Hi,

I tried to set up CNI bridge + mesos port mapper with unified container, following the doc http://mesos.apache.org/documentation/latest/cni/#a-port-mapper-plugin

This partially works (example with container ip 192.0.0.2 and port mapping 22 => 31000)

- my container starts and gets a locally assigned IP 192.0.0.2
- I can access the port of the container directly: ssh 192.0.0.2
- I can access via the *local* gateway: ssh 192.0.0.1 -p 31000

However, I cannot access the container via the IP of my server: ssh 131.x.y.z -p 31000

In iptables rules, I do not see any mesos related chain. I see no specific CHAIN nor comment in iptables (iptables -L)

Is it an expected behavior (port mapping maps ports but only via local bridge gateway), or should mesos add routes to local mesos bridge to allow remote access to the mapped ports?

I have iptables 1.6.0 and linux kernel 4.4.

I used config from documentation

bridge.conf

    {
      "name": "cni-test",
      "type": "bridge",
      "bridge": "mesos-cni0",
      "isGateway": true,
      "ipMasq": true,
      "ipam": {
        "type": "host-local",
        "subnet": "192.168.0.0/16",
        "routes": [
          { "dst": "0.0.0.0/0" }
        ]
      }
    }

and portmapper.conf

    {
      "name" : "port-mapper-test",
      "type" : "mesos-cni-port-mapper",
      "excludeDevices" : ["mesos-cni0"],
      "chain": "MESOS-TEST-PORT-MAPPER",
      "delegate": {
        "type": "bridge",
        "bridge": "mesos-cni0",
        "isGateway": true,
        "ipMasq": true,
        "ipam": {
          "type": "host-local",
          "subnet": "192.168.0.0/16",
          "routes": [
            { "dst": "0.0.0.0/0" }
          ]
        }
      }
    }

Thanks

Olivier

-- 
gpg key id: 4096R/326D8438 (keyring.debian.org)
Key fingerprint = 5FB4 6F83 D3B9 5204 6335 D26D 78DC 68DB 326D 8438
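
A diagnostic sketch for the symptom described in this message, added here as an example and not part of the original post or of Mesos: `iptables -L` lists only the filter table, while DNAT rules live in the nat table, so the check below parses `iptables-save` output for the configured chain. The sample ruleset is constructed, and the rule layout in it is an assumption about what a DNAT port mapping looks like.

```python
import shlex

# Constructed sample of `iptables-save -t nat` output (not taken from the post).
# The rule layout is an assumption about what a DNAT port mapping looks like.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:MESOS-TEST-PORT-MAPPER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j MESOS-TEST-PORT-MAPPER
-A MESOS-TEST-PORT-MAPPER ! -i mesos-cni0 -p tcp -m tcp --dport 31000 -j DNAT --to-destination 192.0.0.2:22
COMMIT
"""


def check_port_mapping(save_text, chain, host_port):
    """Return findings explaining why host_port may be unreachable from outside."""
    table, declared, rules = None, set(), []
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):              # table header, e.g. "*nat"
            table = line[1:]
        elif table == "nat" and line.startswith(":"):
            declared.add(line[1:].split()[0])  # chain declaration
        elif table == "nat" and line.startswith("-A "):
            rules.append(shlex.split(line))    # shlex keeps quoted comments intact

    if chain not in declared:
        return [f"chain {chain} is missing from the nat table"]

    findings = []
    # Traffic from other hosts enters through PREROUTING, so it must jump to the chain.
    if not any(r[1] == "PREROUTING" and "-j" in r and r[r.index("-j") + 1] == chain
               for r in rules):
        findings.append(f"PREROUTING never jumps to {chain}")
    # The chain itself needs a DNAT rule matching the mapped host port.
    if not any(r[1] == chain and "DNAT" in r and "--dport" in r
               and r[r.index("--dport") + 1] == str(host_port) for r in rules):
        findings.append(f"no DNAT rule for port {host_port} in {chain}")
    return findings


if __name__ == "__main__":
    print(check_port_mapping(SAMPLE, "MESOS-TEST-PORT-MAPPER", 31000) or "mapping present")
```

On a live agent, pass the output of `iptables-save -t nat` (run as root) in place of `SAMPLE`.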