Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow reachability across services on the same host #1398

Merged
merged 1 commit into from
Aug 30, 2016

Conversation

sanimej
Copy link

@sanimej sanimej commented Aug 17, 2016

Services with published port on different networks should be able to access each other's service from a given host. Currently this gets blocked by the ICC filter on docker_gwbridge.

Also, an unmanaged container on a local bridge network should be able to access a published service on the local host. This gets blocked by the inter-bridge isolation rule in DOCKER-ISOLATION chain.

Fix is to insert a specific rule at the beginning of the FORWARD chain to allow the published ports. This will be hit before the two rules mentioned earlier and thus giving the desired behavior.

related to docker #25463

Signed-off-by: Santhosh Manohar [email protected]

@sanimej
Copy link
Author

sanimej commented Aug 17, 2016

This works for one service task accessing another service's published port. But will not work for accessing a service from a container on the bridge network if the network was created later. Its because the FORWARD chain rules are inserted at the beginning of the chain. This change needs some rework. Moving to WIP.

@sanimej sanimej changed the title Allow reachability across services on the same host [WIP] Allow reachability across services on the same host Aug 17, 2016
@sanimej
Copy link
Author

sanimej commented Aug 20, 2016

@mrjana To address the problem with newer iptables entries getting inserted in the beginning I moved the allow rules for accessing the published port to DOCKER-INGRESS chain in the filter table. And the jump rule to DOCKER-INGRESS will be checked after any network create to make sure it always remains at the top. Its similar to approach for DOCKER-ISOLATION chain.

@sanimej sanimej changed the title [WIP] Allow reachability across services on the same host Allow reachability across services on the same host Aug 20, 2016
@sanimej sanimej force-pushed the access branch 2 times, most recently from 9e3fe2f to 2847000 Compare August 22, 2016 17:02
@sanimej
Copy link
Author

sanimej commented Aug 22, 2016

@mrjana Fixed the CI failure. PTAL

…host

This also allows pubslied services to be accessible from containers on bridge
networks on the host

Signed-off-by: Santhosh Manohar <[email protected]>
@mrjana
Copy link
Contributor

mrjana commented Aug 30, 2016

LGTM

return fmt.Errorf("%s", errStr)
}

logrus.Infof("%s", errStr)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given it is an error, why not logging it at least as a Warnf() ?

@sanimej sanimej force-pushed the access branch 2 times, most recently from 9e63a4b to 9dfce0b Compare August 30, 2016 20:46
@aboch
Copy link
Contributor

aboch commented Aug 30, 2016

LGTM

@aboch
Copy link
Contributor

aboch commented Aug 30, 2016

CI issue is known and already fixed in master. Merging.

@aboch aboch merged commit e5daeca into moby:master Aug 30, 2016
@yank1
Copy link

yank1 commented Sep 4, 2016

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants