Opening Azure Web App for Containers ports? - azure

I have a 3rd party Tomcat server image/container running in LinuxVM on Azure. The LinxVM actually started as 2 images(NGINX loadbalancer) running via a docker-compose script, but to test this on a webapp I've wittled down to just the single tomcat image. Now, the compose script uses the key:
ports:
- 80:8090
- 8445:8443
In the VM I can run the docker-compose script and hit http://mypage:80 and it works just fine. I can also run:
docker run -d -p <somePort>:8090 --name tomcat_1 <myrepo/myimage>
I can then access my site with http://mypage:<somePort> regardless of which port I want to map to the container. This all works great.
Now, with the Azure Web App, I'm using an Azure Web App for Containers --> Docker Compose (Preview). My compose script looks something like:
version: "3.0"
services:
pdfd-tomcat:
image: <myrepo/myimage>
build:
context: .
args:
INCLUDE_DEMO: 'true'
LIBRE_SUPPORT: 'false'
HTML_SUPPORT: 'false'
container_name: Blackbox
environment:
TRN_PDFNET_KEY:
TRN_DB_TYPE: SQLITE
TRN_DB_LINK:
TRN_BALANCER_COOKIE_NAME: HAPROXID
TRN_DEBUG_MODE: 'false'
ports:
- 80:8090
- 8445:8443
I've exposed 80:8090 because I've read that Azure Web Apps only expose port 80 and 443 by default. However, I cannot access this site from any port once the web app is spun up. I've verified running this same compose script works in a VM. Now, when I hit the web app logs, I see this:
Status: Image is up to date for <myrepo/myimage>
2018-06-17 05:38:41.298 INFO - Starting container for site
2018-06-17 05:38:41.298 INFO - docker run -d -p 18455:8090 --name tomcat_1 -e WEBSITE_SITE_NAME=<mywebsite> -e WEBSITE_AUTH_ENABLED=False -e WEBSITE_ROLE_INSTANCE_ID=0 -e WEBSITE_INSTANCE_ID=<stuff goes here>
2018-06-17 05:38:41.298 INFO - Logging is not enabled for this container.
Please use https://aka.ms/linux-diagnostics to enable logging to see container logs here.
2018-06-17 05:38:56.994 INFO - Started multi-container app
2018-06-17 05:38:57.008 INFO - Container tomcat_1 for site <mywebsite> initialized successfully.
So, it seems that it's trying to map external port: 18455 to my internal 8090 port. Why? Also, if I try to hit my site via that port, I can't. Each time the app deploys/restarts it maps a different external port.
Also, if I retroactively go to 'Application Settings' and use the key/value: WEBSITES_PORT:<current externally mapped port> it has literally no effect. Then if the app gets restarted/redeployed, I can see that WEBSITES_PORT:<port> is what the previous port was mapped with, but since that changes every deployment, the current external port and the WEBSITES_PORT values never match. I don't even know if it works to begin with.
How the heck do get this working in a deterministic manner? I can supply other material if needed.

This boiled down to a permissions issue when using Tomcat 9.0+ with Docker.
Permission problem while running tomcat as a non-root user
The Dockerfile would create a new usergroup and add a user, then give that user permissions in the folders where Tomcat existed. If you jumped into the container via docker exec /bin/bash and checked permissions, they all seemed perfectly fine. However, logs would show that Tomcat couldn't gain access to those folders.
Once I implemented the fix as described by Empinator in the link everything worked (using root also worked).

Related

Azure Functions runtime is unreachable while deploying through Azure Container Image

