On 03/12/2018 12:31 PM, Olivier Sallou wrote:
> Hi,
>
> I tried to set up the CNI bridge + Mesos port mapper with unified container,
> following the doc
> http://mesos.apache.org/documentation/latest/cni/#a-port-mapper-plugin
>
> This partially works (example with container IP 192.0.0.2 and port
> mapping 22 => 31000)
>
> - my container starts and gets a locally assigned IP 192.0.0.2
>
> - I can access the port of the container directly: ssh 192.0.0.2
>
> - I can access it via the *local* gateway: ssh 192.0.0.1 -p 31000
>
>
> However, I cannot access the container via the IP of my server: ssh
> 131.x.y.z -p 31000
>
>
> In the iptables rules, I do not see any Mesos-related chain. I see no
> specific chain nor comment in iptables (iptables -L)
Additional info: using the -t nat option, I can see the iptables chain.

Chain MESOS-TEST-PORT-MAPPER (2 references)
target     prot opt source               destination        
DNAT       tcp  --  anywhere             anywhere             tcp
dpt:31000 /* container_id: 3a4e0070-7fe2-4807-a643-27ff9608e882 */
to:192.168.0.2:22


In fact I could make it work, using the *external* IP address of my
server. One of the iptables rules set by Mesos prevents routing to localhost;
that's why my previous tests failed.
>
>
> Is this expected behavior (port mapping maps ports, but only via the local
> bridge gateway), or should Mesos add routes to the local Mesos bridge to
> allow remote access to the mapped ports?
>
>
> I have iptables 1.6.0 and linux kernel 4.4.
>
>
>
> I used the config from the documentation
>
> bridge.conf
>
>
> {
>   "name": "cni-test",
>   "type": "bridge",
>   "bridge": "mesos-cni0",
>   "isGateway": true,
>   "ipMasq": true,
>   "ipam": {
>     "type": "host-local",
>     "subnet": "192.168.0.0/16",
>     "routes": [
>       { "dst": "0.0.0.0/0" }
>     ]
>   }
> }
>
>
> and portmapper.conf
>
> {
>   "name" : "port-mapper-test",
>   "type" : "mesos-cni-port-mapper",
>   "excludeDevices" : ["mesos-cni0"],
>   "chain": "MESOS-TEST-PORT-MAPPER",
>   "delegate": {
>     "type": "bridge",
>     "bridge": "mesos-cni0",
>     "isGateway": true,
>     "ipMasq": true,
>     "ipam": {
>       "type": "host-local",
>       "subnet": "192.168.0.0/16",
>       "routes": [
>         { "dst": "0.0.0.0/0" }
>       ]
>     }
>   }
> }
>
> Thanks
>
>
> Olivier
>

-- 
Olivier Sallou
Univ Rennes, Inria, CNRS, IRISA
Irisa, Campus de Beaulieu
F-35042 RENNES - FRANCE
Tel: 02.99.84.71.95

gpg key id: 4096R/326D8438  (keyring.debian.org)
Key fingerprint = 5FB4 6F83 D3B9 5204 6335  D26D 78DC 68DB 326D 8438
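The check below is an added example, not part of the mail above and not code from Mesos or its CNI port-mapper plugin. It parses the `iptables -t nat -L MESOS-TEST-PORT-MAPPER` output in the shape the thread shows (including the DNAT rule wrapped over three lines by the mail client), extracts each host port to container mapping, and compares it with the mappings an operator expects for the agent. The sample output is constructed: the first rule is the one from the thread, the second is an invented extra mapping with a placeholder container id; the function names and the comment format `container_id: <id>` as matched by the regex are assumptions taken from the rule in the mail.

```python
"""Check the Mesos CNI port-mapper DNAT chain against the mappings you expect.

Added example, not code from the original mail or from Mesos. It parses the
output of `iptables -t nat -L <chain>` in the shape shown in the thread
(including rules wrapped over several lines by the mail client) and reports
expected mappings that are missing and rules that nobody expected, e.g. stale
entries left behind by a container that is gone.
"""
import re

# Constructed sample in the shape of `iptables -t nat -L MESOS-TEST-PORT-MAPPER`.
# The first rule is the one from the thread (wrapped as the mail shows it); the
# second is an invented extra mapping with a placeholder container id.
SAMPLE_OUTPUT = """\
Chain MESOS-TEST-PORT-MAPPER (2 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp
dpt:31000 /* container_id: 3a4e0070-7fe2-4807-a643-27ff9608e882 */
to:192.168.0.2:22
DNAT       tcp  --  anywhere             anywhere             tcp dpt:31001 /* container_id: 00000000-0000-0000-0000-000000000002 */ to:192.168.0.3:80
"""

# A rule line starts with an upper-case target (DNAT, RETURN, ...) followed by a protocol.
_RULE_START = re.compile(r"^[A-Z][A-Z_-]*\s+(?:tcp|udp|icmp|all|\d+)\s")

# One unwrapped DNAT rule in the form the thread shows (assumed format):
# a tcp/udp dport match, a container_id comment and a to:<ip>:<port> target.
_DNAT = re.compile(
    r"^DNAT\s+(?P<proto>tcp|udp)\s+.*?dpt:(?P<host_port>\d+)\s+"
    r"/\*\s*container_id:\s*(?P<container_id>[0-9a-f-]+)\s*\*/\s+"
    r"to:(?P<container_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<container_port>\d+)"
)


def unwrap_rules(text):
    """Return one string per rule, re-joining continuation lines and dropping headers."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Chain ", "target ")):
            continue
        if _RULE_START.match(line):
            rules.append(line.rstrip())
        elif rules:
            # Not a rule start: the mail client (or terminal) wrapped the previous rule.
            rules[-1] += " " + line.strip()
    return rules


def parse_port_mappings(text):
    """Extract proto, host_port, container_id, container_ip, container_port per DNAT rule."""
    mappings = []
    for rule in unwrap_rules(text):
        m = _DNAT.match(rule)
        if m is None:
            continue  # not a port-mapper DNAT rule (e.g. a RETURN in the same chain)
        mappings.append({
            "proto": m["proto"],
            "host_port": int(m["host_port"]),
            "container_id": m["container_id"],
            "container_ip": m["container_ip"],
            "container_port": int(m["container_port"]),
        })
    return mappings


def check_mappings(text, expected):
    """Compare the chain with `expected`, a dict {(proto, host_port): (container_ip, container_port)}.

    Returns (missing, unexpected): expected keys whose rule is absent or points
    elsewhere, and keys present in the chain that nobody expected.
    """
    found = {(m["proto"], m["host_port"]): (m["container_ip"], m["container_port"])
             for m in parse_port_mappings(text)}
    missing = sorted(key for key, target in expected.items() if found.get(key) != target)
    unexpected = sorted(key for key in found if key not in expected)
    return missing, unexpected


if __name__ == "__main__":
    expected = {("tcp", 31000): ("192.168.0.2", 22)}  # the mapping from the thread
    missing, unexpected = check_mappings(SAMPLE_OUTPUT, expected)
    print("missing:", missing)        # []
    print("unexpected:", unexpected)  # [('tcp', 31001)]
```

Feed it the real chain with `iptables -t nat -L MESOS-TEST-PORT-MAPPER` (with `-n` the source and destination columns read `0.0.0.0/0` instead of `anywhere`; the lazy `.*?` accepts either). A present DNAT rule is necessary but, as the thread itself shows, not sufficient: the rule can be in place while connections to the host's own address from localhost still fail, so the check only tells you the mapping was programmed, and a connection test against the external address (as the author did with ssh) is still needed to confirm reachability.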
