Webservices not accessible using Payara on Docker

Technical Discussion
1

Hello

I have a problem with payara 5.2021.7 in a docker container (I am a beginner in using payara on docker. )

My architecture:

  • payara is composed of two instance groups: group-production and group-recette
  • group-production contains 4 instances: instance-production-1 (21081), instance-production-2 (22081), instance-production-3 (23081) and instance-production-4 (24081)
  • group-recette contains 2 instances: instance-recette-1 (31081) and instance-recette-2 (32081)

The ports are open between the container and the host (docker run -it --rm -h sicpa-interop-recette.cati.inrae. fr -p 4848:4848 -p 21081:21801 -p 22081:22081 -p 23081:23081 -p 24081:24081 -p 31081:31801 -p 32081:32081 -v /etc/letsencrypt:/etc/letsencrypt: ro -v /data/apps/payara/autodeploy:/data/apps/payara/autodeploy -v /data/apps/payara/deployOnBoot:/data/apps/payara/deployOnBoot sicpa-interop)
The ports are open in the company’s firewall. There is no firewall (firewalld, ufw) on the machine.
The ports are listening on the host

[theirman@sicpa-interop-recette ~]$ sudo netstat -plunt
Active Internet connections (servers only)
Proto Recv-Q Send-Q Local address Remote address Status PID/Program name
tcp 0 0 0.0.0.0:4848 0.0.0.0:* LISTEN 7894/docker-proxy
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1386/nginx: master
tcp 0 0 0.0.0.0:24081 0.0.0.0:* LISTEN 7813/docker-proxy
tcp 0 0 0.0.0.0:32081 0.0.0.0:* LISTEN 7772/docker-proxy
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1108/sshd
tcp 0 0 0.0.0.0:21081 0.0.0.0:* LISTEN 7874/docker-proxy
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1386/nginx: master
tcp 0 0 0.0.0.0:22081 0.0.0.0:* LISTEN 7855/docker-proxy
tcp 0 0 0.0.0.0:23081 0.0.0.0:* LISTEN 7833/docker-proxy
tcp 0 0 0.0.0.0:31081 0.0.0.0:* LISTEN 7792/docker-proxy
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN 1170/php-fpm: maste
tcp6 0 0 :::4848 :::* LISTEN 7901/docker-proxy
tcp6 0 0 :::80 :::* LISTEN 1386/nginx: master
tcp6 0 0 :::24081 :::* LISTEN 7820/docker-proxy
tcp6 0 0 :::32081 :::* LISTEN 7779/docker-proxy
tcp6 0 0 :::22 :::* LISTEN 1108/sshd
tcp6 0 0 :::21081 :::* LISTEN 7881/docker-proxy
tcp6 0 0 :::443 :::* LISTEN 1386/nginx: master
tcp6 0 0 :::22081 :::* LISTEN 7861/docker-proxy
tcp6 0 0 :::23081 :::* LISTEN 7840/docker-proxy
tcp6 0 0 :::31081 :::* LISTEN 7798/docker-proxy

In spite of this, I can reach the management console on port 4848 and deploy a web application (WAR), but I cannot access the wsdl file deployed on the instances
ex : https://mon-serveur.fr:31081/MargauPorcinsWs/MargauPService?wsdl

Cause:

[theirman@sicpa-interop-recette ~]$ curl https://sicpa-interop-recette.cati.inrae.fr:30081/MargauPorcinsWs/MargauPService?wsdl -v
* About to connect() to sicpa-interop-recette.cati.inrae.fr port 30081 (#0)
* Trying 138.102.164.199...
* Connection refused
* Failed connect to sicpa-interop-recette.cati.inrae.fr:30081; Connection refused
* Closing connection 0
curl: (7) Failed connect to sicpa-interop-recette.cati.inrae.fr:30081; Connection refused

I don’t see where the problem comes from. Could someone help me please ?
Thanks in advance
Thierry

2

Hi,

I’m not sure if it is a port number 31081 or 30081.

Anyhow, I use the netcat as a basic trouble shooting to ensure that my machine is able to access to the server side as the following example: -

nc -zv <hostname> <port>

# e.g.
nc -zv my.some.domain 443
3

Hello @charlee_ch
Thank you for your answer.

