Hello,
I have the following configuration file for Kibana and Elasticsearch operating in a swarm, which I deploy with docker stack:
version: '3'
services:
  kibana-node1:
    image: amazon/opendistro-for-elasticsearch-kibana:0.8.0
    #container_name: kibana-node1
    deploy:
      placement:
        constraints: [node.hostname == kb01a.hostname]
    ports:
      - "5601:5601"
    networks:
      - test-net
    environment:
      ELASTICSEARCH_URL: https://test_es-node1:9200
  es-node1:
    image: amazon/opendistro-for-elasticsearch:0.8.0
    #container_name: es-node1
    deploy:
      placement:
        constraints: [node.hostname == es01a.hostname]
    environment:
      - cluster.name=test-cluster
      #- bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
      - "ES_JAVA_OPTS=-Xms2048m -Xmx2048m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - test-data:/usr/share/elasticsearch/data
    ports:
      - "9200:9200"
      - "9600:9600" # required for Performance Analyzer
    networks:
      - test-net
volumes:
  test-data:
networks:
  test-net:
I can curl https://127.0.0.1:9200/_cluster/health, but I cannot access Kibana on port 5601.
Docker service ls:
ID             NAME                MODE         REPLICAS   IMAGE                                              PORTS
s6saye28ib0p   test_es-node1       replicated   1/1        amazon/opendistro-for-elasticsearch:0.8.0          *:9200->9200/tcp, *:9600->9600/tcp
mbeczgli0ark   test_kibana-node1   replicated   1/1        amazon/opendistro-for-elasticsearch-kibana:0.8.0   *:5601->5601/tcp
However, if I run docker ps -a on the node that is running the Kibana container, we can see that it does not expose any ports:
CONTAINER ID   IMAGE                                              COMMAND                  CREATED          STATUS          PORTS   NAMES
0b16574cc2b9   amazon/opendistro-for-elasticsearch-kibana:0.8.0   "/usr/local/bin/kiba…"   51 seconds ago   Up 49 seconds           test_kibana-node1.1.ko0wszldf2dg7epu5zhsy2wsv
I have no firewall enabled. Output of iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-INGRESS all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
Chain DOCKER-INGRESS (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:5601
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp spt:5601
ACCEPT tcp -- anywhere anywhere tcp dpt:9600
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp spt:9600
ACCEPT tcp -- anywhere anywhere tcp dpt:9200
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp spt:9200
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere