Bug #23088
closed
When ContainerWebServices.ExternalPortMin and ExternalPortMax are set to the same value, container service becomes inaccessible
Description
I was running the Ansible-based single-node installation with the config file deployed to the cluster containing this section
ContainerWebServices:
  # This ExternalURL should match Controller's.
  ExternalURL: "https://xtmp2.halley-mirzam.ts.net:8443"
  ExternalPortMin: 10000
  ExternalPortMax: 10000
(Here "xtmp2.halley-mirzam.ts.net" is my private Tailscale domain for the test cluster. Detailed set-up guide is in the privately shared doc here).
Then, browsing to the target initial_url at https://xtmp2.halley-mirzam.ts.net:10000/, I get the Firefox "Unable to connect" error page (developer tool -> Network shows NS_ERROR_CONNECTION_REFUSED)
During the lifetime of the service container, the stderr output was
2025-08-06T20:57:26.845792686Z 2025/08/06 20:57:26 [notice] 1#1: using the "epoll" event method
2025-08-06T20:57:26.845800751Z 2025/08/06 20:57:26 [notice] 1#1: nginx/1.29.0
2025-08-06T20:57:26.845803456Z 2025/08/06 20:57:26 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14+deb12u1)
2025-08-06T20:57:26.845805781Z 2025/08/06 20:57:26 [notice] 1#1: OS: Linux 6.14.0-27-generic
2025-08-06T20:57:26.845807965Z 2025/08/06 20:57:26 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 10000:10000
2025-08-06T20:57:26.845935728Z 2025/08/06 20:57:26 [notice] 1#1: start worker processes
2025-08-06T20:57:26.846075816Z 2025/08/06 20:57:26 [notice] 1#1: start worker process 29
2025-08-06T20:57:26.846428338Z 2025/08/06 20:57:26 [notice] 1#1: start worker process 30
2025-08-06T20:57:26.846433405Z 2025/08/06 20:57:26 [notice] 1#1: start worker process 31
2025-08-06T20:57:26.846499021Z 2025/08/06 20:57:26 [notice] 1#1: start worker process 32
If I change the ExternalPortMax value to 10001 (one above the min), the container service becomes accessible at the URL. The stderr output in the log is essentially the same except now I can see HTTP requests to the server.
Updated by Brett Smith 6 months ago
- Release set to 82
- Category set to Deployment
I think what needs to happen is when Ansible writes the nginx front-end configuration for this service, it needs to write a listen directive for a single port rather than a range.
Fixing this is admittedly low-priority since I would expect even the smallest installs to be able to accommodate more than one service container.
Updated by Tom Clegg 2 months ago
- Target version set to Development 2026-01-21
- Assigned To set to Tom Clegg
- Status changed from New to In Progress
Nginx, at least as far back as 1.18.0 (debian 11), accepts a single-port port range like listen 12345-12345;.
Postgresql generate_sequence(12345,12345) is also fine.
So, I think all we need to do is change our template condition from < to <= like this:
23088-single-container-port @ 09a60c21b4c2d99a36542a1079264f4b27c768f7 -- developer-run-tests: #5006
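An added example, not Arvados code or part of the ticket: a deploy-time check that every port in the configured ExternalPortMin..ExternalPortMax range is covered by an nginx listen directive, run here against a hypothetical stand-in for the template guard. The `render` function, its output, the `ssl` parameter and `example.invalid` are constructed for illustration; the real template is not shown on this page.

```python
import re

# First argument of an nginx "listen" directive, e.g. "listen 10000;",
# "listen 10000-10010 ssl;", "listen [::]:10000-10010;".
LISTEN_RE = re.compile(r"^\s*listen\s+(\S+?)(?:\s[^;]*)?;", re.MULTILINE)
# Trailing port or port range, optionally preceded by "address:".
PORT_RE = re.compile(r"(?:^|:)(\d+)(?:-(\d+))?$")


def listened_ports(nginx_conf: str) -> set[int]:
    """Return every TCP port covered by listen directives in the config text."""
    ports: set[int] = set()
    for target in LISTEN_RE.findall(nginx_conf):
        m = PORT_RE.search(target)
        if not m:  # unix: sockets and address-only forms carry no port here
            continue
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        ports.update(range(lo, hi + 1))
    return ports


def missing_ports(port_min: int, port_max: int, nginx_conf: str) -> list[int]:
    """Ports in the inclusive [port_min, port_max] range with no listener."""
    if not (0 < port_min <= port_max <= 65535):
        raise ValueError(f"invalid port range {port_min}-{port_max}")
    have = listened_ports(nginx_conf)
    return [p for p in range(port_min, port_max + 1) if p not in have]


def render(port_min: int, port_max: int, inclusive: bool) -> str:
    """Hypothetical template stand-in: emit listen only if the guard passes."""
    ok = port_min <= port_max if inclusive else port_min < port_max
    listen = f"  listen {port_min}-{port_max} ssl;\n" if ok else ""
    return "server {\n" + listen + "  server_name example.invalid;\n}\n"


if __name__ == "__main__":
    # Constructed case from the report: min == max == 10000.
    for inclusive in (False, True):
        conf = render(10000, 10000, inclusive)
        guard = "<=" if inclusive else "<"
        print(guard, "missing:", missing_ports(10000, 10000, conf))
```

Running a check like this against the rendered front-end configuration catches a silently missing listener before a user sees a refused connection.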
Updated by Brett Smith 2 months ago
Tom Clegg wrote in #note-2:
23088-single-container-port @ 09a60c21b4c2d99a36542a1079264f4b27c768f7 -- developer-run-tests: #5006
LGTM, thanks.
Updated by Tom Clegg 2 months ago
- Status changed from In Progress to Resolved
Applied in changeset arvados|65a5c6f46318bf2a31b256133aeece7917c885e3.