Indeed, I made a mistake in the port. I just redid the test and got the same result

[theirman@sicpa-interop-recette ~]$ curl https://sicpa-interop-recette.cati.inrae.fr:31081/MargauPorcinsWs/MargauPService?wsdl -v

I just tested the command you gave me, here is the result:
[theirman@sicpa-interop-recette ~]$ nc -zv sicpa-interop-recette.cati.inrae.fr 31081
Ncat: Version 7.50 ( Ncat - Netcat for the 21st Century )
Ncat: Connection refused.

Now, the question is “why is this connection refused?”

  • payara is launched and listens on this port in the container
  • the port is mapped from the container to the host
  • there is no firewall on the host
  • the ports are open in the firewall of the IT department
4

And here are the contents of the Data Grid!
DAS|690x286

5

Shall we try to go to that container and try to test with netcat?

# at the host mahine
docker exec -i -t -u root <container-name> /bin/sh

# inside the container
nc -zv localhost 31081

# if the nc or curl is not existed just try to install it, 
# since we use `-u root` to execute to the container 
# as a  user `root`.

# -v is verbose
# -k is insecure which bypass SSL/TLS check
curl -v -k https://localhost:31081/.../....

If the inside container works, it may be some issues at the host machine and/or other network environment which we need to consult the system engineer. :cry:

6

Sorry for the delay in my answer, I spent my day in meetings.
Thanks for your help, I understand how to get into a container that is already running, that’s already a big step forward.

Indeed, the error is not in docker but elsewhere.I’ll have to find it because I’m not going to get any support from the IT team who already told me that everything was OK on the firewall side

Thanks again :slight_smile:

PS: Below, the answers to the commands you gave me :wink:

# nc -zv localhost 31081
Connection to localhost 31081 port [tcp/*] succeeded!

# curl https://localhost:31081/MargauPorcinsWs/MargauPService?wsdl -v -k
*   Trying 127.0.0.1:31081...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 31081 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=sicpa-interop-recette.cati.inrae.fr
*  start date: Sep  9 11:52:31 2021 GMT
*  expire date: Dec  8 11:52:30 2021 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5596f926be10)
> GET /MargauPorcinsWs/MargauPService?wsdl HTTP/2
> Host: localhost:31081
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 4294967295)!
< HTTP/2 200
< content-type: text/xml;charset=utf-8
< content-length: 15360
<
<?xml version='1.0' encoding='UTF-8'?><!-- Published by JAX-WS RI (http://jax-ws.java.net). RI's version is Metro/2.4.3.payara-p5 (2.4.3.payara-maintenance-5307578; 2021-04-22T12:36:46+0100) JAXWS-RI/2.3.2.payara-p4 JAXWS-API/2.3.2 JAXB-RI/2.3.2 JAXB-API/2.3.2 git-revision#unknown. --><!-- Generated by JAX-WS RI (https://github.com/eclipse-ee4j/metro-jax-ws). RI's version is Metro/2.4.3.payara-p5 (2.4.3.payara-maintenance-5307578; 2021-04-22T12:36:46+0100) JAXWS-RI/2.3.2.payara-p4 JAXWS-API/2.3.2 JAXB-RI/2.3.2 JAXB-API/2.3.2 git-revision#unknown. --><definitions xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsp1_2="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://ws/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.xmlsoap.org/wsdl/" targetNamespace="http://ws/" name="MargauPService">
<types>
<xsd:schema>
<xsd:import namespace="http://ws/" schemaLocation="https://localhost:31081/MargauPorcinsWs/MargauPService?xsd=1"/>
</xsd:schema>
</types>
<message name="getVersion">
<part name="parameters" element="tns:getVersion"/>
</message>
...
...
...
...
* Connection #0 to host localhost left intact
#
7

happy evening
thierry

8

Hello
I just understood the problem thanks to you @charlee_ch
I was querying sicpa-interop-recette.cati.inrae.fr which is the literal address of the host. If I query on the ip (172.17.0.2) of the docker container, it works!

