Docker swarm - encrypted network overlay - stops working.

[ventz]

Description
After creating a 3 node swarm (all managers), and then creating an encrypted overlay, we have noticed that the overlay network drops out randomly

Steps to reproduce the issue:

1. Create docker swarm cluster of at least 3 nodes
2. Create overlay with:

docker network create --attachable --opt encrypted -d overlay networkname"

NOTE: Making it attachable to test easily

3. Start an alpine container (easy test) on 2 nodes:

docker run -it --rm --net=networkname alpine /bin/ash

4.) Find the IPs (ifconfig) of each, and ping across.

Describe the results you received:
It works and randomly it stops. Firewall (both IP protocol 50 and the rest of the parts are any/any allowed between the 3 nodes)

Describe the results you expected:
To work all the time :)

Additional information you deem important (e.g. issue happens only occasionally):
Happens randomly almost. If you reboot, it starts working again.

Output of docker version:

Client:
 Version:      1.13.0
 API version:  1.25
 Go version:   go1.7.3
 Git commit:   49bf474
 Built:        Tue Jan 17 09:58:26 2017
 OS/Arch:      linux/amd64

Server:
 Version:      1.13.0
 API version:  1.25 (minimum version 1.12)
 Go version:   go1.7.3
 Git commit:   49bf474
 Built:        Tue Jan 17 09:58:26 2017
 OS/Arch:      linux/amd64
 Experimental: false

Output of docker info:

Containers: 1
 Running: 1
 Paused: 0
 Stopped: 0
Images: 8
Server Version: 1.13.0
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 34
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: active
 NodeID: 4y3mi5goxun18p0rif8hdrt5o
 Is Manager: true
 ClusterID: vcwzg0mebqw4kp58pz8ynm0cn
 Managers: 3
 Nodes: 3
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
 Node Address: PUB#1
 Manager Addresses:
  PUB#1:2377
  PUB#2:2377
  PUB#2:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 03e5862ec0d8d3b3f750e19fca3ee367e13c090e
runc version: 2f7393a47307a16f8cee44a37b262e8b81021e3e
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-59-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 24
Total Memory: 100 GiB
Name: swarmhost01
ID: GVD4:VFPH:ELAN:X2CK:CLFZ:MFDC:C5LT:RLTU:DWKE:KDKY:HT6M:BAC2
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
 nfs=yes
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):
Environment is between physical and virtual systems. We have changed it around to be only virtual and only physical - same results. Systems are located in 3 different regions, on 3 different public IP spaces.

[ventz]

Additional information: the overlay seems to be aware of the other IPs, since when launching new containers on the different swarm subnets, it keeps increasing the last octet by 1 (ex: 10.0.0.3, 10.0.0.4, etc)

Also, so far from a few tests, it seems in some way related specifically to encrypted overlays -- we have not seen this happen on non-encrypted overlays. In fact, if you remove the overlay (when encrypted) and re-created it non-encrypted, it starts working again.

Also, if you remove and re-create the encrypted overlay, it still will not work until the host(s) are rebooted.

[aboch]

@ventz Few questions:

• How long does it take to hit the issue
• Do you have one container on one node ping the container on another node, or both pinging each other
• Once the ping stops working, have you tried capturing on the rx container node interface with tcpdump to see if the other node is still sending the packets (tcpdump -i <iface> -p esp)
  Just to see if the issue is at the tx node or at the rx node.

Thanks

[ventz]

@aboch

• It seems "random". For example, on the latest cluster it worked for a few days (given no containers on it) before it hit this status again. I have seen it as soon as an hour, and the "average" (if you can even call it that) seems to be a few hours to less than a couple of days. I can start monitoring this more carefully.

• I have one container on each node (when I test), but I've noticed that since I first test with just ICMP (easiest), it won't matter which way I am initializing it. If I get both ICMP echo + reply, the overlay works. As soon as I stop getting "replies", that indicates a problem. Once it hits this state, I do open it from all the sides, and test to see which way exactly it fails. I have noticed a few times that the issue seems to be surrounding the leader node. Ex: in this case where it just happened, as soon as I rebooted the leader, it started working again.

• This is the interesting scenario -- you can see ESP coming in on the docker host (not container) while pinging, but it will not send ESP back (or originate if you try to originate only). It's almost like some part responsible for this just collapses. No error logs so far in /var/log/system

Here is what a tcpdump looks like

NOTE: again, PUB#1 happened to be leader again in this case
NOTE2: tcpdump taken _on_ NODE#3 (thus why "private#3"):

16:09:54.836702 IP PUB#1 > private#3: ESP(spi=0xd3052651,seq=0x13), length 140
16:09:55.836722 IP PUB#1 > private#3: ESP(spi=0xd3052651,seq=0x14), length 140
16:09:56.836727 IP PUB#1 > private#3: ESP(spi=0xd3052651,seq=0x15), length 140
16:09:57.836676 IP PUB#1 > private#3: ESP(spi=0xd3052651,seq=0x16), length 140
16:09:58.836693 IP PUB#1 > private#3: ESP(spi=0xd3052651,seq=0x17), length 140
16:09:59.836695 IP PUB#1 > private#3: ESP(spi=0xd3052651,seq=0x18), length 140
16:10:00.836763 IP PUB#1 > private#3: ESP(spi=0xd3052651,seq=0x19), length 140

As you can see, the system is not even trying to originate protocol 50 traffic back.

