mesos-issues mailing list archives

From "Kirill Plyashkevich (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (MESOS-9031) Mesos CNI portmap plugins' iptables rules doesn't allow connections via host ip and port from the same bridge container network
Date Wed, 04 Jul 2018 14:35:00 GMT

[ https://issues.apache.org/jira/browse/MESOS-9031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16532792#comment-16532792 ]

Kirill Plyashkevich edited comment on MESOS-9031 at 7/4/18 2:34 PM:
--------------------------------------------------------------------

well,
{quote}
iptables-save
# Generated by iptables-save v1.6.0 on Wed Jul  4 16:02:17 2018
*nat
:PREROUTING ACCEPT [24461:3273622]
:INPUT ACCEPT [3685:221116]
:OUTPUT ACCEPT [61553:3695793]
:POSTROUTING ACCEPT [61570:3696813]
:CNI-025840922b472570a38a4ff9 - [0:0]
:CNI-0a58edcad11107f6e5d4fd4b - [0:0]
:CNI-1adbfceb24a0b762e6fc5f79 - [0:0]
:MESOS-CNI0-PORT-MAPPER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j MESOS-CNI0-PORT-MAPPER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j MESOS-CNI0-PORT-MAPPER
-A POSTROUTING -s 172.26.0.0/16 -m comment --comment "name: \"dcos\" id: \"7126e3f1-d0cd-42b0-812d-91f328f83325\"" -j CNI-0a58edcad11107f6e5d4fd4b
-A POSTROUTING -s 172.26.0.0/16 -m comment --comment "name: \"dcos\" id: \"1d580809-fdd4-44a4-83ff-7488702c9ef1\"" -j CNI-1adbfceb24a0b762e6fc5f79
-A POSTROUTING -s 172.26.0.0/16 -m comment --comment "name: \"dcos\" id: \"cd0b0120-dc9a-4ef7-9af1-c2e777848df1\"" -j CNI-025840922b472570a38a4ff9
-A CNI-025840922b472570a38a4ff9 -d 172.26.0.0/16 -m comment --comment "name: \"dcos\" id: \"cd0b0120-dc9a-4ef7-9af1-c2e777848df1\"" -j ACCEPT
-A CNI-025840922b472570a38a4ff9 ! -d 224.0.0.0/4 -m comment --comment "name: \"dcos\" id: \"cd0b0120-dc9a-4ef7-9af1-c2e777848df1\"" -j MASQUERADE
-A CNI-0a58edcad11107f6e5d4fd4b -d 172.26.0.0/16 -m comment --comment "name: \"dcos\" id: \"7126e3f1-d0cd-42b0-812d-91f328f83325\"" -j ACCEPT
-A CNI-0a58edcad11107f6e5d4fd4b ! -d 224.0.0.0/4 -m comment --comment "name: \"dcos\" id: \"7126e3f1-d0cd-42b0-812d-91f328f83325\"" -j MASQUERADE
-A CNI-1adbfceb24a0b762e6fc5f79 -d 172.26.0.0/16 -m comment --comment "name: \"dcos\" id: \"1d580809-fdd4-44a4-83ff-7488702c9ef1\"" -j ACCEPT
-A CNI-1adbfceb24a0b762e6fc5f79 ! -d 224.0.0.0/4 -m comment --comment "name: \"dcos\" id: \"1d580809-fdd4-44a4-83ff-7488702c9ef1\"" -j MASQUERADE
-A MESOS-CNI0-PORT-MAPPER -p tcp -m tcp --dport 31225 -m comment --comment "container_id: 7126e3f1-d0cd-42b0-812d-91f328f83325" -j DNAT --to-destination 172.26.4.235:2552
-A MESOS-CNI0-PORT-MAPPER -p tcp -m tcp --dport 31226 -m comment --comment "container_id: 7126e3f1-d0cd-42b0-812d-91f328f83325" -j DNAT --to-destination 172.26.4.235:8080
-A MESOS-CNI0-PORT-MAPPER -p tcp -m tcp --dport 31227 -m comment --comment "container_id: 7126e3f1-d0cd-42b0-812d-91f328f83325" -j DNAT --to-destination 172.26.4.235:6379
-A MESOS-CNI0-PORT-MAPPER -p tcp -m tcp --dport 31662 -m comment --comment "container_id: 1d580809-fdd4-44a4-83ff-7488702c9ef1" -j DNAT --to-destination 172.26.4.236:2552
-A MESOS-CNI0-PORT-MAPPER -p tcp -m tcp --dport 31663 -m comment --comment "container_id: 1d580809-fdd4-44a4-83ff-7488702c9ef1" -j DNAT --to-destination 172.26.4.236:8080
-A MESOS-CNI0-PORT-MAPPER -p tcp -m tcp --dport 31664 -m comment --comment "container_id: 1d580809-fdd4-44a4-83ff-7488702c9ef1" -j DNAT --to-destination 172.26.4.236:6379
-A MESOS-CNI0-PORT-MAPPER -p tcp -m tcp --dport 31607 -m comment --comment "container_id: cd0b0120-dc9a-4ef7-9af1-c2e777848df1" -j DNAT --to-destination 172.26.4.240:2552
-A MESOS-CNI0-PORT-MAPPER -p tcp -m tcp --dport 31608 -m comment --comment "container_id: cd0b0120-dc9a-4ef7-9af1-c2e777848df1" -j DNAT --to-destination 172.26.4.240:8080
-A MESOS-CNI0-PORT-MAPPER -p tcp -m tcp --dport 31609 -m comment --comment "container_id: cd0b0120-dc9a-4ef7-9af1-c2e777848df1" -j DNAT --to-destination 172.26.4.240:6379
COMMIT
# Completed on Wed Jul  4 16:02:17 2018
# Generated by iptables-save v1.6.0 on Wed Jul  4 16:02:17 2018
*filter
:INPUT ACCEPT [20893031:7950495915]
:FORWARD ACCEPT [146628:34388360]
:OUTPUT ACCEPT [20266322:3745534528]
-A FORWARD -o mesos-cni0 -j ACCEPT
COMMIT
# Completed on Wed Jul  4 16:02:17 2018
{quote}

