Hybrid-Swarm: Services in Stack can only communicate from Linux to Windows but not vice-versa

[NKnusperer]

Description
When deploying a Docker Compose Stack into a Hybrid Docker Swarm Cluster containing a service running on Linux and one running under Windows the Linux service can reach the Windows service but not vice-versa.
When exposing the Linux container port to a random host port using ports the Windows service can reach the Linux service successfully.

Infrastructure overview:

• Manager: Debian 10 / Docker 19.03.12
• Linux Worker: Debian 10 / Docker 19.03.12
• Windows Worker: Server 2019 (10.0.19041) / Docker 19.03.12 EE

All system were fully patched by date of writing.

Steps to reproduce the issue:

version: "3.7"

services:
  linux-service:
    image: mcr.microsoft.com/dotnet/core/samples:aspnetapp-buster-slim
    deploy:
      placement:
        constraints:
          - node.platform.os == linux

  windows-service:
    image: mcr.microsoft.com/dotnet/core/samples:aspnetapp-nanoserver-2004
    deploy:
      placement:
        constraints:
          - node.platform.os == windows

Describe the results you received:
From within the linux-service I can reach the windows-service:

root@5a9b30668625:/app# curl http://windows-service
<!DOCTYPE html>
[...]

But from within the windows-service I cannot reach the linux-service:

C:\app>curl http://linux-service
curl: (7) Failed to connect to linux-service port 80: Timed out

Now when adding a random host port mapping to the linux-service like this:

services:
  linux-service:
    ports:
      - "80"

Everything works as expected:

C:\app>curl http://linux-service
<!DOCTYPE html>
[...]

Describe the results you expected:
The windows-service can reach the linux-service without a random host port mapping.

Output of docker version:
Linux node:

Client: Docker Engine - Community
 Version:           19.03.12
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        48a66213fe
 Built:             Mon Jun 22 15:45:52 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.12
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.10
  Git commit:       48a66213fe
  Built:            Mon Jun 22 15:44:23 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Windows node:

Client: Docker Engine - Enterprise
 Version:           19.03.12
 API version:       1.40
 Go version:        go1.13.13
 Git commit:        4306744
 Built:             08/05/2020 19:27:53
 OS/Arch:           windows/amd64
 Experimental:      false

Server: Docker Engine - Enterprise
 Engine:
  Version:          19.03.12
  API version:      1.40 (minimum version 1.24)
  Go version:       go1.13.13
  Git commit:       f295753ffd
  Built:            08/05/2020 19:26:41
  OS/Arch:          windows/amd64
  Experimental:     false

Output of docker info:
Linux node:

Client:
 Debug Mode: false

Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 9
 Server Version: 19.03.12
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: active
  NodeID: jter4yafrg96n15rse1zsfwm7
  Is Manager: false
  Node Address: 172.16.200.85
  Manager Addresses:
   172.16.1.220:2377
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.19.0-10-amd64
 Operating System: Debian GNU/Linux 10 (buster)
 OSType: linux
 Architecture: x86_64
 CPUs: 36
 Total Memory: 23.54GiB
 Name: d4r-linux-node01
 ID: T6M2:2WZH:OWIU:X6M5:3BGI:I7AS:7Y7L:KUX4:W6WR:6KQD:EUM5:C4XT
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Windows node:

Client:
 Debug Mode: false
 Plugins:
  cluster: Manage Docker Enterprise clusters (Mirantis Inc., v1.6.0)

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 2
 Server Version: 19.03.12
 Storage Driver: windowsfilter
  Windows:
 Logging Driver: json-file
 Plugins:
  Volume: local
  Network: ics internal l2bridge l2tunnel nat null overlay private transparent
  Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
 Swarm: active
  NodeID: jv1gk7z2h94h6i04f6bkcdqj5
  Is Manager: false
  Node Address: 172.16.200.248
  Manager Addresses:
   172.16.1.220:2377
 Default Isolation: process
 Kernel Version: 10.0 19041 (19041.1.amd64fre.vb_release.191206-1406)
 Operating System: Windows Server Datacenter Version 2004 (OS Build 19041.450)
 OSType: windows
 Architecture: x86_64
 CPUs: 36
 Total Memory: 24GiB
 Name: d4r-win-node01
 ID: RSE6:7GFB:BPSE:SKUS:EWMQ:L6HZ:VF7E:2AUT:F2VO:PIIZ:NEI7:I6QA
 Docker Root Dir: C:\ProgramData\docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

[olljanat]

@NKnusperer I wondered if old bug has came back on 2004 and you need include endpoint_mode=dnsrr to get this working (include to Linux service)?

Also it would be interesting to test ping from Windows to see if name resolution works?

[olljanat]

Yes, definitely we see old issue again here and it looks to happen even with just released KB45770699 patch. Both ICMP and HTTP from Windows to Linux works using container IP but not using VIP.

ping @daschott @taylorb-microsoft ptal

[olljanat]

FYI. I pushed updated examples to https://github.com/olljanat/docker-issue-tracking

Also note that this most probably caused by same root cause than #40998

[NKnusperer]

When using endpoint_mode: dnsrr for the linux-service in my compose file works as expected @olljanat.
Name resolution was never a issue, this works from both Windows and Linux, but routing the actual traffic is.

[olljanat]

@NKnusperer sure but difference is that when you use endpoint_mode: dnsrr then name resolution actually resolves container IP instead of load balancer VIP.

Earlier that was known limitation on Windows implementation of overlay networks that dnsrr mode was needed but on combination of Windows Server, version 1803 + Docker 18.03 it was fixed docker/for-win#1476 (comment) but looks it has came back on latest Windows updates 😢

[terrpan]

Hi,

I have a support case with MS about this. We started to see issues like this in May (all communication on the overlay network stoped working on Windows containers) and in August/september we got a private hotfix which solved our problems.

We were told that the issues were fixed in the november rollup. But it only works for a couple of hours. If one of the hosts in the cluster gets a lot of container churn (restarts or new deployments) one out of several (radnom) overlay network just stops working, and if we check the arp table in a container attached to the failing overlay network we can see that VIP-endpoints running on linux are marked as invalid. Only way to recover is to clean out the HNS and reboot the server, or to deploy a new endpoint.

We had a lot if this issues in earlier version of Windows Server and it definitely feels like this issue has come back since the novemeber rollup or even earlier...

[olljanat]

@terrpan did you got any useful answer to your support case about that which KB version these should works?

[terrpan]

@olljanat heya, Yea after some extensive troubleshooting together with Mirantis and Microsoft they narrowed it down to that issue was caused by the updates in HNS was not done in the correct order.

• Mirantis has this PR to lib-network and they will include it in their next release of enterprise engine.
• Last time I talked to MS they where aiming for the may patch of Windows.