
docker-autoscaler worker instance unable to access HTTP destinations #1302

@jonpas

Description

Describe the bug

Using docker-autoscaler runner worker type with default runner_worker_egress_rules combined with accessing external resources leads to failed jobs compared to old docker+machine setup. Source is in #1222, which is a good change otherwise.

We have observed failed jobs when using CMake's `FetchContent`:

```
CUSTOMBUILD : error : downloading 'https://github.com/ValveSoftware/steam-audio/releases/download/v4.0.3/steamaudio_4.0.3.zip' failed [C:\builds\timi\test-cmake-cpp-ssl\build\_deps\steam-audio-subbuild\steam-audio-populate.vcxproj]
            status_code: 35
            status_string: "SSL connect error"
            log:
            --- LOG BEGIN ---
            timeout on name lookup is not supported
  Host github.com:443 was resolved.
  IPv6: (none)
  IPv4: 140.82.114.3
    Trying 140.82.114.3:443...
  schannel: disabled automatic use of client certificate
  ALPN: curl offers h2,http/1.1
  schannel: next InitializeSecurityContext failed: CRYPT_E_REVOCATION_OFFLINE (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline.
  closing connection #0
```
And regular `apt-get` on Debian instances:

```
$ apt-get update -qq
W: Failed to fetch http://deb.debian.org/debian/dists/trixie/InRelease  Unable to connect to deb.debian.org:80:
W: Failed to fetch http://deb.debian.org/debian/dists/trixie-updates/InRelease  Unable to connect to deb.debian.org:80:
W: Failed to fetch http://deb.debian.org/debian-security/dists/trixie-security/InRelease  Unable to connect to deb.debian.org:80:
W: Some index files failed to download. They have been ignored, or old ones used instead.
```

It is worth noting that full-HTTPS resources worked fine, such as Docker image pulls, builds and pushes to registry.

For our needs we just opened all egress traffic on IPv4 and IPv6 using the following configuration, as it is an internal runner in a controlled environment.

```hcl
runner_worker_egress_rules = {
  allow_all = {
    cidr_block  = "0.0.0.0/0"
    from_port   = -1
    to_port     = -1
    protocol    = "-1"
    description = "Allow all egress traffic to all destinations"
  }
}
```

I suggest that at least HTTP (port 80) traffic be allowed by default as well; that solves both of our test cases above (CMake and apt).

To Reproduce

Steps to reproduce the behavior:

  1. Run something that requires non-HTTPS egress traffic on a docker-autoscaler worker instance (e.g. CMake FetchContent or Debian apt update).
  2. Observe that the worker is unable to access external resources.

Expected behavior

Defaults should allow widely-used external resources such as apt or downloads from GitHub, etc.
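A narrower alternative to the reporter's allow-all rule, added here as an example (it is not the issue author's configuration and not the module's own code): allow only TCP 80 and 443 to any destination. Port 80 covers plain-HTTP apt mirrors and also the CRL/OCSP fetches that Windows schannel performs over HTTP while validating an HTTPS certificate, which is what the `CRYPT_E_REVOCATION_OFFLINE` error in the CMake log indicates when only 443 is open. The rule keys `cidr_block`, `from_port`, `to_port`, `protocol` and `description` are taken from the configuration above; the `ipv6_cidr_block` key used for the IPv6 rules is an assumption about the module's rule schema and should be checked against the variable definition.

```hcl
# Added example, not the module's or the issue author's configuration.
# Least-privilege egress for docker-autoscaler workers: web traffic only,
# instead of "allow everything" (protocol "-1", ports -1).
runner_worker_egress_rules = {
  http_ipv4 = {
    cidr_block  = "0.0.0.0/0"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    description = "HTTP egress: apt mirrors, CRL/OCSP revocation checks"
  }
  https_ipv4 = {
    cidr_block  = "0.0.0.0/0"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    description = "HTTPS egress: registries, GitHub downloads"
  }
  # IPv6 counterparts. `ipv6_cidr_block` is an assumed attribute name;
  # verify it against the module's variable schema before applying.
  http_ipv6 = {
    ipv6_cidr_block = "::/0"
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    description     = "HTTP egress over IPv6"
  }
  https_ipv6 = {
    ipv6_cidr_block = "::/0"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    description     = "HTTPS egress over IPv6"
  }
}
```

Setting the variable replaces the module's default map rather than merging with it, so any default rule the workers still depend on (DNS, for instance, if the defaults provide it) has to be carried over explicitly. Compared with the allow-all rule, this keeps a job that pulls a compromised dependency via `FetchContent` or a malicious package limited to web egress rather than arbitrary outbound connections.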
