Alternatives to iptables on CircleCI 2.0

Hi there,

I am migrating a script from CircleCI 1.0 to CircleCI 2.0.

Our tests currently redirect traffic from port 80 to the application port of 3060. This allows a WD.js browser instance to launch. On CircleCI 1.0 this was achieved using iptables. However, when we executed the current iptables command on CircleCI 2.0 (iptables -t nat -I OUTPUT -p tcp -o lo --dport 80 -j REDIRECT --to-ports 3060), an error of "Permission denied (you must be root)" is raised.

What is the suggested approach to allow the ports to correctly bind?

The following comment (Building a Docker image on 2.0) was made about setup-docker-engine. However, I thought this didn’t cover ports.


Ah yes, I just bumped into something similar!

A couple of suggestions:

  • Swap to a machine executor, where you have root access. This is free for the time being, and has been for a year or so, but the price may change in the future.
  • Still on the Docker executor, use Docker Compose with three containers: one system that publishes on port X, one system that consumes on port Y, and a proxy to do the translation. There are no networking restrictions between containers, so this should work.
1 Like
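
The three-container Compose layout suggested in the reply above, sketched as an added example that is not part of the original thread. The service names, build contexts and test command are assumptions, as is the premise that the WD.js browser runs inside the `tests` container; the proxy uses the public `alpine/socat` image.

```yaml
# docker-compose.yml (added example; service names, build contexts and the
# test command are assumptions, not taken from the thread)
version: "3"

services:
  # The application under test, listening on its usual port 3060.
  app:
    build: .                      # assumed: Dockerfile for the app in the repo root
    expose:
      - "3060"

  # Userland TCP proxy: accepts connections on 80 and forwards them to app:3060.
  # It stands in for the iptables REDIRECT rule, so no container needs the
  # NET_ADMIN capability or a privileged flag.
  proxy:
    image: alpine/socat
    command: "TCP-LISTEN:80,fork,reuseaddr TCP:app:3060"
    depends_on:
      - app

  # Test runner. It shares the proxy's network namespace, so a request to
  # http://localhost:80 made inside this container lands on the socat listener.
  tests:
    build: ./tests                # assumed: image containing the WD.js suite and browser
    network_mode: "service:proxy"
    command: npm test             # assumed test entry point
    depends_on:
      - proxy
```

Running `docker-compose up --exit-code-from tests` locally exercises the same wiring and returns the test container's exit status.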

@halfer so as I understand it, if I use machine as my executor, I can’t use a custom image which means my builds will also need to run any custom installations in addition to bundle or package installations. Is that correct? I’m a noob with docker-compose but in theory, I should be able to run this locally to verify that the configuration works, which would be useful.

I’ll try these out. THANKS!

You can do either. In general, it would be normal with the machine executor to do custom installations in that actual machine, yes.

However, if you wanted to, you could install Docker or Docker Compose here and run an image of your choosing. The latter might be useful if your build tools take such a long time to compile/install that pulling and starting an image would be quicker.

In general, I would probably advise sticking on the Docker executor and going down the Compose route, since CircleCI seem to be encouraging folks to use their Docker infra. However, it is worth being practical, and since picking up Docker expertise is not something that comes overnight, the VM (machine) approach might be a good workaround in that situation.

1 Like
