Swarm mode does not listen on published ports

[dedalusj]

Description

I have a swarm cluster composed of 3 managers running on AWS. When I create a new service using a docker compose file none of the managers listen on the published ports for the service.

Steps to reproduce the issue:

1. Create a swarm cluster with 3 managers
2. Run docker deploy --compose-file docker-compose.yml traefik from one of the managers
3. Run curl -v localhost:8080 from one of the manager nodes

Describe the results you received:

* Rebuilt URL to: localhost:8080/
*   Trying 127.0.0.1...
* connect to 127.0.0.1 port 8080 failed: Connection refused
* Failed to connect to localhost port 8080: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 8080: Connection refused

Describe the results you expected:

Should be able to contact the running service

Additional information you deem important (e.g. issue happens only occasionally):

The compose file for creating the service is:

version: "3"
networks:
    base:
      driver: overlay
services:
    traefik:
      image: traefik:1.2.0
      command: -c /dev/null --web --docker --docker.swarmmode --docker.watch --docker.domain=traefik --logLevel=DEBUG
      networks:
        - base
      ports:
        - "80:80"
        - "8080:8080"
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
      deploy:
        placement:
          constraints: [node.role == manager]

Output of docker service inspect --pretty traefik:

ID:		xjqwrdjjnwf1ssovc9ehneis9
Name:		control_traefik
Labels:
 com.docker.stack.namespace=traefik
Service Mode:	Replicated
 Replicas:	1
Placement:Contraints:	[node.role == manager]
ContainerSpec:
 Image:		traefik:1.2.0@sha256:d9d82c52bb091466b167ea1c0f2a27c0032baef786ead275d3c40fb9e4759aaa
 Args:		-c /dev/null --web --docker --docker.swarmmode --docker.watch --docker.domain=traefik --logLevel=DEBUG 
Mounts:
  Target = /var/run/docker.sock
   Source = /var/run/docker.sock
   ReadOnly = false
   Type = bind
Resources:
Networks: v6v9yr3847770cp5hjez9cb60 
Endpoint Mode:	vip
Ports:
 PublishedPort 80
  Protocol = tcp
  TargetPort = 80
 PublishedPort 8080
  Protocol = tcp
  TargetPort = 8080 

Output of sudo netstat -tunap | grep LISTEN:

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1328/sshd      
tcp6       0      0 :::2377                 :::*                    LISTEN      10141/dockerd   
tcp6       0      0 :::4243                 :::*                    LISTEN      10141/dockerd   
tcp6       0      0 :::22                   :::*                    LISTEN      1328/sshd  

(here I was expecting docker to listen to ports 80 and 8080)

Output of sudo iptables -nvL -t nat:

Chain PREROUTING (policy ACCEPT 1186 packets, 71170 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1180 70804 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 1180 packets, 70804 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 542 packets, 37953 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 542 packets, 37953 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   366 MASQUERADE  all  --  *      !docker_gwbridge  172.18.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker_gwbridge *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0 

Output of docker version:

Docker version 17.03.0-ce, build 3a232c8

Output of docker info:

Containers: 1
 Running: 1
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 17.03.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
Swarm: active
 NodeID: 2ezx7ap7kgiv3r6mq5zdoso79
 Is Manager: true
 ClusterID: y5p5sqpgew4tfqy2sr2na4ang
 Managers: 3
 Nodes: 3
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
 Node Address: 172.31.7.109
 Manager Addresses:
  0.0.0.0:2377
  172.31.21.219:2377
  172.31.7.109:2377
  172.31.8.25:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 977c511eda0925a723debdc94d09459af49d082a
runc version: a01dafd48bc1c7cc12bdb01206f9fea7dd6feb70
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-59-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 486.7 MiB
Name: ip-172-31-7-109
ID: HUMZ:FHWJ:XFYZ:ECNW:4Z5P:7D7L:RW45:7OSL:DPXL:E47P:TUE5:JAVH
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 41
 Goroutines: 102
 System Time: 2017-03-26T07:01:09.469308353Z
 EventsListeners: 1
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

The docker nodes are running in AWS. The security group attached to the EC2 instances allow all traffic over all protocol between the docker nodes.

