
network/iptables: Add iptables rules to FORWARD chain #872

Merged (1 commit, Nov 16, 2017)

Conversation

@tomdee (Contributor) commented Nov 11, 2017

To work around the Docker change from v1.13 which
changed the default FORWARD policy to DROP.

The change has bitten many many users.

The troubleshooting documentation is also updated to talk about the issue.

Replaces PR #862
Fixes #834
Fixes #823
Fixes #609
Fixes #799

@tomdee tomdee requested a review from gunjan5 November 11, 2017 00:57
@cehoffman commented:

It looks like the --ip-forward flag got dropped from the changes. It is mentioned in the docs and existed on the replaced #862 PR.

@tomdee (Contributor, Author) commented Nov 13, 2017

My intention was to drop that flag and to have flannel always write the iptables rules. In this PR, flannel is only changing rules for IP addresses that it owns, whereas in the other PR it was changing the default forward policy, which is global and therefore I figured should be optional.
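The distinction above (flannel accepting only the network it owns versus flipping the global FORWARD policy that the troubleshooting docs describe) can be checked on a host from `iptables -S FORWARD` output. The script below is an added example, not flannel's code; the network 10.244.0.0/16 and the two rule dumps are constructed samples, and the per-network rule shape (`-s NET -j ACCEPT` / `-d NET -j ACCEPT`) is an assumption about what the PR writes.

```shell
#!/bin/sh
# Added example, not flannel's own code: read `iptables -S FORWARD` output and
# report whether traffic for a pod network will be forwarded or hit the DROP
# policy that Docker >= 1.13 installs. The network 10.244.0.0/16 and the two
# rule dumps below are constructed samples; the per-network ACCEPT rule shape
# (-s NET -j ACCEPT and -d NET -j ACCEPT) is an assumption about what the PR adds.

# Constructed `iptables -S FORWARD` dump: Docker's rules only, policy DROP.
BEFORE='-P FORWARD DROP
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT'

# Same host after flannel adds rules scoped to the network it owns.
AFTER='-P FORWARD DROP
-A FORWARD -s 10.244.0.0/16 -j ACCEPT
-A FORWARD -d 10.244.0.0/16 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# forward_check RULES NET: prints a verdict; returns 0 if NET is forwarded,
# 1 if cross-host traffic for NET will be dropped.
forward_check() {
    rules=$1
    net=$2
    policy=$(printf '%s\n' "$rules" | awk '$1 == "-P" && $2 == "FORWARD" { print $3 }')
    if [ "$policy" = "ACCEPT" ]; then
        echo "policy ACCEPT: global workaround (iptables -P FORWARD ACCEPT) is in place"
        return 0
    fi
    # Count the scoped ACCEPT rules in each direction; awk always exits 0,
    # so the assignments are safe under `set -e`.
    src=$(printf '%s\n' "$rules" | awk -v n="$net" \
        '$1 == "-A" && $2 == "FORWARD" && $3 == "-s" && $4 == n && $5 == "-j" && $6 == "ACCEPT" { c++ } END { print c + 0 }')
    dst=$(printf '%s\n' "$rules" | awk -v n="$net" \
        '$1 == "-A" && $2 == "FORWARD" && $3 == "-d" && $4 == n && $5 == "-j" && $6 == "ACCEPT" { c++ } END { print c + 0 }')
    if [ "$src" -ge 1 ] && [ "$dst" -ge 1 ]; then
        echo "policy $policy, but $net is accepted in both directions: scoped rules present"
        return 0
    fi
    echo "policy $policy and no scoped ACCEPT rules for $net: cross-host pod traffic will be dropped"
    return 1
}

# Demo on the constructed dumps; on a real host use: forward_check "$(iptables -S FORWARD)" NET
for dump in "$BEFORE" "$AFTER"; do
    forward_check "$dump" 10.244.0.0/16 || true
done
```

The first dump reports that pod traffic will be dropped, the second that the scoped rules are present; a host that instead ran `iptables -P FORWARD ACCEPT` is reported as using the global workaround.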

## Connectivity
In Docker v1.13 and later, the default iptables forwarding policy was changed to `DROP`. For more detail on the Docker change, see the Docker [documentation](https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#container-communication-between-hosts).

This problem manifests itself as connectivity problems between containers running on different hosts. To resolve it, either run `iptables -P FORWARD ACCEPT` on every host (and on each reboot) or run flannel with the `--ip-forward` argument that was introduced in version v0.10.0.


Looks like --ip-forward should be dropped from documentation here.

@cehoffman commented:

@tomdee makes sense and I think dropping the flag is better

@klausenbusk commented:

Just a question, but do you know how Tectonic works around this? Do they just add the iptables rule from some script?

@squeed (Contributor) commented Nov 15, 2017

@klausenbusk The Docker networking code does nothing (noops) if the sysctl net.ipv4.ip_forward is already 1. Users of CoreOS Container Linux (including Tectonic) have this sysctl at boot (before Docker), so it also skips changing the iptables settings.

@klausenbusk commented:

> @klausenbusk The Docker networking code does nothing (noops) if the sysctl net.ipv4.ip_forward is already 1. Users of CoreOS Container Linux (including Tectonic) have this sysctl at boot (before Docker), so it also skips changing the iptables settings.

Thanks, I didn't know that. Then I'm not worried about upgrading to docker 17.x.

@tomdee (Contributor, Author) commented Nov 16, 2017

I plan to merge this shortly as I'm not hearing any objections. Thanks @squeed for the info on CoreOS, that solves the mystery of why nobody was hitting this problem on CoreOS!

@tomdee tomdee merged commit 476abd9 into flannel-io:master Nov 16, 2017
@tomdee tomdee deleted the always-ipforward branch November 16, 2017 15:03
@jbrissier commented Nov 21, 2017

> To resolve it upgrade to the latest version of flannel.

You mean v0.9.1 from quay.io/repository/coreos/flannel?
The current kube-flannel.yml refers to the version v.0.9.0

@tomdee (Contributor, Author) commented Nov 22, 2017

This is now fixed

@Bengrunt commented:

Thanks, I got stuck by this because I pulled the kube-flannel file 2 days ago.
Bad luck I guess.