still gives
{quote}

2018-07-04T14:02:42.101Z [lp-akka-cluster-stg-remote-dispatcher-96] INFO [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31225/system/transports/akkaprotocolmanager.tcp0/akkaProtocol-tcp%3A%2F%2Flp-akka-cluster-stg%40<HOST_IP>%3A31662-220] a.r.transport.ProtocolStateActor - No response from remote for outbound association. Associate timed out after [15000 ms].
2018-07-04T14:02:42.101Z [lp-akka-cluster-stg-remote-dispatcher-55] WARN [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31225/system/endpointManager/reliableEndpointWriter-akka.tcp%3A%2F%2Flp-akka-cluster-stg%40<HOST_IP>%3A31662-26] a.r.ReliableDeliverySupervisor - Association with remote system [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31662] has failed, address is now gated for [5000] ms. Reason: [Association failed with [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31662]] Caused by: [No response from remote for outbound association. Associate timed out after [15000 ms].]
2018-07-04T14:02:42.104Z [New I/O boss #17] WARN [NettyTransport(akka://lp-akka-cluster-stg)] a.r.t.netty.NettyTransport - Remote connection to [null] failed with org.jboss.netty.channel.ConnectTimeoutException: connection timed out: /<HOST_IP>:31662
2018-07-04T14:02:52.449Z [lp-akka-cluster-stg-remote-dispatcher-58] INFO [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31225/system/transports/akkaprotocolmanager.tcp0/akkaProtocol-tcp%3A%2F%2Flp-akka-cluster-stg%40<HOST_IP>%3A31607-221] a.r.transport.ProtocolStateActor - No response from remote for outbound association. Associate timed out after [15000 ms].
2018-07-04T14:02:52.449Z [lp-akka-cluster-stg-remote-dispatcher-6] WARN [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31225/system/endpointManager/reliableEndpointWriter-akka.tcp%3A%2F%2Flp-akka-cluster-stg%40<HOST_IP>%3A31607-56] a.r.ReliableDeliverySupervisor - Association with remote system [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31607] has failed, address is now gated for [5000] ms. Reason: [Association failed with [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31607]] Caused by: [No response from remote for outbound association. Associate timed out after [15000 ms].]
2018-07-04T14:02:52.503Z [New I/O boss #17] WARN [NettyTransport(akka://lp-akka-cluster-stg)] a.r.t.netty.NettyTransport - Remote connection to [null] failed with org.jboss.netty.channel.ConnectTimeoutException: connection timed out: /<HOST_IP>:31607
2018-07-04T14:03:21.100Z [lp-akka-cluster-stg-remote-dispatcher-54] INFO [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31225/system/transports/akkaprotocolmanager.tcp0/akkaProtocol-tcp%3A%2F%2Flp-akka-cluster-stg%40<HOST_IP>%3A31607-222] a.r.transport.ProtocolStateActor - No response from remote for outbound association. Associate timed out after [15000 ms].
2018-07-04T14:03:21.100Z [lp-akka-cluster-stg-remote-dispatcher-100] WARN [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31225/system/endpointManager/reliableEndpointWriter-akka.tcp%3A%2F%2Flp-akka-cluster-stg%40<HOST_IP>%3A31607-56] a.r.ReliableDeliverySupervisor - Association with remote system [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31607] has failed, address is now gated for [5000] ms. Reason: [Association failed with [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31607]] Caused by: [No response from remote for outbound association. Associate timed out after [15000 ms].]
2018-07-04T14:03:21.103Z [New I/O boss #17] WARN [NettyTransport(akka://lp-akka-cluster-stg)] a.r.t.netty.NettyTransport - Remote connection to [null] failed with org.jboss.netty.channel.ConnectTimeoutException: connection timed out: /<HOST_IP>:31607
2018-07-04T14:03:40.449Z [lp-akka-cluster-stg-remote-dispatcher-101] INFO [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31225/system/transports/akkaprotocolmanager.tcp0/akkaProtocol-tcp%3A%2F%2Flp-akka-cluster-stg%40<HOST_IP>%3A31662-223] a.r.transport.ProtocolStateActor - No response from remote for outbound association. Associate timed out after [15000 ms].
2018-07-04T14:03:40.449Z [lp-akka-cluster-stg-remote-dispatcher-100] WARN [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31225/system/endpointManager/reliableEndpointWriter-akka.tcp%3A%2F%2Flp-akka-cluster-stg%40<HOST_IP>%3A31662-26] a.r.ReliableDeliverySupervisor - Association with remote system [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31662] has failed, address is now gated for [5000] ms. Reason: [Association failed with [akka.tcp://lp-akka-cluster-stg@<HOST_IP>:31662]] Caused by: [No response from remote for outbound association. Associate timed out after [15000 ms].]
2018-07-04T14:03:40.458Z [New I/O boss #17] WARN [NettyTransport(akka://lp-akka-cluster-stg)] a.r.t.netty.NettyTransport - Remote connection to [null] failed with org.jboss.netty.channel.ConnectTimeoutException: connection timed out: /<HOST_IP>:31662
{quote}