[dedalusj]

The issue can be reliably reproduced using the Cloudformation template from https://gist.github.com/dedalusj/7f0ffd2fb057abee345ff672ce14f867 .

The CF will create three manager instances that will form a swarm. You can then ssh into one of the instances and deploy the service from the compose file above using docker deploy --compose-file docker-compose.yml traefik.

Consistently one of the manager nodes will not expose the port 8080 published by the service.

[m4r10k]

Yes, i would like to report the same behavior. Port mapping through docker stack with service compose file does not work.

docker version:

Client:
Version: 17.03.1-ce
API version: 1.27
Go version: go1.7.5
Git commit: c6d412e
Built: Mon Mar 27 17:14:09 2017
OS/Arch: linux/amd64

Server:
Version: 17.03.1-ce
API version: 1.27 (minimum version 1.12)
Go version: go1.7.5
Git commit: c6d412e
Built: Mon Mar 27 17:14:09 2017
OS/Arch: linux/amd64
Experimental: false

[dedalusj]

Looking at the syslog for the instances it seems that docker never calls iptables to setup the listening rules for the ports of the service.

I have attached the syslog of the three instances I used for a test where I tried to deploy a service with both traefik and nginx both failing to listen on the published ports.

syslog_nginx_1.txt
syslog_nginx_2.txt
syslog_nginx_3.txt

[thaJeztah]

ping @aboch @mavenugo PTAL

[aboch]

@dedalusj
Yes, something is actually missing, nobody is listening on networking control plane, following is missing:

tcp6       0      0 :::7946                 :::*                    LISTEN 

When node1 joined the swarm, this failure was infact reported:

Mar 28 11:33:35 ip-172-31-26-192 dockerd[10126]: time="2017-03-28T11:33:35.389905440Z" level=info msg="Initializing Libnetwork Agent Listen-Addr=0.0.0.0 Local-addr=172.31.26.192 Adv-addr=172.31.26.192 Remote-addr =172.31.13.94"
[...]
Mar 28 11:33:35 ip-172-31-26-192 dockerd[10126]: time="2017-03-28T11:33:35.392981104Z" level=error msg="Error in agentInit : failed to create memberlist: Failed to start TCP listener. Err: listen tcp 0.0.0.0:7946: bind: address already in use"
Mar 28 11:33:35 ip-172-31-26-192 cloud-init[1336]: This node joined a swarm as a manager.
Mar 28 11:33:35 ip-172-31-26-192 cloud-init[1336]: Successfully joined manager at 172.31.13.94

I am thinking this could happen if the daemon, with a swarm config, is restarted too quickly after a stop, because on stop, the cleanup of the sockets could take a little bit.

In fact we see the daemon being stopped a second after it became a swarm node:

Mar 28 11:33:32 ip-172-31-26-192 dockerd[10126]: time="2017-03-28T11:33:32.573864385Z" level=info msg="Initializing Libnetwork Agent Listen-Addr=0.0.0.0 Local-addr=172.31.26.192 Adv-addr=172.31.26.192 Remote-addr ="
[...]
Mar 28 11:33:33 ip-172-31-26-192 dockerd[10126]: time="2017-03-28T11:33:33.336906764Z" level=info msg="Manager shut down"

So it looks like this node was first started as a follower (Remote-addr =172.31.13.94), then quick after stopped and started as a leader (Remote-addr =).

Can you try to modify your template to insert some delay between these stop/start operations.

[dedalusj]

Thanks @aboch that was definitely the cause of the problem. After adding a couple of sleep in the setup scripts everything works as expected.

