Hi!
I have the following setup: PMM server in docker and MySQL (w/o docker) on the same machine.
When I try to add monitoring using pmm-admin, I get the following error:
Failed to register pmm-agent on PMM Server: Post https://192.168.0.200:8443/v1/management/Node/Register: dial tcp 192.168.0.200:8443: i/o timeout
The IP is one of the interfaces (I tried localhost and others); the port is the public port for the PMM server.
External pmm-clients (on other servers) work just fine.
How can I monitor this MySQL instance?
This is absolutely possible, and I’m doing this myself (with docker and installed DB servers all on the same host). I’m curious about your pmm-admin config command, but if you can do it elsewhere and not locally, I’d be suspicious of something around networking or firewall. Are you running SELinux by chance? Possibly you’re accepting connections from external IPs but not localhost to your PMM server port.
Thanks for the reply!
My command is:
pmm-admin config --server-insecure-tls --server-url=https://admin:*****@192.168.0.200:8443
I have Ubuntu 18.04 (AppArmor), but I don’t see any problem with the firewall.
Here’s my dump of iptables -L -nv and iptables -L -t nat -nv (attached as a file to this message).
iptables.log (6.49 KB)
I think I see the issue… and hopefully I can explain it :neutral: You’re allowing traffic in on 8443 on ingress eth1 and * (but only eth1 has hits on it), and you’re NATing traffic to 8080 and 8443 to the respective 80 and 443, but notice you have an explicit ‘!docker0’, so that NAT rule won’t work on localhost. Even though you’re specifying a destination IP that would target eth1 as the “destination”, your routing rules are likely optimizing and making the decision that it’s less optimal to go from eth1 to docker0, and instead just originating the request from docker0, which you deny by rule (I think docker does that by rule actually). You could do something like
```
iptables -I INPUT -i docker0 -j ACCEPT
```
which should allow all traffic originating from interface docker0 and in a sense override the “rejection” of the !docker0 in the NAT rules. (You can tighten it up to be tcp dpt:8443, or possibly figure out where docker establishes that exclusion and make it *, but this will be an easy rule to add and then delete just to test.)
steve.hoffman said:
```
iptables -I INPUT -i docker0 -j ACCEPT
```
Thanks a lot, Steve! That did the trick. Now I can add my services to monitor itself. Later I'll try to make a more specific rule.
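Added example (not part of the thread and not PMM or Docker code): a small shell check that audits `iptables -S INPUT` output for interface-wide ACCEPT rules such as the temporary docker0 test rule above, and prints the narrower `tcp dpt:8443` form suggested in the thread. The function names and the sample ruleset are constructed for illustration, and the thread does not confirm that the narrower rule is sufficient for this setup.

```shell
#!/bin/sh
# Added example: find INPUT rules that accept everything arriving on an
# interface, with no protocol, port, address or match restriction.

# Constructed sample of `iptables -S INPUT` output (not the poster's ruleset).
sample_rules() {
cat <<'EOF'
-P INPUT DROP
-A INPUT -i docker0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Read `iptables -S INPUT` lines on stdin and print each appended rule that
# accepts by input interface alone. Loopback is skipped because an
# unrestricted `-i lo` accept is conventional.
find_broad_accepts() {
    awk '
    $1 == "-A" && $2 == "INPUT" {
        iface = ""; accept = 0; narrowed = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            if ($i == "-p" || $i == "-s" || $i == "-d" || $i == "-m" || $i == "--dport")
                narrowed = 1
        }
        if (accept && iface != "" && iface != "lo" && !narrowed) print
    }'
}

# Build the arguments for the narrower rule mentioned in the thread:
# same interface, but limited to one TCP destination port.
narrow_rule() {
    printf '%s\n' "-I INPUT -i $1 -p tcp --dport $2 -j ACCEPT"
}

# Live use (needs root): iptables -S INPUT | find_broad_accepts
sample_rules | find_broad_accepts
narrow_rule docker0 8443
```

A flagged rule can be removed with `iptables -D INPUT -i docker0 -j ACCEPT` once a narrower replacement has been inserted and tested.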