[ https://issues.apache.org/jira/browse/MESOS-4823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15197927#comment-15197927 ]

Avinash Sridharan edited comment on MESOS-4823 at 3/16/16 10:32 PM:
--------------------------------------------------------------------

[~djosborne] interesting point. I guess the ticket is a bit misleading. The 
fact that containers are addressable (layer 3 addressable) doesn't mean that 
their IP addresses are globally routable. The idea here was to provide NAT 
capability, along with the ability for the containers to specify the ports (if 
required) on which they want to expose their service. While the CNI spec allows 
the IP masquerade option to be specified, it doesn't specify any mechanisms to 
specify port forwarding rules. This is particularly essential to support any 
EXPOSE primitives specified by the images (as with docker's EXPOSE primitives). 

I have raised this issue in the cni-dev mailing list as well,
https://groups.google.com/forum/#!topic/cni-dev/FW3BCFJwAxY

and it does seem like there are other folks interested in port forwarding and 
firewall rules to be part of the CNI spec. Currently, however, this is not the 
case and hence we will need to support it in the isolator. 

> Implement port forwarding in `network/cni` isolator
> ---------------------------------------------------
>
>                 Key: MESOS-4823
>                 URL: https://issues.apache.org/jira/browse/MESOS-4823
>             Project: Mesos
>          Issue Type: Task
>          Components: containerization
>         Environment: linux
>            Reporter: Avinash Sridharan
>            Assignee: Avinash Sridharan
>            Priority: Critical
>              Labels: mesosphere
>
> Most docker and appc images wish to expose ports that micro-services are 
> listening on, to the outside world. When containers are running on bridged 
> (or ptp) networking this can be achieved by installing port forwarding rules 
> on the agent (using iptables). This can be done in the `network/cni` 
> isolator. 
> The reason we would like this functionality to be implemented in the 
> `network/cni` isolator, and not a CNI plugin, is that the specifications 
> currently do not support specifying port forwarding rules. Further, to 
> install these rules the isolator needs two pieces of information, the exposed 
> ports and the IP address associated with the container. Both are available 
> to the isolator.
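
The two inputs named in the description (exposed ports and the container's IP address) are enough to derive the agent's forwarding rules. The sketch below is an added example, not Mesos code: the chain name `MESOS-CNI-DNAT`, the function names, and the host-port mapping are assumptions. It validates the image-supplied EXPOSE entries before they reach iptables and returns argv lists rather than shell strings.

```python
import ipaddress

CHAIN = "MESOS-CNI-DNAT"  # hypothetical chain name, not taken from Mesos


def parse_expose(spec):
    """Parse an image EXPOSE entry such as '8080/tcp' or '53/udp'."""
    port, _, proto = spec.partition("/")
    proto = proto or "tcp"  # Docker treats a bare port as TCP
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol in {spec!r}")
    if not (port.isascii() and port.isdigit()) or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port in {spec!r}")
    return int(port), proto


def dnat_rules(container_ip, port_map, action="-A"):
    """Build iptables argv lists forwarding agent ports to a container.

    port_map maps an agent (host) port to the image's EXPOSE entry.
    action is "-A" to install the rules or "-D" to remove them.
    """
    if action not in ("-A", "-D"):
        raise ValueError("action must be -A or -D")
    ip = ipaddress.IPv4Address(container_ip)  # raises ValueError on junk
    rules = []
    for host_port, spec in sorted(port_map.items()):
        if not isinstance(host_port, int) or not 1 <= host_port <= 65535:
            raise ValueError(f"invalid host port {host_port!r}")
        port, proto = parse_expose(spec)
        # argv list, never a shell string: image metadata is untrusted input
        rules.append(["iptables", "-w", "-t", "nat", action, CHAIN,
                      "-p", proto, "--dport", str(host_port),
                      "-j", "DNAT", "--to-destination", f"{ip}:{port}"])
    return rules


if __name__ == "__main__":
    # Constructed sample: container at 172.16.0.5 exposing 80/tcp and 53/udp
    for argv in dnat_rules("172.16.0.5", {31080: "80/tcp", 31053: "53/udp"}):
        print(" ".join(argv))
```

Calling `dnat_rules` with `action="-D"` and the same arguments yields the matching removal rules for container teardown.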