I have an azure function, I am using azure container registry image for the deployment but getting Azure runtime is unreachable. I have checked the docker logs from Kudu, it is throwing -
Pull Image successful, Time taken: 0 Minutes and 1 Seconds
2022-12-13T07:40:49.911Z INFO - Starting container for site
2022-12-13T07:40:49.912Z INFO - docker run -d --expose=80 --name <function_app>_0_e2779bae -e DOCKER_CUSTOM_IMAGE_NAME=/: -e WEBSITES_ENABLE_APP_SERVICE_STORAGE=false -e WEBSITE_SITE_NAME=<function_app> -e WEBSITE_AUTH_ENABLED=False -e PORT=80 -e WEBSITE_ROLE_INSTANCE_ID=0 -e WEBSITE_HOSTNAME=<function_app>.azurewebsites.net -e WEBSITE_INSTANCE_ID= -e WEBSITE_USE_DIAGNOSTIC_SERVER=False <image_path>
2022-12-13T07:40:49.913Z INFO - Logging is not enabled for this container.
Please use https://aka.ms/linux-diagnostics to enable logging to see container logs here.
2022-12-13T07:40:50.683Z INFO - Initiating warmup request to container <function_app>_0_e2779bae_msiProxy for site <function_app>
2022-12-13T07:40:50.692Z INFO - Container <function_app>_0_e2779bae_msiProxy for site <function_app> initialized successfully and is ready to serve requests.
2022-12-13T07:40:50.693Z INFO - Initiating warmup request to container <function_app>_0_e2779bae for site <function_app>
2022-12-13T07:40:50.706Z ERROR - Container <function_app>_0_e2779bae for site <function_app> has exited, failing site start
2022-12-13T07:40:50.712Z ERROR - Container <function_app>_0_e2779bae didn't respond to HTTP pings on port: 80, failing site start. See container logs for debugging.
2022-12-13T07:40:50.718Z INFO - Stopping site <function_app> because it failed during startup.
I have added docker url, username and password attributes in the app-settings and are correct. Can someone please help me out with the same?
Container <function_app>_0_e2779bae didn’t respond to HTTP pings on port: 80, failing site start.
There could be several reasons for the above error such as:
Allow the Port 8080 or 80 by adding the app setting as WEBSITES_PORT .
If it is the custom container, you have to give certain port number for routing the requests.
In Docker File, expose the above-mentioned port.
Refer to this MS Q&A Issue No 750525 regarding the similar error on Azure Functions Container Context and also many similar issues reported on GitHub Repositories such as 46401, 34451 for the solutions given by MSFT Azure Team.
I have tried several ways but got to know the reason at last.
The issue was with the dockerfile, but the error logs were not showing the actual cause.
Previously in the dockerfile we were using entrypoint and the code was not getting published to wwwroot
WORKDIR /app
COPY --from=publish /app/publish .
ENTRYPOINT ["dotnet", "someapplication.dll"]
and then we modified the file to publish it to wwwroot
WORKDIR /home/site/wwwroot
COPY --from=publish /app/publish .
ENV AzureWebJobsScriptRoot=/home/site/wwwroot
This resolved my problem.

How to add additional options to docker run on Azure Service App

I am trying to run docker run -i --rm -d --cap-add=SYS_ADMIN --name <azure-container> <azure-container-registry>/<image-name>:<tag>
By default the container is created using docker run -p port1:port2
I want to remove the -p option and add --cap-add=SYS_ADMIN , every time my container gets created from azure container registry using App Service.
Any help appreciated.
Regards,
Aarushi
Unfortunately, the docker command cannot be custom when you deploy your image to Azure Web App. It runs by Azure. You can add the environment variables in the App Setting, but not change the docker command.
You cannot run a container without exposing a port, on App Services. It needs to run a server process in order to become 'healthy'. You can use port 80 (default) or 8080.
Also, as Charles Xu said, you cannot add capabilities at this time.
In Service Fabric you have more port mapping options, but you should still expose a port for the liveness probe.
No cap-add support here either.

Azure App Service Container keeps on restarting

I created an azure app Service running a docker container.
but the container seems to be restarting all the time:
2020-01-09 07:21:56.543 INFO - Container XXX for site xxx initialized successfully and is ready to serve requests.
2020-01-09 07:22:01.559 ERROR - Container for xxx site xxx is unhealthy, Stopping site.
2020-01-09 07:22:01.559 INFO - Stoping site xxx because it is not healthy.
As it is a ressource intensive application it can be that the Service is not responding quickly.
i already tried to add the following Setting:
{
"name": "CONTAINER_AVAILABILITY_CHECK_MODE",
"value": "Off",
"slotSetting": false
}
but with no effect.
According to the Dockerfile of the image apache/drill:1.17.0 you used, it does not expose the port 8047 to access outside. And there are two ways to expose the port that displayed here and then you can access outside if you want. So the second way is suitable for this situation, and when you set the environment variable WEBSITES_PORT with value 8047, then you can access the web app outside. Here is the screenshot which works fine on my side:
Update:
It seems the image needs an interactive mode and the docker command to run it should be docker run -i --name drill-1.17.0 -p 8047:8047 --detach -t apache/drill:1.17.0 /bin/bash or another similar command with an interactive mode. Or it would stop in a few munites later. But you cannot change the command that runs the image in Web App, so you also cannot use an interactive mode in Web App for the image.
So the solution is that you need to create a custom image to keep it on running state base on the image apache/drill:1.17.0. Then it will work well.

