mesos-issues mailing list archives
From "Qian Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MESOS-9031) Mesos CNI portmap plugins' iptables rules doesn't allow connections via host ip and port from the same bridge container network
Date Wed, 04 Jul 2018 13:08:00 GMT

    [ https://issues.apache.org/jira/browse/MESOS-9031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16532725#comment-16532725 ]

Qian Zhang commented on MESOS-9031:
-----------------------------------

[~Kirill P] Yeah, I think we could do it.

And for the timeout issue, I think it is because the packets are dropped by the "FORWARD" chain in the "filter" table, and it seems adding a rule "iptables -t filter -A FORWARD -o mesos-cni0 -j ACCEPT" can fix it. Can you please try and see if it works for you?

> Mesos CNI portmap plugins' iptables rules doesn't allow connections via host ip and port from the same bridge container network
> -------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MESOS-9031
>                 URL: https://issues.apache.org/jira/browse/MESOS-9031
>             Project: Mesos
>          Issue Type: Bug
>          Components: cni, containerization
>    Affects Versions: 1.6.0
>            Reporter: Kirill Plyashkevich
>            Assignee: Qian Zhang
>            Priority: Major
>
> using `mesos-cni-port-mapper` with following config:
> {noformat}
> { 
>    "name" : "dcos", 
>    "type" : "mesos-cni-port-mapper", 
>    "excludeDevices" : [], 
>    "chain": "MESOS-CNI0-PORT-MAPPER", 
>    "delegate": { 
>        "type": "bridge", 
>        "bridge": "mesos-cni0", 
>        "isGateway": true, 
>        "ipMasq": true, 
>        "hairpinMode": true, 
>        "ipam": { 
>            "type": "host-local", 
>            "ranges": [ 
>                [{"subnet": "172.26.0.0/16"}] 
>            ], 
>            "routes": [ 
>                {"dst": "0.0.0.0/0"} 
>            ] 
>        } 
>    } 
> }
> {noformat}
>  - 2 services running on the same mesos-slave using unified containerizer in different tasks and communicating via host ip and host port
>  - connection timeouts due to iptables rules per container CNI-XXX chain
>  - actually timeouts are caused by
> {noformat}
> Chain CNI-XXX (1 references)
> num  target     prot opt source               destination         
> 1    ACCEPT     all  --  anywhere             172.26.0.0/16        /* name: "dcos" id: "YYYY" */
> 2    MASQUERADE  all  --  anywhere            !base-address.mcast.net/4  /* name: "dcos" id: "YYYY" */
> {noformat}
> rule #1 is executed and no masquerading happens.
> there are multiple solutions:
>  - -simplest and fastest one is not to add that ACCEPT- - NOT A SOLUTION. it's happening in `bridge` plugin and `cni/portmap` shows that snat/masquerade should be done during portmapping as well.
>  - perhaps, there's a better change in iptables rules that can fix it
>  - proper one (imho) is to finally implement cni spec 0.3.x in order to be able to use chaining of plugins and use cni's `bridge` and `portmap` plugins in chain (and get rid of mesos-cni-port-mapper completely eventually).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
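The "rule #1 is executed and no masquerading happens" observation above, reproduced as an added example (not code from the issue, Mesos, or the CNI plugins): a small first-match walk over the two CNI-XXX POSTROUTING rules quoted in the report. It assumes the port-mapper's DNAT in PREROUTING has already rewritten the host ip:port to the target container's 172.26.x.x address by the time POSTROUTING runs, and the packet addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One nat/POSTROUTING rule: a destination match and a target."""
    target: str
    dst: str  # CIDR; a leading "!" negates the match, as in iptables output
    comment: str = ""


# Constructed model of the CNI-XXX chain quoted in the report. Rule 2's
# "!base-address.mcast.net/4" is the multicast block 224.0.0.0/4, negated.
CNI_CHAIN = [
    Rule("ACCEPT", "172.26.0.0/16", 'name: "dcos" id: "YYYY"'),
    Rule("MASQUERADE", "!224.0.0.0/4", 'name: "dcos" id: "YYYY"'),
]


def _dst_matches(rule: Rule, dst_ip: str) -> bool:
    negate = rule.dst.startswith("!")
    net = ipaddress.ip_network(rule.dst.lstrip("!"))
    return (ipaddress.ip_address(dst_ip) in net) != negate


def postrouting_verdict(chain, dst_ip: str):
    """Walk the chain first-match, like iptables. Returns (rule number, target),
    or (None, "RETURN") when no rule matches and the chain falls through."""
    for number, rule in enumerate(chain, start=1):
        if _dst_matches(rule, dst_ip):
            return number, rule.target
    return None, "RETURN"


def snat_applied(chain, dst_ip: str) -> bool:
    """True only if the walk ends on MASQUERADE (source rewritten to host ip)."""
    return postrouting_verdict(chain, dst_ip)[1] == "MASQUERADE"


if __name__ == "__main__":
    # Container -> external address: rule 1 misses, rule 2 masquerades.
    print(postrouting_verdict(CNI_CHAIN, "93.184.216.34"))   # (2, 'MASQUERADE')
    # Container -> host ip:port, already DNATed to a peer on the same bridge:
    # rule 1 ACCEPTs and ends the walk, so rule 2 never runs. This is the
    # hairpin case the report describes as timing out.
    print(postrouting_verdict(CNI_CHAIN, "172.26.0.6"))      # (1, 'ACCEPT')
```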