Perhaps, things are a bit more complicated with Akka. I'll dig a bit, if there's smth else missing...

*formatting


> Mesos CNI portmap plugins' iptables rules doesn't allow connections via host ip and port from the same bridge container network
> -------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MESOS-9031
>                 URL: https://issues.apache.org/jira/browse/MESOS-9031
>             Project: Mesos
>          Issue Type: Bug
>          Components: cni, containerization
>    Affects Versions: 1.6.0
>            Reporter: Kirill Plyashkevich
>            Assignee: Qian Zhang
>            Priority: Major
>
> using `mesos-cni-port-mapper` with following config:
> {noformat}
> { 
>    "name" : "dcos", 
>    "type" : "mesos-cni-port-mapper", 
>    "excludeDevices" : [], 
>    "chain": "MESOS-CNI0-PORT-MAPPER", 
>    "delegate": { 
>        "type": "bridge", 
>        "bridge": "mesos-cni0", 
>        "isGateway": true, 
>        "ipMasq": true, 
>        "hairpinMode": true, 
>        "ipam": { 
>            "type": "host-local", 
>            "ranges": [ 
>                [{"subnet": "172.26.0.0/16"}] 
>            ], 
>            "routes": [ 
>                {"dst": "0.0.0.0/0"} 
>            ] 
>        } 
>    } 
> }
> {noformat}
>  - 2 services running on the same mesos-slave using unified containerizer in different tasks and communicating via host ip and host port
>  - connection timeouts due to iptables rules per container CNI-XXX chain
>  - actually timeouts are caused by
> {noformat}
> Chain CNI-XXX (1 references)
> num  target     prot opt source               destination         
> 1    ACCEPT     all  --  anywhere             172.26.0.0/16        /* name: "dcos" id: "YYYY" */
> 2    MASQUERADE  all  --  anywhere            !base-address.mcast.net/4  /* name: "dcos" id: "YYYY" */
> {noformat}
> rule #1 is executed and no masquerading happens.
> there are multiple solutions:
>  - -simplest and fastest one is not to add that ACCEPT- - NOT A SOLUTION. it's happening in `bridge` plugin and `cni/portmap` shows that snat/masquerade should be done during portmapping as well.
>  - perhaps, there's a better change in iptables rules that can fix it
>  - proper one (imho) is to finally implement cni spec 0.3.x in order to be able to use chaining of plugins and use cni's `bridge` and `portmap` plugins in chain (and get rid of mesos-cni-port-mapper completely eventually).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