Docker never runs on Azure - Waiting for response to warmup request for container

I'm trying to deploy a dockerized app on Azure's App Service. I enter all the fields correctly, my image gets pulled, put I keep getting this error until something times out.
Waiting for response to warmup request for container -<container name > Elapsed time = 154.673506 sec
I did set WEBSITE_PORT 8080 (used by my app)
Here is the dockerfile
FROM google/dart
WORKDIR /app
ADD pubspec.* /app/
RUN pub get --no-precompile
ADD . /app/
RUN pub get --offline --no-precompile
WORKDIR /app
EXPOSE 8080
ENTRYPOINT ["pub", "run", "aqueduct:aqueduct", "serve", "--port", "8080"]
It was working fine. I had it working last night. I wanted to refresh my image so I restarted. Nothing worked. After multiple hours I deleted my app and started again... no luck. Any ideas?
EDIT 1:
Tried changing port to 80, no luck (This was the port I was using at first when it was working fine)
RESOLVED (Partially)*
I changed everything to port 8000. I realized that Linux and windows did not like having something non-system listening on 80. Therefore I changed everything on 8000 and set the system properties on Azure {WEBSITE_PORT, 8000}. IT now seems to work fine. I don't know if this is an official fix... But it does warmup after 30-ish seconds
You can also try setting WEBSITES_CONTAINER_START_TIME_LIMIT to 1800
Depending which App Service plan you have, if there is an option ‘always on’, try to set ‘always on’ in the configuration of your app in Azure portal.
If you are using a Premium App service plan, you can set pre-warm number of instances. Try to set that to 2-3 and see if it gets any better..here
I had the same experience as you, but my container was really big since it contained ML model, so at the end I switched to AKS because it performed better..
what actually worked for me was a combination of the answers above by Ethiene and kgalic, setting all ports to 8000 in the docker file
EXPOSE 8000
CMD gunicorn -w 4 -b :8000 app:app
in the azure configuration application settings adding
"WEBSITES_PORT" : "8000"
in the azure configuration general settings setting
"Always on" : "on"
App Service - Docker container deploy
In my case, this slowdown was caused by automatic port detection.
Setting the WEBSITES_PORT in the application setting solved the problem.
WEBSITES_PORT=8000
Pay attention if you have more slots (production/staging?), you have to set this env variable in the other slots too.
From: Azure App Service on Linux FAQ - Custom Contaniers
We have automatic port detection. You can also specify an app setting called WEBSITES_PORT and give it the value of the expected port number. Previously, the platform used the PORT app setting. We are planning to deprecate this app setting and to use WEBSITES_PORT exclusively.
I had this same problem when I used the nodejs application, so I did build the dist folder by npm build on the creation of the docker image, so it is part of the docker image rather than the docker cmd creating the build image on the initial execution of the app. Maybe the RAM and CPU wasn't enough for the npm build to happen at the initial runtime

What server URL should one provide for TeamCity agent in Docker?

The problem. I am trying to create a TeamCity infrastructure (a server and an agent) on Ubuntu Linux 16.04.1 LTS using Docker. I have run a Docker container with jetbrains/teamcity-server image as described on this page. It is possible to access the TeamCity server via web browser using the IP address of the server and port 8111.
Now I try to run a Docker container with an agent as described on this page. It is written: Note that "localhost" will not generally not work as that will refer to the "localhost" inside the container. Well, when I supply "http://localhost:8111", or "http://127.0.0.1:8111", or "http://my_server_ip:8111" to the running script for the agent container I finally get 1) "WARN - buildServer.AGENT.registration - Error registering on the server via URL http://localhost:8111 (sic! always localhost). Will continue repeating connection attempts.", or 2) "WARN - buildServer.AGENT.registration - Error while asking server for the communication protocols via URL http://localhost:8111/app/agents/protocols."
Also I have tried to reveal the IP address of the Docker container running the server and supply it for the agent running script. But the result was the same.
Question. What server URL I should provide? Are there any implicit steps in the TeamCity configuration with Docker which I miss?
You can use the --link parameter to link containers:
Start your jetbrains/teamcity-server and use --name teamcity-server to give it a descriptive name
Start the agent container and use --link teamcity-server to enable connectivity to the teamcity-server container
Inside of your agent container you can now use teamcity-server as the hostname to connect to the teamcity-server container
Please also check out Docker container networking which superseded the --link feature.

Resources