Allow reachability across services on the same host #1398
Conversation
177a230 to 638ef31
This works for one service task accessing another service's published port. But it will not work for accessing a service from a container on the bridge network if the network was created later. It's because the FORWARD chain rules are inserted at the beginning of the chain. This change needs some rework. Moving to WIP.
@mrjana To address the problem with newer iptables entries getting inserted in the beginning, I moved the allow rules for accessing the published port to the DOCKER-INGRESS chain in the filter table. And the jump rule to DOCKER-INGRESS will be checked after any network create to make sure it always remains at the top. It's similar to the approach for the DOCKER-ISOLATION chain.
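The ordering problem described in the two comments above (an allow rule put at the head of FORWARD gets pushed down by the next network create, whereas parking the allow rules in a dedicated DOCKER-INGRESS chain whose jump is re-asserted at rule 1 survives it) is easy to see in a toy model of iptables first-match evaluation. The following simulation is an added example written for this page, not libnetwork code: the chain names follow the discussion, but the packet fields, the published port 8080, the bridge names and the way a network create touches DOCKER-ISOLATION are constructed simplifications.

```python
"""Toy first-match model of the iptables filter table (added example, not
libnetwork code). Chain names follow the PR; matching is reduced to -i/-o/--dport
and the FORWARD policy is DROP, as Docker sets it."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    in_if: str      # -i
    out_if: str     # -o
    dport: int      # --dport


@dataclass
class Rule:
    target: str                       # ACCEPT, DROP, or a user chain to jump to
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == have for want, have in
                   ((self.in_if, pkt.in_if), (self.out_if, pkt.out_if), (self.dport, pkt.dport)))


class FilterTable:
    def __init__(self):
        self.chains = {"FORWARD": [], "DOCKER-ISOLATION": []}
        self.bridges = []
        # jumps that a network create puts back at the head of FORWARD, last one ends up on top
        self.keep_on_top = ["DOCKER-ISOLATION"]

    def insert(self, chain, rule):            # iptables -I CHAIN ... (becomes rule 1)
        self.chains.setdefault(chain, []).insert(0, rule)

    def append(self, chain, rule):            # iptables -A CHAIN ...
        self.chains.setdefault(chain, []).append(rule)

    def ensure_jump_on_top(self, chain, target):
        """Delete any older `-j target` and re-insert it as rule 1."""
        self.chains[chain] = [r for r in self.chains[chain] if r.target != target]
        self.insert(chain, Rule(target))

    def create_bridge_network(self, bridge):
        """Constructed model of a bridge network create: inter-bridge isolation
        drops for the new bridge in DOCKER-ISOLATION, then the jumps re-asserted."""
        for other in self.bridges:
            self.append("DOCKER-ISOLATION", Rule("DROP", in_if=bridge, out_if=other))
            self.append("DOCKER-ISOLATION", Rule("DROP", in_if=other, out_if=bridge))
        self.bridges.append(bridge)
        for chain in self.keep_on_top:
            self.ensure_jump_on_top("FORWARD", chain)

    def verdict(self, pkt, chain="FORWARD"):
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            sub = self.verdict(pkt, rule.target)  # jump; no match falls through
            if sub is not None:
                return sub
        return "DROP" if chain == "FORWARD" else None   # chain policy / end of user chain


GW = "docker_gwbridge"
PUBLISHED_PORT = 8080        # constructed example port


def base_host():
    tbl = FilterTable()
    tbl.create_bridge_network("docker0")
    tbl.create_bridge_network(GW)
    return tbl


def no_fix(tbl):
    pass


def allow_in_forward(tbl):
    """First approach from the PR description: allow rule inserted at the head of FORWARD."""
    tbl.insert("FORWARD", Rule("ACCEPT", out_if=GW, dport=PUBLISHED_PORT))


def allow_in_ingress_chain(tbl):
    """Reworked approach: allow rules in DOCKER-INGRESS, its jump kept at rule 1 after every create."""
    tbl.append("DOCKER-INGRESS", Rule("ACCEPT", out_if=GW, dport=PUBLISHED_PORT))
    tbl.ensure_jump_on_top("FORWARD", "DOCKER-INGRESS")
    tbl.keep_on_top.append("DOCKER-INGRESS")


def reachability(setup):
    """Verdict for a local-bridge container reaching the published port, before and
    after a later `docker network create` (constructed bridge name br-later)."""
    tbl = base_host()
    setup(tbl)
    before = tbl.verdict(Packet("docker0", GW, PUBLISHED_PORT))
    tbl.create_bridge_network("br-later")
    later = tbl.verdict(Packet("br-later", GW, PUBLISHED_PORT))
    return before, later


def isolation_still_holds():
    """Non-published traffic between bridges must still hit the isolation drop."""
    tbl = base_host()
    allow_in_ingress_chain(tbl)
    return tbl.verdict(Packet("docker0", GW, 22))


if __name__ == "__main__":
    for name, setup in (("no fix", no_fix), ("allow in FORWARD", allow_in_forward),
                        ("allow in DOCKER-INGRESS", allow_in_ingress_chain)):
        print(name, reachability(setup))
    print("isolation for other ports:", isolation_still_holds())
```

Running it shows the three states discussed in the thread: no fix drops the published port from docker0 (the isolation rule wins), the FORWARD-head allow works until the next network create shadows it, and the DOCKER-INGRESS variant keeps working because its jump is moved back to rule 1 after each create, while traffic to non-published ports is still dropped by DOCKER-ISOLATION.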
9e3fe2f to 2847000
@mrjana Fixed the CI failure. PTAL
…host This also allows published services to be accessible from containers on bridge networks on the host Signed-off-by: Santhosh Manohar <[email protected]>
LGTM
return fmt.Errorf("%s", errStr)
}

logrus.Infof("%s", errStr)
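Review bot: swallowing the error at this point means the caller no longer learns that the operation failed, since `return fmt.Errorf("%s", errStr)` is replaced by a log line and the function continues; if the failure is intended to be non-fatal, log it at Warnf or Errorf rather than Infof so it is visible at default log levels, and confirm that no caller relied on the returned error for cleanup or retry.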
Given it is an error, why not log it at least as a Warnf()?
9e63a4b to 9dfce0b
LGTM
CI issue is known and already fixed in master. Merging.
Thanks
Services with published ports on different networks should be able to access each other's service from a given host. Currently this gets blocked by the ICC filter on docker_gwbridge.
Also, an unmanaged container on a local bridge network should be able to access a published service on the local host. This gets blocked by the inter-bridge isolation rule in the DOCKER-ISOLATION chain.
The fix is to insert a specific rule at the beginning of the FORWARD chain to allow the published ports. This will be hit before the two rules mentioned earlier and thus gives the desired behavior.
Related to docker #25463
Signed-off-by: Santhosh Manohar [email protected]