[aboch]

Thanks @ventz
It looks like the system is currently in the erroneous state. If so, it would be interesting do some debugging:

Can you please check if the container running on node#3 is actually receiving the icmp echo request packet and that it is generating the responses back (For this either tcpdump from docker exec if the container image has it, or nsenter into the container netns from the host (nsenter --net=<value from docker inspect container | grep xKey">)

[ventz]

@aboch Hi - this is sadly the tcpdump I had taken from earlier today when it happened. I have already rebooted that node.

That said, the container on private#3 was generating back the icmp replies, but they didn't show up on the component responsible for receiving/processing/sending ESP.

It's almost like something isolated to the ESP connection is failing.

To give you an example, when this happened, I removed the containers and removed the overlay. Then re-created the overlay (encrypted), and it still didn't work. Tried removing+re-adding one more time. At that point, I re-added it without encryption, and it worked. I removed it, and re-added it with encryption again, nothing. But then rebooting the leader node fixed it.

[aboch]

It's almost like something isolated to the ESP connection is failing.

Looks like.

I did it before, but let me run again few nodes on AWS overnight with containers pinging over encrypted network. I will have them be all managers as in your test. I will report back my findings.

[ventz]

I did get it to happen on AWS, but if possible - try to do one at a local datacenter or a different network. Noticed it happening a lot more when it's going over public lines -- so it might be a disruption or blip that ends up causing it.

I'll keep an eye for it again too, although for now the latest cluster seems to be working.

I know this sucks for debugging -- it's clearly broken in some way, but capturing what exactly is not easy, especially from someone going "hey it just fails, oh and it's random" :)

[ventz]

@aboch I have an environment where this is happening right now.

[aboch]

@ventz
Check with ip -s xfrm state if the counters are increasing for the proper SAs (check the src and dst IP and the SPI). On each node you will find 4 states for each couple of nodes, 3 RX (dst is this node) states and one TX (src is this node).

[ventz]

Ok, this is kind of interesting:

The overlay seems to be a 10.0.0.0/24

04:06:30.845862 IP 10.0.0.5 > 10.0.0.13: ICMP echo request, id 3328, seq 0, length 64
04:06:31.846990 IP 10.0.0.5 > 10.0.0.13: ICMP echo request, id 3328, seq 1, length 64
04:06:32.848206 IP 10.0.0.5 > 10.0.0.13: ICMP echo request, id 3328, seq 2, length 64
04:06:33.848998 IP 10.0.0.5 > 10.0.0.13: ICMP echo request, id 3328, seq 3, length 64
04:06:34.849709 IP 10.0.0.5 > 10.0.0.13: ICMP echo request, id 3328, seq 4, length 64
04:06:35.849833 ARP, Request who-has 10.0.0.13 tell 10.0.0.5, length 28
04:06:35.849892 ARP, Reply 10.0.0.13 is-at 02:42:0a:00:00:0d, length 28
04:06:35.850421 IP 10.0.0.5 > 10.0.0.13: ICMP echo request, id 3328, seq 5, length 64
04:06:36.851073 IP 10.0.0.5 > 10.0.0.13: ICMP echo request, id 3328, seq 6, length 64
04:06:37.851824 IP 10.0.0.5 > 10.0.0.13: ICMP echo request, id 3328, seq 7, length 64
04:06:38.852600 IP 10.0.0.5 > 10.0.0.13: ICMP echo request, id 3328, seq 8, length 64

Trying from PUB#1 -> PUB#3 (out of 5, where the first 3 are managers, and 2 are workers)
The interesting part is that the arp request had the right mac (00:00:0d) of .13 --> which I verified on .13, was the case. But .13 was not seeing any traffic. Same in the reverse direction.

However, I can actually see ESP exchanges in this case. Also, some part of the overlay works -- because I can reach some of the other nodes, so it's not complete shot. It's just the connection between these 2 hosts (even though they are both online)

[aboch]

Also please check on the node which is not generating the responses back whether the counter in increasing for the rule the following command returns:

sudo iptables -t mangle -nvL OUTPUT

[ventz]

@aboch any way we can chat in real time (irc?) - I can also share access into the env via a screen session.