On 03/12/2018 12:31 PM, Olivier Sallou wrote:
> Hi,
>
> I tried to set up CNI bridge + mesos port mapper with unified container,
> following the doc
> http://mesos.apache.org/documentation/latest/cni/#a-port-mapper-plugin
>
> This partially works (example with container ip 192.0.0.2 and port
> mapping 22 => 31000)
>
> - my container starts and gets a locally assigned IP 192.0.0.2
>
> - I can access the port of the container directly: ssh 192.0.0.2
>
> - I can access via the *local* gateway: ssh 192.0.0.1 -p 31000
>
>
> However, I cannot access the container via the IP of my server: ssh
> 131.x.y.z -p 31000
>
>
> In the iptables rules, I do not see any mesos-related chain. I see no
> specific CHAIN nor comment in iptables (iptables -L)

Additional info: using the -t nat option, I can see the iptables chain.

Chain MESOS-TEST-PORT-MAPPER (2 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:31000 /* container_id: 3a4e0070-7fe2-4807-a643-27ff9608e882 */ to:192.168.0.2:22

In fact I could make it work using the *external* IP address of my server. One of the iptables rules set by mesos prevents routing to localhost; that's why my previous tests failed.

> Is it an expected behavior (port mapping maps ports but only via the local
> bridge gateway), or should mesos add routes to the local mesos bridge to
> allow remote access to the mapped ports?
>
>
> I have iptables 1.6.0 and linux kernel 4.4.
>
>
> I used the config from the documentation
>
> bridge.conf
>
> {
>   "name": "cni-test",
>   "type": "bridge",
>   "bridge": "mesos-cni0",
>   "isGateway": true,
>   "ipMasq": true,
>   "ipam": {
>     "type": "host-local",
>     "subnet": "192.168.0.0/16",
>     "routes": [
>       { "dst": "0.0.0.0/0" }
>     ]
>   }
> }
>
>
> and portmapper.conf
>
> {
>   "name" : "port-mapper-test",
>   "type" : "mesos-cni-port-mapper",
>   "excludeDevices" : ["mesos-cni0"],
>   "chain": "MESOS-TEST-PORT-MAPPER",
>   "delegate": {
>     "type": "bridge",
>     "bridge": "mesos-cni0",
>     "isGateway": true,
>     "ipMasq": true,
>     "ipam": {
>       "type": "host-local",
>       "subnet": "192.168.0.0/16",
>       "routes": [
>         { "dst": "0.0.0.0/0" }
>       ]
>     }
>   }
> }
>
> Thanks
>
>
> Olivier
>
> --
> Olivier Sallou
> Univ Rennes, Inria, CNRS, IRISA
> Irisa, Campus de Beaulieu
> F-35042 RENNES - FRANCE
> Tel: 02.99.84.71.95
>
> gpg key id: 4096R/326D8438 (keyring.debian.org)
> Key fingerprint = 5FB4 6F83 D3B9 5204 6335 D26D 78DC 68DB 326D 8438
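The port-mapper chain in the message only shows up in the nat table, and the reply notes that one of the rules keeps locally generated traffic from being redirected. As an added example (not code from this thread, from Mesos or from the CNI plugins), here is a small POSIX shell helper that parses "iptables -t nat -S" output and answers both questions a practitioner would check on such a host: which host port is DNATed to which container address, and whether a given destination address is excluded from the jump into the port-mapper chain. The embedded sample is constructed: the DNAT line mirrors the chain printed in the mail, while the two jump rules (a PREROUTING jump and an OUTPUT jump carrying a "! -d 127.0.0.0/8" match) are an assumption about how the chain gets its "2 references" and are not taken from the page. On a real host, pass "$(iptables -t nat -S)" as the last argument instead of relying on the sample.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S` output (not captured from the host
# in the mail). The DNAT rule mirrors the chain shown there; the PREROUTING and
# OUTPUT jump rules are an ASSUMPTION about how the chain is referenced.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N MESOS-TEST-PORT-MAPPER
-A PREROUTING -m addrtype --dst-type LOCAL -j MESOS-TEST-PORT-MAPPER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j MESOS-TEST-PORT-MAPPER
-A MESOS-TEST-PORT-MAPPER -p tcp -m tcp --dport 31000 -m comment --comment "container_id: 3a4e0070-7fe2-4807-a643-27ff9608e882" -j DNAT --to-destination 192.168.0.2:22'

# list_portmaps CHAIN [RULES]
# Print one line "hostport proto target container_id" per DNAT rule in CHAIN.
# RULES defaults to the constructed sample above.
list_portmaps() {
    printf '%s\n' "${2:-$SAMPLE_NAT_RULES}" | awk -v chain="$1" '
        $1 == "-A" && $2 == chain && /-j DNAT/ {
            proto = ""; dport = ""; target = ""; cid = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "--to-destination") target = $(i + 1)
                # the comment is split by whitespace: "\"container_id:" then the id
                else if ($i == "\"container_id:") { cid = $(i + 1); sub(/"$/, "", cid) }
            }
            print dport, proto, target, cid
        }'
}

# mapped_target CHAIN HOSTPORT [RULES]
# Print the ip:port that HOSTPORT is DNATed to; exit 1 if there is no mapping.
mapped_target() {
    list_portmaps "$1" "${3:-$SAMPLE_NAT_RULES}" |
        awk -v p="$2" '$1 == p { print $3; found = 1 } END { exit !found }'
}

# dst_excluded CHAIN DST [RULES]
# Exit 0 if some jump into CHAIN carries a "! -d CIDR" match that DST falls
# into, i.e. packets to DST never reach the DNAT rules; exit 1 otherwise.
# Only the "! -d" match is evaluated; other matches are assumed to pass.
dst_excluded() {
    printf '%s\n' "${3:-$SAMPLE_NAT_RULES}" | awk -v chain="$1" -v dst="$2" '
        function ip2n(s,   a) {
            split(s, a, ".")
            return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        }
        # compare the network prefixes of ip and cidr after shifting out host bits
        function in_cidr(ip, cidr,   c, shift) {
            split(cidr, c, "/")
            shift = 2 ^ (32 - (c[2] == "" ? 32 : c[2]))
            return int(ip2n(ip) / shift) == int(ip2n(c[1]) / shift)
        }
        $1 == "-A" && /-j / && $NF == chain {
            for (i = 3; i < NF; i++)
                if ($i == "!" && $(i + 1) == "-d" && in_cidr(dst, $(i + 2))) excluded = 1
        }
        END { exit !excluded }'
}

# Stand-alone run against the constructed sample.
list_portmaps MESOS-TEST-PORT-MAPPER
if dst_excluded MESOS-TEST-PORT-MAPPER 127.0.0.1; then
    echo "127.0.0.1 is excluded from the port-mapper jump (use the external IP)"
fi
```

The excluded-destination check is the one worth keeping around: when a mapped port answers on the external address but not on 127.0.0.1, it tells you in one line whether the nat jump itself is skipping loopback, which is the behaviour the reply above ran into.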