Docker Swarm overlay network published port resets every tcp connection


sgas

Sep 8, 2016, 10:46:19 PM
to docker-dev
Created an overlay network with docker swarm. I exposed some ports (e.g. 80) to the outside. I see the docker_gwbridge, ingress, and the overlay network get created with corresponding network namespaces. However, any TCP session to port 80 is reset immediately. From within the overlay network the port accepts connections.

The packet reaches the host and it looks like it hits the following iptables rule.

*nat
-A DOCKER-INGRESS -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.2:80


The 172.18.0.2 address is on an interface that is in a network namespace that spans the docker_gwbridge and the ingress networks. The iptables rules in this namespace mark the packet. I do not see the packet exiting out the other interface with tcpdump.

*mangle
-A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x121/0xffffffff 

*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80 

I do not see any ip rule or route table in that network namespace.

# ip rule list
0: from all lookup local 
32766: from all lookup main 
32767: from all lookup default 

cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec

I have the following questions. 

1. What should I have seen in the ip rules and ip route tables?
2. What is the best source of information for "a day in the life of a packet" in the context of published ports in an overlay network?
3. I also see that all container interfaces in the ingress and the overlay networks have one /24 and one /32 address (e.g. 172.16.1.22/24 and 172.16.1.21/32). What is that for?


sgas

Sep 12, 2016, 12:51:14 PM
to docker-dev
Looks like the issue was that older versions of iptables do not have libxt_ipvs.so.
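The packet path described in the question and the libxt_ipvs.so finding, as an added shell example that is not part of this thread or of Docker's own code. It parses iptables-save style dumps (constructed here from the rules quoted above) to pull out the host-side DNAT into the ingress sandbox and the fwmark set inside it, converts that mark to the decimal number `ipvsadm -Ln` lists as an `FWM` service (swarm's ingress load balancer programs an IPVS virtual service keyed on that fwmark rather than on an address), and checks whether the xtables `ipvs` match plugin is installed, since the sandbox's SNAT rule uses `-m ipvs --ipvs` and cannot be created without it. The plugin directories and the `iptables -m ipvs --help` probe are assumptions about the host layout, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the thread). Walks a published swarm port through the
# rules quoted in the post and checks for the iptables ipvs match plugin.

# Constructed sample: host nat table, as quoted in the post.
HOST_RULES='*nat
-A DOCKER-INGRESS -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.2:80
COMMIT'

# Constructed sample: rules inside the ingress sandbox namespace, as quoted.
SANDBOX_RULES='*mangle
-A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x121/0xffffffff
COMMIT
*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 80
COMMIT'

# ingress_dnat_target DUMP PORT -> prints the "ip:port" the host DNATs PORT to
# (the ingress sandbox address on docker_gwbridge).
ingress_dnat_target() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-A DOCKER-INGRESS / && / --dport / {
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dp = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
            }
            if (dp == port) { print dst; exit }
        }'
}

# sandbox_fwmark DUMP PORT -> prints the hex fwmark the sandbox sets on PORT
# (the mask after "/" is dropped).
sandbox_fwmark() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-A PREROUTING / && /-j MARK/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dp = $(i + 1)
                if ($i == "--set-xmark") mark = $(i + 1)
            }
            if (dp == port) { sub("/.*", "", mark); print mark; exit }
        }'
}

# fwmark_to_ipvs_fwm HEXMARK -> decimal service number that "ipvsadm -Ln"
# shows as "FWM N": IPVS matches the marked packet on this value, not on
# the REDIRECTed destination, and rewrites it to a backend task.
fwmark_to_ipvs_fwm() {
    printf '%d\n' "$(( $1 ))"
}

# has_xt_ipvs -> 0 if the iptables "ipvs" match (libxt_ipvs.so) is usable,
# 1 otherwise. Directories are an assumption; adjust for your distro.
has_xt_ipvs() {
    for d in /usr/lib/xtables /usr/lib64/xtables \
             /usr/lib/x86_64-linux-gnu/xtables /lib/xtables; do
        [ -f "$d/libxt_ipvs.so" ] && return 0
    done
    # Fall back to asking iptables itself; "-m ipvs --help" fails with
    # "Couldn't load match `ipvs'" when the extension is absent.
    command -v iptables >/dev/null 2>&1 \
        && iptables -m ipvs --help >/dev/null 2>&1 && return 0
    return 1
}

# report PORT -> one line per hop of the published-port path.
report() {
    dst=$(ingress_dnat_target "$HOST_RULES" "$1")
    mark=$(sandbox_fwmark "$SANDBOX_RULES" "$1")
    echo "host:    :$1 -> DNAT -> $dst (ingress sandbox)"
    echo "sandbox: mark $mark -> IPVS 'FWM $(fwmark_to_ipvs_fwm "$mark")' -> backend task"
    if has_xt_ipvs; then
        echo "xtables ipvs match: present"
    else
        echo "xtables ipvs match: MISSING (libxt_ipvs.so); sandbox SNAT rule cannot be installed"
    fi
}

report 80
```

On a live host, replace the two constructed dumps with `iptables-save -t nat` on the host and `nsenter --net=/var/run/docker/netns/ingress_sbox iptables-save` for the sandbox, and compare the printed `FWM` number against `ipvsadm -Ln` run inside that same namespace.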

Andrea Luzzardi

Sep 12, 2016, 7:33:18 PM
to sgas, docker-dev, Jana Radhakrishnan, Madhu Venugopal
+mrjana +madhu

