Why might my web requests to a Docker-in-Docker container be refused?


I’ve got a bit of a puzzler here. I am playing around with continuous deployment, and to learn some related technologies, I have this Dockerfile:

# Docker build script for continuous deployment demo container

FROM alpine:3.8

# Install software
RUN apk update
RUN apk add php

# Add dumb init to improve sig handling (stop time in CircleCI of 10sec is too slow)
RUN wget -O /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64
RUN chmod +x /usr/local/bin/dumb-init

# Copy a hello world webpage
COPY web/index.php /root/index.php


# Start the web server
ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
# Bind all interfaces on port 80, the port that -p/--publish maps (a bare "" address is not a valid -S argument)
CMD ["php", "-S", "0.0.0.0:80", "-t", "/root"]

If I build that locally (docker build --tag cd-demo-container .) and run it locally (docker run -p 9090:80 cd-demo-container) then I can do an HTTP fetch from outside of the container:

$ wget localhost:9090
--2018-08-22 20:27:10--  http://localhost:9090/
Resolving localhost (localhost)...
Connecting to localhost (localhost)||:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html    [ <=> ]    147  --.-KB/s    in 0s

2018-08-22 20:27:10 (4.42 MB/s) - ‘index.html’ saved [147]

OK, so that works. If I build it in CircleCI, and then run it in CircleCI using this command:

    docker run \
        --publish 8080:80 \
        --detach \
        --name ${CIRCLE_PROJECT_REPONAME} \

then it runs, but it does not appear to produce a listening port with netstat -a. I can exec into the container using sh and then do a wget internally, but that feels like cheating; the external port should work (that might be my temporary fix, but I’d like to do this properly).

I’ve also tried --publish and that doesn’t seem to produce any listening ports either. Are CircleCI’s networking rules (i.e. setup_remote_docker) interfering with my port publishing?

Aha. I think this is the reason: the Docker executor would need to run in privileged mode in order to allow external port binding, and that would not be possible for security reasons.

docker exec it is then!
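As an added example, not code from the original thread or from CircleCI: a small POSIX sh helper for the workaround the thread settles on. With setup_remote_docker the container started by docker run lives on a separate remote Docker host, so a port published with --publish never becomes a listening port on the job container itself; the reliable check is to run the HTTP client inside the container with docker exec. The script assumes the container is named cd-demo-container, that the PHP server listens on port 80, and that the image carries BusyBox wget (alpine does). The DOCKER and POLL_INTERVAL variables are there so the functions can be exercised with a stub instead of a real daemon.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks a container's web server
# from inside the container via `docker exec`, which also works on a remote
# Docker host (CircleCI setup_remote_docker) where --publish ports are not
# reachable from the job container. Assumptions: container name
# "cd-demo-container", server on port 80, BusyBox wget present in the image.

DOCKER="${DOCKER:-docker}"            # docker CLI; override to test with a stub
POLL_INTERVAL="${POLL_INTERVAL:-1}"   # seconds between attempts

# probe_in_container NAME PORT [PATH]
# Run wget inside the container against its own loopback interface. Returns
# wget's exit status: 0 for an HTTP 2xx reply, non-zero for refused/timeout.
probe_in_container() {
    _name="$1"; _port="$2"; _path="${3:-/}"
    "$DOCKER" exec "$_name" wget -q -O /dev/null -T 3 "http://127.0.0.1:${_port}${_path}"
}

# wait_for_container_http NAME PORT MAX_ATTEMPTS
# Poll probe_in_container until it succeeds or MAX_ATTEMPTS is reached.
# Prints the number of attempts used; exit status 0 on success, 1 on give-up.
wait_for_container_http() {
    _name="$1"; _port="$2"; _max="$3"
    _attempt=0
    while [ "$_attempt" -lt "$_max" ]; do
        _attempt=$((_attempt + 1))
        if probe_in_container "$_name" "$_port" >/dev/null 2>&1; then
            echo "$_attempt"
            return 0
        fi
        sleep "$POLL_INTERVAL"
    done
    echo "$_attempt"
    return 1
}

# CI usage, after `docker run --detach --name cd-demo-container ...`:
#   sh check_container_http.sh cd-demo-container 80 30
if [ "$#" -eq 3 ]; then
    if _n=$(wait_for_container_http "$1" "$2" "$3"); then
        echo "web server in $1 answered on port $2 after $_n attempt(s)"
    else
        echo "web server in $1 gave no answer on port $2 after $_n attempt(s)" >&2
        exit 1
    fi
fi
```

The probe talks to 127.0.0.1 inside the container rather than to a published port, so it gives the same answer on a local daemon and on the remote one; a non-zero status after the polling budget is the CI step's failure signal.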
