DCOS_OSS-5061: Conflict between VIP port and port mapping

Details

• Sprint: Networking: RI-12 Sprint 43, Networking: RI-13 Sprint 44
• Story Points: 8

Description

If a container uses port mapping (for example, a container in bridge mode) and a VIP listens on the same port as the host port in that mapping, traffic to the VIP does not work. This happens because the port mapper's iptables rules kick in before the VIP iptables rule.

A fix would be to add iptables rules that skip traffic destined for a VIP:

1. Create an ipset of type ip,port:

   sudo ipset create -exist dcos-l4lb hash:ip,port counters

2. Create the necessary iptables rules referencing the ipset (inserted at position 1 so they are evaluated before the port mapper's rules):

   sudo iptables -w -t nat -I PREROUTING 1 -m set --match-set dcos-l4lb dst,dst -m comment --comment "Skip VIP traffic" -j RETURN
   sudo iptables -w -t nat -I OUTPUT 1 -m set --match-set dcos-l4lb dst,dst -m comment --comment "Skip VIP traffic" -j RETURN

3. Add entries to the ipset as and when VIPs are created:

   sudo ipset add -exist dcos-l4lb 11.131.150.79,tcp:10151
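The three steps above as a shell helper added here (not code from the DCOS_OSS-5061 ticket or from DC/OS itself): it formats VIP entries for the ipset, installs the rules idempotently using an `iptables -C` check before each `-I`, and verifies from an `iptables -S` listing that the skip rule really is the first rule in the chain. The two listings and the 172.17.0.2:8080 backend are constructed samples.

```shell
#!/bin/sh
# Added example, not from the ticket: helpers for the ipset/iptables workaround.
IPSET_NAME="dcos-l4lb"   # set name used in the ticket

# "IP:PORT" + protocol -> member syntax for a hash:ip,port set,
# e.g. 11.131.150.79:10151 tcp -> 11.131.150.79,tcp:10151
vip_to_ipset_member() {
  ip="${1%:*}"; port="${1##*:}"; proto="${2:-tcp}"
  case "$port" in ''|*[!0-9]*) return 1 ;; esac   # missing/non-numeric port
  printf '%s,%s:%s\n' "$ip" "$proto" "$port"
}

# Idempotent install (needs root): create the set, then insert the RETURN rule
# at position 1 of each chain only if it is not already present.
install_vip_skip_rules() {
  ipset create -exist "$IPSET_NAME" hash:ip,port counters
  for chain in PREROUTING OUTPUT; do
    iptables -w -t nat -C "$chain" -m set --match-set "$IPSET_NAME" dst,dst \
      -m comment --comment "Skip VIP traffic" -j RETURN 2>/dev/null ||
    iptables -w -t nat -I "$chain" 1 -m set --match-set "$IPSET_NAME" dst,dst \
      -m comment --comment "Skip VIP traffic" -j RETURN
  done
}

# Read `iptables -t nat -S <chain>` output on stdin; succeed only if the first
# rule in the chain is the skip-VIP RETURN rule. Any rule inserted ahead of it
# later (e.g. a port mapper also using `-I ... 1`) reintroduces the conflict.
skip_rule_is_first() {
  awk -v chain="$1" -v set="$IPSET_NAME" '
    $1 == "-A" && $2 == chain {
      found = 1
      ok = index($0, "--match-set " set " dst,dst") && index($0, "-j RETURN")
      exit
    }
    END { exit (found && ok) ? 0 : 1 }'
}

# Constructed listing: fix applied correctly (skip rule precedes the DNAT).
GOOD_CHAIN='-P PREROUTING ACCEPT
-A PREROUTING -m set --match-set dcos-l4lb dst,dst -m comment --comment "Skip VIP traffic" -j RETURN
-A PREROUTING -p tcp -m tcp --dport 10151 -j DNAT --to-destination 172.17.0.2:8080'

# Constructed listing: port-mapping DNAT still first, i.e. the bug in the ticket.
BAD_CHAIN='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 10151 -j DNAT --to-destination 172.17.0.2:8080
-A PREROUTING -m set --match-set dcos-l4lb dst,dst -m comment --comment "Skip VIP traffic" -j RETURN'
```

Run the ordering check after any agent or container runtime restart, since those are the moments another component may re-insert its own rules at position 1.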
      


People

• Assignee: sergeyurbanovich (Sergey Urbanovich)
• Reporter: dgoel (Deepak Goel)
• Team: Networking Team
• Watchers: Anitha Muthu (Inactive), Deepak Goel, Jie Yu, Lisa Gunn (Inactive), Mergebot, Sergey Urbanovich