[theirman@sicpa-interop-recette ~]$ curl https://sicpa-interop-recette.cati.inrae.fr:31081/MargauPorcinsWs/MargauPService?wsdl -k
curl: (7) Failed connect to sicpa-interop-recette.cati.inrae.fr:31081; Connexion refusée

[theirman@sicpa-interop-recette ~]$ curl https://172.17.0.2:31081/MargauPorcinsWs/MargauPService?wsdl -k
<?xml version='1.0' encoding='UTF-8'?><!-- Published by JAX-WS RI (http://jax-ws.java.net). RI's version is Metro/2.4.3.payara-p5 (2.4.3.payara-maintenance-5307578; 2021-04-22T12:36:46+0100) JAXWS-RI/2.3.2.payara-p4 JAXWS-API/2.3.2 JAXB-RI/2.3.2 JAXB-API/2.3.2 git-revision#unknown. --><!-- Generated by JAX-WS RI (https://github.com/eclipse-ee4j/metro-jax-ws). RI's version is Metro/2.4.3.payara-p5 (2.4.3.payara-maintenance-5307578; 2021-04-22T12:36:46+0100) JAXWS-RI/2.3.2.payara-p4 JAXWS-API/2.3.2 JAXB-RI/2.3.2 JAXB-API/2.3.2 git-revision#unknown. --><definitions xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsp1_2="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://ws/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.xmlsoap.org/wsdl/" targetNamespace="http://ws/" name="MargauPService">
<types>
<xsd:schema>
<xsd:import namespace="http://ws/" schemaLocation="https://172.17.0.2:31081/MargauPorcinsWs/MargauPService?xsd=1"/>
</xsd:schema>
...
...
...

Now I “just” have to understand how to automatically transform a call to the webservice https://sicpa-interop-recette.cati.inrae.fr:31081/MargauPorcinsWs/MargauPService?wsdl into https://172.17.0.2:31081/MargauPorcinsWs/MargauPService?wsdl

It’s unintuitive :

  • host:4848 → container:4848 is done without having to specify anything
  • But, for example, host:31081 → container:31081 is not done automatically

Is there a syntax to indicate the correspondence of the ports such as :
sicpa-interop-recette.cati.inrae.fr:31081 → 172.17.0.2:31081

9

For information, the nmap command shows that the ports on the container are open and not filtered:

[theirman@sicpa-interop-recette ~]$ sudo nmap -p4848,21081,22081,23081,24081,31081,32081 -PO -vv 172.17.0.2

Starting Nmap 6.40 ( http://nmap.org ) at 2021-10-20 09:30 CEST
Initiating ARP Ping Scan at 09:30
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 09:30, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:30
Completed Parallel DNS resolution of 1 host. at 09:30, 0.07s elapsed
Initiating SYN Stealth Scan at 09:30
Scanning 172.17.0.2 [7 ports]
Discovered open port 32081/tcp on 172.17.0.2
Discovered open port 22081/tcp on 172.17.0.2
Discovered open port 21081/tcp on 172.17.0.2
Discovered open port 23081/tcp on 172.17.0.2
Discovered open port 4848/tcp on 172.17.0.2
Discovered open port 24081/tcp on 172.17.0.2
Discovered open port 31081/tcp on 172.17.0.2
Completed SYN Stealth Scan at 09:30, 0.20s elapsed (7 total ports)
Nmap scan report for 172.17.0.2
Host is up (0.000017s latency).
Scanned at 2021-10-20 09:30:41 CEST for 1s
PORT      STATE SERVICE
4848/tcp  open  appserv-http
21081/tcp open  unknown
22081/tcp open  unknown
23081/tcp open  unknown
24081/tcp open  unknown
31081/tcp open  unknown
32081/tcp open  unknown
MAC Address: 02:42:AC:11:00:02 (Unknown)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
           Raw packets sent: 8 (336B) | Rcvd: 8 (336B)
10

Basically, it may be about DNS resolving.

Firstly I’m not sure if the 172.17.0.2 is a host IP address or the Docker network IP address. But I guess it is a Docker network IP address.

Secondly, please try using the host IP address as the following: -

$ ip a

# The example output of my host IP address. 
# For you may be vary based on the configuration.
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu ....
    link/ether ....
    inet 172.17.x.yyyy/24 brd 172.17.x.zzz scope global ...
    inet6 ..../64 scope link
       valid_lft forever preferred_lft forever

When we get the host IP address, we may try to test as the following to ensure that our port has been listened on our host machine properly.

nc -zv 172.17.x.yyy 31081

curl -v -k https://172.17.x.yyy:31081/MargauPorcinsWs/MargauPService?wsdl

Last but not least. If everything works fine, there may be a DNS resolving issue.

