Ubuntu – Exposed Docker port is listening but closed on Ubuntu 14.04


I have a reasonably fresh install of Ubuntu 14.04 and I have installed Docker. I have done a few things to resolve this issue already, so first let me show you some of the config.

First, I have disabled IPv6. I have also made a number of changes to the Docker Opts command:

-H tcp://intnode1:2376
-H unix:///var/run/docker.sock
--storage-driver aufs
--tlscacert /etc/certs/ca.pem
--tlscert /etc/certs/cert.pem
--tlskey /etc/certs/key.pem

As you can see I have specified an IP for docker to listen on.

Now, I am trying to run a swarm manager on port 3376. Here is the command I use to start the swarm manager.

sudo docker run -d -p 3376:3376 -v /etc/certs:/certs:ro --name=SwarmManager --restart=always swarm:1.1.0 manage --replication --advertise --tlsverify --tlscacert=/certs/ca.pem --tlscert=/certs/cert.pem --tlskey=/certs/key.pem --discovery-opt kv.cacertfile=/certs/ca.pem --discovery-opt kv.certfile=/certs/cert.pem --discovery-opt kv.keyfile=/certs/key.pem --host= nodes://192.168.120.[11:20]:2376

I have not specified the host portion of the -p argument (though I have tried working with that), and the --host flag is set to listen on all IPs.

Here is the output of netstat:

administrator@IntNode1:~$ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:4524                  *:*                     LISTEN
tcp        0      0     *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0     *:*                     LISTEN
tcp        0      0 *:4523                  *:*                     LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     313807   /var/run/docker.sock
unix  2      [ ACC ]     STREAM     LISTENING     313813   /var/run/docker/libcontainerd/docker-containerd.sock
unix  2      [ ACC ]     STREAM     LISTENING     10415    /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     8473     @/com/ubuntu/upstart
unix  2      [ ACC ]     STREAM     LISTENING     9757     /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     312956   /var/lib/docker/network/files/fa183e7b40f875024aba092e3c47cfa9c8d58fb6f58399aca747b1b84750d74b.sock
unix  2      [ ACC ]     SEQPACKET  LISTENING     9680     /run/udev/control

So port 3376 is listening on the correct IP, but now if I run nmap to check that the port is open I see this:

administrator@IntNode1:~$ nmap -p 3376

Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-23 13:12 BST
Nmap scan report for
Host is up (0.000086s latency).
3376/tcp closed cdbroker

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

I can't work out what is going on. ufw status is inactive. Docker is version 1.11.2, build b9f10c9.

I don't know much about iptables, but here is the output if it helps:

administrator@IntNode1:~$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere            tcp dpt:3376

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

I'm really stuck with this now. What am I missing?

Best Answer

So it turns out the service in the container was failing, and that is why I could not connect to the port, despite the host saying it was listening.
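Added example, not part of the question or the answer above: the lesson here is that a LISTEN entry in netstat (held by docker-proxy or a DNAT rule in the DOCKER chain) only proves that Docker has claimed the port, not that the process inside the container is alive. The script below probes a port the way a client experiences it and tells apart a genuinely closed port, a filtered one, a healthy service, and a listener that accepts and then immediately drops the connection, which is what a published port looks like once the container behind it has died. The listeners it starts on 127.0.0.1 are constructed stand-ins for those situations; on a real host you would point probe_port at the published port and pair it with `docker ps -a` and `docker logs SwarmManager` to confirm the container state.

```python
import queue
import socket
import threading


def probe_port(host, port, timeout=1.0):
    """Classify a TCP port from the client's side, not from netstat's.

    Returns one of: 'refused', 'filtered', 'unreachable', 'open',
    'open-silent', 'accepted-then-closed', 'accepted-then-reset'.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "refused"        # RST: nothing answers, or NAT points at a dead target
        except socket.timeout:
            return "filtered"       # SYN silently dropped, typically a firewall
        except OSError:
            return "unreachable"    # routing or host error
        try:
            data = sock.recv(64)    # wait briefly for a banner or an EOF
        except socket.timeout:
            return "open-silent"    # connected and stays up, service expects us to talk first
        except ConnectionResetError:
            return "accepted-then-reset"
        # EOF right after accept: the listener is up but has nothing behind it
        return "open" if data else "accepted-then-closed"
    finally:
        sock.close()


def start_listener(behaviour):
    """Start a throwaway loopback listener imitating one kind of backend.

    behaviour: 'banner' -> healthy service that greets the client
               'silent' -> healthy service that waits for the client to speak
               'dead'   -> accepts then closes at once, like a proxy whose
                           container has crashed (constructed scenario)
    Returns (port, stop_event).
    """
    ready, stop = queue.Queue(), threading.Event()

    def serve():
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free one
        srv.listen(5)
        srv.settimeout(0.1)             # poll so the stop event is honoured
        ready.put(srv.getsockname()[1])
        held = []
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            if behaviour == "banner":
                conn.sendall(b"220 service ready\r\n")
                held.append(conn)
            elif behaviour == "silent":
                held.append(conn)       # keep the connection open, say nothing
            else:
                conn.close()            # 'dead': accept, then drop immediately
        for conn in held:
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return ready.get(timeout=2), stop


def free_port():
    """Pick a loopback port nothing listens on, to show a truly closed port."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def demo():
    """Probe the four local scenarios and return {scenario: classification}."""
    results = {"closed": probe_port("127.0.0.1", free_port())}
    for name in ("banner", "silent", "dead"):
        port, stop = start_listener(name)
        try:
            results[name] = probe_port("127.0.0.1", port, timeout=0.5)
        finally:
            stop.set()
    return results


if __name__ == "__main__":
    for scenario, state in demo().items():
        print(f"{scenario:8s} -> {state}")
```

In the question's situation the host shows the port as listening and the iptables DOCKER chain accepts traffic to it, yet a client gets either an immediate RST (reported by nmap as "closed") or an accept followed by an instant EOF, depending on whether the userland proxy is in the path. Either result should send you to `docker ps -a` and `docker logs` before you spend more time on ufw or iptables.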