Docker: no port bindings for HA/Supervisor (solved)

perryodk · May 29, 2017, 6:56pm

So I installed CentOS 7, added the requirements and afterwards installed HassIO with the command curl -sL https://raw.githubusercontent.com/home-assistant/hassio-build/master/install/hassio_install | bash - however Docker ps shows no port bindings:

CONTAINER ID        IMAGE                                    COMMAND                  CREATED             STATUS              PORTS                   NAMES
8a7fcba9daab        homeassistant/qemux86-64-homeassistant   "/usr/bin/entry.sh py"   2 days ago          Up 2 days                                   homeassistant
bddfecf359f7        homeassistant/amd64-hassio-supervisor    "/usr/bin/entry.sh py"   2 days ago          Up 2 days                                   hassio_supervisor

Then I added a Nginx container like this docker run --name mynginx1 -P -d nginx and it immediately works and has an port binding.

# docker ps
CONTAINER ID        IMAGE                                    COMMAND                  CREATED             STATUS              PORTS                   NAMES
8a7fcba9daab        homeassistant/qemux86-64-homeassistant   "/usr/bin/entry.sh py"   2 days ago          Up 2 days                                   homeassistant
bddfecf359f7        homeassistant/amd64-hassio-supervisor    "/usr/bin/entry.sh py"   2 days ago          Up 2 days                                   hassio_supervisor
11c9fcfb188f        nginx                                    "nginx -g 'daemon off"   4 seconds ago       Up 2 seconds        0.0.0.0:32768->80/tcp   mynginx1

When I add an additional HA container like this:
# docker run -d --name="home-assistant-test" -p 80:8123 homeassistant/qemux86-64-homeassistant

It works and a port mapping is created:

CONTAINER ID        IMAGE                                    COMMAND                  CREATED             STATUS              PORTS                  NAMES
3d580a122bf6        homeassistant/qemux86-64-homeassistant   "/usr/bin/entry.sh py"   17 seconds ago      Up 16 seconds       0.0.0.0:80->8123/tcp   home-assistant-test
972fd127e4a0        homeassistant/qemux86-64-homeassistant   "/usr/bin/entry.sh py"   19 minutes ago      Up 19 minutes                              homeassistant
bddfecf359f7        homeassistant/amd64-hassio-supervisor    "/usr/bin/entry.sh py"   2 days ago          Up 2 days                                  hassio_supervisor```

Netstat shows the port is listening:

```# netstat -nat | grep LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:8123            0.0.0.0:*               LISTEN```

Did I do something wrong or am I missing something?

pvizeli · May 29, 2017, 8:14pm

Everting work perfect. Supervisor need no port bindings and homeassistant run on host network…

perryodk · May 29, 2017, 8:33pm

Thanks for your confirmation but how come it’s not working then…?
I get an “refused to connect” warning when using Chrome to connect to the server.

Maybe IPtables is causing the problem?

# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
PREROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0           
PREROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
PREROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
POSTROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT_direct (1 references)
target     prot opt source               destination         

Chain POSTROUTING_ZONES (1 references)
target     prot opt source               destination         
POST_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
POST_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain POSTROUTING_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain POSTROUTING_direct (1 references)
target     prot opt source               destination         

Chain POST_public (2 references)
target     prot opt source               destination         
POST_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
POST_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
POST_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           

Chain POST_public_allow (1 references)
target     prot opt source               destination         

Chain POST_public_deny (1 references)
target     prot opt source               destination         

Chain POST_public_log (1 references)
target     prot opt source               destination         

Chain PREROUTING_ZONES (1 references)
target     prot opt source               destination         
PRE_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
PRE_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain PREROUTING_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain PREROUTING_direct (1 references)
target     prot opt source               destination         

Chain PRE_public (2 references)
target     prot opt source               destination         
PRE_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
PRE_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
PRE_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           

Chain PRE_public_allow (1 references)
target     prot opt source               destination         

Chain PRE_public_deny (1 references)
target     prot opt source               destination         

Chain PRE_public_log (1 references)
target     prot opt source               destination

perryodk · May 29, 2017, 9:06pm

Found the issue

1 systemctl status firewalld gave a lot of errors in it’s logging like:

May 29 22:50:33 %hostname% firewalld[651]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed:
May 29 22:50:33 %hostname% firewalld[651]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed:
May 29 22:50:33 %hostname% firewalld[651]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed:
May 29 22:50:33 %hostname% firewalld[651]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' failed:
May 29 22:50:33 %hostname% firewalld[651]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' failed:
May 29 22:50:33 %hostname% firewalld[651]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed:
May 29 22:50:33 %hostname% firewalld[651]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:```

2 I disabled IPtables with ```systemctl disable firewalld``` and rebooted the Docker host (virtual machine).

3 Problem solved; port 8123 is accessible and HA webinterface works.