docker quest.
I'm not trying to access it from the host machine, I'm trying to access it from the redash container.
I appreciate the help.
I just installed mysql in the container to see if I can connect like that and it's working, so the issue seems to be in redash.
Thanks for the help.
When everything is on one machine, you tell yourself to open 3304, and you tell yourself to connect to 3304, easy.
When you split the client, server, and tunnel to three separate machines (or containers), you have to know which 3304 connects to who and which open port refers to which container. I have a feeling you were opening the 3304 on the wrong machine somewhere in the chain.
Each machine has its own 127.0.0.1, and 127.0.0.1 cannot be connected to from OUTSIDE that machine.
Respectfully, I think you did not fully understand the autossh variables and where and how it opens ports and creates a tunnel.
Adding the container level of abstraction is a complicated maneuver. Some variables are wrong for autossh, you should not need to add mysql to the autossh container, they can be all separate.
Either way, I'm glad it's working. But to level yourself up more, it can be done with separate containers.
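The difference between the two forwards in this thread, as an added example that is not part of the original issue or of the jnovack/autossh project: it parses the `-L` specification of an ssh/autossh command line and reports where the listener binds, which decides whether another container can reach it. The function names are hypothetical; the two command strings are copied from the thread, and the default of binding to loopback assumes OpenSSH's `GatewayPorts no`.

```python
import shlex

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_forward(spec, gateway_ports=False):
    """Split an ssh -L spec of the form [bind:]port:host:hostport.

    Bracketed IPv6 and Unix-socket forms are not handled and raise ValueError.
    """
    parts = spec.split(":")
    if len(parts) == 3:
        # No bind address given: ssh listens on loopback unless GatewayPorts is on.
        bind = "*" if gateway_ports else "127.0.0.1"
        port, host, hostport = parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
        bind = bind or "*"  # an empty bind address also means all interfaces
    else:
        raise ValueError(f"unsupported forward spec: {spec!r}")
    return {
        "bind": bind,
        "listen_port": int(port),
        # The target is resolved by the SSH server, so 127.0.0.1 here
        # means the remote server, not the machine running ssh.
        "target": f"{host}:{hostport}",
        # A loopback listener only accepts connections from the same
        # machine or container that runs ssh.
        "reachable_from_other_containers": bind not in LOOPBACK,
    }

def local_forwards(command):
    """Return the parsed -L forwards found in an ssh/autossh command line."""
    argv = shlex.split(command)
    found = []
    for i, arg in enumerate(argv):
        if arg == "-L" and i + 1 < len(argv):
            found.append(parse_forward(argv[i + 1]))
        elif arg.startswith("-L") and len(arg) > 2:
            found.append(parse_forward(arg[2:]))
    return found

# Commands copied from the thread: the one run on the desktop and the one
# the container logged.
HOST_CMD = ("autossh -M 20017 -f -N -L 3304:127.0.0.1:3304 -p 22 "
            "-i /tunnel/key ssh-tunnel@000.000.000.000")
CONTAINER_CMD = ("autossh -M 0 -N -o StrictHostKeyChecking=no "
                 "-o ExitOnForwardFailure=yes -t -t "
                 "-L *:3304:127.0.0.1:3304 -p 22 ssh-tunnel@000.000.000.000")

if __name__ == "__main__":
    for cmd in (HOST_CMD, CONTAINER_CMD):
        print(local_forwards(cmd))
```

With the wildcard bind, a client in another container on the same Compose network connects to the autossh container's address on port 3304, not to its own 127.0.0.1. The same wildcard listener becomes reachable from outside the Docker host if the port is also published with `ports`, which `expose` avoids.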