[slotix]

I have a similar problem. Docker in Swarm mode doesn't listen any exposed ports when deploying services to Scaleway C2S server.
I've investigated docker logs with journalctl -u docker.service
and found some errors like
Apr 11 19:40:18 scw-a728ca dockerd[12709]: time="2017-04-11T19:40:18Z" level=error msg="setting up rule failed, [-t mangle -D OUTPUT -d 10.0.0.8/32 -j MARK --set-mark 323]: (iptables failed: iptables --wait -t mangle -D OUTPUT -d 10.0.0.8/32 -j MARK --set-mark 323: iptables: No chain/target/match by that name.\n (exit status 1))" Apr 11 19:40:18 scw-a728ca dockerd[12709]: time="2017-04-11T19:40:18.259536582Z" level=error msg="Failed to delete firewall mark rule in sbox 097582e (c8f11d8): reexec failed: exit status 5" Apr 11 19:40:18 scw-a728ca dockerd[12709]: time="2017-04-11T19:40:18Z" level=info msg="Firewalld running: false" Apr 11 19:40:18 scw-a728ca dockerd[12709]: time="2017-04-11T19:40:18Z" level=error msg="setting up rule failed, [-t mangle -D PREROUTING -p tcp --dport 8000 -j MARK --set-mark 324]: (iptables failed: iptables --wait -t mangle -D PREROUTING -p tcp --dport 8000 -j MARK --set-mark 324: iptables: No chain/target/match by that name.\n (exit status 1))" Apr 11 19:40:18 scw-a728ca dockerd[12709]: time="2017-04-11T19:40:18.478598359Z" level=error msg="Failed to delete firewall mark rule in sbox ingress (ingress): reexec failed: exit status 5" Apr 11 19:40:18 scw-a728ca dockerd[12709]: time="2017-04-11T19:40:18Z" level=info msg="Firewalld running: false"

However everything with exactly the same configuration works perfectly on DigitalOcean hosted servers. No any errors are logged.

[aboch]

This issue should be fixed in 17.05 because of #32283 because now the swarm init/join will be processed only after the swarm leave is complete, after the networking agent has closed the network DB (control plane and its socket). Same after graceful daemon stop/start sequence, stop will wait for the graceful stop of network DB.

[aboch]

Fixed by #32283

But feel free to reopen if you are able to reproduce with 17.05

[hermanzdosilovic]

I was able to reproduce it with 17.05.0-ce on Raspberry Pi 3 Model B.

Output of uname -a: Linux shpaolin 4.9.24-v7+ #993 SMP Wed Apr 26 18:01:23 BST 2017 armv7l GNU/Linux

Output of docker version:

Client:
 Version:      17.05.0-ce
 API version:  1.29
 Go version:   go1.7.5
 Git commit:   89658be
 Built:        Thu May  4 22:30:54 2017
 OS/Arch:      linux/arm

Server:
 Version:      17.05.0-ce
 API version:  1.29 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   89658be
 Built:        Thu May  4 22:30:54 2017
 OS/Arch:      linux/arm
 Experimental: false

Output of docker info:

Containers: 6                                                                                                                                                             
 Running: 4                                                                                                                                                               
 Paused: 0                                                                                                                                                                
 Stopped: 2                                                                                                                                                               
Images: 11                                                                                                                                                                
Server Version: 17.05.0-ce                                                                                                                                                
Storage Driver: overlay2                                                                                                                                                  
 Backing Filesystem: extfs                                                                                                                                                
 Supports d_type: true                                                                                                                                                    
 Native Overlay Diff: true                                                                                                                                                
Logging Driver: json-file                                                                                                                                                 
Cgroup Driver: cgroupfs                                                                                                                                                   
Plugins:                                                                                                                                                                  
 Volume: local                                                                                                                                                            
 Network: bridge host macvlan null overlay                                                                                                                                
Swarm: active                                                                                                                                                             
 NodeID: s6z17gd583r9s4x84kk0wlaa9                                                                                                                                        
 Is Manager: true                                                                                                                                                         
 ClusterID: p570wxedr4gofd6iam7rxl2be                                                                                                                                     
 Managers: 1                                                                                                                                                              
 Nodes: 2                                                                                                                                                                 
 Orchestration:                                                                                                                                                           
  Task History Retention Limit: 5                                                                                                                                         
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
 Node Address: 192.168.0.33
 Manager Addresses:
  192.168.0.33:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Kernel Version: 4.9.24-v7+
Operating System: Raspbian GNU/Linux 8 (jessie)
OSType: linux
Architecture: armv7l
CPUs: 4
Total Memory: 923.4MiB
Name: shpaolin
ID: IRZC:MW6N:VEPG:PPNX:L4LF:2CY7:OV2K:VOU6:JBR6:WCDR:F5XC:CSIV
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
WARNING: No cpuset support