# At the host machine

nslookup forum.payara.fish

# Example output
Server:         172.17.x.z
Address:        172.17.x.z#53

Non-authoritative answer:
forum.payara.fish       canonical name = payara....
Name:   payara.....
Address: 184.xxx.yyy.zzz
....

nslookup sicpa-interop-recette.cati.inrae.fr
# Here may be some clue about the resolving IP address.
# We have to ensure that the  sicpa-interop-recette.cati.inrae.fr
# should be resolved to the proper IP address which is our host.

# Note the `curl -v` may print the resolving IP address as well.
curl -v -k  https://sicpa-interop-recette.cati.inrae.fr:31081/MargauPorcinsWs/MargauPService?wsdl
11

yes, it’s the container ip address

Here is the result of ip a :

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

Here is the result of nc :

# nc -zv 172.17.0.2 31081
Connection to 172.17.0.2 31081 port [tcp/*] succeeded!

Here is the result of curl :

# curl -v -k https://172.17.0.2:31081/MargauPorcinsWs/MargauPService?wsdl
*   Trying 172.17.0.2:31081...
* TCP_NODELAY set
* Connected to 172.17.0.2 (172.17.0.2) port 31081 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=sicpa-interop-recette.cati.inrae.fr
*  start date: Sep  9 11:52:31 2021 GMT
*  expire date: Dec  8 11:52:30 2021 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ee2f0d5e10)
> GET /MargauPorcinsWs/MargauPService?wsdl HTTP/2
> Host: 172.17.0.2:31081
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 4294967295)!
< HTTP/2 200
< content-type: text/xml;charset=utf-8
< content-length: 15362
<
<?xml version='1.0' encoding='UTF-8'?><!-- Published by JAX-WS RI (http://jax-ws.java.net). RI's version is Metro/2.4.3.payara-p5 (2.4.3.payara-maintenance-5307578; 2021-04-22T12:36:46+0100) JAXWS-RI/2.3.2.payara-p4 JAXWS-API/2.3.2 JAXB-RI/2.3.2 JAXB-API/2.3.2 git-revision#unknown. --><!-- Generated by JAX-WS RI (https://github.com/eclipse-ee4j/metro-jax-ws). RI's version is Metro/2.4.3.payara-p5 (2.4.3.payara-maintenance-5307578; 2021-04-22T12:36:46+0100) JAXWS-RI/2.3.2.payara-p4 JAXWS-API/2.3.2 JAXB-RI/2.3.2 JAXB-API/2.3.2 git-revision#unknown. --><definitions xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsp1_2="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://ws/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.xmlsoap.org/wsdl/" targetNamespace="http://ws/" name="MargauPService">
<types>
<xsd:schema>
<xsd:import namespace="http://ws/" schemaLocation="https://172.17.0.2:31081/MargauPorcinsWs/MargauPService?xsd=1"/>
</xsd:schema>
...
...
...

Here is the result of nslookup :

# nslookup forum.payara.fish
Server:         138.102.162.42
Address:        138.102.162.42#53

Non-authoritative answer:
forum.payara.fish       canonical name = payara.hosted-by-discourse.com.
Name:   payara.hosted-by-discourse.com
Address: 184.104.202.143
Name:   payara.hosted-by-discourse.com
Address: 2001:470:1:9a5::143

on my side, I went a little further, I documented myself on docker and I found the docker inspect command which gave me the following result:

