SFTPGo or MiroTalk SFU not starting because they use ephemeral ports
-
Thanks for the hint, I investigated further:
The left IPv6 is my Cloudron server, from there is had an active connection (ssh outside of Docker) to the right IPv6 my storage box!I only use 1 Volume to a Storagebox and 1 Backup location. Could it be that one of those 2 uses the same port-range (41000+100)? @girish
BTW: @James please redact my ip's in your message (I just corrected mine)
-
I imc67 marked this topic as a question on
-
J joseph marked this topic as a regular topic on
-
Thanks for the hint, I investigated further:
The left IPv6 is my Cloudron server, from there is had an active connection (ssh outside of Docker) to the right IPv6 my storage box!I only use 1 Volume to a Storagebox and 1 Backup location. Could it be that one of those 2 uses the same port-range (41000+100)? @girish
BTW: @James please redact my ip's in your message (I just corrected mine)
said in Server security update reboot: SFTPGo doesn't start:
Thanks for the hint, I investigated further:
The left IPv6 is my Cloudron server, from there is had an active connection (ssh outside of Docker) to the right IPv6 my storage box!I only use 1 Volume to a Storagebox and 1 Backup location. Could it be that one of those 2 uses the same port-range (41000+100)? @girish
BTW: @James please redact my ip's in your message (I just corrected mine)
@girish is this a bug? There are more topics with the same kind of error message
-
@imc67 some blind guess here. I think what's happening is that something in box side (maybe backups code) is occupying that port 41000. This is in turn blocking the containers from using that port.
Digging deeper, this seems possible. The ephemeral port range is
$ cat /proc/sys/net/ipv4/ip_local_port_range 32768 60999So, 40000 is not a good choice for a container to listen to. @imc67 a quick fix for you is to change sftpgo to use some other port which is outside the 32768-60999 range. In the meantime, I will fix the package to default to some port range outside the ephemeral port range.
I think it would be nice to also warn people when try to run containers in ephemeral port ranges. I will put a note in the docs for a start. @james what do you think?
-
@imc67 some blind guess here. I think what's happening is that something in box side (maybe backups code) is occupying that port 41000. This is in turn blocking the containers from using that port.
Digging deeper, this seems possible. The ephemeral port range is
$ cat /proc/sys/net/ipv4/ip_local_port_range 32768 60999So, 40000 is not a good choice for a container to listen to. @imc67 a quick fix for you is to change sftpgo to use some other port which is outside the 32768-60999 range. In the meantime, I will fix the package to default to some port range outside the ephemeral port range.
I think it would be nice to also warn people when try to run containers in ephemeral port ranges. I will put a note in the docs for a start. @james what do you think?
@girish good founds! It's also the same issue with MiroTalk (what I know of and experienced) but maybe more apps?
https://forum.cloudron.io/search?term=bind%3A address already in use&in=titlesposts
-
@imc67 max port is 65535 so it can't be 70000 . A package cannot change the port ranges (just like it cannot change the installated domain names) . But for new installation, it will recommend 20000 instead . I have also fixed up the sfu package, will be published shortly .
-
@imc67 max port is 65535 so it can't be 70000 . A package cannot change the port ranges (just like it cannot change the installated domain names) . But for new installation, it will recommend 20000 instead . I have also fixed up the sfu package, will be published shortly .
@girish said in Server security update reboot: SFTPGo doesn't start:
A package cannot change the port ranges (just like it cannot change the installated domain names) . But for new installation, it will recommend 20000 instead
Maybe you can explicitly mention in the update notes the default / advised ports? Existing installs will not be moved to the "new" ports and thus keep having issues?
-
@robi I think the port range comes part of linux/ubuntu setup . I also don't completely know the side effects of making it tighter.
-
J joseph referenced this topic
-
M MiroTalk referenced this topic