Here is the output of my reproduction of this issue:

pi@shpaolin:~/httpd $ docker run -p 80:80 --name httpd -d hypriot/rpi-busybox-httpd
05927cde03f10c2e7c52102a1f610a63949090bc68b120526dc55e73fa6b4907

pi@shpaolin:~/httpd $ curl localhost:80
<html>
<head><title>Pi armed with Docker by Hypriot</title>
  <body style="width: 100%; background-color: black;">
    <div id="main" style="margin: 100px auto 0 auto; width: 800px;">
      <img src="pi_armed_with_docker.jpg" alt="pi armed with docker" style="width: 800px">
    </div>
  </body>
</html>

pi@shpaolin:~/httpd $ docker stop httpd
httpd

pi@shpaolin:~/httpd $ docker service create -p 80:80 --constraint 'node.role == manager' --detach=true hypriot/rpi-busybox-httpd
988j3cs57b6qc2xeksk7yla6d

pi@shpaolin:~/httpd $ curl localhost:80
curl: (7) Failed to connect to localhost port 80: Connection refused

pi@shpaolin:~/httpd $ docker service ls
ID                  NAME                MODE                REPLICAS            IMAGE                              PORTS
988j3cs57b6q        awesome_jones       replicated          0/1                 hypriot/rpi-busybox-httpd:latest   *:80->80/tcp

pi@shpaolin:~/httpd $ docker service create -p 80:80 --constraint 'node.role == manager' --detach=true hypriot/rpi-busybox-httpd
Error response from daemon: rpc error: code = 3 desc = port '80' is already in use by service 'awesome_jones' (988j3cs57b6qc2xeksk7yla6d)

pi@shpaolin:~/httpd $ docker service ls
ID                  NAME                MODE                REPLICAS            IMAGE                              PORTS
988j3cs57b6q        awesome_jones       replicated          0/1                 hypriot/rpi-busybox-httpd:latest   *:80->80/tcp

pi@shpaolin:~/httpd $ curl localhost:80
curl: (7) Failed to connect to localhost port 80: Connection refused

[HenrikBach1]

I'm also able to reproduce it on fedora 26:

$ cat /etc/fedora-release
Fedora release 26 (Twenty Six)

$ uname -a
Linux localhost.localdomain 4.13.11-200.fc26.x86_64 #1 SMP Thu Nov 2 18:28:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ docker stack deploy -c stack.yml traefik
Creating network traefik_base
Creating service traefik_traefik

$ docker version
Client:
Version: 17.11.0-ce-rc4
API version: 1.34
Go version: go1.8.3
Git commit: 587f1f0
Built: Thu Nov 16 01:27:19 2017
OS/Arch: linux/amd64

Server:
Version: 17.11.0-ce-rc4
API version: 1.34 (minimum version 1.12)
Go version: go1.8.3
Git commit: 587f1f0
Built: Thu Nov 16 01:29:54 2017
OS/Arch: linux/amd64
Experimental: false

