Re: Review Request 51617: Added the logic for installing and removing DNAT rules.

Mon, 17 Oct 2016 06:42:56 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51617/
-----------------------------------------------------------

(Updated Oct. 17, 2016, 1:42 p.m.)


Review request for mesos, Jie Yu and Qian Zhang.


Changes
-------

Made `CNI_CONTAINTERID` a required env variable for the plugin.


Bugs: MESOS-6023
    https://issues.apache.org/jira/browse/MESOS-6023


Repository: mesos


Description
-------

Added the logic for installing and removing DNAT rules.


Diffs (updated)
-----

  
src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.hpp
 7fad707a240234e35828917aea1bc79f42fe130e 
  
src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp
 2ff8b0e76a11b6f6c98b839d3ac91a81e41285f5 

Diff: https://reviews.apache.org/r/51617/diff/


Testing
-------

Ran the CNI plugin against a network namespace with the following JSON input:
```
{
    "name": "mynet",
    "type": "port-mapper",
    "chain": "MESOS-TEST",
    "excludeDevices": ["mesos-cni0"],
    "delegate": {
      "type" : "bridge",
      "bridge": "cni0",
      "isGateway": true,
      "ipMasq": true,
      "ipam": {
          "type": "host-local",
          "subnet": "192.168.37.0/24",
          "routes": [
            { "dst": "0.0.0.0/0" }
          ]
      }
    },
    "args" : {
      "org.apache.mesos" : {
        "network_info" : {
          "port_mappings": {
            "host_port" : 8080,
            "container_port" : 9000
          }
        }
      }
    }
}
```

Used the ADD command to test that the CNI plugin correctly invokes the delegate 
plugin (a CNI bridge plugin in this case) and also inserts the correct iptable 
entries for the given port mapping. After running this plugin, this was the 
output of the `iptables -t nat -S MESOS-TEST` command:
```
sudo iptables -t nat -S MESOS-TEST
-N MESOS-TEST
-A MESOS-TEST ! -i mesos-cni0 -p tcp -m tcp --dport 8080 -j DNAT 
--to-destination 192.168.37.21:9000
```

Ran a python HTTP server in this network namespace and verified that DNAT works 
from outside the box. Was able to connect to port 9000 of this server, by 
connecting to port 8080 on the host.

Used the DEL command to test the CNI plugin correctly deletes the DNAT rule and 
chain, if there are no DNAT rules exist in the chain. After running the DEL 
command (by injecting `NetworkInfo` into the above JSON schema) verified the 
chain and the DNAT rule is deleted from iptables.


Apart from these tests ran a single node cluster and did an end-to-end test 
with a modified `mesos-execute` binary that can setup port-mapping.


Thanks,

Avinash sridharan

Reply via email to