I cannot get Portainer using a remote NFS Docker volume to complete "boot" unless I also open up port 922 in the firewall (see details below on the setup).
It never gets past this unless I open up port 922.
If I do open port 922 (which I cannot find documented anywhere, or related to NFS or Docker at all), the "boot" completes and the interface comes up:
There aren't a lot of details, but could it be stalled on the Chisel service not starting? Some attempt to verify there is no MITM condition?
Setup/recreation details:
TrueNAS Core server running on 192.168.0.40
Proxmox 8.3.2 running an Ubuntu server VM isolated in a VLAN (tag=1000) at 10.10.10.82
Docker installed, nfs-common installed
Firewall rule to allow traffic from 10.10.10.82 to 192.168.0.40 (ports 111, 2049, 712 allowed; all other inter-VLAN traffic dropped; internet accessible)
(Successfully) created a volume for Portainer on a remote (192.168.0.40) TrueNAS Core NFS share
(I can mount any NFS share from that TrueNAS server to the filesystem through the firewall without issue, so it doesn't seem to be NFS port related.)
Inspection of the TrueNAS NFS share shows Portainer created files etc. on the volume.
I captured with tshark with "drop inter-VLAN traffic" enabled (meaning only ports 111, 2049, 712 allowed) where the boot stall occurs and noticed a request for port 922.
Adding 922 to the allowable list enabled a successful Portainer "boot" completion, with the interface coming up.
However, analysis of a tshark capture when "922 enabled" did not show any instances of port 922 actually being used.
I suspect that the issue has to do with Chisel checking for a MITM. But that's just a guess.
As a side experiment I repeated the build on the same subnet as the TrueNAS server (i.e. it doesn't have to go through the firewall) and things worked as expected.
I also tried a version where the Docker volume was "local" and that did not have the issue (which would be expected, since the firewall is not in play and all ports would be accessible to localhost).
It seems the issue only presents itself when using a Docker volume NFS-mounted across a firewall and the undocumented port 922 is blocked.
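The diagnostic step described above (capture while the inter-VLAN drop rule is active, then see which ports the client asks the NFS server for beyond the allowlist) as an added example; this is not code from the post or from Portainer. It assumes tab-separated `tshark -T fields` output with the fields named in the comment, and the sample lines are constructed to mirror the scenario, not a real capture.

```python
# Added example, not from the discussion: compare the ports a client actually
# asked the NFS server for (captured while the inter-VLAN drop rule was
# active) against the firewall allowlist, to spot undocumented dependencies.
#
# Assumed input: tab-separated lines from a tshark run such as
#   tshark -r boot-stall.pcap -T fields -e ip.src -e ip.dst \
#          -e tcp.dstport -e udp.dstport -e tcp.flags.syn -e tcp.flags.ack
# The sample below is constructed to mirror the post, not a real capture.
from collections import Counter

SAMPLE_FIELDS = """\
10.10.10.82\t192.168.0.40\t111\t\t1\t0
10.10.10.82\t192.168.0.40\t\t111\t\t
10.10.10.82\t192.168.0.40\t2049\t\t1\t0
192.168.0.40\t10.10.10.82\t55012\t\t1\t1
10.10.10.82\t192.168.0.40\t2049\t\t0\t1
10.10.10.82\t192.168.0.40\t922\t\t1\t0
10.10.10.82\t192.168.0.40\t922\t\t1\t0
10.10.10.82\t192.168.0.40\t712\t\t1\t0
"""

ALLOWED_PORTS = {111, 2049, 712}   # the rule set described in the post


def connection_attempts(fields_text, client_ip, server_ip):
    """Counter{port: attempts} for client -> server; TCP counts bare SYNs
    only (retransmits to a dropped port show as repeats), UDP counts every
    datagram (e.g. portmapper on 111/udp)."""
    attempts = Counter()
    for line in fields_text.splitlines():
        src, dst, tcp_port, udp_port, syn, ack = (line.split("\t") + [""] * 6)[:6]
        if src != client_ip or dst != server_ip:
            continue                       # ignore replies and other hosts
        if tcp_port and syn in ("1", "True") and ack in ("0", "False"):
            attempts[int(tcp_port)] += 1   # newer tshark prints True/False
        elif udp_port and not tcp_port:
            attempts[int(udp_port)] += 1
    return attempts


def ports_outside_allowlist(attempts, allowed=ALLOWED_PORTS):
    """Ports the client tried that the firewall rule does not permit."""
    return {p: n for p, n in attempts.items() if p not in allowed}


if __name__ == "__main__":
    seen = connection_attempts(SAMPLE_FIELDS, "10.10.10.82", "192.168.0.40")
    for port, n in sorted(seen.items()):
        mark = "" if port in ALLOWED_PORTS else "  <-- not in allowlist"
        print(f"port {port:>5}: {n} attempt(s){mark}")
```

Repeated bare SYNs to one port with no reply in the same capture are the signature of a silently dropped connection; that is the pattern to look for before widening a rule.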