DC/OS / DCOS_OSS-3697

Connectivity between bridged and overlay networks broken

    Details

    • Component Version:
    • Sprint:
      Networking 1.12 RI-3 Sprint 25, Networking 1.12 RI-4 Sprint 26
    • Story Points:
      5

      Description

      I have a problem with docker containers using overlay network. My setup:

      • service A in docker container using overlay network
      • service B in docker container using bridge network
      • both services on the same host.

      When I want to connect from A to B it's not possible (for example, ping doesn't work). Fun fact - when the services are on different hosts it works as expected. After a short investigation I found the problem - iptables rules:

       

      Chain DOCKER-ISOLATION (1 references)
      pkts bytes target prot opt in out source destination
      0 0 DROP all -- d-dcos docker0 anywhere anywhere
      0 0 DROP all -- docker0 d-dcos anywhere anywhere
      0 0 DROP all -- d-dcos6 docker0 anywhere anywhere
      0 0 DROP all -- docker0 d-dcos6 anywhere anywhere
      0 0 DROP all -- d-dcos d-dcos6 anywhere anywhere
      0 0 DROP all -- d-dcos6 d-dcos anywhere anywhere
      10465 1935K RETURN all -- any any anywhere anywhere
      

       

      What is strange - this is a cluster running 1.11.2 upgraded from 1.10. The problem is only on nodes which were rebooted after the upgrade.
      On nodes which weren't rebooted it looks different:

      Chain DOCKER-ISOLATION (1 references)
      pkts bytes target prot opt in out source destination
      3270M 805G RETURN all -- any any anywhere anywhere
      0 0 DROP all -- d-dcos d-dcos6 anywhere anywhere
      0 0 DROP all -- d-dcos6 d-dcos anywhere anywhere
      0 0 DROP all -- docker0 d-dcos6 anywhere anywhere
      0 0 DROP all -- d-dcos6 docker0 anywhere anywhere
      0 0 DROP all -- docker0 d-dcos anywhere anywhere
      0 0 DROP all -- d-dcos docker0 anywhere anywhere
      

      As a workaround I added a RETURN rule at the top of the chain manually.
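
Added example, not part of the original report: a Python check that evaluates the two DOCKER-ISOLATION listings above in first-match order, showing which DROP rules are live and which are shadowed by an earlier catch-all RETURN (as they also are after the manual workaround). The listings are rebuilt inline as constructed input with the order inside the DROP block simplified; the function names are hypothetical, and the parser assumes the `iptables -L -v` column layout shown in the report.

```python
from itertools import permutations
from typing import NamedTuple

# Constructed sample input: the report's two listings, rebuilt from their parts.
HEADER = ("Chain DOCKER-ISOLATION (1 references)\n"
          "pkts bytes target prot opt in out source destination\n")
DROPS = "".join(f"0 0 DROP all -- {i} {o} anywhere anywhere\n"
                for i, o in permutations(("d-dcos", "docker0", "d-dcos6"), 2))
RETURN = "10465 1935K RETURN all -- any any anywhere anywhere\n"
REBOOTED = HEADER + DROPS + RETURN       # DROP rules first (nodes with the problem)
NOT_REBOOTED = HEADER + RETURN + DROPS   # RETURN first (nodes without it)

ANY_IF = ("any", "*")
ANY_ADDR = ("anywhere", "0.0.0.0/0", "::/0")

class Rule(NamedTuple):
    target: str
    in_if: str
    out_if: str

def parse_chain(listing):
    """Parse `iptables -L <chain> -v` output into rules, in evaluation order."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) != 9 or f[0] in ("Chain", "pkts"):
            continue  # chain title, column header, blank line
        if f[3] != "all" or f[7] not in ANY_ADDR or f[8] not in ANY_ADDR:
            raise ValueError(f"rule needs more than interface matching: {line!r}")
        rules.append(Rule(f[2], f[5], f[6]))
    return rules

def verdict(rules, in_if, out_if):
    """First matching rule wins; falling off the end returns to the caller."""
    for r in rules:
        if r.in_if in (*ANY_IF, in_if) and r.out_if in (*ANY_IF, out_if):
            return r.target
    return "RETURN"

def live_drops(rules):
    """DROP rules that still take effect, i.e. sit above any catch-all rule."""
    live = []
    for r in rules:
        if r.in_if in ANY_IF and r.out_if in ANY_IF:
            break  # everything below a catch-all is never evaluated
        if r.target == "DROP":
            live.append((r.in_if, r.out_if))
    return live
```

Running `live_drops(parse_chain(...))` on a node's listing returns an empty list whenever a catch-all rule sits above the DROP rules, which means the chain no longer isolates `d-dcos`, `d-dcos6` and `docker0` from each other on that node.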

       

       


              People

              • Assignee:
                dgoel Deepak Goel
                Reporter:
                grzegorzkocur Grzegorz Kocur
                Team:
                Networking Team
                Watchers:
                Deepak Goel, Grzegorz Kocur, Jan Repnak, John Smith, Pawel Rozlach, Sergey Urbanovich
