network_mode: service:vpnclient gives error

We’re currently struggling with the network_mode: service:[name] which causes HTTP 400 errors when checking the journalctl -f --lines=100 -u balena -a output:

May 30 19:12:10 97fadcc e518b461e71b[1160]: [event]   Event: Service install {"service":{"appId":2053583,"serviceId":2165180,"serviceName":"xrdp","commit":"9b002172c046311b09caf288f94ac06e","releaseId":2605677}}
May 30 19:12:10 97fadcc e518b461e71b[1160]: [error]   Scheduling another update attempt in 64000ms due to failure:  Error: Failed to apply state transition steps. (HTTP code 400) unexpected - conflicting options: port exposing and the container type network mode  Steps:["start"]
May 30 19:12:10 97fadcc e518b461e71b[1160]: [error]         at fn (/usr/src/app/dist/app.js:6:8594)
May 30 19:12:10 97fadcc e518b461e71b[1160]: [error]       at runMicrotasks (<anonymous>)
May 30 19:12:10 97fadcc e518b461e71b[1160]: [error]       at processTicksAndRejections (internal/process/task_queues.js:97:5)
May 30 19:12:10 97fadcc e518b461e71b[1160]: [error]   Device state apply error Error: Failed to apply state transition steps. (HTTP code 400) unexpected - conflicting options: port exposing and the container type network mode  Steps:["start"]
May 30 19:12:10 97fadcc e518b461e71b[1160]: [error]         at fn (/usr/src/app/dist/app.js:6:8594)
May 30 19:12:10 97fadcc e518b461e71b[1160]: [error]       at runMicrotasks (<anonymous>)
May 30 19:12:10 97fadcc e518b461e71b[1160]: [error]       at processTicksAndRejections (internal/process/task_queues.js:97:5)
May 30 19:12:31 97fadcc e518b461e71b[1160]: [error]   LogBackend: unexpected error: Error: read ECONNRESET
May 30 19:12:31 97fadcc e518b461e71b[1160]: [error]         at TLSWrap.onStreamRead (internal/stream_base_commons.js:205:27)

This setup works flawlessly when testing with local Docker (Docker Desktop, Windows 10):

  vpnclient:
    image: "containinger/docker-softether-vpn-client:latest"
    container_name: vpnclient
    hostname: vpnclient
    privileged: true
    cap_add:
      - NET_ADMIN
    restart: always
    ports:
      - "3389:3389"
    labels:
      service.name: "vpnclient"
    environment:
      SE_HUB: DEFAULT
      SE_SERVER: "my.vpn.server.com:1234"
      SE_USERNAME: <<my-usr>>
      SE_PASSWORD: <<my-pwd>>

  xrdp:
    image: piscada/xrdp:latest
    privileged: true
    shm_size: "1gb"
    restart: always
    labels:
      service.name: "xrdp"
    command: ["foo", "bar", "yes" ]
    depends_on:
      - vpnclient
    # use network stack of vpnclient to gain access to
    # the VPN network
    network_mode: service:vpnclient

I’ve debugged using the “host os”:
I’m able to run the equivalent command with “balena run …”

balena run --privileged --net container:<vpnclient-id> --shm-size 1gb -l service.name=xrdp piscada/xrdp:latest foo bar yes

This now works flawlessly.

Update:
The “bug” comes down to the problem of using EXPOSE 3389 in the xrdp-image.
This is apparently handled ok/ignored with the local Docker Desktop environment, but not with balenaOS.

Removing this line solves the issue. So I had to rebuild the xrdp image to fix this.
I also removed all ports or expose properties from the compose file.

The final compose is now:

services:
  vpnclient:
    image: "containinger/docker-softether-vpn-client:latest"
    container_name: vpnclient
    hostname: vpnclient
    privileged: true
    cap_add:
      - NET_ADMIN
    restart: always

  xrdp:
    image: piscada/xrdp:latest
    privileged: true
    shm_size: "1gb"
    restart: "no"
    command: ["foo", "bar", "yes"]
    # use network stack of vpnclient to gain access to
    # the VPN network
    network_mode: service:vpnclient
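
Added example, not part of the original post and not balena's own code: a pre-deploy check that flags any service joining another container's network namespace (`network_mode: service:...` or `container:...`) while still declaring ports, either in the compose file or through an `EXPOSE` baked into its image, which is the conflict behind the HTTP 400 above. The function name `find_conflicts` is hypothetical, and both inputs are constructed samples: the services mapping mirrors the first compose file, and the image metadata follows the `Config.ExposedPorts` shape of `docker image inspect` output.

```python
import json

# Constructed sample: the first compose file from the post as a parsed mapping
# (what a YAML loader would return for the "services" key).
SERVICES = {
    "vpnclient": {"image": "containinger/docker-softether-vpn-client:latest",
                  "ports": ["3389:3389"]},
    "xrdp": {"image": "piscada/xrdp:latest",
             "network_mode": "service:vpnclient"},
}

# Constructed sample in the shape of `docker image inspect` output, keyed by image.
IMAGE_INSPECT = json.loads("""{
  "piscada/xrdp:latest": {"Config": {"ExposedPorts": {"3389/tcp": {}}}},
  "containinger/docker-softether-vpn-client:latest": {"Config": {}}
}""")


def find_conflicts(services, image_inspect):
    """Return (service, source, detail) for every port declaration on a service
    that joins another container's network namespace."""
    findings = []
    for name, svc in services.items():
        mode = str(svc.get("network_mode", ""))
        if not mode.startswith(("service:", "container:")):
            continue  # service owns its namespace, so ports are allowed here
        # Port settings written directly in the compose file.
        for key in ("ports", "expose"):
            if svc.get(key):
                findings.append((name, "compose:" + key, [str(p) for p in svc[key]]))
        # Ports inherited from an EXPOSE instruction in the image itself.
        config = image_inspect.get(svc.get("image"), {}).get("Config") or {}
        exposed = sorted(config.get("ExposedPorts") or {})
        if exposed:
            findings.append((name, "image:EXPOSE", exposed))
    return findings


if __name__ == "__main__":
    for service, source, detail in find_conflicts(SERVICES, IMAGE_INSPECT):
        print(f"{service}: {source} {detail} conflicts with its network_mode")
```
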