Swarm overlay network not routing via service VIP (18.09.4/ARM64) #644
Comments
Syslog output, not quite sure what I should be seeing here though, and whether the device removal is expected? Deploying the stack. Attaching alpine container to network.
Is there anything in the daemon log (in debug mode)?
There are lots of messages from NetworkManager trying to configure network settings on the interfaces. I tend to disable it on servers; limiting which network interfaces it looks at can also help.
Just got round to looking at this again tonight, recompiling the kernel did the trick.
49c49
< CONFIG_LOCALVERSION=""
---
> CONFIG_LOCALVERSION="-mccabe-v4"
733c733
< # CONFIG_INET_ESP is not set
---
> CONFIG_INET_ESP=y
826c826
< # CONFIG_NF_NAT_REDIRECT is not set
---
> CONFIG_NF_NAT_REDIRECT=m
857c857
< # CONFIG_NETFILTER_XT_TARGET_REDIRECT is not set
---
> CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
925,926c925,926
< # CONFIG_IP_VS_PROTO_TCP is not set
< # CONFIG_IP_VS_PROTO_UDP is not set
---
> CONFIG_IP_VS_PROTO_TCP=y
> CONFIG_IP_VS_PROTO_UDP=y
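Review bot: this hunk is the one most likely to explain the reported symptom, and the diff as a whole bundles it with unrelated changes (device-mapper thin provisioning, crypto algorithms switched from m to y, IPVLAN), so it does not isolate the root cause. The swarm service VIP is an IPVS virtual server; with CONFIG_IP_VS_PROTO_TCP and CONFIG_IP_VS_PROTO_UDP unset, IPVS has no TCP or UDP protocol support, so connections to the VIP cannot be forwarded to the task IPs even though CONFIG_IP_VS itself is built as a module. The check_config output further down confirms both are now enabled; a retest with only these two symbols changed would confirm they are sufficient.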
955a956
> # CONFIG_IP_VS_FTP is not set
956a958
> # CONFIG_IP_VS_PE_SIP is not set
983c985
< # CONFIG_IP_NF_TARGET_REDIRECT is not set
---
> CONFIG_IP_NF_TARGET_REDIRECT=m
1136c1138
< # CONFIG_NET_L3_MASTER_DEV is not set
---
> CONFIG_NET_L3_MASTER_DEV=y
1842a1845,1848
> CONFIG_DM_BUFIO=y
> # CONFIG_DM_DEBUG_BLOCK_STACK_TRACING is not set
> CONFIG_DM_BIO_PRISON=y
> CONFIG_DM_PERSISTENT_DATA=y
1845c1851
< # CONFIG_DM_THIN_PROVISIONING is not set
---
> CONFIG_DM_THIN_PROVISIONING=y
1877a1884
> CONFIG_IPVLAN=m
1889a1897
> # CONFIG_NET_VRF is not set
6215c6223
< CONFIG_CRYPTO_AUTHENC=m
---
> CONFIG_CRYPTO_AUTHENC=y
6231c6239
< CONFIG_CRYPTO_CBC=m
---
> CONFIG_CRYPTO_CBC=y
6257c6265
< CONFIG_CRYPTO_MD5=m
---
> CONFIG_CRYPTO_MD5=y
6280c6288
< CONFIG_CRYPTO_DES=m
---
> CONFIG_CRYPTO_DES=y
6364c6372
< CONFIG_LIBCRC32C=m
---
> CONFIG_LIBCRC32C=y
Enabling IPVLAN (and CONFIG_NET_L3_MASTER_DEV) on its own hadn't been working at the weekend; I enabled more of the missing modules as highlighted by check_config and it seems to have done the trick.
Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled (as module)
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_NF_NAT_IPV4: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_NF_NAT_NEEDED: enabled
- CONFIG_POSIX_MQUEUE: enabled
Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_MEMCG_SWAP: enabled
- CONFIG_MEMCG_SWAP_ENABLED: enabled
(cgroup swap accounting is currently enabled)
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_IOSCHED_CFQ: enabled
- CONFIG_CFQ_GROUP_IOSCHED: missing
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: missing
- CONFIG_NET_CLS_CGROUP: enabled
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: enabled
- CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module)
- CONFIG_IP_VS: enabled (as module)
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled (as module)
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
- "overlay":
- CONFIG_VXLAN: enabled
Optional (for encrypted networks):
- CONFIG_CRYPTO: enabled
- CONFIG_CRYPTO_AEAD: enabled
- CONFIG_CRYPTO_GCM: enabled
- CONFIG_CRYPTO_SEQIV: enabled
- CONFIG_CRYPTO_GHASH: enabled
- CONFIG_XFRM: enabled
- CONFIG_XFRM_USER: enabled
- CONFIG_XFRM_ALGO: enabled
- CONFIG_INET_ESP: enabled
- CONFIG_INET_XFRM_MODE_TRANSPORT: enabled
- "ipvlan":
- CONFIG_IPVLAN: enabled (as module)
- "macvlan":
- CONFIG_MACVLAN: enabled (as module)
- CONFIG_DUMMY: enabled
- "ftp,tftp client in container":
- CONFIG_NF_NAT_FTP: enabled (as module)
- CONFIG_NF_CONNTRACK_FTP: enabled (as module)
- CONFIG_NF_NAT_TFTP: enabled (as module)
- CONFIG_NF_CONNTRACK_TFTP: enabled (as module)
- Storage Drivers:
- "aufs":
- CONFIG_AUFS_FS: missing
- "btrfs":
- CONFIG_BTRFS_FS: enabled (as module)
- CONFIG_BTRFS_FS_POSIX_ACL: enabled
- "devicemapper":
- CONFIG_BLK_DEV_DM: enabled
- CONFIG_DM_THIN_PROVISIONING: enabled
- "overlay":
- CONFIG_OVERLAY_FS: enabled (as module)
- "zfs":
- /dev/zfs: missing
- zfs command: missing
- zpool command: missing
Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000
Many thanks for the help and pointers @justincormack / @alexellis
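The check_config output above lists the symbols by name; as an added example (not Docker's check-config.sh, which produced that output), this POSIX shell script checks the IPVS and netfilter symbols the thread ties to service-VIP routing against a saved kernel config, distinguishing an explicit "is not set" from a symbol that is absent altogether. The symbol list and the sample config are this example's own constructions, modelled on the diff posted in the comment.

```shell
#!/bin/sh
# Added example, not Docker's check-config.sh: report the state of the kernel
# symbols this thread ties to swarm service-VIP routing, read from a kernel
# .config-style file (for a running kernel: zcat /proc/config.gz > kernel.config).

# Symbols taken from the thread's diff and check_config output: IPVS implements
# the service VIP, the REDIRECT targets and the IPVS match are used by the
# routing mesh. The list itself is this example's choice, not Docker's.
VIP_SYMBOLS="IP_VS IP_VS_NFCT IP_VS_PROTO_TCP IP_VS_PROTO_UDP IP_VS_RR \
NETFILTER_XT_MATCH_IPVS IP_NF_TARGET_REDIRECT NETFILTER_XT_TARGET_REDIRECT"

# config_state FILE SYMBOL -> prints y (built in), m (module),
# n ("# CONFIG_X is not set") or missing (symbol absent from the file)
config_state() {
  if grep -qxF "CONFIG_$2=y" "$1"; then echo y
  elif grep -qxF "CONFIG_$2=m" "$1"; then echo m
  elif grep -qxF "# CONFIG_$2 is not set" "$1"; then echo n
  else echo missing
  fi
}

# check_vip_symbols FILE -> one "CONFIG_X: state" line per symbol;
# returns 1 if any symbol is n or missing, 0 if all are y or m
check_vip_symbols() {
  rc=0
  for sym in $VIP_SYMBOLS; do
    state=$(config_state "$1" "$sym")
    echo "CONFIG_$sym: $state"
    case "$state" in n|missing) rc=1 ;; esac
  done
  return $rc
}

# Constructed sample mirroring the "before" side of the thread's diff:
# IPVS built as a module but with its TCP/UDP protocol support switched off.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_IP_VS=m
CONFIG_IP_VS_NFCT=y
# CONFIG_IP_VS_PROTO_TCP is not set
# CONFIG_IP_VS_PROTO_UDP is not set
CONFIG_IP_VS_RR=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
# CONFIG_IP_NF_TARGET_REDIRECT is not set
# CONFIG_NETFILTER_XT_TARGET_REDIRECT is not set
EOF

check_vip_symbols "$SAMPLE_CONFIG" || echo "VIP routing prerequisites are not all enabled"
```

Point it at a real config with `check_vip_symbols /path/to/kernel.config`; a non-zero exit means at least one prerequisite is off or absent.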
Points out another symbol that Docker might need. In this case Docker's mesh network in swarm mode does not route Virtual IPs if it's unset.

From /var/logs/docker.log:

time="2021-02-19T18:15:39+01:00" level=error msg="set up rule failed, [-t mangle -A INPUT -d 10.0.1.2/32 -j MARK --set-mark 257]: (iptables failed: iptables --wait -t mang le -A INPUT -d 10.0.1.2/32 -j MARK --set-mark 257: iptables v1.8.7 (legacy): unknown option \"--set-mark\"\nTry `iptables -h' or 'iptables --help' for more information.\n (exit status 2))"

Bug: moby/libnetwork#2227
Bug: docker/for-linux#644
Bug: docker/for-linux#525

Signed-off-by: Piotr Karbowski <piotr.karbowski@protonmail.ch>
Expected behavior
Deploying a stack on Swarm should result in services being accessible via the service VIP
Actual behavior
Service VIP does not route to container IPs; connecting to the container IP works, and setting endpoint_mode to dnsrr works. The behaviour seems identical to that observed in #525, but it's not clear from that issue what the actual root cause was or what modules I might need to compile.
Steps to reproduce the behavior
Output of docker version:
Output of docker info:
Additional environment details (AWS, VirtualBox, physical, etc.)
Single node swarm running on a Jetson Nano board, fresh docker install with no customisation.
Check config output
Reproducing the issue
Deploy simple stack.
Where docker-compose.yml contains.
Check container and VIP IP addresses.
Run container attached to same network (install curl).
Check direct container (10.0.5.3) connectivity - OK
Check VIP (10.0.5.2) connectivity - FAILS