Showing posts with label networking. Show all posts

Monday, June 18, 2018

Investigating Docker connectivity issue


I am trying to reach host-x.com from a docker container running on macOS but it fails:

$ docker run ubuntu:latest \
    /bin/bash -c \
    'apt-get update &&
     apt-get -y install netcat &&
     nc -v -z -w 3 host-x.com 443 &> /dev/null && echo "Online" || echo "Offline"'
Offline

It works fine when:

  • I run a docker container on another machine:

    Online
  • I run it on my Mac, outside of a docker container:

    nc -v -z -w 3 host-x.com 443 &> /dev/null && echo "Online" || echo "Offline"
    Online
  • I run it on my Mac from a docker container, for other target hosts:

    $ docker run ubuntu:latest \
        /bin/bash -c \
        'apt-get update &&
         apt-get -y install netcat &&
         nc -v -z -w 3 www.google.com 443 &> /dev/null && echo "Online" || echo "Offline"'
    Online

UPDATE #1

  1. As suggested, I logged in to the container and checked DNS. The host name is correctly resolved:

    root@55add56ecc11:/# ping host-x.com
    PING s1-host-x.com (172.22.187.101) 56(84) bytes of data.
  2. However, ping packets are not delivered. I thought this could be caused by a conflict between the IP range of the internal docker network and the corporate network (172.17.X.X). I tried to fix the docker bridge IP address in my daemon configuration and re-check the connectivity, but it didn't help:

    "bip" : "10.10.10.1/8"
  3. I checked with 3 other persons in my company (4 in total including me). 50% have access to this host (Online), 50% don't (Offline).

  4. I tried what @mko suggested, using netcat in interactive mode inside the container. Still a timeout.

    root@37c61acc5aa5:/# nc -v -z -w 3 host-x.com 443
    s1-host-x.com [172.22.187.101] 443 (?) : Connection timed out
  5. I tried tracing the route but with no success:

    traceroute -m 10 -w 1 host-x.com
    traceroute to host-x.com (172.22.187.101), 10 hops max, 60 byte packets
     1  10.10.10.1 (10.10.10.1)  0.444 ms  0.388 ms  0.364 ms
     2  * * *
     3  * * *
     4  * * *
     5  * * *
     6  * * *
     7  * * *
     8  * * *
     9  * * *
    10  * * *

How can I investigate that?

0 Answers


Monday, May 21, 2018

Routing in container not working properly


Pinging a system in the internet works:

root@553c9e5ce5ea:/# ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=9.61 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 9.619/9.619/9.619/0.000 ms

Pinging a system in the internal (corporate) network does not work:

root@553c9e5ce5ea:/# ping -c 1 10.97.179.110
PING 10.97.179.110 (10.97.179.110) 56(84) bytes of data.

--- 10.97.179.110 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

The routing in the container is straightforward:

root@553c9e5ce5ea:/# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG    0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0

Pinging the same system from the docker host is working fine:

host » ping -c 1 10.97.179.110
PING 10.97.179.110 (10.97.179.110) 56(84) bytes of data.
64 bytes from 10.97.179.110: icmp_seq=1 ttl=60 time=4.70 ms

--- 10.97.179.110 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.703/4.703/4.703/0.000 ms

The system is reachable via a VPN interface on the docker host:

host » route -n | grep '^10\.'
10.0.0.0        0.0.0.0         255.248.0.0     U     0      0        0 tunsnx
10.8.0.0        0.0.0.0         255.252.0.0     U     0      0        0 tunsnx
10.12.0.0       0.0.0.0         255.254.0.0     U     0      0        0 tunsnx
10.14.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tunsnx
10.15.0.0       0.0.0.0         255.255.240.0   U     0      0        0 tunsnx
10.15.20.0      0.0.0.0         255.255.252.0   U     0      0        0 tunsnx
10.15.24.0      0.0.0.0         255.255.248.0   U     0      0        0 tunsnx
10.15.32.0      0.0.0.0         255.255.224.0   U     0      0        0 tunsnx
10.15.64.0      0.0.0.0         255.255.192.0   U     0      0        0 tunsnx
10.15.113.108   0.0.0.0         255.255.255.255 UH    0      0        0 tunsnx
10.15.128.0     0.0.0.0         255.255.128.0   U     0      0        0 tunsnx
10.16.0.0       0.0.0.0         255.240.0.0     U     0      0        0 tunsnx
10.32.0.0       0.0.0.0         255.224.0.0     U     0      0        0 tunsnx
10.64.0.0       0.0.0.0         255.192.0.0     U     0      0        0 tunsnx
10.128.0.0      0.0.0.0         255.128.0.0     U     0      0        0 tunsnx

Why is the host not properly routing the traffic coming from the docker container?

EDIT

I have been checking the iptables counters, and this is what I see after ping -c 100 (a host on the VPN):

» sudo iptables -x -v --line-numbers -L FORWARD | head
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         100     8400 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere
2           0        0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3           0        0 DOCKER     all  --  any    docker0  anywhere             anywhere
4         100     8400 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
5           0        0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
6           0        0 ACCEPT     all  --  any    br-ad32be160e27  anywhere             anywhere             ctstate RELATED,ESTABLISHED
7           0        0 DOCKER     all  --  any    br-ad32be160e27  anywhere             anywhere
8           0        0 ACCEPT     all  --  br-ad32be160e27 !br-ad32be160e27  anywhere             anywhere

Pinging a host on the internet (8.8.8.8) gives this:

» sudo iptables -x -v --line-numbers -L FORWARD | head
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         200    16800 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere
2         100     8400 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3           0        0 DOCKER     all  --  any    docker0  anywhere             anywhere
4         100     8400 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
5           0        0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
6           0        0 ACCEPT     all  --  any    br-ad32be160e27  anywhere             anywhere             ctstate RELATED,ESTABLISHED
7           0        0 DOCKER     all  --  any    br-ad32be160e27  anywhere             anywhere
8           0        0 ACCEPT     all  --  br-ad32be160e27 !br-ad32be160e27  anywhere             anywhere

0 Answers


Thursday, March 8, 2018

WinAPI: How to determine when a network is identifying?


When I connect some devices via ethernet I can see the adapter status in the Network Connections panel change to "Identifying Network". I want to query for this status using the C++ Windows API.

I'm implementing somewhat of a dynamic ipconfig /all listing in my project. When a network on a network interface is identifying I'll want to display "Identifying Network".

I'm aware of the INetwork interface, but annoyingly it is only accessible through COM. Is there another way? Maybe from the information about the network interface itself?

1 Answers

Answers 1

How does INetwork know?

If you would search for the relevant property bag key L"NA_NetworkClass" in system files and you would have some reverse engineering skills and a bit of luck, you could find that the relevant implementation of the INetwork interface apparently lies in C:\Windows\System32\netprofmsvc.dll.

The code implementing IPropertyBag::Read() for NA_NetworkClass seems to determine the state by looking at some other GUID property of the network. Apparently, both the unidentified and identifying states are signaled by one of two hardcoded values there, while any other value means the connection is fully identified.

So far so good. If you could determine this GUID by some other means (e.g. through some "vanilla" Win32 API that you would be comfortable with) and compare it yourself, you should be able to determine the identification state as well. But here comes the catch: the exact GUID values for unidentified and identifying are dynamically generated at a different place in netprofmsvc.dll, so they will be different every time!

At this point you should stop trying. This is one of the techniques that can be deliberately used by OS authors to tell you that messing with system internals in this way is discouraged, error-prone and dangerous.

So just use the intended interface as everybody else. Come on, compared to some of the other horrible things out there, COM is not bad at all!

How was this done before Windows Vista?

The answer is it wasn't done at all.

The GUID I wrote about above actually happens to be a "network profile GUID", calculated from many network parameters like domain authentication state, gateway's MAC address etc., and later associated with one of the access profiles like Domain/Work/Home/Public.

All this got introduced only in Vista, together with the whole new "Network and Sharing Center" and other improvements in firewall and network management. See this document "Exploring The Windows Firewall" from 2007 and search for a chapter called "Network Profiles" for more information.

Are there any alternative solutions?

If you insist on avoiding INetwork, you might never be able to match the Windows network identification state 100%.

As explained in the article above, the Network Location Awareness (NLA) service apparently goes through a lot of work to reliably identify the network, considering many other parameters than just assigned IP addresses or enabled protocols. Replicating all that yourself (to determine when you know everything necessary to say a network is identified) would be challenging, especially because the exact details of the process are undocumented.

That said, checking for a valid received DHCP configuration (valid host and gateway IP addresses) might be a good enough approximation in most cases. Good luck!


Monday, February 5, 2018

Can't send object via Object Output Stream from one http handler to another


So, in my app, I send the request from an http server handler to another server. The thing is, the second server is stuck on reading the object. I was trying to figure it out myself but I can't see the problem. All streams are closed; maybe the response to the client is in the wrong place? I have no idea why that is.

This is my client:

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.ObjectOutputStream;
import java.lang.management.ManagementFactory;
import java.lang.management.RuntimeMXBean;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Random;

public class ClientSimulator {

    private Random random;
    private static int clientCounter = 1;

    public static void main(String[] args) throws Exception {
        new ClientSimulator();
        new ClientSimulator();
        new ClientSimulator();
    }

    private ClientSimulator() {
        this.random = new Random();
        RuntimeMXBean rmb = ManagementFactory.getRuntimeMXBean();
        long arrivalTime = rmb.getUptime();

        System.out.println("thread no. " + clientCounter++ + " arrival time: " + arrivalTime);
        try {
            String myurl = "http://localhost:8080/sender";
            String serverResponse = createClient(myurl);
            System.out.println(serverResponse);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private String createClient(String myurl) throws Exception {
        URL url;
        BufferedReader reader = null;
        StringBuilder stringBuilder;

        try {
            // Standard HTTP connection (the posted code used an undefined
            // 'schedulerUrl' here; the method parameter is what is meant)
            url = new URL(myurl);
            HttpURLConnection connection = (HttpURLConnection) url.openConnection();
            connection.setDoInput(true);
            connection.setDoOutput(true);

            // five random ints in 1..9 to be sorted by the servers
            int[] arr = {
                    random.nextInt(10 - 1) + 1,
                    random.nextInt(10 - 1) + 1,
                    random.nextInt(10 - 1) + 1,
                    random.nextInt(10 - 1) + 1,
                    random.nextInt(10 - 1) + 1,
            };
            Task t = new Task(arr);

            // serialize the Task into the request body
            ObjectOutputStream oos = new ObjectOutputStream(connection.getOutputStream());
            oos.writeObject(t);
            oos.close();

            // read the output from the server
            reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
            stringBuilder = new StringBuilder();
            // print the response
            String line = reader.readLine();
            stringBuilder.append(line);

            return stringBuilder.toString();
        } catch (Exception e) {
            e.printStackTrace();
            throw e;
        } finally {
            if (reader != null) {
                try {
                    reader.close();
                } catch (IOException ioe) {
                    ioe.printStackTrace();
                }
            }
        }
    }

    private boolean getRandBool() {
        return this.random.nextBoolean();
    }
}

This is how I send the request from the main server to another server:

// Handler on the main server. The fields deadline, isHard, clientCounter and
// fogServ1URL are declared elsewhere in the enclosing class and not shown here.
@Override
public void handle(HttpExchange httpExchange) throws IOException {

    String template = "\nClient no. %s connected!";

    // Getting task
    Task t;
    ObjectInputStream ois = new ObjectInputStream(httpExchange.getRequestBody());
    try {
        System.out.print("Recieved object:");
        t = (Task) ois.readObject();
        t.setDeadline(deadline);
        t.setHard(isHard);
        System.out.print(" not sorted array: ");
        int[] arr = (int[]) t.getData();
        for (int anArr : arr) {
            System.out.print(anArr + " ");
        }
        ois.close();
        String response = "response for client no. " + clientCounter;
        httpExchange.sendResponseHeaders(200, response.length());
        OutputStream os = httpExchange.getResponseBody();
        os.write(response.getBytes());
        os.close();
        clientCounter++;

        HttpURLConnection test = (HttpURLConnection) new URL(fogServ1URL).openConnection();
        test.setDoOutput(true);
        System.out.println("test__1");
        ObjectOutputStream stream = new ObjectOutputStream(test.getOutputStream());
        stream.flush();
        System.out.println("test__2");
        stream.writeObject(t);
        System.out.println("test__3");
        stream.close();
        System.out.println("test__4");
        test.getResponseCode();
        System.out.println("test__5"); // this doesn't print
    } catch (ClassNotFoundException e) {
        e.printStackTrace();
    }
}
} // end of the enclosing handler class

This is the handler from the second server:

import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.OutputStream;

class RootHandler implements HttpHandler {
    private static int clientCounter = 1;

    @Override
    public void handle(HttpExchange exchange) throws IOException {
        System.out.println("\nRoot handler; \n\tclient no. " + clientCounter++);

        Task t;
        ObjectInputStream ois = new ObjectInputStream(exchange.getRequestBody());
        try {
            System.out.println("Recieved object:"); // only this is on the console
            t = (Task) ois.readObject();
            ois.close();
            System.out.println("Array not sorted:");
            int[] arr = (int[]) t.getData();
            for (int anArr : arr) {
                System.out.print(anArr + " ");
            }
            TaskSolver.solve(t);
            System.out.println("\nArray sorted!");
            for (int anArr : (int[]) t.getData()) {
                System.out.print(anArr + " ");
            }
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }

        String response = "Server up!";
        exchange.sendResponseHeaders(200, response.getBytes().length);
        OutputStream os = exchange.getResponseBody();
        os.write(response.getBytes());
        os.close();
    }
}

I don't get it, because I send the Task from the client to the main server in the same way and it's working. I just can't read the output in the next servers. What am I doing wrong?

Btw, if someone is curious why I'm sending the same object to another server: I plan to create more servers, and the main server will be sending requests to them depending on type/contained headers.

2 Answers

Answers 1

In the second server, while reading the object, some IOException occurred, and since the IOException in the handle method of the RootHandler class is passed to the invoking method instead of being handled, an error like an Internal Server Error response status is sent to the client (the first server).

Since there is an exception in the second server, test.getResponseCode() throws an IOException, and since it is not handled in the first server's handle method,

System.out.println("test__5");

is not invoked.

If you want to know what is happening, catch IOException in the handle method of both servers and print the stack trace.

Answers 2

Try following the sequence below in your first server:

  1. Receive object by reading the InputStream
  2. Connect with the second server.
  3. Send object by writing on OutputStream of second server.
  4. Get the response from second server
  5. Send response to client by writing on OutputStream of first server.

The reason behind the current behavior is related to the closing of the Exchange. As per the documentation:

Exchanges are terminated when both the request InputStream and response OutputStream are closed.

Currently, in your first server code, you are writing the response to the OutputStream and then closing it. After that, your first server starts communicating with the second server.

When the first server sends a request to the second server and waits for the response, at that time the underlying HttpExchange gets closed, and thus the connection and associated thread are released. By this time, the second server hasn't read the request.

In this situation, some IOException must occur in the second server to indicate the error, or the second server will keep waiting to read the InputStream and eventually time out.

Closing of the Exchange and releasing of the associated thread is not an immediate step after closing the OutputStream, but it can terminate at any time, and subsequent code lines are not guaranteed to be executed. In your case, the connection terminated while waiting for the response from the second server, but it can terminate before that as well.
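The five-step ordering from this answer, written out as a complete first-server handler. This is an added example, not the asker's code: the Task class here is a constructed stand-in for the one in the question, the second server URL is assumed, and a deserialization filter is added so that the request body can only ever produce a Task (plus its primitive array), since readObject() on an unfiltered stream accepts any serializable class on the classpath.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;

// Constructed stand-in for the question's Task class (only the data array is kept).
class Task implements Serializable {
    private static final long serialVersionUID = 1L;
    private final int[] data;
    Task(int[] data) { this.data = data; }
    int[] getData() { return data; }
}

/** First-server handler: read, forward, wait for the reply, then answer the client. */
class ForwardingHandler implements HttpHandler {
    private final String secondServerUrl; // assumed, e.g. http://localhost:8081/root

    ForwardingHandler(String secondServerUrl) { this.secondServerUrl = secondServerUrl; }

    // Allow only Task and primitive arrays (int[]) to be deserialized; reject all else.
    private static final ObjectInputFilter TASK_ONLY = info -> {
        Class<?> c = info.serialClass();
        if (c == null || c == Task.class
                || (c.isArray() && c.getComponentType().isPrimitive())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;
    };

    @Override
    public void handle(HttpExchange exchange) throws IOException {
        int status = 200;
        String body;
        try {
            // 1. Read the Task from the request body; the exchange stays open
            //    because the response OutputStream has not been touched yet.
            Task t;
            try (ObjectInputStream ois = new ObjectInputStream(exchange.getRequestBody())) {
                ois.setObjectInputFilter(TASK_ONLY);
                t = (Task) ois.readObject();
            }
            // 2. + 3. Connect to the second server and write the object.
            HttpURLConnection conn =
                    (HttpURLConnection) new URL(secondServerUrl).openConnection();
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            try (ObjectOutputStream oos = new ObjectOutputStream(conn.getOutputStream())) {
                oos.writeObject(t);
            }
            // 4. Block for the second server's reply before writing our own response.
            int code = conn.getResponseCode();
            try (InputStream in = code < 400 ? conn.getInputStream() : conn.getErrorStream()) {
                if (in != null) in.readAllBytes(); // drain so the connection can be reused
            }
            body = "forwarded " + t.getData().length + " ints; second server replied " + code;
        } catch (ClassNotFoundException | ClassCastException e) {
            status = 400; // body was not a Task, or was rejected by the filter
            body = "bad request body: " + e;
        } catch (IOException e) {
            status = 502; // report the forwarding failure instead of dropping the client
            body = "second server unreachable: " + e;
        }
        // 5. Only now write the client's response; closing it terminates the exchange.
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        exchange.sendResponseHeaders(status, bytes.length);
        try (OutputStream os = exchange.getResponseBody()) {
            os.write(bytes);
        }
    }
}

public class Forwarder {
    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0);
        // /sender matches the URL the ClientSimulator in the question posts to
        server.createContext("/sender", new ForwardingHandler("http://localhost:8081/root"));
        server.start();
    }
}
```

The second server's RootHandler from the question can stay as it is; with this ordering it receives the object while the first exchange is still open.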


Monday, June 5, 2017

Espressif Wifi not connecting or showing AP


First of all, I won't go into details, because there are a lot of them and I don't want to write (too long) an essay. There is a TL;DR section at the end, because I have a specific question, but maybe some additional info can help.

I have a device that is made of a GRU (glass room unit) and espressif (esp8266).

GRU and esp8266 communicate via serial, with GRU as master. GRU is programmed with an internal tool, and I can monitor everything on it, including the info it gets from esp8266. There is a test/development device, that has espressif on top of the GRU, so I can easily take it off, reprogram/reconfigure it, and put it on.

Espressif is inside of a GRU, and downloading stuff to flash is a real pain. There is a whole process including an OS switch (from Win7 to Linux and back). Console output on espressif cannot be done, or at least not in the time frame I have.

For esp8266 I use non-os SDK V2.0.0_16_08_10.

Espressif can be configured by downloading a configuration to flash, or via UDP (over a network if connected, over its AP if it's not connected).

Algorithm for Wifi:

  1. Try to connect to a network from configuration
  2. If it succeeds, raise a flag for that
  3. If it fails, enter dual (STATION+AP) mode and raise a flag for that

The reason espressif is not always in dual mode is that it affects multi-cast operations.

Configuration over the network is done by a Java application I wrote.

Scenario 1

I've configured a wifi router, and configured all (x19) of the devices (espressif in the devices, that is) to connect to its network. When I turned them on, they would connect one by one. The ones that didn't entered dual mode and could be configured via the app.

All well.

Scenario 2

I wanted to test the system in the real world, so I reconfigured them to connect to our firm's network. Additionally, since I was already going through the whole process, I downloaded the latest firmware to flash.

I expected that they would connect or enter dual mode and create their own APs. But they did not.

I tested then the code and configuration on espressif whose console output I could monitor, and everything worked.

I tested then the code and configuration on the test device, and it worked again.

I've then redownloaded the code and configuration to one device, and it didn't work.

TL;DR I have two devices, espressif on a GRU and espressif inside of a GRU. Both connected to one network. Esp on a GRU works for the other network, Esp inside of a GRU doesn't work for that other network. They have identical code and configuration, so it shouldn't be a software issue.

Does having espressif inside of a device jam its signal enough that it can't go through? The device is not big (5x5x2cm).

UPDATE 1: While I was writing, the espressif inside of a GRU managed to connect to the network. I then restarted it so I could check that it can do it again, and it can't connect again. It took me about 10 minutes to write the whole question.

1 Answers

Answers 1

There are two things that seem to have caused the problem.

When I removed gpio_init(), network stuff became faster, much much faster. Everything on it, connecting to AP, creating AP etc...

I've changed my config and wifi code, so that it now stores the ap and station config to flash via API.

I only check if its internal config is the same as mine from flash. If it isn't, it saves it. Now, I only control the current opmode.


Saturday, June 3, 2017

Alamofire: cache large files downloaded to the Documents folder


I use this piece of code to download MP3 files to the documents directory:

let destination = DownloadRequest.suggestedDownloadDestination(for: .documentDirectory)
Alamofire.download(theUrl!, to: destination).response { response in
    // stuff
}.downloadProgress { progress in
    // Stuff
}

The file downloads fine, but if I close the app and start it again, the download restarts from 0. What I want is for the file to be cached and fetched immediately. My understanding of Alamofire is that the file is downloaded to a temporary folder and then moved to the Documents folder; is this what causes the cache to not happen?

Thanks a lot

1 Answers

Answers 1

Please check the following references in order:
1. https://github.com/Alamofire/Alamofire/issues/1104
2. https://github.com/Alamofire/Alamofire#resuming-a-download
3. https://stackoverflow.com/a/39347461/3549695

In summary:
You need to use the request.cancel() API to generate the resumeData before your app exits.
Then you use the resume API with the resumeData to resume the request when the app restarts.
There is no guarantee that it will always work. If it fails then it will still restart from 0.

There was a mention of an issue with iOS 10 in reference (2) above that prevents this from working properly. But the update on StackOverflow (ref. 3) has a report that it has been fixed in iOS 10.2.


Wednesday, February 15, 2017

Linux tap interface not forwarding ip fragmentations


I have 4 tap interfaces; tap0 and tap1 are connected, and so are tap2 and tap3:

vde_switch -d -tap tap0 -tap tap1
vde_switch -d -tap tap2 -tap tap3 --sock /run/vde.ctl/ctl2

I then assigned IPs for tap1 and tap2:

ip addr add 1.1.1.1/24 dev tap1
ip addr add 1.2.1.1/24 dev tap2

From a raw socket application, I sent a UDP packet from tap0 with source IP 1.1.1.3 and destination IP 1.2.1.3, and it arrived at tap3 (according to wireshark).

The problem is, if I send a fragmented IP/UDP packet, Linux doesn't forward it to tap3.

I checked the fragmented IP packet (first fragment); its checksum and destination MAC address are all right. The funny thing is, if I clear the "more fragments" bit in the IP header (the IP checksum changes accordingly), then it gets forwarded.

By the way, I am using Linux 3.19.0-65 on a 64-bit laptop.

Any idea why? Thanks a lot!

EDIT1

Here is the output of ip route list:

default via 10.0.0.1 dev wlan0  proto static
1.1.1.0/24 dev tap1  proto kernel  scope link  src 1.1.1.1
1.2.1.0/24 dev tap2  proto kernel  scope link  src 1.2.1.1
10.0.0.0/24 dev wlan0  proto kernel  scope link  src 10.0.0.3  metric 9
172.16.83.0/24 dev vmnet1  proto kernel  scope link  src 172.16.83.1
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1
192.168.181.0/24 dev vmnet8  proto kernel  scope link  src 192.168.181.1

Edit2

Here is the link to the pcap of the IP fragment packet, captured on tap0 interface.

0 Answers


Friday, February 10, 2017

docker-compose network creation kicks me out of ssh


I need help understanding my networking logs due to docker-compose networking.

I'm ssh'd into a VM, and I have two projects with docker-compose. The first is launched simply with docker-compose up. When I try to launch the second, my ssh session freezes, and I can no longer ssh into the VM. After lots of trial and error, and after reading this I tried to append to my 2nd project's docker-compose.yml file the following:

networks:
  default:
    external:
      name: ffamfe_default

where ffamfe_default is the name of the network created by docker-compose up of the 1st project. With this, the docker-compose up on the 2nd project doesn't kick me out of the ssh session.

I tailed the logs in /var/log/*.log, and here's the output with the networks section in the docker-compose.yml file (without the timestamp prefix: Jan 19 09:13:42 hostname kernel: [420096.305357]):

aufs au_opts_verify:1597:dockerd[13813]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth6a84537 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth6a84537: link is not ready
eth0: renamed from veth2480623
IPv6: ADDRCONF(NETDEV_CHANGE): veth6a84537: link becomes ready
br-fe0deb0149df: port 18(veth6a84537) entered forwarding state
br-fe0deb0149df: port 18(veth6a84537) entered forwarding state
aufs au_opts_verify:1597:dockerd[25317]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth1a3c1e3 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth1a3c1e3: link is not ready
br-fe0deb0149df: port 22(veth1a3c1e3) entered forwarding state
br-fe0deb0149df: port 22(veth1a3c1e3) entered forwarding state
eth0: renamed from veth54e576d
IPv6: ADDRCONF(NETDEV_CHANGE): veth1a3c1e3: link becomes ready
br-fe0deb0149df: port 22(veth1a3c1e3) entered disabled state
veth54e576d: renamed from eth0
br-fe0deb0149df: port 22(veth1a3c1e3) entered disabled state
device veth1a3c1e3 left promiscuous mode
br-fe0deb0149df: port 22(veth1a3c1e3) entered disabled state
br-fe0deb0149df: port 18(veth6a84537) entered forwarding state

and here's the output without the networks section (i.e. when I get kicked out of the ssh session):

IPv6: ADDRCONF(NETDEV_UP): br-55349b03453a: link is not ready
aufs au_opts_verify:1597:dockerd[26982]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[26982]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[3051]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth7a1bcde entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth7a1bcde: link is not ready
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered disabled state
eth0: renamed from veth5d8a2ea
IPv6: ADDRCONF(NETDEV_CHANGE): veth7a1bcde: link becomes ready
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): br-55349b03453a: link becomes ready
aufs au_opts_verify:1597:dockerd[13814]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[13814]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[13922]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth3253bd4 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth3253bd4: link is not ready
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered disabled state
eth0: renamed from veth9c8aaa3
IPv6: ADDRCONF(NETDEV_CHANGE): veth3253bd4: link becomes ready
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered disabled state
veth9c8aaa3: renamed from eth0
br-55349b03453a: port 2(veth3253bd4) entered disabled state
device veth3253bd4 left promiscuous mode
br-55349b03453a: port 2(veth3253bd4) entered disabled state
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered disabled state
veth5d8a2ea: renamed from eth0
br-55349b03453a: port 1(veth7a1bcde) entered disabled state
device veth7a1bcde left promiscuous mode
br-55349b03453a: port 1(veth7a1bcde) entered disabled state

I don't really understand how to read these logs. Here is my ifconfig also. Can someone help me read the logs and figure out what the problem is?

1 Answers

Answers 1

br-xxxxxxx are the bridge interfaces of Docker and vethxxxxxxx are the virtual interfaces of your containers. Docker uses those veth interfaces but you do not directly interact with them; they use an IPv6 address and don't have IPv4. Docker can't create NAT interfaces, it can only create bridges and veths with IPv6 for containers. You can link your bridge to any physical or virtual interface of your host.

So it works like this:

eth0 (your interface or v-interface if you want) ↔ brxxxxx (docker bridge) ↔ vethxxxxx (v-interface of your container)

It's all I can say. I'm not sure that someone else will answer, as there are not a lot of Docker experts, so I give you all the information I can to help you understand your logs.

Read More

Thursday, February 2, 2017

docker-compose network creation kicks me out of ssh

Leave a Comment

I need help understanding my networking logs due to docker-compose networking.

I'm ssh'd into a VM, and I have two projects with docker-compose. The first is launched simply with docker-compose up. When I try to launch the second, my ssh session freezes, and I can no longer ssh into the VM. After lots of trial and error, and after reading this I tried to append to my 2nd project's docker-compose.yml file the following: networks: default: external: name: ffamfe_default where ffamfe_default is the name of the network created by docker-compose up of the 1st project. With this, the docker-compose up on the 2nd project doesn't kick me out of the ssh session.

I tailed the logs in /var/log/*.log, and here's the output with the networks section in the docker-compose.yml file (without the timestamp prefix: Jan 19 09:13:42 hostname kernel: [420096.305357]):

aufs au_opts_verify:1597:dockerd[13813]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth6a84537 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth6a84537: link is not ready
eth0: renamed from veth2480623
IPv6: ADDRCONF(NETDEV_CHANGE): veth6a84537: link becomes ready
br-fe0deb0149df: port 18(veth6a84537) entered forwarding state
br-fe0deb0149df: port 18(veth6a84537) entered forwarding state
aufs au_opts_verify:1597:dockerd[25317]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth1a3c1e3 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth1a3c1e3: link is not ready
br-fe0deb0149df: port 22(veth1a3c1e3) entered forwarding state
br-fe0deb0149df: port 22(veth1a3c1e3) entered forwarding state
eth0: renamed from veth54e576d
IPv6: ADDRCONF(NETDEV_CHANGE): veth1a3c1e3: link becomes ready
br-fe0deb0149df: port 22(veth1a3c1e3) entered disabled state
veth54e576d: renamed from eth0
br-fe0deb0149df: port 22(veth1a3c1e3) entered disabled state
device veth1a3c1e3 left promiscuous mode
br-fe0deb0149df: port 22(veth1a3c1e3) entered disabled state
br-fe0deb0149df: port 18(veth6a84537) entered forwarding state

and here's the output without the networks section (i.e. when I get kicked out of the ssh session):

IPv6: ADDRCONF(NETDEV_UP): br-55349b03453a: link is not ready
aufs au_opts_verify:1597:dockerd[26982]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[26982]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[3051]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth7a1bcde entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth7a1bcde: link is not ready
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered disabled state
eth0: renamed from veth5d8a2ea
IPv6: ADDRCONF(NETDEV_CHANGE): veth7a1bcde: link becomes ready
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): br-55349b03453a: link becomes ready
aufs au_opts_verify:1597:dockerd[13814]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[13814]: dirperm1 breaks the protection by the permission bits on the lower branch
aufs au_opts_verify:1597:dockerd[13922]: dirperm1 breaks the protection by the permission bits on the lower branch
device veth3253bd4 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth3253bd4: link is not ready
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered disabled state
eth0: renamed from veth9c8aaa3
IPv6: ADDRCONF(NETDEV_CHANGE): veth3253bd4: link becomes ready
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered forwarding state
br-55349b03453a: port 2(veth3253bd4) entered disabled state
veth9c8aaa3: renamed from eth0
br-55349b03453a: port 2(veth3253bd4) entered disabled state
device veth3253bd4 left promiscuous mode
br-55349b03453a: port 2(veth3253bd4) entered disabled state
br-55349b03453a: port 1(veth7a1bcde) entered forwarding state
br-55349b03453a: port 1(veth7a1bcde) entered disabled state
veth5d8a2ea: renamed from eth0
br-55349b03453a: port 1(veth7a1bcde) entered disabled state
device veth7a1bcde left promiscuous mode
br-55349b03453a: port 1(veth7a1bcde) entered disabled state

I don't really understand how to read these logs. Here is my ifconfig also. Can someone help me read the logs and figure out what the problem is?

Edit: bump

0 Answers

Read More

Sunday, April 24, 2016

go: http server does not work on osx

Leave a Comment

The example http server doesn't work for me. Source code:

package main

import (
    "fmt"
    "log"
    "net/http"
)

func handler(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "Hi there, I love %s!", r.URL.Path[1:])
}

func main() {
    http.HandleFunc("/", handler)
    // Report a listen/bind failure instead of silently discarding the error.
    log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}

When I try to connect all I get is:

$ curl 127.0.0.1:8080
curl: (7) Failed to connect to 127.0.0.1 port 8080: Operation timed out
$ nc -v -G 5 127.0.0.1 8080
nc: connectx to 127.0.0.1 port 8080 (tcp) failed: Operation timed out

While nc tries to connect, tcpdump shows only SYN packets:

$ tcpdump -i lo0 port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
18:21:30.906638 IP localhost.52799 > localhost.http-alt: Flags [S], seq 3375761924, win 65535, options [mss 16344,nop,wscale 5,nop,nop,TS val 118569352 ecr 0,sackOK,eol], length 0
18:21:31.006824 IP localhost.52799 > localhost.http-alt: Flags [S], seq 3375761924, win 65535, options [mss 16344,nop,wscale 5,nop,nop,TS val 118569452 ecr 0,sackOK,eol], length 0
18:21:31.106989 IP localhost.52799 > localhost.http-alt: Flags [S], seq 3375761924, win 65535, options [mss 16344,nop,wscale 5,nop,nop,TS val 118569552 ecr 0,sackOK,eol], length 0
18:21:31.208141 IP localhost.52799 > localhost.http-alt: Flags [S], seq 3375761924, win 65535, options [mss 16344,nop,wscale 5,nop,nop,TS val 118569653 ecr 0,sackOK,eol], length 0
18:21:31.308288 IP localhost.52799 > localhost.http-alt: Flags [S], seq 3375761924, win 65535, options [mss 16344,nop,wscale 5,nop,nop,TS val 118569753 ecr 0,sackOK,eol], length 0
18:21:31.408336 IP localhost.52799 > localhost.http-alt: Flags [S], seq 3375761924, win 65535, options [mss 16344,nop,wscale 5,nop,nop,TS val 118569853 ecr 0,sackOK,eol], length 0
18:21:31.609143 IP localhost.52799 > localhost.http-alt: Flags [S], seq 3375761924, win 65535, options [mss 16344,nop,wscale 5,nop,nop,TS val 118570053 ecr 0,sackOK,eol], length 0
18:21:32.011215 IP localhost.52799 > localhost.http-alt: Flags [S], seq 3375761924, win 65535, options [mss 16344,nop,wscale 5,nop,nop,TS val 118570453 ecr 0,sackOK,eol], length 0
18:21:32.812512 IP localhost.52799 > localhost.http-alt: Flags [S], seq 3375761924, win 65535, options [mss 16344,nop,wscale 5,nop,nop,TS val 118571253 ecr 0,sackOK,eol], length 0
18:21:34.414686 IP localhost.52799 > localhost.http-alt: Flags [S], seq 3375761924, win 65535, options [mss 16344,nop,wscale 5,nop,nop,TS val 118572853 ecr 0,sackOK,eol], length 0

And here's the last part of the dtruss output of the server side (starting from the socket call):

socket(0x2, 0x1, 0x0)                          = 3 0
fcntl(0x3, 0x2, 0x1)                           = 0 0
fcntl(0x3, 0x3, 0x0)                           = 2 0
fcntl(0x3, 0x4, 0x6)                           = 0 0
setsockopt(0x3, 0xFFFF, 0x20)                  = 0 0
setsockopt(0x3, 0xFFFF, 0x4)                   = 0 0
bind(0x3, 0xC8200BA6AC, 0x10)                  = 0 0
listen(0x3, 0xFDE8, 0x10)                      = 0 0
kqueue(0x3, 0xFDE8, 0x10)                      = 4 0
fcntl(0x4, 0x2, 0x1)                           = 0 0
kevent(0x4, 0xC8200558C0, 0x2)                 = 0 0
getsockname(0x3, 0xC82005592C, 0xC820055928)   = 0 0
accept(0x3, 0xC820055AA4, 0xC820055A94)        = -1 Err#35
kevent(0x4, 0x0, 0x0)                          = 0 0
select(0x0, 0x0, 0x0, 0x0, 0x700000080DE8)     = 0 0

Nothing more appears when I run nc, so it does not even notice connection attempts.

I don't have a firewall enabled, everything else works, only Go programs have this issue (in particular I can't use docker-machine).

How do I fix it?

Edit: I assume that Err#35 is:

#define EDEADLK     35  /* Resource deadlock would occur */ 

...wat?

Edit2:

  • go: version go1.6 darwin/amd64
  • OSX: 10.11.4

The server is not exiting, it listens indefinitely.

Edit3:

I tried both "go build" and "go run" - no difference

Using localhost instead of 127.0.0.1 - no difference

Using w.Write([]byte(fmt.Sprintf("Hi there, I love %s!", r.URL.Path[1:]))) instead - no difference. Btw - it says nc: connectx to 127.0.0.1 port 8080 (tcp) failed: Operation timed out, so the connection attempt times out, not the read.

ifconfig -a and netstat -r output: https://gist.github.com/mabn/ed171f180725b563d32bb86d5ec61988

3 Answers

Answers 1

I'd like to see the output of 'ifconfig -a'.

This smells like a local configuration issue; I can't reproduce this on OS X 10.11.4, Go 1.6.

My W.A.G. is that a tunnel device is actually using 127.0.0.1, not the loopback device.

Answers 2

Do you have Cisco AnyConnect installed? If so, find websecurity_uninstall.sh and uninstall websecurity:

sudo /opt/cisco/anyconnect/bin/websecurity_uninstall.sh 

It forwards port 8080 to port 5001 and you cannot use netstat, lsof or any of the normal tools to see why nothing can use port 8080.

Answers 3

I'm sure you checked this, but by any chance do you have packet filtering (pfctl) or some other firewall turned on? See http://superuser.com/questions/505128/deny-access-to-a-port-from-localhost-on-osx
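The capture in the question shows the one pattern all three answers are chasing: a SYN repeated with the same sequence number and never answered by a SYN-ACK, so nothing on the loopback is accepting the port. As an added example (not from the question or any answer), this check flags that pattern in tcpdump output; the sample lines are constructed from the capture above, with the long options field elided, plus one healthy flow for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: three of the SYNs quoted in the question (options elided)
# plus one healthy flow on another client port that does receive a SYN-ACK.
SAMPLE = """\
18:21:30.906638 IP localhost.52799 > localhost.http-alt: Flags [S], seq 3375761924, win 65535, options [...], length 0
18:21:31.006824 IP localhost.52799 > localhost.http-alt: Flags [S], seq 3375761924, win 65535, options [...], length 0
18:21:31.106989 IP localhost.52799 > localhost.http-alt: Flags [S], seq 3375761924, win 65535, options [...], length 0
18:21:40.000000 IP localhost.52800 > localhost.http-alt: Flags [S], seq 1, win 65535, options [...], length 0
18:21:40.000100 IP localhost.http-alt > localhost.52800: Flags [S.], seq 2, ack 2, win 65535, options [...], length 0
"""

# timestamp, "IP", src > dst: Flags [..], seq N  (the part of a tcpdump line this check needs)
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]+)\], seq (\d+)")


def unanswered_syns(text, min_retries=2):
    """Return sorted (client, server) pairs whose SYN (same initial sequence number)
    was sent at least min_retries times and never answered by a SYN-ACK."""
    syn_count = defaultdict(int)   # (client, server, isn) -> times that SYN was seen
    answered = set()               # (client, server) pairs that got a SYN-ACK back
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # tcpdump banner lines and anything non-TCP
        src, dst, flags, seq = m.groups()
        if flags == "S":
            syn_count[(src, dst, seq)] += 1
        elif flags == "S.":        # a SYN-ACK flows server -> client
            answered.add((dst, src))
    return sorted({(c, s) for (c, s, _isn), n in syn_count.items()
                   if n >= min_retries and (c, s) not in answered})
```

A non-empty result on a loopback capture means the SYN reached the kernel but no socket answered it, which is exactly the situation a hidden port redirect (as in Answer 2) or a packet filter (as in Answer 3) produces.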

Read More

Friday, April 15, 2016

Algorithms: Using maximum flow to calculate correct matrix values

Leave a Comment

I am given a matrix A of size N x M with N, M <= 100. Matrix A consists of integer values A(i,j) where i and j are 0 < i < M and 0 < j < N. I am also given the "correct" column sums and row sums of the matrix. The given values A(i,j) are "incorrect" (they do not match the "correct" sums) and therefore we are provided with corresponding "incorrectness" values B(i,j), where B(i,j) ranges from 0 to A(i,j).

The goal is to calculate the "correct" values C(i,j) in the matrix, where A(i,j) - C(i,j) <= B(i,j); the C(i,j) values must also match the given row and column sums. I think I have to use maximum flow, but my attempts have not worked. How can I achieve this?

1 Answers

Answers 1

I'll just give you an example here.

matrix A:
10 10 10
10 10 10
10 10 10

matrix B:
 2  3  4
 5  6  4
 3  2  1

matrix A-B:
 8  7  6
 5  4  6
 7  8  9

So you have the formula A[i,j] - C[i,j] <= B[i,j]. You can transform it into A[i,j] - B[i,j] <= C[i,j] which means that B[i,j] is the smallest thing that you need to subtract from A[i,j] to get something smaller or equal to C[i,j]. From here you know that you need to add something to the entries in matrix A-B.

Let's now find what and where to add.

Let's assume you are given the following row and column sizes:

c1 = 20/20
c2 = 19/21
c3 = 21/24

r1 = 21/21
r2 = 15/17
r3 = 24/27

Above I wrote things in the form of:

(current flow through column or row) / (goal flow through column or row). 

Now let's build a network:

[image: network]

Now note that the total sum of rows = total sum of columns. So you try to push 'given sum of entries' - 'current sum of entries' from 's' to 't'.

Now, let's assume that the nodes are enumerated from left to right by natural numbers. Now, when you push something from a second level node to a third level node, say, you push something from node i, to node j, you also add whatever you pushed to NewMatrix[i,j], where NewMatrix is the matrix A-B and you get the matrix you want.

Also note that in the beginning, in the matrix A-B, you had the smallest C[i,j] that you had to subtract from A[i,j] to get something smaller or equal to B[i,j], and now that you added something to that C[i,j] the inequality A[i,j]-C[i,j]<=B[i,j] still holds.
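The construction above, worked through as an added example (this is not the answer's code): rows and columns are the two middle layers, s feeds each row with what it still needs, each column drains into t what it still needs, and the flow on a row-to-column edge is what gets added to that entry of A-B. The answer does not state the capacities of the row-to-column edges; this code assumes B[i,j], so that C stays between A-B and A. The inputs are the answer's example matrices and goal sums.

```python
from collections import deque

A = [[10, 10, 10], [10, 10, 10], [10, 10, 10]]
B = [[2, 3, 4], [5, 6, 4], [3, 2, 1]]
ROW_GOALS, COL_GOALS = [21, 17, 27], [20, 21, 24]   # goal sums from the answer's example

def max_flow(cap, s, t):
    # Edmonds-Karp on a capacity matrix; returns (flow value, flow matrix).
    n, total = len(cap), 0
    flow = [[0] * n for _ in range(n)]
    while True:
        parent, queue = {s: s}, deque([s])      # BFS for a shortest augmenting path
        while queue and t not in parent:
            u = queue.popleft()
            for v in range(n):
                if v not in parent and cap[u][v] - flow[u][v] > 0:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return total, flow
        push, v = float("inf"), t               # bottleneck capacity along the path
        while v != s:
            push = min(push, cap[parent[v]][v] - flow[parent[v]][v])
            v = parent[v]
        v = t
        while v != s:                           # augment; keep reverse residual flow
            flow[parent[v]][v] += push
            flow[v][parent[v]] -= push
            v = parent[v]
        total += push

def correct_matrix(A, B, row_goals, col_goals):
    n, m = len(A), len(A[0])
    low = [[A[i][j] - B[i][j] for j in range(m)] for i in range(n)]   # matrix A-B
    row_need = [row_goals[i] - sum(low[i]) for i in range(n)]
    col_need = [col_goals[j] - sum(low[i][j] for i in range(n)) for j in range(m)]
    if min(row_need + col_need) < 0 or sum(row_need) != sum(col_need):
        return None
    s, t = n + m, n + m + 1   # nodes: rows 0..n-1, columns n..n+m-1, then s and t
    cap = [[0] * (n + m + 2) for _ in range(n + m + 2)]
    for i in range(n):
        cap[s][i] = row_need[i]
        for j in range(m):
            cap[i][n + j] = B[i][j]   # assumption: at most B[i][j] can be added back
    for j in range(m):
        cap[n + j][t] = col_need[j]
    value, flow = max_flow(cap, s, t)
    if value != sum(row_need):
        return None
    return [[low[i][j] + flow[i][n + j] for j in range(m)] for i in range(n)]
```

correct_matrix returns None when the max flow is smaller than the total that has to be pushed, which is how you detect that no matrix with those sums exists within the bounds.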

Read More

Wednesday, April 13, 2016

Android runtime exec with NetworkRequest

Leave a Comment

I am running a command line argument in my Android application like:

ProcessBuilder pb = new ProcessBuilder(cmds);
Process process = pb.start();
process.waitFor();

Where cmds is a list of arguments to run. My commands probe a remote URL over an HTTP connection. My device is connected to a WiFi network that does not have access to the internet, but does host the URL I want to probe. My device also has a cellular connection that does have access to the internet, but not the URL. My device is running Android 6.0 Marshmallow.

Normally in Lollipop or above, Android defaults to the network with a connection to the internet. To access WiFi networks without internet you need to use NetworkRequest, e.g: http://stackoverflow.com/a/27958106/1847734.

How can I pass an obtained Network to the above Process, so that the connection goes over my WiFi network, not my cellular network?

Do I instead need to use ConnectivityManager#bindProcessToNetwork? How do I join the process to set the network using this method? There doesn't seem to be an option to give the process.

1 Answers

Answers 1

Starting from Lollipop, Network is Parcelable, so you can write it to a byte array and then read it back. Let's start with the writing part.

final Parcel parcel = Parcel.obtain();
try {
  // Create a byte array from Network.
  parcel.writeParcelable(network, 0);
  final byte[] data = parcel.marshall();

  // Start a process.
  ProcessBuilder pb = new ProcessBuilder(cmds);
  Process process = pb.start();

  // Send the serialized Network to the process: a 4-byte length prefix, then the
  // bytes (writeInt, not write, so the reader's readInt() gets the whole length).
  final DataOutputStream out = new DataOutputStream(process.getOutputStream());
  out.writeInt(data.length);
  out.write(data);
  out.flush();

  // Wait until the process terminates.
  process.waitFor();
} finally {
  parcel.recycle();
}

And the reading part.

// Read data from the input stream.
final DataInputStream in = new DataInputStream(System.in);
final int length = in.readInt();
final byte[] data = new byte[length];
in.readFully(data);

final Parcel parcel = Parcel.obtain();
try {
  // Restore Network from a byte array; rewind before reading it back.
  parcel.unmarshall(data, 0, data.length);
  parcel.setDataPosition(0);
  final Network network = parcel.readParcelable(null);

  // Use the Network object to bind the process to it.
  connectivityManager.bindProcessToNetwork(network);
} finally {
  parcel.recycle();
}

This code will work on Android 6.0 only. If you want it to work on Lollipop you should use ConnectivityManager.setProcessDefaultNetwork(Network) instead of ConnectivityManager.bindProcessToNetwork(Network). And this code is not going to work on devices before Android 5.0.

Read More

Sunday, March 27, 2016

OSX: Check if the default interface is physical or virtual

Leave a Comment

Is there a way on OSX to see if the default interface is an actual physical interface or if it is a virtual interface, like when it is connected to a VPN?

Essentially, I am trying to figure out an interface property that can tell if the default interface is virtual or physical. We can read interface properties from scutil system configuration utility framework.

0 Answers

Read More