Hi there. I’m new to Discourse and new to Docker.
I’ve got a Linode running Ubuntu 14.04 LTS. It functions as a basic webserver with Apache listening on port 80 and serving a handful of PHP+MySQL websites.
Unfortunately when I point my browser at subdomain.host.com:8080 it produces a “connection refused” error.
DNS isn’t an issue; subdomain.host.com:80 delivers Apache’s default webpage.
Installation and config
To install Docker then Discourse I followed the installation instructions on GitHub.
I edited the file `containers/app.yml` thusly so traffic incoming on host port 8080 is redirected to container port 80:

```
templates:
  - "templates/cron.template.yml"
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/sshd.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
  - "templates/web.socketed.template.yml"

## which TCP/IP ports should this container expose?
expose:
  - "8080:80"
  # Removed: - "2222:22" # fwd host port 2222 to container port 22 (ssh)
  # Removed: - "80:80" # fwd host port 80 to container port 80 (http)
```
`./launcher bootstrap app` or `./launcher rebuild app` plus `./launcher start app` complete without errors, and I confirm all looks okay with `docker ps` (trimmed):

```
root@www:/var/discourse# docker ps
CONTAINER ID   IMAGE                 COMMAND        ...   PORTS                  NAMES
ab********00   local_discourse/app   "/sbin/boot"   ...   0.0.0.0:8080->80/tcp   app
```
However, when I point Chrome at subdomain.host.com:8080 it gives me ERR_CONNECTION_REFUSED.
`telnet subdomain.host.com 8080` from my Windows desktop:

```
C:\dir\dir>telnet subdomain.host.com 8080
Connecting To subdomain.host.com...Could not open connection to the host, on port 8080: Connect failed
```
Discourse is failing to listen on port 80, but succeeds on port 22 after I re-enabled it in app.yml and rebuilt:

```
me@my-linode:/$ ./launcher enter app
root@www-app:/# apt-get-install telnet
...
root@www-app:/# telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
root@www-app:/# telnet localhost 22
Trying ::1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
^]
telnet>
```
In `docker logs app` there are a few warnings, and some port numbers that don’t look right to me:

```
Started runsvdir, PID is 29
ok: run: redis: (pid 41) 0s
41:M 30 Jun 12:16:57.444 * Redis 3.0.1 (00000000/0) 64 bit, standalone mode, port 6379, pid 41 ready to start.
41:M 30 Jun 12:16:57.445 # Server started, Redis version 3.0.1
41:M 30 Jun 12:16:57.445 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
41:M 30 Jun 12:16:57.446 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
ok: run: postgres: (pid 40) 0s
41:M 30 Jun 12:16:57.452 * DB loaded from disk: 0.006 seconds
41:M 30 Jun 12:16:57.453 * The server is now ready to accept connections on port 6379
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
rsyslogd: invalid or yet-unknown config file command 'KLogPermitNonKernelFacility' - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
rsyslogd: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]
rsyslogd: Could no open output pipe '/dev/xconsole': No such file or directory [try http://www.rsyslog.com/e/2039 ]
2015-06-30 12:16:57 UTC [61-1] LOG: database system was shut down at 2015-06-30 12:16:35 UTC
2015-06-30 12:16:57 UTC [40-1] LOG: database system is ready to accept connections
2015-06-30 12:16:57 UTC [65-1] LOG: autovacuum launcher started
supervisor pid: 43 unicorn pid: 67
41:M 30 Jun 12:21:58.015 * 10 changes in 300 seconds. Saving...
41:M 30 Jun 12:21:58.017 * Background saving started by pid 460
460:C 30 Jun 12:21:58.023 * DB saved on disk
460:C 30 Jun 12:21:58.024 * RDB: 0 MB of memory used by copy-on-write
41:M 30 Jun 12:21:58.117 * Background saving terminated with success
41:M 30 Jun 12:26:59.016 * 10 changes in 300 seconds. Saving...
41:M 30 Jun 12:26:59.018 * Background saving started by pid 786
786:C 30 Jun 12:26:59.026 * DB saved on disk
```
`/bin/ps`: Docker appears to be proxying host port 8080 to container port 80:

```
root@www:/var/discourse# ps ax | grep -i dock
10647 ? Sl 0:00 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8080 -container-ip 172.17.0.79 -container-port 80
```
I confess ignorance of iptables, but hunting through similar threads I’ve seen clues emerge from there, so here is output from `iptables -L`:

```
root@www:/var/discourse# iptables -L
Chain INPUT (policy ACCEPT)
target        prot opt source          destination
fail2ban-ssh  tcp  --  anywhere        anywhere       multiport dports ssh
ACCEPT        all  --  anywhere        anywhere
REJECT        all  --  anywhere        127.0.0.0/8    reject-with icmp-port-unreachable
ACCEPT        all  --  anywhere        anywhere       state RELATED,ESTABLISHED
ACCEPT        tcp  --  anywhere        anywhere       tcp dpt:http
ACCEPT        tcp  --  anywhere        anywhere       tcp dpt:https
ACCEPT        tcp  --  anywhere        anywhere       state NEW tcp dpt:ssh
ACCEPT        icmp --  anywhere        anywhere
ACCEPT        tcp  --  anywhere        anywhere       tcp dpt:3000
LOG           all  --  anywhere        anywhere       limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP          all  --  anywhere        anywhere

Chain FORWARD (policy ACCEPT)
target        prot opt source          destination
DOCKER        all  --  anywhere        anywhere
ACCEPT        all  --  anywhere        anywhere       ctstate RELATED,ESTABLISHED
ACCEPT        all  --  anywhere        anywhere
DROP          all  --  anywhere        anywhere
ACCEPT        all  --  anywhere        anywhere

Chain OUTPUT (policy ACCEPT)
target        prot opt source          destination
ACCEPT        all  --  anywhere        anywhere

Chain DOCKER (1 references)
target        prot opt source          destination
ACCEPT        tcp  --  anywhere        172.17.0.79    tcp dpt:http

Chain fail2ban-ssh (1 references)
target        prot opt source          destination
REJECT        all  --  220.127.116.11  anywhere       reject-with icmp-port-unreachable
REJECT        all  --  18.104.22.168   anywhere       reject-with icmp-port-unreachable
RETURN        all  --  anywhere        anywhere
```
…and `iptables -L -t nat`:

```
root@www:/var/discourse# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target      prot opt source         destination
DOCKER      all  --  anywhere       anywhere       ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target      prot opt source         destination

Chain OUTPUT (policy ACCEPT)
target      prot opt source         destination
DOCKER      all  --  anywhere       !127.0.0.0/8   ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target      prot opt source         destination
MASQUERADE  all  --  172.17.0.0/16  anywhere
MASQUERADE  tcp  --  172.17.0.79    172.17.0.79    tcp dpt:http

Chain DOCKER (2 references)
target      prot opt source         destination
DNAT        tcp  --  anywhere       anywhere       tcp dpt:http-alt to:172.17.0.79:80
```
Should I really be running Nginx or HAProxy as suggested in other threads? I have a feeling this should be working without that sort of thing.
Many thanks in advance.
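
An added example, not part of the original post: the post's two telnet checks (the published port from outside, port 80 from inside the container) written as a small Python triage that separates an active refusal from silently dropped packets. The names `probe` and `triage` and the result labels are hypothetical; it assumes a DROP rule shows up to the client as a timeout while a closed port or REJECT rule shows up as a refusal.

```python
import errno
import socket


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt: 'open', 'refused', 'timeout' or 'error:<name>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Something answered with RST or an ICMP port-unreachable (REJECT).
        return "refused"
    except socket.timeout:
        # Nothing answered at all: typical of a DROP rule or an upstream filter.
        return "timeout"
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def triage(outside, inside):
    """Locate the failing layer from two probe results.

    outside: probe of host:published_port, run from a remote machine.
    inside:  probe of 127.0.0.1:container_port, run inside the container.
    """
    if outside == "open":
        return "reachable"
    if outside == "timeout":
        # Packets vanish before any endpoint can answer.
        return "host-filter-drop"
    if outside == "refused" and inside == "refused":
        # Nothing accepts TCP on the container port, so the mapping has no
        # listener to deliver to; firewall rules are not the first suspect.
        return "container-listener"
    if outside == "refused" and inside == "open":
        # The service is up, so the refusal is generated on the host side.
        return "host-reject-or-unpublished"
    return "inconclusive"


if __name__ == "__main__":
    # Results reported in the post: refused from outside on 8080,
    # refused inside the container on port 80.
    print(triage("refused", "refused"))
```
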