How to make outgoing network connections to external hosts when running Boulder in Docker?


#1

The operating system my web server runs on is (include version):

Ubuntu 18.04 LTS

My hosting provider, if applicable, is:

Amazon AWS

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes.

I am running Boulder in Docker on an AWS instance.

I am able to make incoming network connections from external addresses. For example, from a different AWS instance, I can connect to Boulder and the OCSP Responder on the appropriate ports.

However, I am NOT able to make outgoing connections from Boulder to an external address, … in particular to an AWS RDS instance running MariaDB.

I am not a Docker expert, so I don’t know what changes are required.

Can anyone suggest how to allow processes running inside Docker to access external IP addresses?

Any help would be appreciated,

Thanks,
David Jones


#2

I think on most Linux platforms, Docker will use bridge networking and have forwarding enabled on the host. So whatever the Docker host can access, the container should be able to access as well: https://docs.docker.com/network/bridge/#enable-forwarding-from-docker-containers-to-the-outside-world

Can your Docker host communicate with the RDS instance?

Can your Docker container talk to the internet in general, e.g. ping 1.1.1.1?


#3

I haven’t yet tried the sysctl + iptables commands to enable IP Forwarding. I’ll try that Monday.

Yes, the AWS instance running Docker (and Boulder) can access the RDS instance, at least outside Docker.

I don’t think any network connections from inside the Docker container can reach external machines. That is what I am trying to enable.


#4

I think that should do the trick.

For reference, on Ubuntu 18.10 and using boulder master/bd4c25494

$ sysctl net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding = 1

$ sudo docker-compose up

$ sudo docker exec boulder_boulder_1 /bin/ping -c 1 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=54 time=21.4 ms

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 21.406/21.406/21.406/0.000 ms

#5

This doesn’t work for me, and I am puzzled why it worked for you. Any thoughts on why our experiences are different?

I used both the sysctl and iptables commands to enable IP Forwarding.

The ping command works inside the bhsm_1 container (in fact, it already worked before enabling IP Forwarding).

… but ping to an external address still does not work inside the boulder_1 container, with this error:

`ping: example.com: Temporary failure in name resolution`

One of the key differences between the bhsm_1 and boulder_1 containers is this section of the docker-compose.yml:

    # Use sd-test-srv as a backup to Docker's embedded DNS server
    # (https://docs.docker.com/config/containers/container-networking/#dns-services).
    # If there's a name Docker's DNS server doesn't know about, it will
    # forward the query to this IP (running sd-test-srv). We have
    # special logic there that will return multiple IP addresses for
    # service names.
    dns: 10.77.77.77

When I comment out the line with dns, I can ping an external address, but the Boulder components are no longer able to talk to each other.

Any other ideas?


#6

I think that’s totally normal. Boulder uses custom resolvers for its validation & registration components (e.g. test/config/{ra,va}.json -> dnsResolvers[]).

Does the ping -c 1 1.1.1.1 work … ?
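An added triage script, written for this page and not taken from the thread or from Boulder, that runs the checks discussed in #2, #4 and #5 and keeps the two failure modes apart: no route out of the container (host forwarding, bridge, firewall) versus a container that has a route but whose resolver cannot answer for external names (the `dns: 10.77.77.77` entry pointing at sd-test-srv). It assumes the container name `boulder_boulder_1` and `sudo docker exec` as in #4, that `ping` exists in the image, and uses `1.1.1.1` and `example.com` as probe targets like the posts above; set `RUN_TRIAGE=1` to run the live checks on the Docker host.

```shell
#!/bin/sh
# Added egress triage helper; not part of Boulder or of this thread.
# Assumptions: the compose-generated container is boulder_boulder_1 (as in #4),
# ping is present inside the image (as in #4), docker is driven via sudo.
CONTAINER="${CONTAINER:-boulder_boulder_1}"

# classify_ping_output TEXT: reduce ping's output to one word so that a
# resolver failure is never mistaken for a forwarding failure.
#   ok          -> a reply came back
#   dns         -> the name never resolved (resolver problem, routing untested)
#   route       -> kernel has no route to the target (bridge / forwarding)
#   unreachable -> routed, but nothing answered (FORWARD chain, security group)
classify_ping_output() {
    case "$1" in
        *"failure in name resolution"*|*"Name or service not known"*|*"bad address"*)
            echo dns ;;
        *"Network is unreachable"*)
            echo route ;;
        *"100% packet loss"*|*"Destination Host Unreachable"*)
            echo unreachable ;;
        *" 0% packet loss"*)
            echo ok ;;
        *)
            echo other ;;
    esac
}

# forwarding_enabled VALUE: true when the sysctl value read from the host is 1.
forwarding_enabled() {
    [ "$1" = 1 ]
}

# verdict FORWARDING IP_CLASS NAME_CLASS: first word is the diagnosis,
# the rest is what to look at next.
verdict() {
    fwd="$1"; ip="$2"; name="$3"
    if [ "$ip" != ok ]; then
        if ! forwarding_enabled "$fwd"; then
            echo "forwarding host has net.ipv4.conf.all.forwarding=0; enable it and permit the container subnet in the iptables FORWARD chain"
        else
            echo "$ip container cannot reach 1.1.1.1 by IP although the host forwards; check the docker bridge, the FORWARD chain and the instance security group"
        fi
    elif [ "$name" != ok ]; then
        echo "dns routing works and only name resolution fails; the container's resolver (the dns: entry in docker-compose.yml) does not answer for external names, so use an IP address or a resolver that forwards"
    else
        echo "ok container has IP egress and external name resolution"
    fi
}

# run_triage: gather the three inputs from a live host and print the verdict.
run_triage() {
    fwd=$(sysctl -n net.ipv4.conf.all.forwarding 2>/dev/null || echo unknown)
    ip_out=$(sudo docker exec "$CONTAINER" ping -c 1 -W 2 1.1.1.1 2>&1 || true)
    name_out=$(sudo docker exec "$CONTAINER" ping -c 1 -W 2 example.com 2>&1 || true)
    echo "host forwarding: $fwd"
    echo "resolv.conf inside $CONTAINER:"
    sudo docker exec "$CONTAINER" cat /etc/resolv.conf 2>/dev/null || true
    verdict "$fwd" "$(classify_ping_output "$ip_out")" "$(classify_ping_output "$name_out")"
}

# Only touch Docker when explicitly asked, so the functions can be sourced.
if [ "${RUN_TRIAGE:-0}" = 1 ]; then
    run_triage
fi
```

On the situation in #5 the script reports `dns`: the IP probe succeeds, the name probe fails, and the fix is on the resolver side (an IP for the RDS endpoint, or a resolver that forwards unknown names) rather than on sysctl or iptables.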


#7

duh! … Yes, using 1.1.1.1 works, but the domain name doesn’t.

This should be enough for me to externalize the database. I’ll just use the IP address.

Thanks!