SwarmMode - Not routing on worker node

[WTFKr0]

Hi,

I want to set up a 2 nodes swarm cluster (1 manager, 1 worker)
I have traefik running on master, with theses options (i took pr 728 which i found is the last with functionnal dashboard)

docker service create \
--constraint "node.role == manager" \
--name traefikswarm \
--network swarm_net \
--mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
--label "traefik.frontend.rule=Host:traefik.swarm.mydomain.org" \
--label "traefik.backend=traefikswarm" \
--label "traefik.port=81" \
-p 85:80 \
containous/traefik:pr-728 --web --retry --retry.attempts=10 --docker --docker.domain=swarm.mydomain.org --docker.swarmmode --logLevel=DEBUG --entryPoints='Name:http Address::80' --defaultEntryPoints=http --web.address=":81"

Then i run whoami service on manager node :

docker service create \
--replicas 2 \
--network swarm_net \
--name whoamiswarm \
--label "traefik.frontend.rule=Host:whoami.swarm.mydomain.org" \
--label "traefik.port=80"  \
--constraint "node.role == manager"  \
emilevauge/whoami

That's OK I can access http://whoami.swarm.mydomain.org:85/

I remove service and start same conf on worker node :

docker service create \
--replicas 2 \
--network swarm_net \
--name whoamiswarm \
--label "traefik.frontend.rule=Host:whoami.swarm.mydomain.org" \
--label "traefik.port=80"  \
--constraint "node.role == worker"  \
emilevauge/whoami

As expected the container start on worker and traefik dashboard show me an entry to the VIP, like :
http://10.0.0.7:80
But then traefik can't access it
Logs :
time="2016-11-14T09:41:21Z" level=warning msg="Error forwarding to http://10.0.0.7:80, err: dial tcp 10.0.0.7:80: getsockopt: no route to host"

What am I missing ?

Thanx for reading

[WTFKr0]

Some tests with 2 ubuntu containers :
I ran 2 ubuntu :

• One in manager node, in swarm net
• One in worker node in swarm net

They can't reach each other on the VIP
So I think it's a docker issue, not traefik
But info on that appreciated ! :D

[michaelkrog]

Have you made sure you have all the required ports open? If your overlay is encrypted you will also need to make sure you can send ESP packets.

https://docs.docker.com/engine/swarm/swarm-tutorial/#/open-ports-between-the-hosts

[WTFKr0]

Yeah thanks
I check all that, but I think I'm facing a NAT problem
I got Network Address Translation between hosts, so I use the "advertise-addr" to tell consul on which IP the host is joinable
That's OK for consul, but I think the network overlay on vxlan don't support that for the moment
Tring to find info on that on docker github...
Thanks

[WTFKr0]

After some tests, its clearly a docker swarm config issue itself. I don"t know what i'm missing.
If somebody have a docker swarm behind NAT OK, please tell me !

To reproduce my setup, it's quite easy.

• Take 2 windows Hosts (let's say IP 192.168.1.11 a 192.168.1.12)
• Install docker toolbox on PC 1 (internal IP 10.0.0.2-NAT and 192.168.99.100-bridge)
• Install docker toolbox on PC 2 (internal IP 10.0.0.2-NAT and 192.168.99.100-bridge)
• On each PC, place NAT forwarding on the swarm ports
  https://docs.docker.com/swarm/plan-for-production/#/network-access-control
  So that for example 192.168.1.11:2377/tcp redirect to VirtualBoxPC1 : 10.0.0.2:2377/TCP

Now i'm trying do do a swarm init on docker PC 1 and a swarm join on PC 2
(Have to play with --advertise-addr & --listen-addr)

Then :

• create an overlay network
• create service like nginx running on PC 1 on that network
• create service like nginx running on PC 2 on that network

Try to ping/curl each other by VIP or IP

[WTFKr0]

Closing cause no pb with real swarm cluster
I think I got a pb with NAT and port forcarding