Docker-compose doesn't resolve origin service, docker run does

I have set up a Tunnel to my server and configured for all requests to be routed to my traefik proxy.
The cloudflared service is also running inside a container on the same host. But there seems to be a difference if I run the container with docker run vs running it in docker-compose, because with compose it cannot connect to the origin service (traefik).

My run command:

docker run --rm -v /opt/docker/data/cloudflared/.cloudflared:/home/nonroot/.cloudflared/ cloudflare/cloudflared:2022.2.0 tunnel run

My compose file:

version: "3.9"

services:
  cloudflare:
    image: cloudflare/cloudflared:2022.2.0
    container_name: cloudflared-tunnel
    restart: always
    volumes:
      - /opt/docker/data/cloudflared/.cloudflared:/home/nonroot/.cloudflared/
    command: tunnel run

As I see it (and apparently I’m wrong, because it doesn’t work) they both should be exactly the same.
However, when run through compose, this is in the logs:

{"level":"error","error":"Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 127.0.0.1:443: connect: connection refused","cfRay":"2083rns3p87149-ABC","ingressRule":"0","originService":"https://my-hostname","time":"2022-02-20T11:20:16Z"}

When adding network_mode: host to compose it works again, but I’m wondering why this isn’t needed when using docker run.

By default whenever you run docker run without additional parameters, the network mode should be “bridge”. However, according to Docker documentation:

The docker run command must specify an IMAGE to derive the container from. An image developer can define image defaults related to:

  • detached or foreground running
  • container identification
  • network settings
  • runtime constraints on CPU and memory

With the docker run [OPTIONS] an operator can add to or override the image defaults set by a developer. And, additionally, operators can override nearly all the defaults set by the Docker runtime itself. The operator’s ability to override image and Docker runtime defaults is why run has more options than any other docker command.

I believe Cloudflare has set the default network mode to “host” when they build the cloudflared image from Dockerfile and publish it.

On the other hand, docker-compose does not use the network settings provided by the image, so the default will always be network: bridge and you will always need to specify network: host in your docker-compose.yml (unless your application is also running via a docker-compose service definition and you just want to point the tunnel service to the docker-compose service without the need to talk to your host directly).
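
The alternative named in the closing parenthetical above, as an added example that is not part of the original posts: both containers join one user-defined bridge network and the tunnel's ingress rule targets the compose service name, so cloudflared keeps its own network namespace instead of sharing the host's. The `traefik` service definition, the `proxy` network name and the `<TUNNEL-UUID>` placeholder are assumptions; `my-hostname` and the cloudflared service are taken from the question.

```yaml
# docker-compose.yml (constructed example; service and network names are assumptions)
version: "3.9"

services:
  traefik:
    image: traefik              # pin to the tag you actually run
    # entrypoint and certificate settings omitted: assumes your existing
    # traefik configuration, listening on 443 inside the container
    networks:
      - proxy
    # no `ports:` entry is needed for tunnel traffic, because cloudflared
    # reaches traefik over the shared network rather than through the host

  cloudflare:
    image: cloudflare/cloudflared:2022.2.0
    container_name: cloudflared-tunnel
    restart: always
    volumes:
      - /opt/docker/data/cloudflared/.cloudflared:/home/nonroot/.cloudflared/
    command: tunnel run
    networks:
      - proxy                   # same user-defined bridge as traefik

networks:
  proxy: {}
---
# /opt/docker/data/cloudflared/.cloudflared/config.yml (constructed example)
tunnel: <TUNNEL-UUID>           # placeholder, use your own tunnel ID
credentials-file: /home/nonroot/.cloudflared/<TUNNEL-UUID>.json
ingress:
  - hostname: my-hostname
    # Inside a bridge-network container 127.0.0.1 is the cloudflared
    # container itself, so address the origin by its compose service name.
    service: https://traefik:443
    originRequest:
      originServerName: my-hostname   # hostname expected on the origin certificate
  - service: http_status:404          # catch-all rule, must be last
```

After starting the stack, `docker inspect -f '{{.HostConfig.NetworkMode}}' cloudflared-tunnel` prints the network mode the container is actually using, and the same command works on a container started with `docker run`.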
