Server. Latest version of Docker. iptables. Running Nextcloud Hub 24.0.5 (I see the problem on earlier versions too). Container updates pull fine.
curl from inside the container:
curl eth0.me
*my IP*
apt from inside the container:
apt update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Err:1 http://deb.debian.org/debian bullseye InRelease
Connection timed out [IP: 199.232.150.132 80]
Err:2 http://deb.debian.org/debian-security bullseye-security InRelease
Connection failed [IP: 146.75.118.132 80]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Err:3 http://deb.debian.org/debian bullseye-updates InRelease
Connection timed out [IP: 199.232.150.132 80]
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye/InRelease Connection timed out [IP: 199.232.150.132 80]
W: Failed to fetch http://deb.debian.org/debian-security/dists/bullseye-security/InRelease Connection failed [IP: 146.75.118.132 80]
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye-updates/InRelease Connection timed out [IP: 199.232.150.132 80]
W: Some index files failed to download. They have been ignored, or old ones used instead.
The server's iptables (fully automatic, generated by Docker):
Chain INPUT (policy ACCEPT 567K packets, 586M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 2286 packets, 174K bytes)
pkts bytes target prot opt in out source destination
7949K 4078M DOCKER-USER all -- any any anywhere anywhere
7949K 4078M DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
476 72644 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
8 512 DOCKER all -- any docker0 anywhere anywhere
338 962K ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
63M 35G ACCEPT all -- any dockerpub0 anywhere anywhere ctstate RELATED,ESTABLISHED
1228K 74M DOCKER all -- any dockerpub0 anywhere anywhere
861K 119M ACCEPT all -- dockerpub0 !dockerpub0 anywhere anywhere
1151K 69M ACCEPT all -- dockerpub0 dockerpub0 anywhere anywhere
0 0 ACCEPT all -- wg0 dockerpub0 anywhere anywhere
0 0 ACCEPT all -- dockerpub0 wg0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 394K packets, 46M bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.11 tcp dpt:http
0 0 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.12 tcp dpt:8080
2 128 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.14 tcp dpt:3000
0 0 ACCEPT udp -- !dockerpub0 dockerpub0 anywhere 172.32.0.14 udp dpt:3000
0 0 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.14 tcp dpt:https
106 6584 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.14 tcp dpt:http
0 0 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.14 tcp dpt:domain
76951 5208K ACCEPT udp -- !dockerpub0 dockerpub0 anywhere 172.32.0.14 udp dpt:domain
0 0 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.2 tcp dpt:8080
0 0 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.2 tcp dpt:3012
0 0 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.13 tcp dpt:3000
0 0 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.13 tcp dpt:ssh
0 0 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.3 tcp dpt:postgresql
0 0 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.4 tcp dpt:22300
0 0 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.10 tcp dpt:8080
0 0 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.8 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
338 962K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
566K 94M DOCKER-ISOLATION-STAGE-2 all -- dockerpub0 !dockerpub0 anywhere anywhere
25M 14G RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
0 0 DROP all -- any dockerpub0 anywhere anywhere
567K 95M RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
69M 35G RETURN all -- any any anywhere anywhere
NAT
Chain PREROUTING (policy ACCEPT 4066 packets, 334K bytes)
pkts bytes target prot opt in out source destination
158K 13M DOCKER all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
27998 2643K DOCKER all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
27998 2643K DOCKER all -- any any anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 187 packets, 45050 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1534 packets, 191K bytes)
pkts bytes target prot opt in out source destination
155K 9322K DOCKER all -- any any anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 2108 packets, 197K bytes)
pkts bytes target prot opt in out source destination
15 1875 MASQUERADE all -- any !docker0 172.17.0.0/16 anywhere
88676 5816K MASQUERADE all -- any !dockerpub0 172.32.0.0/24 anywhere
1259K 116M MASQUERADE all -- any wg0 anywhere anywhere
0 0 MASQUERADE tcp -- any any 172.32.0.11 172.32.0.11 tcp dpt:http
0 0 MASQUERADE tcp -- any any 172.32.0.12 172.32.0.12 tcp dpt:8080
0 0 MASQUERADE tcp -- any any 172.32.0.14 172.32.0.14 tcp dpt:3000
0 0 MASQUERADE udp -- any any 172.32.0.14 172.32.0.14 udp dpt:3000
0 0 MASQUERADE tcp -- any any 172.32.0.14 172.32.0.14 tcp dpt:https
0 0 MASQUERADE tcp -- any any 172.32.0.14 172.32.0.14 tcp dpt:http
0 0 MASQUERADE tcp -- any any 172.32.0.14 172.32.0.14 tcp dpt:domain
0 0 MASQUERADE udp -- any any 172.32.0.14 172.32.0.14 udp dpt:domain
0 0 MASQUERADE tcp -- any any 172.32.0.2 172.32.0.2 tcp dpt:8080
0 0 MASQUERADE tcp -- any any 172.32.0.2 172.32.0.2 tcp dpt:3012
0 0 MASQUERADE tcp -- any any 172.32.0.13 172.32.0.13 tcp dpt:3000
0 0 MASQUERADE tcp -- any any 172.32.0.13 172.32.0.13 tcp dpt:ssh
0 0 MASQUERADE tcp -- any any 172.32.0.3 172.32.0.3 tcp dpt:postgresql
0 0 MASQUERADE tcp -- any any 172.32.0.4 172.32.0.4 tcp dpt:22300
0 0 MASQUERADE tcp -- any any 172.32.0.10 172.32.0.10 tcp dpt:8080
0 0 MASQUERADE tcp -- any any 172.32.0.8 172.32.0.8 tcp dpt:http
Chain DOCKER (4 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 any anywhere anywhere
6 360 RETURN all -- dockerpub0 any anywhere anywhere
62 3720 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:51006 to:172.32.0.11:80
0 0 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:51010 to:172.32.0.12:8080
2 128 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:51013 to:172.32.0.14:3000
0 0 DNAT udp -- !dockerpub0 any anywhere anywhere udp dpt:3000 to:172.32.0.14:3000
0 0 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:51011 to:172.32.0.14:443
106 6584 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:51012 to:172.32.0.14:80
0 0 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:domain to:172.32.0.14:53
59676 4058K DNAT udp -- !dockerpub0 any anywhere anywhere udp dpt:domain to:172.32.0.14:53
21 1260 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:51001 to:172.32.0.2:8080
2 120 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:51002 to:172.32.0.2:3012
0 0 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:51003 to:172.32.0.13:3000
0 0 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:51004 to:172.32.0.13:22
0 0 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:51009 to:172.32.0.3:5432
24 1440 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:51008 to:172.32.0.4:22300
0 0 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:51007 to:172.32.0.10:8080
526 31560 DNAT tcp -- !dockerpub0 any anywhere anywhere tcp dpt:51005 to:172.32.0.8:80
Server routes:
default via 192.168.77.1 dev eth0
10.70.71.0/24 dev wg0 proto kernel scope link src 10.70.71.4
127.0.0.0/8 dev lo scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.32.0.0/24 dev dockerpub0 proto kernel scope link src 172.32.0.1
192.168.7.0/24 via 192.168.77.1 dev eth0 src 192.168.77.30
192.168.66.0/24 via 192.168.77.1 dev eth0 src 192.168.77.30
192.168.77.0/24 dev eth0 proto kernel scope link src 192.168.77.30
Updating any Nextcloud app doesn't work. The error:
[no app in context] Error: GuzzleHttp\Exception\ConnectException: cURL error 28: Operation timed out after 120001 milliseconds with 0 out of 0 bytes received (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://objects.githubusercontent.com/github-production-release-asset-2e65be/377448625/940ffb54-81cc-4bdf-a3a3-28fd393682ae?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230309%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230309T120745Z&X-Amz-Expires=300&X-Amz-Signature=38412c03a2489c3f732986dad99a2acb3781ab35b9877cf2d3b9e2a0d9b699b5&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=377448625&response-content-disposition=attachment%3B%20filename%3Dspreed-v15.0.4.tar.gz&response-content-type=application%2Foctet-stream at <<closure>>
0. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 158
GuzzleHttp\Handler\CurlFactory::createRejection(["GuzzleHttp\\Ha ... l], [28,"Operation t ... "])
1. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 110
GuzzleHttp\Handler\CurlFactory::finishError(["GuzzleHttp\\Handler\\CurlHandler"], ["GuzzleHttp\\Ha ... l], ["GuzzleHttp\\Handler\\CurlFactory"])
2. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlHandler.php line 47
GuzzleHttp\Handler\CurlFactory::finish(["GuzzleHttp\\Handler\\CurlHandler"], ["GuzzleHttp\\Ha ... l], ["GuzzleHttp\\Handler\\CurlFactory"])
3. /var/www/html/lib/private/Http/Client/DnsPinMiddleware.php line 146
GuzzleHttp\Handler\CurlHandler->__invoke("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
4. /var/www/html/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php line 35
OC\Http\Client\DnsPinMiddleware->OC\Http\Client\{closure}("*** sensitive parameters replaced ***")
5. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 31
GuzzleHttp\PrepareBodyMiddleware->__invoke("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
6. /var/www/html/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php line 71
GuzzleHttp\Middleware::GuzzleHttp\{closure}("*** sensitive parameters replaced ***")
7. /var/www/html/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php line 107
GuzzleHttp\RedirectMiddleware->__invoke("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
8. /var/www/html/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php line 73
GuzzleHttp\RedirectMiddleware->checkRedirect("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
9. /var/www/html/3rdparty/guzzlehttp/promises/src/FulfilledPromise.php line 41
GuzzleHttp\RedirectMiddleware->GuzzleHttp\{closure}("*** sensitive parameters replaced ***")
10. /var/www/html/3rdparty/guzzlehttp/promises/src/TaskQueue.php line 48
GuzzleHttp\Promise\FulfilledPromise::GuzzleHttp\Promise\{closure}("*** sensitive parameters replaced ***")
11. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 248
GuzzleHttp\Promise\TaskQueue->run(true)
12. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 224
GuzzleHttp\Promise\Promise->invokeWaitFn()
13. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 269
GuzzleHttp\Promise\Promise->waitIfPending()
14. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 226
GuzzleHttp\Promise\Promise->invokeWaitList()
15. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 62
GuzzleHttp\Promise\Promise->waitIfPending()
16. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php line 187
GuzzleHttp\Promise\Promise->wait()
17. /var/www/html/lib/private/Http/Client/Client.php line 218
GuzzleHttp\Client->request("get", "https://github. ... z", ["/var/www/html/ ... "])
18. /var/www/html/lib/private/Installer.php line 295
OC\Http\Client\Client->get("https://github. ... z", ["/tmp/oc_tmp_Fhxhxs-.tar.gz",120])
19. /var/www/html/lib/private/Installer.php line 193
OC\Installer->downloadApp("*** sensitive parameters replaced ***", false)
20. /var/www/html/apps/settings/lib/Controller/AppSettingsController.php line 535
OC\Installer->updateAppstoreApp("*** sensitive parameters replaced ***")
21. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 225
OCA\Settings\Controller\AppSettingsController->updateApp("*** sensitive parameters replaced ***")
22. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 133
OC\AppFramework\Http\Dispatcher->executeController(["OCA\\Settings\ ... "], "updateApp")
23. /var/www/html/lib/private/AppFramework/App.php line 172
OC\AppFramework\Http\Dispatcher->dispatch(["OCA\\Settings\ ... "], "updateApp")
24. /var/www/html/lib/private/Route/Router.php line 298
OC\AppFramework\App::main("OCA\\Settings\\ ... r", "updateApp", ["OC\\AppFramewo ... "], ["*** sensitive ... "])
25. /var/www/html/lib/base.php line 1047
OC\Route\Router->match("/settings/apps/update/spreed")
26. /var/www/html/index.php line 36
OC::handleRequest()
GET /settings/apps/update/spreed
from 192.168.77.30 by admin at 2023-03-09T12:11:50+00:00
In the other containers, and I have ten of them, everything connects, all updates go through, and I can reach the internet from inside the containers. All containers are in the same segment. NC can't. I posted on the dedicated forum; nothing that worked was suggested. I emailed the developers; they asked for information and never replied (half a year has passed already). I posted in the bug tracker (a similar unresolved issue); no reply.
What could the problem be? Apparently it isn't a common one, otherwise everyone would have raised a fuss already.
NC runs behind a reverse proxy (nginx-proxy-manager in a separate container). I don't see any errors or blocks in the nginx logs. Everything is the same as for the other containers. On the host, wg is up to a VPS, which is also the gateway. All traffic goes through wg. All Nextcloud clients are inside wg. There are none outside. All clients interact successfully with each other, with NC, and with the other services in Docker.
There's a misconfiguration somewhere in my network or NC settings, I don't know… docker-compose.yml, just in case:
services:
  db:
    image: mariadb:10.5
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    volumes:
      - /opt/docker/persistent/nextcloud-db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=secret
      - MARIADB_AUTO_UPGRADE=0
      - MARIADB_DISABLE_UPGRADE_BACKUP=1
    env_file:
      - db.env
  redis:
    image: redis:alpine
    restart: always
  app:
    image: nextcloud:apache
    restart: always
    ports:
      - "51005:80"
    volumes:
      - /mnt/media/docker/containers/nextcloud:/var/www/html
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
    env_file:
      - db.env
    depends_on:
      - db
      - redis
  cron:
    image: nextcloud:apache
    restart: always
    volumes:
      - /mnt/media/docker/containers/nextcloud:/var/www/html
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis
networks:
  default:
    name: dockerpub0
    external: true
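
Added example, not part of the original post: Python that walks the posted FORWARD chain for a given packet and reports which rule decides it, to check how container egress, its replies and unsolicited inbound traffic are treated by the filter table. `LISTING` is a constructed subset of the output above; `parse`, `hit` and `walk` are hypothetical names, and only interface, destination, ctstate and dpt are matched.

```python
import re

# Constructed subset of the `iptables -L -v` listing above (docker0, wg0, DOCKER-USER left out).
LISTING = """\
Chain FORWARD (policy DROP 2286 packets, 174K bytes)
7949K 4078M DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
63M 35G ACCEPT all -- any dockerpub0 anywhere anywhere ctstate RELATED,ESTABLISHED
1228K 74M DOCKER all -- any dockerpub0 anywhere anywhere
861K 119M ACCEPT all -- dockerpub0 !dockerpub0 anywhere anywhere
Chain DOCKER (2 references)
0 0 ACCEPT tcp -- !dockerpub0 dockerpub0 anywhere 172.32.0.8 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
566K 94M DOCKER-ISOLATION-STAGE-2 all -- dockerpub0 !dockerpub0 anywhere anywhere
25M 14G RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
0 0 DROP all -- any dockerpub0 anywhere anywhere
567K 95M RETURN all -- any any anywhere anywhere
"""

def parse(text):  # -> ({chain: [(target, in, out, dst, extra)]}, {chain: policy or None})
    chains, policy = {}, {}
    for f in map(str.split, text.splitlines()):
        if f[:1] == ["Chain"]:
            cur = f[1]
            chains[cur], policy[cur] = [], (f[3] if f[2] == "(policy" else None)
        elif f and f[0] != "pkts":  # skip column headers and blank lines
            chains[cur].append((f[2], f[5], f[6], f[8], " ".join(f[9:])))
    return chains, policy

def hit(i, o, dst, extra, pkt):  # source and protocol are not matched (simplification)
    def ok(pat, v):  # pattern is "any", "iface" or "!iface"
        return pat == "any" or (v != pat[1:] if pat[0] == "!" else v == pat)
    st, dp = re.search(r"ctstate (\S+)", extra), re.search(r"dpt:(\S+)", extra)
    return (ok(i, pkt["in"]) and ok(o, pkt["out"])
            and dst in ("anywhere", pkt.get("dst"))
            and (not st or pkt["state"] in st.group(1).split(","))
            and (not dp or dp.group(1) == pkt.get("dport")))

def walk(chains, policy, pkt, chain="FORWARD"):  # -> (verdict, where) or None
    for target, *match in chains[chain]:
        if hit(*match, pkt):
            if target in ("ACCEPT", "DROP"):
                return target, chain
            if target == "RETURN":
                break
            verdict = walk(chains, policy, pkt, target)
            if verdict:
                return verdict
    return (policy[chain], "policy") if policy[chain] else None  # user chains fall through
```

For example, `walk(*parse(LISTING), {"in": "dockerpub0", "out": "eth0", "state": "NEW"})` returns `("ACCEPT", "FORWARD")`: the rules shown match on interface only, so every container on dockerpub0 gets the same filter verdict for outbound traffic.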