Swarm overlay network not routing port via the service's VIP/DNS entry

[Hosweay]

Output of docker version:

Client:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:
 OS/Arch:      linux/amd64

Output of docker info:

Containers: 2
 Running: 2
 Paused: 0
 Stopped: 0
Images: 4
Server Version: 1.12.1
Storage Driver: devicemapper
 Pool Name: docker-202:17-100667008-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 1.49 GB
 Data Space Total: 107.4 GB
 Data Space Available: 30.68 GB
 Metadata Space Used: 2.908 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.145 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/500000.500000/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
 Metadata loop file: /var/lib/docker/500000.500000/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2015-12-01)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: host bridge null overlay
Swarm: active
 NodeID: 3knd83ehdwck7rmmc3dap8ety
 Is Manager: true
 ClusterID: d107ppgdkmez2bmzg3wyab68d
 Managers: 1
 Nodes: 4
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
 Node Address: 172.18.50.14
Runtimes: runc
Default Runtime: runc
Security Options: seccomp
Kernel Version: 3.10.0-327.10.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.389 GiB
Name: ip-172-18-50-14.ec2.internal
ID: AYJ2:O4KD:3G23:HRBD:WN5Q:BN6T:BSNS:BNF4:ORUD:3O7G:GGNA:RXTN
Docker Root Dir: /var/lib/docker/500000.500000
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
 127.0.0.0/8

Additional environment details (AWS, VirtualBox, physical, etc.):
AWS, 4 node swarm, 1 manager, 3 workers

Steps to reproduce the issue:

1. Create overlay network:

docker network create -d overlay --subnet 10.10.0.0/16 redis_net

1. Create 2 services attached to that network

docker service create --name redis1 --replicas=1 --network redis_net redis
docker service create --name redis2 --replicas=1 --network redis_net redis

1. Try to connect to the other service via the DNS entry/VIP

Describe the results you received:
I receive no route to host when connecting to the VIP but am able to connect if I use the containers IP directly.

# redis-cli -h redis2
Could not connect to Redis at redis2:6379: No route to host
Could not connect to Redis at redis2:6379: No route to host
not connected> quit
# redis-cli -h 10.10.0.5
10.10.0.5:6379> quit

Describe the results you expected:
I expected to be able to connect to the service using the VIP created for the service and route accordingly.

Additional information you deem important (e.g. issue happens only occasionally):
I have noticed this when the nodes are on different servers in the cluster.
IP addr from the redis2 container:

# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
49: eth0@if50: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
    link/ether 02:42:0a:0a:00:05 brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.5/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.10.0.4/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:aff:fe0a:5/64 scope link
       valid_lft forever preferred_lft forever
51: eth1@if52: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:14:00:04 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.4/16 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe14:4/64 scope link
       valid_lft forever preferred_lft forever

redis_net inspect:

[root@ip-172-18-50-14 ~]# docker network inspect redis_net
[
    {
        "Name": "redis_net",
        "Id": "0gwzlueohh0rav3ouxzjaan5i",
        "Scope": "swarm",
        "Driver": "overlay",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "10.10.0.0/16",
                    "Gateway": "10.10.0.1"
                }
            ]
        },
        "Internal": false,
        "Containers": {
            "09f944032c1b6428877c9fa94e91c708ab940776c682da356a18c66f09fc6223": {
                "Name": "redis2.1.4bpidsb88mt0bkr7zucb8mvga",
                "EndpointID": "bc79ed152485a74177f54716dd48989bdf6cbedd839876c21b90eb4ad46f878a",
                "MacAddress": "02:42:0a:0a:00:05",
                "IPv4Address": "10.10.0.5/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "257"
        },
        "Labels": {}
    }
]

[vieux]

ping @mrjana can you please take a look ?

[mrjana]

@Hosweay Can you please confirm if you have ipvs enabled in your kernel by doing lsmod | grep ip_vs in your host? If so, can you please post docker logs?

[Hosweay]

I can confirm that all 4 nodes have ipvs enabled.

[root@ip-172-18-50-14 ~]# lsmod | grep ip_vs
ip_vs_rr               12600  1
ip_vs                 140944  4 ip_vs_rr,xt_ipvs
nf_conntrack          105745  6 ip_vs,nf_nat,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4
libcrc32c              12644  3 xfs,ip_vs,dm_persistent_data

I'll post logs as soon as I can.

[Hosweay]

swarm_manager_journalctl_20160830_0809.log.gz

Those are the journalctl entries from the manager.

All nodes are started with these options:

/usr/bin/dockerd --icc=false --disable-legacy-registry=true --userns-remap=default

[Hosweay]

So I removed the --userns-remap=default from all the nodes in the swarm, which required me to create a new swarm and all the above steps worked. The VIP responds as expected.

