-
Notifications
You must be signed in to change notification settings - Fork 879
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add service virtual IP to sandbox's loopback address #1585
Conversation
@aboch @mavenugo It looks like the elasticsearch does allow binding to |
@sanimej True. But regardless of that specific issue, I feel it is logically more correct that the task's service VIP is programmed on the loopback interface. It is also less confusing when debugging, the IP on the interface will be just that, and the ones on loopback are the services' VIPs. Also I'd like to avoid in future to deal with a use case where an app fails to start or function properly because of the IPs ambiguity on an ethX interface if the app happens to make any such assumptions. |
@aboch I don't think it makes any difference for debugging or understanding; both needs some documentation. At least the current behavior is already familiar to most users. When a task is attached to multiple networks, currently the interface corresponding to a network will have only that VIP as alias IP. With the change VIPs in different subnets will be an alias IP in the loopback interface. I don't know if this could break any working scenarios. Unless it fixes any specific use case I am not sure if its needed. |
@sanimej I think adding the virtual-ip in this case logically belongs to the loopback interface. The only reason we added the virtual-ip to the container interface is to support the "loopback" functionality of the self reaching itself using this IP. If we read the purpose of having the loopback interface is exactly that. And it is assigned the 127.0.0.1 address to signify that. Infact the loopback interface must contain all of the virtual-ips that it has to reach itself and it does logically make sense IMO. |
@sanimej @mavenugo In other words, the service VIP has only significance inside the service container. I also think that if we had some more time to think about it when this was first added, we'd have agreed to set it on the loopback interface. But the fact that it was added to the interface as alias few months ago should not be a reason for now correct it now. Even more given this should not have any functionality change. And no inspect API change, it is transparent change to user. But I agree, this is not about functionality or bug fix. It is about refining things before it is too late so that IMO they look easier, more natural to understand and verify during debugging. |
AddVirtualIP(ip *net.IPNet) error | ||
|
||
// RemoveVirtualIP removes the passes IP address from the sandbox loopback interface | ||
RemoveVirtualIP(ip *net.IPNet) error |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sticking to the convention, lets call these functions AddAliasIP
or more explicitly, AddLoopbackAlias
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree, from the sandbox pov this is an alias IP on the loopback interface. I will change to AddLookbakcAliasIP
. Thanks.
Its pretty common for apps to bind to a specific IP (in this case the overlay IP). In such cases I think accessing the service from within the container won't work ? We are expecting the service to be available on the service VIP. This comment is not specific to this PR. |
if len(ep.virtualIP) != 0 { | ||
vipAlias := &net.IPNet{IP: ep.virtualIP, Mask: net.CIDRMask(32, 32)} | ||
ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().IPAliases([]*net.IPNet{vipAlias})) | ||
} | ||
Ifaces[fmt.Sprintf("%s+%s", i.srcName, i.dstPrefix)] = ifaceOptions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we decided to go with the alias IPs on the loopback interface lets remove the unused code from the original change introduced in #1321
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would retain that code instead. It's only few lines and generic enough that we could need it in future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Previous code has the aliasIP on the osl interface and accessor functions for it. And in configureInterface
we will be calling setInterfaceIPAliases
expecting it to do nothing. Its confusing to leave such dead code. I think we should remove it.
Signed-off-by: Alessandro Boch <aboch@docker.com>
if len(ep.virtualIP) != 0 { | ||
vipAlias := &net.IPNet{IP: ep.virtualIP, Mask: net.CIDRMask(32, 32)} | ||
ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().IPAliases([]*net.IPNet{vipAlias})) | ||
} | ||
Ifaces[fmt.Sprintf("%s+%s", i.srcName, i.dstPrefix)] = ifaceOptions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Refreshed the PR: moby#1585 Addressed comments suggesting to remove the IPAlias logic not anymore used Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
Refreshed the PR: moby#1585 Addressed comments suggesting to remove the IPAlias logic not anymore used Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
Refreshed the PR: moby#1585 Addressed comments suggesting to remove the IPAlias logic not anymore used Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
Refreshed the PR: moby#1585 Addressed comments suggesting to remove the IPAlias logic not anymore used Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
Refreshed the PR: moby#1585 Addressed comments suggesting to remove the IPAlias logic not anymore used Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
Refreshed the PR: moby#1585 Addressed comments suggesting to remove the IPAlias logic not anymore used Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
Merged in #1877 |
Refreshed the PR: moby/libnetwork#1585 Addressed comments suggesting to remove the IPAlias logic not anymore used Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
Related to moby/moby#29022
Signed-off-by: Alessandro Boch aboch@docker.com