Hi,
I tried to set up the CNI bridge plugin + the Mesos port mapper with the unified containerizer,
following this doc:
http://mesos.apache.org/documentation/latest/cni/#a-port-mapper-plugin
This partially works (example with container IP 192.0.0.2 and port
mapping 22 => 31000):
- my container starts and gets a locally assigned IP, 192.0.0.2
- I can access the container's port directly: ssh 192.0.0.2
- I can access it via the *local* gateway: ssh 192.0.0.1 -p 31000
However, I cannot access the container via the IP of my server: ssh
131.x.y.z -p 31000
In the iptables rules, I do not see any Mesos-related chain: no
specific chain and no comment in iptables -L.
Is this expected behavior (port mapping maps ports, but only via the local
bridge gateway), or should Mesos add routes to the local Mesos bridge to
allow remote access to the mapped ports?
I have iptables 1.6.0 and Linux kernel 4.4.
I used the config from the documentation:
bridge.conf
{
  "name": "cni-test",
  "type": "bridge",
  "bridge": "mesos-cni0",
  "isGateway": true,
  "ipMasq": true,
  "ipam": {
    "type": "host-local",
    "subnet": "192.168.0.0/16",
    "routes": [
      { "dst": "0.0.0.0/0" }
    ]
  }
}
and portmapper.conf
{
  "name": "port-mapper-test",
  "type": "mesos-cni-port-mapper",
  "excludeDevices": ["mesos-cni0"],
  "chain": "MESOS-TEST-PORT-MAPPER",
  "delegate": {
    "type": "bridge",
    "bridge": "mesos-cni0",
    "isGateway": true,
    "ipMasq": true,
    "ipam": {
      "type": "host-local",
      "subnet": "192.168.0.0/16",
      "routes": [
        { "dst": "0.0.0.0/0" }
      ]
    }
  }
}
Thanks
Olivier
--
gpg key id: 4096R/326D8438 (keyring.debian.org)
Key fingerprint = 5FB4 6F83 D3B9 5204 6335 D26D 78DC 68DB 326D 8438
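Added example, not part of the mail above and not code from the Mesos project: a small POSIX shell check for the situation described in the mail. Port-mapper plugins implement the host-port to container-port mapping as DNAT rules in the nat table, which is a different table from the one `iptables -L` prints by default (the filter table), so the first thing to verify is that the chain named in portmapper.conf exists in `iptables-save -t nat` output, that it holds the DNAT for the mapped port, and that it is reached from PREROUTING (the hook that inbound packets from other hosts traverse) and not only from OUTPUT (locally generated traffic). The script reads a nat-table dump and reports which of those is missing. The three rule sets embedded below are constructed samples, not captures from a Mesos agent; the rule layout they assume (chain jumped to from PREROUTING and OUTPUT, DNAT inside the chain, MASQUERADE in POSTROUTING) is the conventional CNI portmap layout and is an assumption about what the Mesos plugin installs, not something the documentation linked above states.

```shell
#!/bin/sh
# Added example, not from the Mesos documentation or the original mail.
# Inspects `iptables-save -t nat` output for the port-mapper chain named in
# portmapper.conf and reports why a mapped host port might only be reachable
# from the host itself. Real usage:
#   iptables-save -t nat | sh check_portmap.sh MESOS-TEST-PORT-MAPPER 31000 192.0.0.2:22
# Run with no arguments, it evaluates the CONSTRUCTED rule sets below instead.

# Constructed: the shape a working mapping is assumed to take (conventional
# CNI portmap layout: chain reached from PREROUTING for inbound traffic and
# from OUTPUT for locally generated traffic). Not captured from a Mesos agent.
SAMPLE_NAT_WORKING='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:MESOS-TEST-PORT-MAPPER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j MESOS-TEST-PORT-MAPPER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j MESOS-TEST-PORT-MAPPER
-A MESOS-TEST-PORT-MAPPER ! -i mesos-cni0 -p tcp -m tcp --dport 31000 -j DNAT --to-destination 192.0.0.2:22
-A POSTROUTING -s 192.168.0.0/16 ! -o mesos-cni0 -j MASQUERADE
COMMIT'

# Constructed: same DNAT, but the chain is only reached from OUTPUT. This is
# the rule set that would produce the symptom in the mail: the mapping works
# via the bridge gateway from the host, but not via the server's external IP.
SAMPLE_NAT_LOCAL_ONLY='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:MESOS-TEST-PORT-MAPPER - [0:0]
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j MESOS-TEST-PORT-MAPPER
-A MESOS-TEST-PORT-MAPPER ! -i mesos-cni0 -p tcp -m tcp --dport 31000 -j DNAT --to-destination 192.0.0.2:22
-A POSTROUTING -s 192.168.0.0/16 ! -o mesos-cni0 -j MASQUERADE
COMMIT'

# Constructed: a dump of the filter table only. That table is what a plain
# `iptables -L` (no -t nat) shows; DNAT chains never appear in it.
SAMPLE_FILTER_ONLY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

has_rule() { # has_rule REGEX RULES -> 0 if some line of RULES matches REGEX
  printf '%s\n' "$2" | grep -q -- "$1"
}

# check_portmap CHAIN HOSTPORT CONTAINER_IP:PORT RULES
# Return codes: 0 ok, 1 chain missing, 2 chain not reached from PREROUTING,
# 3 DNAT rule missing, 4 input is not a nat-table dump.
check_portmap() {
  chain=$1; hostport=$2; dest=$3; rules=$4
  if ! has_rule '^\*nat$' "$rules"; then
    echo "not a nat-table dump: 'iptables -L' lists the filter table; use 'iptables -t nat -S' or 'iptables-save -t nat'"
    return 4
  fi
  if ! has_rule "^:$chain " "$rules"; then
    echo "chain $chain does not exist in the nat table: the port mapper did not install its rules"
    return 1
  fi
  if ! has_rule "^-A $chain .*--dport $hostport -j DNAT --to-destination $dest\$" "$rules"; then
    echo "chain $chain has no DNAT rule for port $hostport -> $dest"
    return 3
  fi
  if ! has_rule "^-A PREROUTING .*-j $chain\$" "$rules"; then
    echo "no PREROUTING jump into $chain: packets arriving on external interfaces are never translated (local-only mapping)"
    return 2
  fi
  has_rule "^-A OUTPUT .*-j $chain\$" "$rules" \
    || echo "note: no OUTPUT jump into $chain; host-originated traffic to port $hostport will not be mapped"
  echo "ok: $hostport -> $dest via $chain is reached from PREROUTING, so external clients are translated"
  return 0
}

if [ $# -eq 3 ]; then
  check_portmap "$1" "$2" "$3" "$(cat)"
else
  for sample in SAMPLE_NAT_WORKING SAMPLE_NAT_LOCAL_ONLY SAMPLE_FILTER_ONLY; do
    eval "rules=\$$sample"
    printf '%s: ' "$sample"
    check_portmap MESOS-TEST-PORT-MAPPER 31000 192.0.0.2:22 "$rules" || true
  done
fi
```

On a real agent, feed it `iptables-save -t nat` (or `iptables -t nat -S`, which prints the same `-A` form) and the chain name from your portmapper.conf; a return code of 2 distinguishes "the mapping exists but is hooked only for local traffic" from "nothing was installed at all" (1), which is the distinction the question above turns on.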