$ docker info
Containers: 7
Running: 1
Paused: 0
Stopped: 6
Images: 26
Server Version: 17.11.0-ce-rc4
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: active
NodeID: qtcygeegb8qqy93jox9hy8080
Is Manager: true
ClusterID: qfb564q6yjemihr3u7czg3559
Managers: 1
Nodes: 1
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot Interval: 10000
Number of Old Snapshots to Retain: 0
Heartbeat Tick: 1
Election Tick: 3
Dispatcher:
Heartbeat Period: 5 seconds
CA Configuration:
Expiry Duration: 3 months
Force Rotate: 0
Autolock Managers: false
Root Rotation In Progress: false
Node Address: 192.168.0.35
Manager Addresses:
192.168.0.35:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 992280e8e265f491f7a624ab82f3e238be086e49
runc version: 0351df1c5a66838d0c392b4ac4cf9450de844e2d
init version: 949e6fa
Security Options:
seccomp
Profile: default
Kernel Version: 4.13.11-200.fc26.x86_64
Operating System: Fedora 26 (Workstation Edition)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.57GiB
Name: localhost.localdomain
ID: T7ZJ:O6AC:TO3J:EXTA:NKW4:CL4W:FH6Q:4546:AXLR:VFWN:RCT7:CALI
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

$ curl localhost:80
hangs...

$ curl localhost:8080
hangs...

$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
17pnwopsw8kq traefik_traefik replicated 1/1 traefik:1.2.0 :80->80/tcp,:8080->8080/tcp

$ docker stack ps traefik
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
f5d5g9byhiq3 traefik_traefik.1 traefik:1.2.0 localhost.localdomain Running Running 16 minutes ago

/Henrik

[Fank]

Same here updated from 17.07 to 17.11 and added a new node, now all services with non host publish are not reachable, only get a connection refused.

• same as my issue No such network: "gwaas-qa" module=node/agent node.id=1701sbvw4vbkql5h804xfpoxu #35466
• and this hopefully fixes it Tasks fail with error "Unable to complete atomic operation, key modified" #35310 (comment)

[wjma90]

I solved it using an earlier version of "boot2docker". Apparently version 18.09 has problems.

docker-machine create -d hyperv --hyperv-virtual-switch "myswitch" --hyperv-boot2docker-url=https://github.com/boot2docker/boot2docker/releases/down
load/v18.05.0-ce/boot2docker.iso myvm1

I have tested this solution with virtualbox driver (in mac) and with hyper-v (obviously windows)

[ushuz]

Same problem with 18.06.2.

May  9 17:56:22 manager-01 dockerd[11809]: time="2019-05-09T17:56:22.500666281+08:00" level=warning msg="rmServiceBinding 78af3f49b99b296d9c6bf76ef1
c9a03e8c8cff74f13a6912746f0f122d6c1dcc possible transient state ok:false entries:0 set:false "
May  9 17:56:22 manager-01 dockerd[11809]: time="2019-05-09T17:56:22.500876295+08:00" level=error msg="Failed to delete real server 10.255.47.131 fo
r vip 10.255.47.126 fwmark 338 in sbox ingress (ingress): no such process"
May  9 17:56:22 manager-01 dockerd[11809]: time="2019-05-09T17:56:22.500933809+08:00" level=error msg="Failed to delete service for vip 10.255.47.12
6 fwmark 338 in sbox ingress (ingress): no such process"
May  9 17:56:22 manager-01 dockerd[11809]: time="2019-05-09T17:56:22+08:00" level=error msg="setting up rule failed, [-t mangle -D PREROUTING -p tcp
 --dport 8788 -j MARK --set-mark 338]:  (iptables failed: iptables --wait -t mangle -D PREROUTING -p tcp --dport 8788 -j MARK --set-mark 338: iptables:
No chain/target/match by that name.\n (exit status 1))"
May  9 17:56:22 manager-01 dockerd[11809]: time="2019-05-09T17:56:22.548208699+08:00" level=error msg="Failed to delete firewall mark rule in sbox i
ngress (ingress): reexec failed: exit status 8"

After rerun iptables -L on each node, the problem seems to be resolved.

[robertsilvatech]

@ushuz how did you get this log?

[ushuz]

@treborbrz From syslog, /var/log/syslog on Ubuntu.