The Sentry SDK for Node.js is unable to send events to the Sentry server while it's running inside a Docker container. I'm fairly new to running containerized setups on my DigitalOcean Ubuntu 20.04 VPS, so any help is appreciated!
The error:
Sentry Logger [Log]: [Tracing] starting gql transaction - GET_REFRESH_TOKEN
Sentry Logger [Log]: [Tracing] Finishing gql transaction: GET_REFRESH_TOKEN.
Sentry Logger [Error]: Error while sending event: Error: connect ETIMEDOUT 34.120.195.249:443
The IP is from Sentry, as expected, and is found here: https://docs.sentry.io/product/security/ip-ranges/#event-ingestion.
Relevant settings:
Sentry Initialization
{
  dsn: 'https://<secret>@<secret>.ingest.sentry.io/<secret>',
  environment: 'Testing',
  debug: true,
  integrations: [ Http { name: 'Http', _breadcrumbs: true, _tracing: true } ],
  tracesSampleRate: 1,
  _metadata: {
    sdk: {
      name: 'sentry.javascript.node',
      packages: [Array],
      version: '6.13.3'
    }
  }
}
Docker Compose file
version: '3'
services:
  frontend:
    #...
  api:
    container_name: api-${COMPOSE_PROJECT_NAME}
    restart: always
    build:
      context: ./api
      dockerfile: Dockerfile.prod
    env_file:
      - .env
    environment:
      API_PORT: 3001
      DB_HOST: db
      DB_PORT: 5432
      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}?schema=${DB_SCHEMA}
    depends_on:
      - db
    ports:
      - ${API_PORT_INTERNAL}:3001
    volumes:
      - ./api:/app
      - /app/node_modules
  db:
    #...
API Dockerfile
FROM node:14 AS builder
# Create app directory
WORKDIR /app
COPY package*.json ./
COPY prisma ./prisma/
RUN npm install
RUN npx prisma generate
COPY . .
# Latest LTS version
FROM node:14
# Set default values for environment variables
ENV API_PORT=3001
COPY . .
COPY --from=builder /app/node_modules ./node_modules
COPY --from=builder /app/package*.json ./
# Bind port
EXPOSE 3001
# Start server
CMD ["npm", "start"]
If any more details are needed, I'll add them to this list.
Self-answer after some more investigation:
It turns out all outside network access from within the containers was blocked. The usage of Sentry was simply the first time this was necessary.
Problem
While configuring the VPS firewall (UFW), Docker was bypassing the firewall and exposing unwanted ports. To fix this I disabled iptables completely in /etc/docker/daemon.json:
{
  "iptables": false
}
This does the job but blocks all outside network access from within containers.
Solution
All credits for the solution go to @Feng with his answer here to the following question: What is the best practice of docker + ufw under Ubuntu.
The solution was to remove the iptables = false option and fix it properly in the UFW configuration. You can do this manually as described in his post or do as I did and use his tool: https://github.com/chaifeng/ufw-docker.
TL;DR
Remove "iptables": false from /etc/docker/daemon.json
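A host-side audit for the two states described in this answer, as an added example that is not part of the original post or of the ufw-docker project: it flags "iptables": false in a daemon.json and checks whether the UFW rules file carries rules on DOCKER-USER, the chain Docker reserves for user-supplied filtering. The function name and the /etc/ufw/after.rules default are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).
# audit_docker_ufw [DAEMON_JSON] [AFTER_RULES]
# Prints one finding per line. Returns 0 when Docker still manages
# iptables AND DOCKER-USER rules exist for UFW to filter on, else 1.
audit_docker_ufw() {
    daemon_json=${1:-/etc/docker/daemon.json}
    after_rules=${2:-/etc/ufw/after.rules}   # assumed location of the UFW fix
    status=0

    # A missing daemon.json means Docker defaults, i.e. iptables enabled.
    # Whitespace is stripped first so any JSON layout of the key matches.
    if [ -f "$daemon_json" ] &&
       tr -d '[:space:]' < "$daemon_json" | grep -q '"iptables":false'; then
        echo "FAIL: \"iptables\": false in $daemon_json; containers have no outside network access"
        status=1
    else
        echo "OK: Docker manages iptables, so container egress NAT is set up"
    fi

    # DOCKER-USER is evaluated before Docker's own forwarding rules, so
    # rules appended to it are where host policy can filter published ports.
    if [ -f "$after_rules" ] && grep -q '^-A DOCKER-USER' "$after_rules"; then
        echo "OK: DOCKER-USER rules present in $after_rules"
    else
        echo "FAIL: no DOCKER-USER rules in $after_rules; published ports bypass UFW"
        status=1
    fi

    return $status
}
```

After sourcing the file on the host, run `audit_docker_ufw` with no arguments to check the default paths.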