So this is possibly related to user namespaces.

[Hosweay]

Recreating everything with --userns-remap=default once again causes the no route to host error when using the VIP.

I also noticed after recreating everything that network files are being created outside of the Docker Root Dir: /var/lib/docker/500000.500000 and directly in /var/lib/docker. I noticed these were created shortly after creating the swarm and joining the swarm from the workers.

Perhaps the swarm is not recognizing or honoring the remapped root?

[thaJeztah]

ping @mrjana @estesp 😇

[HamidEDD]

@mrjana @estesp @thaJeztah any news about this issue ?
I reproduce the same issue with docker 1.17.* using endpoint_mode=vip
however with the endpoint_mode=dnsrr everything seems to work properly.

[agsimeonov]

@mrjana @estesp @thaJeztah @vieux @HamidEDD I too would like an update on this issue. I will provide an exact way to reproduce it and proof this has to do with user namespaces.

Facing the same issue on Docker 17.05.0-ce-rc2 on CentOS 7.2
I am using User Namespaces via daemon.json with "userns-remap": "somensuser" (and all other necessary steps to setup user namespaces correctly)
Everything works fine using endpoint_mode: dnsrr
However facing above described issues with endpoint_mode: vip

An easy way to recreate it is replicating the example from here:
https://github.com/moby/moby/blob/1.12.x/docs/swarm/networking.md#attach-a-service-to-an-overlay-network

I have replicated it using a small stack and a 2 node swarm with only a single replica for my-web and my-busybox with a placement constrain on my-web on node.role == manager and my-busybox on node.role == worker

Here is my docker-compose.yml

version: "3.2"

services:
  my-web:
    image: nginx
    networks:
      my-network:
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == manager

  my-busybox:
    image: busybox
    entrypoint: sleep 86400
    networks:
      my-network:
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == worker

networks:
  my-network:

I execute this docker-compose.yml via:
docker stack deploy -c docker-compose.yml test

All the steps of the example are as expected as shown in the tutorial in the docs until you try running the following from my-busybox:
wget -O- my-web
the result is:

Connecting to my-web (10.0.0.2:80)
wget: can't connect to remote host (10.0.0.2): No route to host

So it looks like the swarm load balancer does not route the HTTP request to the service’s VIP to an active task.

So here is the interesting part. Please read the following as it shows definitive proof that this is a user namespaces issue:

When I go to my daemon.json and remove "userns-remap": "somensuser" then restart my the manager and worker node and reinitialize the cluster then I execute my docker compose as outline above via:
docker stack deploy -c docker-compose.yml test

Everything runs exactly as described in the example in the docker docs and the swarm load balancer routes things correctly.

So this is with an absolute certainty an issue related to user namespacing with overlay networks.

In conclusion please attempt reproducing it as described here:

1. Setup 2 nodes with docker (I am using CentOS 7.2) and utilize user namespacing on each via userns-remap in daemon.json on both nodes.
2. Initialize your swarm
3. Now deploy the stack in docker-compose.yml provided in this post via docker stack deploy -c docker-compose.yml test
4. Enter interactive shell to the worker nodes busybox image and do a wget -O- my-web notice it failing
5. Now remove userns-remap from your daemon.json on both nodes and reinitialize docker and the swarm on both nodes
6. Now deploy the stack again as in step 3.
7. Enter interactive shell to the worker nodes busybox image and do a wget -O- my-web and notice it work as expected

Here is my docker version:

Client:
 Version:      17.05.0-ce-rc2
 API version:  1.29
 Go version:   go1.7.5
 Git commit:   c57fdb2
 Built:        Thu Apr 27 03:18:37 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.05.0-ce-rc2
 API version:  1.29 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   c57fdb2
 Built:        Thu Apr 27 03:18:37 2017
 OS/Arch:      linux/amd64
 Experimental: false

Here is my docker info:

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 7
Server Version: 17.05.0-ce-rc2
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: false
 Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: active
 NodeID: rqzv04sdw944k5c9vxgg6gxpq
 Is Manager: true
 ClusterID: mgnpng9l6n97l8i1ankefcvv7
 Managers: 1
 Nodes: 2
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
 Node Address: 172.30.0.41
 Manager Addresses:
  172.30.0.41:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
 userns
Kernel Version: 3.10.0-327.10.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.389GiB
Name: ip-172-30-0-41.ec2.internal
ID: EMBG:C7C4:HGCO:H6N5:ONUM:IYBQ:2CBV:XOJR:BBTI:PMTF:YXDZ:JX6J
Docker Root Dir: /var/lib/docker/100000.100000
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

+kind/bug
+area/swarm
+area/networking
+area/security/userns
+status/confirmed
+status/needs-attention