
ERROR - (113: Host is unreachable) while connecting to upstream - After deployed MacVlan - Docker - Synology

Open redtripleAAA opened this issue 4 years ago • 4 comments

The current issue started after I deployed MacVlan to the docker container in question

PiHole - Docker - Synology

It started giving me the error:

2020/11/17 01:06:58 [error] 2302#2302: *200758 connect() failed (113: Host is unreachable) while connecting to upstream, client: 172.17.0.1, server: pi.ans.red, request: "GET /favicon.ico HTTP/1.1", upstream: "http://10.0.12.192:80/favicon.ico", host: "pi.hamra.services", referrer: "https://pi.hamra.services/admin"

2020/11/16 23:29:36 [error] 2220#2220: *194168 connect() failed (113: Host is unreachable) while connecting to upstream, client: 172.17.0.1, server: pi.ans.red, request: "GET /favicon.ico HTTP/1.1", upstream: "https://10.0.12.192:443/favicon.ico", host: "pi.hamra.services", referrer: "https://pi.hamra.services/admin"

2020/11/16 23:33:10 [error] 2230#2230: *194657 connect() failed (113: Host is unreachable) while connecting to upstream, client: 172.17.0.1, server: pi.ans.red, request: "GET / HTTP/1.1", upstream: "http://10.0.12.192:80/", host: "pi.hamra.services"

It's a simple proxy setup:

image

and

image

It works internally fine: http://10.0.12.192/admin/

image

Since the last help you provided in https://github.com/jlesage/docker-nginx-proxy-manager/issues/79, @jlesage, everything was working fine, until I deployed MacVlan and it got its own IP address for PiHole

Let me know please if you can help.

redtripleAAA avatar Nov 17 '20 01:11 redtripleAAA

It seems that the NginxProxyManager container is not able to reach 10.0.12.192.

Which network type is NginxProxyManager using? I know that several months ago, there was a limitation where the host couldn't reach a macvlan network... Can you ping 10.0.12.192 from the host where Docker is running? Can you ping it from the NginxProxyManager container (docker exec <container name> ping 10.0.12.192)?

jlesage avatar Nov 17 '20 13:11 jlesage

@jlesage I think you are right, it seems to be some kind of a limitation to talk to MacVlan network.

I can't ping the MacVlan hosts

However, I can ping other hosts on the same subnet

root@Synology:~#
root@Synology:~# docker exec da1cd6adad0c ping 10.0.12.192
PING 10.0.12.192 (10.0.12.192): 56 data bytes


root@Synology:~#
root@Synology:~# docker exec da1cd6adad0c ping 10.0.12.1
PING 10.0.12.1 (10.0.12.1): 56 data bytes
64 bytes from 10.0.12.1: seq=0 ttl=63 time=0.941 ms
64 bytes from 10.0.12.1: seq=1 ttl=63 time=0.691 ms
64 bytes from 10.0.12.1: seq=2 ttl=63 time=0.690 ms
64 bytes from 10.0.12.1: seq=3 ttl=63 time=0.713 ms
64 bytes from 10.0.12.1: seq=4 ttl=63 time=0.707 ms

root@Synology:~# docker exec da1cd6adad0c ping 10.0.12.18
PING 10.0.12.18 (10.0.12.18): 56 data bytes
64 bytes from 10.0.12.18: seq=0 ttl=127 time=0.625 ms
64 bytes from 10.0.12.18: seq=1 ttl=127 time=0.460 ms
64 bytes from 10.0.12.18: seq=2 ttl=127 time=0.638 ms
64 bytes from 10.0.12.18: seq=3 ttl=127 time=0.502 ms

Is there any existing workaround for that?

I saw some online article talking about passing_proxy or something like that to get it working, any advice?

Thanks

redtripleAAA avatar Nov 17 '20 17:11 redtripleAAA

@ansred Not sure if this is the same as what I previously faced, but when I set up a macvlan network on my Synology for Docker, I had to put the following in a .sh file and execute it via a Task Schedule at boot-up:

#!/bin/sh
PATH=/usr/local/bin:/usr/bin:/bin
while ! ip link show bond0 | grep -q 'state UP'; do
    sleep 1
done

ip link add macvlan_link link bond0 type macvlan  mode bridge
ip addr add 192.168.1.240/32 dev macvlan_link
ip link set macvlan_link up
ip route add 192.168.1.240/28 dev macvlan_link
iptables -P FORWARD ACCEPT

It links the macvlan to the main network as well as defines the routes. Without the last two lines, I got the same errors as you when reverse proxying to containers using the macvlan network.

/Edit: Below is how I had created the macvlan network:

docker network create -d macvlan -o parent=bond0 \
  --subnet 192.168.1.0/24 \
  --gateway 192.168.1.1 \
  --ip-range 192.168.1.240/28 \
  --aux-address 'host=192.168.1.240' \
  macvlan

hirenshah avatar Jan 06 '21 05:01 hirenshah

@hirenshah thanks for your update.

I think I have the same issue you had.

Here are my networks, which were created in Portainer

Followed this YouTube video: https://youtu.be/o7nn6Tv-PAw

root@Synology:~# docker network ls
NETWORK ID          NAME                             DRIVER              SCOPE
1e2ebdbc7947        AD_MacVlan_Net                   macvlan             local
9ac20bc0cab8        AG_MacVlan_Config                null                local

And when I do inspect for the two networks related to that docker container

(1)

root@Synology:~# docker network inspect 1e2ebdbc7947
[
    {
        "Name": "AD_MacVlan_Net",
        "Id": "1e2ebdbc79477f523bba7119538354e8cf23dda3a00d6ae90ed7b8e9c25e9070",
        "Created": "2020-11-20T16:15:34.391136218-05:00",
        "Scope": "local",
        "Driver": "macvlan",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "10.0.12.0/24",
                    "IPRange": "10.0.12.122/32",
                    "Gateway": "10.0.12.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "5792a8c55bd05b9ae4cb1e6809245ef4b72e5822243834cf2696acd0f485615b": {
                "Name": "adguardhome",
                "EndpointID": "103820b86273e3fd845101ab8b33a6c584b74e401a892ae2828686d92a6a5ce1",
                "MacAddress": "02:42:0a:00:0c:7a",
                "IPv4Address": "10.0.12.122/24",
                "IPv6Address": ""
            }
        },
        "Options": {
            "parent": "ovs_eth0"
        },
        "Labels": {}
    }
]
root@Synology:~#

(2)

root@Synology:~# docker network inspect 9ac20bc0cab8
[
    {
        "Name": "AG_MacVlan_Config",
        "Id": "9ac20bc0cab8a28a2fae344667b1431826d7cc80a93dbcda32e305c955d7d817",
        "Created": "2020-11-20T16:08:35.313662365-05:00",
        "Scope": "local",
        "Driver": "null",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "10.0.12.0/24",
                    "IPRange": "10.0.12.122/32",
                    "Gateway": "10.0.12.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": true,
        "Containers": {},
        "Options": {
            "parent": "ovs_eth0"
        },
        "Labels": {}
    }
]
root@Synology:~#

And here is my list of scheduled tasks in Synology DSM, mostly to run a VPN docker container.

image

Can you advise what I should change? Or can you share the output of network inspect for your macvlan network plus a screenshot of the scheduled task?

Per your example. I have created the following file

image

and then created the scheduled task to trigger on Boot from a file script

it has the following

#!/bin/sh


PATH=/usr/local/bin:/usr/bin:/bin
while ! ip link show bond0 | grep -q 'state UP'; do
    sleep 1
done

ip link add macvlan_link link bond0 type macvlan  mode bridge
ip addr add 10.0.12.122/32 dev macvlan_link

ip link set macvlan_link up
ip route add 10.0.12.122/32 dev macvlan_link
iptables -P FORWARD ACCEPT

image

Does it look good?

Thanks

redtripleAAA avatar Feb 14 '21 21:02 redtripleAAA
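
The following check is an added example, not part of the thread or of the project's code: it compares a host macvlan shim script against the `docker network inspect` output of the network it is meant to reach, using the values posted above (trimmed and embedded as constructed samples). The function name `audit_shim` and the finding codes are hypothetical; it assumes the script contains the `ip link add`, `ip addr add` and `ip route add` lines shown in the thread.

```python
import ipaddress
import json
import re

# Constructed sample: `docker network inspect` output from the thread, trimmed
# to the fields the check reads (container ID shortened).
INSPECT_JSON = """[{"Name": "AD_MacVlan_Net", "Driver": "macvlan",
  "IPAM": {"Config": [{"Subnet": "10.0.12.0/24", "IPRange": "10.0.12.122/32",
                       "Gateway": "10.0.12.1"}]},
  "Containers": {"5792a8c55bd0": {"Name": "adguardhome",
                                  "IPv4Address": "10.0.12.122/24"}},
  "Options": {"parent": "ovs_eth0"}}]"""

# Commands of the boot script in the last post (wait loop omitted).
SHIM_SCRIPT = """ip link add macvlan_link link bond0 type macvlan  mode bridge
ip addr add 10.0.12.122/32 dev macvlan_link
ip link set macvlan_link up
ip route add 10.0.12.122/32 dev macvlan_link
iptables -P FORWARD ACCEPT
"""

def audit_shim(inspect_json, script):
    """Return (code, detail) findings for a shim script versus its network."""
    net = json.loads(inspect_json)[0]
    cfg = net["IPAM"]["Config"][0]
    parent = re.search(r"ip link add \S+ link (\S+) type macvlan", script).group(1)
    shim_ip = ipaddress.ip_interface(re.search(r"ip addr add (\S+) dev", script).group(1)).ip
    route = ipaddress.ip_network(re.search(r"ip route add (\S+) dev", script).group(1), strict=False)
    pool = ipaddress.ip_network(cfg.get("IPRange") or cfg["Subnet"], strict=False)
    used = {ipaddress.ip_interface(c["IPv4Address"]).ip: c["Name"]
            for c in net["Containers"].values() if c.get("IPv4Address")}
    reserved = {ipaddress.ip_address(a) for a in (cfg.get("AuxiliaryAddresses") or {}).values()}
    findings = []
    if parent != net["Options"]["parent"]:  # shim must sit on the network's parent
        findings.append(("parent-mismatch", f"shim on {parent}, network on {net['Options']['parent']}"))
    if shim_ip in used:  # host shim needs an address no container holds
        findings.append(("address-in-use", f"{shim_ip} belongs to container {used[shim_ip]}"))
    elif shim_ip in pool and shim_ip not in reserved:
        findings.append(("address-not-reserved", f"{shim_ip} can still be allocated by Docker"))
    if not pool.subnet_of(route):  # route should cover every container address
        findings.append(("route-gap", f"{route} does not cover {pool}"))
    if re.search(r"iptables\s+-P\s+FORWARD\s+ACCEPT", script):
        findings.append(("forward-policy-accept", "default applies to every interface pair on the host"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_shim(INSPECT_JSON, SHIM_SCRIPT):
        print(f"{code}: {detail}")
```

On the values from the last post it reports the `bond0` / `ovs_eth0` parent mismatch, the shim address colliding with the `adguardhome` container, and the host-wide `FORWARD` default.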