[
https://issues.apache.org/jira/browse/MESOS-9031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16536983#comment-16536983
]
Qian Zhang edited comment on MESOS-9031 at 7/9/18 2:40 PM:
-----------------------------------------------------------
[~Kirill P] I tried it just now by adding `listen 192.168.3.70:80` into Nginx
config file and confirmed it indeed listens on it:
{code:java}
$ sudo nsenter -t 7517 -m -n netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:33957 0.0.0.0:* LISTEN 7494/mesos-executor
tcp 0 0 192.168.3.70:80 0.0.0.0:* LISTEN 7517/nginx: master
...{code}
And then the second container can still access it via `192.168.56.5:8080`
successfully, and in first container's log I see:
{code:java}
192.168.3.71 - - [09/Jul/2018:14:33:49 +0000] "GET / HTTP/1.1" 200 612 "-"
"curl/7.55.1" "-"
{code}
192.168.3.71 is the IP of the second container.
was (Author: qianzhang):
[~Kirill P] I tried it just now by adding `listen 192.168.3.70:80` into Nginx
config file and confirmed it indeed listens on it:
{code:java}
$ sudo nsenter -t 7517 -m -n netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:33957 0.0.0.0:* LISTEN 7494/mesos-executor
tcp 0 0 192.168.3.70:80 0.0.0.0:* LISTEN 7517/nginx: master
...{code}
And then the second container can still access it via `192.168.56.5:8080`
successfully, and in first container's log I see:
{code:java}
192.168.3.71 - - [09/Jul/2018:14:33:49 +0000] "GET / HTTP/1.1" 200 612 "-"
"curl/7.55.1" "-"
{code}
192.168.3.71 is the IP of the second container.
> Mesos CNI portmap plugins' iptables rules doesn't allow connections via host
> ip and port from the same bridge container network
> -------------------------------------------------------------------------------------------------------------------------------
>
> Key: MESOS-9031
> URL: https://issues.apache.org/jira/browse/MESOS-9031
> Project: Mesos
> Issue Type: Bug
> Components: cni, containerization
> Affects Versions: 1.6.0
> Reporter: Kirill Plyashkevich
> Assignee: Qian Zhang
> Priority: Major
>
> using `mesos-cni-port-mapper` with folllowing config:
> {noformat}
> {
> "name" : "dcos",
> "type" : "mesos-cni-port-mapper",
> "excludeDevices" : [],
> "chain": "MESOS-CNI0-PORT-MAPPER",
> "delegate": {
> "type": "bridge",
> "bridge": "mesos-cni0",
> "isGateway": true,
> "ipMasq": true,
> "hairpinMode": true,
> "ipam": {
> "type": "host-local",
> "ranges": [
> [{"subnet": "172.26.0.0/16"}]
> ],
> "routes": [
> {"dst": "0.0.0.0/0"}
> ]
> }
> }
> }
> {noformat}
> - 2 services running on the same mesos-slave using unified containerizer in
> different tasks and communicating via host ip and host port
> - connection timeouts due to iptables rules per container CNI-XXX chain
> - actually timeouts are caused by
> {noformat}
> Chain CNI-XXX (1 references)
> num target prot opt source destination
> 1 ACCEPT all -- anywhere 172.26.0.0/16 /* name:
> "dcos" id: "YYYY" */
> 2 MASQUERADE all -- anywhere !base-address.mcast.net/4 /*
> name: "dcos" id: "YYYY" */
> {noformat}
> rule #1 is executed and no masquerading happens.
> there are multiple solutions:
> - -simpliest and fastest one is not to add that ACCEPT- - NOT A SOLUTION.
> it's happening in `bridge` plugin and `cni/portmap` shows that
> snat/masquerade should be done during portmapping as well.
> - perhaps, there's a better change in iptables rules that can fix it
> - proper one (imho) is to finally implement cni spec 0.3.x in order to be
> able to use chaining of plugins and use cni's `bridge` and `portmap` plugins
> in chain (and get rid of mesos-cni-port-mapper completely eventually).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
