Unable to run /admin/export on server via Putty

Hi All,

I am running Dgraph on Ubuntu on AWS and trying to backup my data using /admin/export. I get this error when hitting the endpoint with curl, running in a secure shell over putty on Windows:

ubuntu@ip-xxx-xxx-xxx-xxx:~$ curl localhost:7000/admin/export
{"errors":[{"code":"ErrorUnauthorized","message":"Request from IP: 172.17.0.1"}] }ubuntu@ip-xxx-xxx-xxx-xxx:~$

I’m on the same server as Dgraph, so Dgraph seems to be throwing a false positive error that I am trying to call the endpoint from a remote machine. I’m not a networking expert so not 100% what is going on. However, I’m wondering if this is impacted by the fact I am also running Open VPN on the server. Any help would be appreciated!

We allow backup requests originating only from localhost. In your case the request is coming from your machine(windows) so it’s not allowed.

I guess you must be doing port forwarding via putty. You need to ssh into the machine for export to work.

Hi @janardhan,

So I’ll show my ignorance here - I’m using SSH through putty (using a private key file), and to my knowledge I don’t have another way to access the machine.

Is there an alternative way I can back up my data other than caling the /admin/export endpoint? Maybe I can just copy my p and w directories?

Or maybe dgraph would provide a way to backup data with a command line command rather than hitting a server HTTP endpoint?

I sounds like you’re SSHing into the same machine that is running dgraph, so the backup should work. Putty shouldn’t make a difference.

What is the IP address of the machine dgraph is running from? Is it the same as in the error from dgraph? (i.e. 172.17.0.1?).

I suspect OpenVPN may be the problem. Possible to temporarily disable it?

I think we could allow a whitelist for /admin access. By default, it could be set to only localhost but a user should be able to modify it to a limited set of IPs, or just anything.

So the address that is being rejected is the “inet addr” listed for docker when I fun “ifconfig” on ubuntu. Is this a docker problem? I tried disabling openVPN and that didn’t have any effect.

ifconfig output:
docker0   Link encap:Ethernet  HWaddr 02:42:1d:43:c3:c7
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:1dff:fe43:c3c7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:143353 errors:0 dropped:0 overruns:0 frame:0
          TX packets:148338 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:37611002 (37.6 MB)  TX bytes:17906029 (17.9 MB)

A whitelist would be great to get around this problem. But given the address rejected is the address of the docker network interface (if I’m using the correct terminology), could this be a docker problem?

Seems like a docker related problem rather than anything to do with OpenVPN. @pawan, any ideas?

@tamethecomplex, do you have dgraph running in a docker on ubuntu ? If yes you need to go inside the container to trigger the backup.
docker -it <image_name or id> -exec curl localhost:8080/admin/export.

We can whitelist a set of ip’s as manish suggested if you want to trigger it from outside docker.

Thanks @janardhan, Just had to make a slight modification to get this to work:

docker exec -it dgraph curl localhost:8080/admin/export

Thank you!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.