[theirman@sicpa-interop-recette ~]$ docker inspect sicpa-interop
[
    {
        "Id": "90f9bc918462c6f3b015bd6ad3fadbb472e5923dc716bf8b658e695fc0838ecd",
        "Created": "2021-10-20T07:37:26.619551487Z",
        "Path": "/tini",
        "Args": [
            "--",
            "scripts/entrypoint.sh"
        ],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 2873,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2021-10-20T08:36:23.458986306Z",
            "FinishedAt": "2021-10-20T08:36:16.056052027Z"
        },
        "Image": "sha256:a8080cc0005b5c25a7da1c19cfbb7dc48d49f9ccda80b134802429c7fae56af0",
        "ResolvConfPath": "/var/lib/docker/containers/90f9bc918462c6f3b015bd6ad3fadbb472e5923dc716bf8b658e695fc0838ecd/resolv.conf",
        "HostnamePath": "/var/lib/docker/containers/90f9bc918462c6f3b015bd6ad3fadbb472e5923dc716bf8b658e695fc0838ecd/hostname",
        "HostsPath": "/var/lib/docker/containers/90f9bc918462c6f3b015bd6ad3fadbb472e5923dc716bf8b658e695fc0838ecd/hosts",
        "LogPath": "/var/lib/docker/containers/90f9bc918462c6f3b015bd6ad3fadbb472e5923dc716bf8b658e695fc0838ecd/90f9bc918462c6f3b015bd6ad3fadbb472e5923dc716bf8b658e695fc0838ecd-json.log",
        "Name": "/sicpa-interop",
        "RestartCount": 0,
        "Driver": "overlay2",
        "Platform": "linux",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "",
        "ExecIDs": null,
        "HostConfig": {
            "Binds": [
                "/data/apps/payara/autodeploy:/data/apps/payara/autodeploy",
                "/data/apps/payara/deployOnBoot:/data/apps/payara/deployOnBoot",
                "/etc/letsencrypt:/etc/letsencrypt:ro"
            ],
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "json-file",
                "Config": {}
            },
            "NetworkMode": "default",
            "PortBindings": {
                "21801/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": "21081"
                    }
                ],
                "22081/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": "22081"
                    }
                ],
                "23081/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": "23081"
                    }
                ],
                "24081/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": "24081"
                    }
                ],
                "31801/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": "31081"
                    }
                ],
                "32081/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": "32081"
                    }
                ],
                "4848/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": "4848"
                    }
                ]
            },
            "RestartPolicy": {
                "Name": "no",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": null,
            "CapDrop": null,
            "CgroupnsMode": "host",
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "private",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": null,
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "runc",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 0,
            "NanoCpus": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": [],
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DeviceCgroupRules": null,
            "DeviceRequests": null,
            "KernelMemory": 0,
            "KernelMemoryTCP": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": null,
            "OomKillDisable": false,
            "PidsLimit": null,
            "Ulimits": null,
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0,
            "MaskedPaths": [
                "/proc/asound",
                "/proc/acpi",
                "/proc/kcore",
                "/proc/keys",
                "/proc/latency_stats",
                "/proc/timer_list",
                "/proc/timer_stats",
                "/proc/sched_debug",
                "/proc/scsi",
                "/sys/firmware"
            ],
            "ReadonlyPaths": [
                "/proc/bus",
                "/proc/fs",
                "/proc/irq",
                "/proc/sys",
                "/proc/sysrq-trigger"
            ]
        },
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/5362fa76fa867665c4bf8e2366945ebf92a70452261d65fb12901f1081a238e4-init/diff:/var/lib/docker/overlay2/491998dcabb24d2c800144202c6a7f298bab4453ace0f69129922923e6399404/diff:/var/lib/docker/overlay2/f71cfae2dd31d94c848f1d22d41bbb87af6d952b2fa0f3bc4629f7b563159cb4/diff:/var/lib/docker/overlay2/6680d19d1af6ec15ddb43a9d45d93e096395658877359fa674bf6f97ad7c7e42/diff:/var/lib/docker/overlay2/c636507e0a1ad73adaed5c6bd29750a9d9a6382225abbf2c22a58226f6cb035c/diff:/var/lib/docker/overlay2/d5d746ca0ee7cb0dc8ecf93227f50be80167b0d086eb7114d951d776d51331e5/diff",
                "MergedDir": "/var/lib/docker/overlay2/5362fa76fa867665c4bf8e2366945ebf92a70452261d65fb12901f1081a238e4/merged",
                "UpperDir": "/var/lib/docker/overlay2/5362fa76fa867665c4bf8e2366945ebf92a70452261d65fb12901f1081a238e4/diff",
                "WorkDir": "/var/lib/docker/overlay2/5362fa76fa867665c4bf8e2366945ebf92a70452261d65fb12901f1081a238e4/work"
            },
            "Name": "overlay2"
        },
        "Mounts": [
            {
                "Type": "bind",
                "Source": "/data/apps/payara/autodeploy",
                "Destination": "/data/apps/payara/autodeploy",
                "Mode": "",
