network/iptables: Add iptables rules to FORWARD chain #872

Merged
merged 1 commit into from Nov 16, 2017

@tomdee
Member

tomdee commented Nov 11, 2017

To work around the Docker change from v1.13 which
changed the default FORWARD policy to DROP.

The change has bitten many many users.

The troubleshooting documentation is also updated to talk about the issue.

Replaces PR #862
Fixes #834
Fixes #823
Fixes #609
Fixes #799

@tomdee tomdee requested a review from gunjan5 Nov 11, 2017

@cehoffman


cehoffman commented Nov 12, 2017

It looks like the --ip-forward flag got dropped from the changes. It is mentioned in the docs and existed on the replaced #862 PR.

@tomdee


Member

tomdee commented Nov 13, 2017

My intention was to drop that flag and to have flannel always write the iptables rules. In this PR, flannel is only changing rules for IP addresses that it owns, whereas in the other PR it was changing the default forward policy, which is global and therefore I figured should be optional.

## Connectivity
In Docker v1.13 and later, the default iptables forwarding policy was changed to `DROP`. For more detail on the Docker change, see the Docker [documentation](https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#container-communication-between-hosts).
This problem manifests itself as connectivity problems between containers running on different hosts. To resolve it either run `iptables -P FORWARD ACCEPT` on every host (and on each reboot) or run flannel with the `--ip-forward` argument that was introduced in version v0.10.0.


@cehoffman

cehoffman Nov 13, 2017

Looks like --ip-forward should be dropped from documentation here.

@cehoffman


cehoffman commented Nov 13, 2017

@tomdee makes sense and I think dropping the flag is better

@klausenbusk


klausenbusk commented Nov 15, 2017

Just a question, but do you know how Tectonic works around this? Do they just add the iptables rule from some script?

@squeed


squeed commented Nov 15, 2017

@klausenbusk The Docker networking code does nothing (noops) if the sysctl net.ipv4.ip_forward is already 1. Users of CoreOS Container Linux (including Tectonic) have this sysctl at boot (before Docker), so it also skips changing the iptables settings.
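The three things discussed in this thread (the `DROP` policy Docker sets on `FORWARD`, the narrowly scoped per-CIDR `ACCEPT` rules tomdee describes instead of a global policy flip, and the `net.ipv4.ip_forward` sysctl squeed mentions) can all be checked from a host with a short script. The following is an added example written for this page, not flannel's own code; the pod CIDR `10.244.0.0/16`, the script name `check-forward.sh` and the exact rule form (`ACCEPT` on source and on destination matching the pod network) are assumptions.

```shell
#!/bin/sh
# Added example, not flannel's own code. Checks a host's FORWARD chain for the
# symptom discussed in this PR and shows the narrowly scoped fix: ACCEPT rules
# for the pod network only, instead of changing the global FORWARD policy.
# ASSUMPTIONS: pod CIDR 10.244.0.0/16 and the rule form "-s/-d <cidr> -j ACCEPT".
set -u

POD_CIDR="${POD_CIDR:-10.244.0.0/16}"

# forward_policy: print the FORWARD chain policy (ACCEPT/DROP) from
# `iptables -S FORWARD` output supplied on stdin.
forward_policy() {
  awk '$1 == "-P" && $2 == "FORWARD" { print $3 }'
}

# has_rule: succeed if the exact rule line $1 is present in the ruleset on stdin.
has_rule() {
  grep -qxF -- "$1"
}

# missing_rules: read a ruleset on stdin and print each per-CIDR ACCEPT rule
# for $1 that is not already installed (one "-A FORWARD ..." spec per line).
missing_rules() {
  cidr="$1"
  rules=$(cat)
  for spec in "-A FORWARD -s $cidr -j ACCEPT" "-A FORWARD -d $cidr -j ACCEPT"; do
    printf '%s\n' "$rules" | has_rule "$spec" || printf '%s\n' "$spec"
  done
}

# diagnose: print a report for the ruleset on stdin; return 0 when cross-host
# pod traffic would be forwarded, 1 when the DROP policy would bite.
diagnose() {
  cidr="$1"
  rules=$(cat)
  policy=$(printf '%s\n' "$rules" | forward_policy)
  missing=$(printf '%s\n' "$rules" | missing_rules "$cidr")
  echo "FORWARD policy: ${policy:-unknown}"
  if [ "$policy" = "ACCEPT" ] || [ -z "$missing" ]; then
    echo "ok: traffic for $cidr will be forwarded"
    return 0
  fi
  echo "problem: policy is ${policy:-unknown} and these rules are missing:"
  printf '%s\n' "$missing"
  return 1
}

# apply_rules: install each rule spec read from stdin (needs root and iptables).
apply_rules() {
  while read -r spec; do
    [ -n "$spec" ] || continue
    # word splitting of $spec is intended: it becomes the iptables arguments
    iptables $spec
  done
}

# Constructed sample ruleset: a Docker >= 1.13 host where only one of the two
# rules has been added, so replies towards the pod network are still dropped.
SAMPLE='-P FORWARD DROP
-A FORWARD -s 10.244.0.0/16 -j ACCEPT'

printf '%s\n' "$SAMPLE" | diagnose "$POD_CIDR" || true

# Live mode, run as root: RUN_LIVE=1 sh check-forward.sh
if [ "${RUN_LIVE:-0}" = 1 ] && command -v iptables >/dev/null 2>&1; then
  # Docker only touches the FORWARD policy when this sysctl is not already 1
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] ||
    echo "warning: net.ipv4.ip_forward is not 1"
  live=$(iptables -S FORWARD)
  printf '%s\n' "$live" | diagnose "$POD_CIDR" ||
    printf '%s\n' "$live" | missing_rules "$POD_CIDR" | apply_rules
fi
```

Run without arguments the script only reports on the constructed sample; with `RUN_LIVE=1` and root it reads the real chain and adds only the rules that are absent, so it stays idempotent across reboots and never widens the policy for traffic outside the pod CIDR.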

@klausenbusk


klausenbusk commented Nov 15, 2017

@klausenbusk The Docker networking code does nothing (noops) if the sysctl net.ipv4.ip_forward is already 1. Users of CoreOS Container Linux (including Tectonic) have this sysctl at boot (before Docker), so it also skips changing the iptables settings.

Thanks, I didn't know that. Then I'm not worried about upgrading to docker 17.x.

@tomdee


Member

tomdee commented Nov 16, 2017

I plan to merge this shortly as I'm not hearing any objections. Thanks @squeed for the info on CoreOS, that solves the mystery of why nobody was hitting this problem on CoreOS!

network/iptables: Add iptables rules to FORWARD chain
To work around the Docker change from v1.13 which
changed the default FORWARD policy to DROP.

The change has bitten many many users.

The troubleshooting documentation is also updated to talk about the issue.

Replaces PR #862
Fixes #834
Fixes #823
Fixes #609
Fixes #799

@tomdee tomdee force-pushed the tomdee:always-ipforward branch from 3e3a5b4 to 5df82dc Nov 16, 2017

@tomdee tomdee merged commit 476abd9 into coreos:master Nov 16, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@tomdee tomdee deleted the tomdee:always-ipforward branch Nov 16, 2017

@jbrissier


jbrissier commented Nov 21, 2017

To resolve it upgrade to the latest version of flannel.

You mean v0.9.1 from quay.io/repository/coreos/flannel ?
The current kube-flannel.yml refers to the version v.0.9.0

@tomdee


Member

tomdee commented Nov 22, 2017

This is now fixed

@Bengrunt


Bengrunt commented Nov 23, 2017

Thanks, I got stuck by this because I pulled the kube-flannel file 2 days ago.
Bad luck I guess.
