I am using ufw on Linux to lock down the host and run Nomad on a different IP than the default (so it can run on my Tailscale network). Waypoint Server works fine but the Waypoint Runner fails to start. If I disable the firewall, the runner starts properly.
What are the required firewall rules for Waypoint Runner installed into Nomad?
Or alternatively, is this a bug where Waypoint Runner can’t exist with these restrictive firewall rules but Waypoint Server can?
ufw

Default rule is deny.

```
$ sudo ufw status
Status: active

To                          Action      From
--                          ------      ----
Anywhere on tailscale0      ALLOW       Anywhere
41641/udp                   ALLOW       Anywhere
Anywhere (v6) on tailscale0 ALLOW       Anywhere (v6)
41641/udp (v6)              ALLOW       Anywhere (v6)
```
Allocation logs

|Time|Type|Description|
|---|---|---|
|Jul 20, '21 07:24:32 +0100|Alloc Unhealthy|Unhealthy because of failed task|
|Jul 20, '21 07:24:32 +0100|Not Restarting|Exceeded allowed attempts 2 in interval 30m0s and mode is fail|
|Jul 20, '21 07:24:32 +0100|Terminated|Exit Code: 1, Exit Message: Docker container exited with non-zero exit code: 1|
|Jul 20, '21 07:24:26 +0100|Started|Task started by client|
|Jul 19, '21 23:10:31 +0100|Driver|Downloading image|
|Jul 19, '21 23:10:15 +0100|Restarting|Task restarting in 15.474501718s|
|Jul 19, '21 23:10:15 +0100|Terminated|Exit Code: 1, Exit Message: Docker container exited with non-zero exit code: 1|
|Jul 19, '21 23:10:09 +0100|Started|Task started by client|
|Jul 19, '21 23:10:06 +0100|Driver|Downloading image|
|Jul 19, '21 23:09:50 +0100|Restarting|Task restarting in 16.629469115s|
stderr

```
2021-07-19T22:09:44.451Z [INFO]  waypoint: waypoint version: full_string="v0.4.1 (4d5c838e+CHANGES)" version=v0.4.1 prerelease= metadata= revision=4d5c838e+CHANGES
2021-07-19T22:09:44.451Z [TRACE] waypoint: starting interrupt listener for context cancellation
2021-07-19T22:09:44.452Z [TRACE] waypoint: interrupt listener goroutine started
2021-07-19T22:09:44.456Z [DEBUG] waypoint: home configuration directory: path=/home/waypoint/.config/waypoint
2021-07-19T22:09:44.456Z [TRACE] waypoint: no API client provided, initializing connection if possible
2021-07-19T22:09:44.457Z [INFO]  waypoint.server: attempting to source credentials and connect
2021-07-19T22:09:49.457Z [ERROR] waypoint: failed to create client: error="context deadline exceeded"
2021-07-19T22:09:49.457Z [TRACE] waypoint: stopping signal listeners and cancelling the context
2021-07-19T22:10:09.789Z [INFO]  waypoint: waypoint version: full_string="v0.4.1 (4d5c838e+CHANGES)" version=v0.4.1 prerelease= metadata= revision=4d5c838e+CHANGES
2021-07-19T22:10:09.790Z [TRACE] waypoint: starting interrupt listener for context cancellation
2021-07-19T22:10:09.791Z [TRACE] waypoint: interrupt listener goroutine started
2021-07-19T22:10:09.795Z [DEBUG] waypoint: home configuration directory: path=/home/waypoint/.config/waypoint
2021-07-19T22:10:09.795Z [TRACE] waypoint: no API client provided, initializing connection if possible
2021-07-19T22:10:09.795Z [INFO]  waypoint.server: attempting to source credentials and connect
2021-07-19T22:10:14.798Z [ERROR] waypoint: failed to create client: error="context deadline exceeded"
2021-07-19T22:10:14.798Z [TRACE] waypoint: stopping signal listeners and cancelling the context
2021-07-20T06:24:26.974Z [INFO]  waypoint: waypoint version: full_string="v0.4.1 (4d5c838e+CHANGES)" version=v0.4.1 prerelease= metadata= revision=4d5c838e+CHANGES
2021-07-20T06:24:26.975Z [TRACE] waypoint: starting interrupt listener for context cancellation
2021-07-20T06:24:26.976Z [TRACE] waypoint: interrupt listener goroutine started
2021-07-20T06:24:26.978Z [DEBUG] waypoint: home configuration directory: path=/home/waypoint/.config/waypoint
2021-07-20T06:24:26.979Z [TRACE] waypoint: no API client provided, initializing connection if possible
2021-07-20T06:24:26.980Z [INFO]  waypoint.server: attempting to source credentials and connect
2021-07-20T06:24:31.981Z [ERROR] waypoint: failed to create client: error="context deadline exceeded"
2021-07-20T06:24:31.982Z [TRACE] waypoint: stopping signal listeners and cancelling the context
```
With the firewall disabled, the runner starts fine:

```
» Runner configuration:
  Server address: 100.103.178.62:28239
» Runner logs:
```
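The rule set in the post only opens incoming traffic that arrives *on* `tailscale0` (plus UDP 41641 on any interface), and ufw evaluates incoming rules first-match against the ingress interface, not against the destination address. A client reaching `100.103.178.62:28239` over Tailscale therefore passes, while a process whose packets enter through a different interface is caught by the default deny even though it targets the same Tailscale IP. The script below is an added example, not the poster's code and not part of ufw or Waypoint: it parses the `ufw status` text copied from the post and answers "would a packet on interface X to port Y be accepted?" under that first-match model. The interface name `docker0` for a bridge-networked runner container, the proposed extra rule line (what `ufw allow in on docker0 to any port 28239 proto tcp` would print in `ufw status`), and the assumption that the runner's traffic hits the host's INPUT path rather than Docker's FORWARD chain are all assumptions for illustration, not facts stated in the post.

```python
"""Model ufw's first-match evaluation over the rules shown in the post.

Added example for the thread above; not the poster's code and not ufw itself.
It only models incoming (INPUT) rules by ingress interface, port and protocol,
which is the part of ufw that the post's rule set exercises.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Copied from the post's `ufw status` output (column whitespace collapsed as shown there).
UFW_STATUS = """\
Status: active
To Action From
-- ------ ----
Anywhere on tailscale0 ALLOW Anywhere
41641/udp ALLOW Anywhere
Anywhere (v6) on tailscale0 ALLOW Anywhere (v6)
41641/udp (v6) ALLOW Anywhere (v6)
"""

# Assumed status line for the narrower fix: `ufw allow in on docker0 to any port 28239 proto tcp`.
# "docker0" is an assumption about the runner container's network path, not from the post.
ASSUMED_FIX_RULE = "28239/tcp on docker0 ALLOW Anywhere"

# Matches one rule line: "<To> <ACTION> [IN|OUT|FWD] <From>". Header/separator lines
# contain no action keyword and are skipped.
LINE_RE = re.compile(
    r"^(?P<to>.*?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?P<dir>IN|OUT|FWD))?\s+(?P<from>.*)$"
)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" / "deny" / "reject" / "limit"
    direction: str         # "in" (what `ufw status` prints without a suffix), "out" or "fwd"
    iface: Optional[str]   # ingress interface the rule is pinned to, or None for any
    port: Optional[int]    # destination port, or None for any
    proto: Optional[str]   # "tcp" / "udp", or None for either
    v6: bool               # IPv6 rule (ufw keeps v4 and v6 rule sets separate)


def parse_to(to: str):
    """Split a ufw 'To' column into (iface, port, proto, v6)."""
    v6 = "(v6)" in to
    to = to.replace("(v6)", "").strip()
    iface = None
    m = re.search(r"\bon (\S+)", to)
    if m:
        iface = m.group(1)
        to = to[: m.start()].strip()
    port = proto = None
    m = re.match(r"^(\d+)(?:/(tcp|udp))?$", to)
    if m:
        port, proto = int(m.group(1)), m.group(2)
    elif to != "Anywhere":
        raise ValueError(f"unsupported 'To' field: {to!r}")
    return iface, port, proto, v6


def parse_status(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        iface, port, proto, v6 = parse_to(m.group("to"))
        rules.append(Rule(m.group("action").lower(), (m.group("dir") or "IN").lower(),
                          iface, port, proto, v6))
    return rules


def evaluate(rules: List[Rule], iface: str, port: int, proto: str,
             v6: bool = False, default: str = "deny") -> str:
    """First matching incoming rule wins (ufw installs them in listed order); else the default policy."""
    for r in rules:
        if r.direction != "in" or r.v6 != v6:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        if r.port is not None and r.port != port:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        return r.action
    return default


RULES = parse_status(UFW_STATUS)


def runner_to_server_verdicts(extra_rule_line: Optional[str] = None) -> dict:
    """Verdicts for a TCP connection to the server port 28239 (from the post) arriving on
    tailscale0 (the path a Tailscale peer uses) versus docker0 (assumed container path)."""
    rules = list(RULES)
    if extra_rule_line:
        rules += parse_status(extra_rule_line)
    return {
        "tailscale0": evaluate(rules, "tailscale0", 28239, "tcp"),
        "docker0": evaluate(rules, "docker0", 28239, "tcp"),
    }


if __name__ == "__main__":
    print("posted rules:   ", runner_to_server_verdicts())
    print("with fix rule:  ", runner_to_server_verdicts(ASSUMED_FIX_RULE))
```

Under the posted rules the model accepts the connection on `tailscale0` and drops it on `docker0`, which matches the symptom of the server being reachable while the containerised runner times out with `context deadline exceeded`; adding the single interface-and-port rule flips only the `docker0` verdict. Verify the real interface with `nomad alloc exec` or `docker inspect` before adding a rule, and prefer the port-scoped rule over `ufw allow in on docker0`, which would expose every host service to every container.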