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/data/apps/payara/deployOnBoot",
                "Destination": "/data/apps/payara/deployOnBoot",
                "Mode": "",
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/etc/letsencrypt",
                "Destination": "/etc/letsencrypt",
                "Mode": "ro",
                "RW": false,
                "Propagation": "rprivate"
            }
        ],
        "Config": {
            "Hostname": "sirec",
            "Domainname": "",
            "User": "payara",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "21081/tcp": {},
                "21801/tcp": {},
                "22081/tcp": {},
                "23081/tcp": {},
                "24081/tcp": {},
                "31081/tcp": {},
                "31801/tcp": {},
                "32081/tcp": {},
                "4848/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/bin",
                "LANG=en_US.UTF-8",
                "LANGUAGE=en_US:en",
                "LC_ALL=en_US.UTF-8",
                "JAVA_HOME=/usr/lib/jvm/zulu11-ca-amd64",
                "AS_JAVA=/usr/lib/jvm/zulu11",
                "AUTODEPLOY_DIR=/data/apps/payara/autodeploy",
                "CONFIG_DIR=/data/apps/payara/config",
                "DEPLOY_DIR=/data/apps/payara/deployOnBoot",
                "HOME_DIR=/data/apps/payara",
                "LOGS_DIR=/data/apps/payara/logs",
                "PASSWORD_FILE=/data/apps/payara/passwordFile",
                "PAYARA_DIR=/data/apps/payara/appserver",
                "SCRIPT_DIR=/data/apps/payara/scripts",
                "DOMAIN_NAME=production",
                "ADMIN_USER=admin",
                "ADMIN_PASSWORD=admin",
                "HOSTNAME=sicpa-interop-recette.cati.inrae.fr",
                "LE_LIVE=/etc/letsencrypt/live",
                "LE_CERT=le_sicpa-interop-recette.cati.inrae.fr",
                "JVM_ARGS=",
                "DEPLOY_PROPS=",
                "POSTBOOT_COMMANDS=/data/apps/payara/config/postboot-commands.asadmin",
                "PREBOOT_COMMANDS=/data/apps/payara/config/preboot-commands.asadmin"
            ],
            "Cmd": [
                "scripts/entrypoint.sh"
            ],
            "Image": "sicpa-interop",
            "Volumes": null,
            "WorkingDir": "/data/apps/payara",
            "Entrypoint": [
                "/tini",
                "--"
            ],
            "OnBuild": null,
            "Labels": {}
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "a688eff9c03e1e3753c83c282430080e0ecb5292ce045d47d82dd07c0edfb3af",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "21081/tcp": null,
                "21801/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "21081"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "21081"
                    }
                ],
                "22081/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "22081"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "22081"
                    }
                ],
                "23081/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "23081"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "23081"
                    }
                ],
                "24081/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "24081"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "24081"
                    }
                ],
                "31081/tcp": null,
                "31801/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "31081"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "31081"
                    }
                ],
                "32081/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "32081"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "32081"
                    }
                ],
                "4848/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "4848"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "4848"
                    }
                ]
            },
            "SandboxKey": "/var/run/docker/netns/a688eff9c03e",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "7a80ab6b20737ec362e5969832c3f83ba33d7c31507ca1a348bcd80a2e066de0",
            "Gateway": "172.17.0.1",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "172.17.0.2",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
            "MacAddress": "02:42:ac:11:00:02",
            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "d5d79bfc0793d4305ea419aa4205ba3f9e084a946d0df42a65fe4f998e516059",
                    "EndpointID": "7a80ab6b20737ec362e5969832c3f83ba33d7c31507ca1a348bcd80a2e066de0",
                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:11:00:02",
                    "DriverOpts": null
                }
            }
        }
    }
]

we can see in this trace that port 21081 and 31081 seem to appear twice in the list of NetworkSettings ports, first at null, then with the right values. In fact, if we look closely, these are ports 21081/21801 and 31081/31801. Hence the rejected port!

This is how I used to create my container until now:

docker run -d --name sicpa-interop --hostname sirec -p 4848:4848 -p 21081:21801 -p 22081:22081 -p 23081:23081 -p 24081:24081 -p 31081:31801 -p 32081:32081 -v /etc/letsencrypt:/etc/letsencrypt:ro -v /data/apps/payara/autodeploy:/data/apps/payara/autodeploy -v /data/apps/payara/deployOnBoot:/data/apps/payara/deployOnBoot sicpa-interop

Now I corrected it and everything works perfectly :slight_smile:
Thank you @charlee_ch

12

You’re welcome. I’m glad to hear that. :wink: