docker https jetbrains-hub macvlan

JetBrains/Teamtools in docker container "Could not listen on address 0.0.0.0 and port 443"


Problem

I'm trying to set up JetBrains Hub, Youtrack, Upsource and Teamcity in a docker container and configure each to be available on their own IP (macvlan) at the default ports 80 redirected to 443 and 443 for HTTPS (so the port numbers do not show up in the browser).

However if I do that I get:

Could not listen on address 0.0.0.0 and port 443

Leaving the teamtools on their default ports 8080 and 8443 works, and giving them ports over 2000 seems to work as well.

I checked with fuser 443/tcp and netstat -tulpn, but there is nothing running on port 80 or 443 (I had to install the packages for those in the container).

I tried setting the listening address to the NIC's IP or 172.0.0.1, but this is refused as well:

root@teamtools [ /opt/teamtools ]# docker run --rm -it \
    -v /opt/hub/data:/opt/hub/data \
    -v /opt/hub/conf:/opt/hub/conf \
    -v /opt/hub/logs:/opt/hub/logs \
    -v /opt/hub/backups:/opt/hub/backups \
    jetbrains/hub:2018.2.9840 \
    configure --listen-address=192.168.1.211
* Configuring JetBrains Hub 2018.2
* Setting property 'listen-address' to '192.168.1.211' from arguments
[APP-WRAPPER] Failed to configure Hub: java.util.concurrent.ExecutionException: com.jetbrains.bundle.exceptions.BadConfigurationException: Could not listen on address {192.168.1.211} . Please specify another listen address in property listen-address

Question:

  1. Why can I not set ports 80 and 443?
  2. Why does it work for ports over 2000?
  3. How can I make this work without a reverse proxy? (A reverse proxy comes with a whole bunch of other issues that I'm trying to avoid with this setup.)

Setup

ESXi 6.7 Host
  - vSwitch0 (Allow promiscuous mode:   Yes)
     - port group: VM Network (Allow promiscuous mode:   No)
       - other VMs
     - port group: Promiscuous Ports (Allow promiscuous mode:   Yes)
       - Teamtools VM (Photon OS 2.0, IP: 192.168.1.210)
         - firewall based on: https://unrouted.io/2017/08/15/docker-firewall/
         - docker/docker-compose
           - hub                         (IP: 192.168.1.211:80/443)
           - youtrack                    (IP: 192.168.1.212:80/443)
           - upsource                    (IP: 192.168.1.213:80/443)
           - teamcity-server             (IP: 192.168.1.214:80/443)
           - teamcity_db (MariaDB 10.3)  (IP: 192.168.1.215:3306)

docker-compose.yml

version: '2'
networks:
  macnet:
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1 

services:
  hub:
    # set a custom container name so no more than one container can be created from this config
    container_name: hub
    image: "jetbrains/hub:2018.2.9840"
    restart: unless-stopped
    volumes:
      - /opt/hub/data:/opt/hub/data
      - /opt/hub/conf:/opt/hub/conf
      - /opt/hub/logs:/opt/hub/logs
      - /opt/hub/backups:/opt/hub/backups
      - /opt/teamtools:/opt/teamtools
    expose:
      - "80"
      - "443"
      - "8080"
      - "8443"
    networks:
      macnet:
        ipv4_address: 192.168.1.211
    domainname: office.mydomain.com
    hostname: hub
    environment:
      - "JAVA_OPTS=-J-Djavax.net.ssl.trustStore=/opt/teamtools/certs/keyStore.p12 -J-Djavax.net.ssl.trustStorePassword=xxxxxxxxxxxxxx"
...

Solution

  • Upsource is run by the user jetbrains, which is non-root. https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html
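
A diagnostic sketch for the failure discussed above, added here as an example and not taken from the original post or from JetBrains: it attempts the bind and maps the errno to a cause, separating "port in use" (what fuser/netstat check) from the privileged-port denial named in the solution. The function names, the sysctl fallback of 1024 and the probed address/port list are assumptions chosen for illustration.

```python
import errno
import os
import socket

# Linux sysctl (kernel 4.11+): lowest port bindable without CAP_NET_BIND_SERVICE.
SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"

def unprivileged_port_start(path=SYSCTL):
    """Read the threshold; fall back to the traditional 1024 if unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 1024

def explain(err, port, euid, unpriv_start):
    """Map a bind() errno to the likely cause of a 'could not listen' error."""
    if err == 0:
        return "ok"
    if err == errno.EACCES:
        if euid != 0 and port < unpriv_start:
            return "privileged port: non-root user without CAP_NET_BIND_SERVICE"
        return "permission denied: dropped capabilities or security policy"
    if err == errno.EADDRINUSE:
        return "port already in use"
    if err == errno.EADDRNOTAVAIL:
        return "address not assigned in this network namespace"
    return os.strerror(err)

def probe(address, port):
    """Try to bind a TCP socket as the current user and explain the result."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((address, port))
        err = 0
    except OSError as exc:
        err = exc.errno
    finally:
        sock.close()
    return explain(err, port, os.geteuid(), unprivileged_port_start())

if __name__ == "__main__":
    # Addresses and ports from the question; run inside the container.
    for addr, port in [("0.0.0.0", 443), ("0.0.0.0", 8443), ("192.168.1.211", 443)]:
        print(f"{addr}:{port} -> {probe(addr, port)}")
```

Run it inside the container as the same user the service runs as, since the result depends on that user's effective UID and on the container's network namespace.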