[
https://issues.apache.org/jira/browse/MESOS-4823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15200311#comment-15200311
]
Alex Pollitt commented on MESOS-4823:
-------------------------------------
Avinash: I think you are conflating issues here. CNI is 100% agnostic to layer
4 (and above). If your container is connected to a CNI network then it will
have a uniquely identifiable IP address within that network, and every service
it exposes is available on that IP address. There is nothing going on at layer
4 that makes the service not addressable from the outside world. For a CNI
overlay network the thing that makes the service not addressable from the
outside world is the layer 3 address (nothing to do with layer 4). So I think
that Dan's comment above is spot on.
There are a variety of ways you can get traffic in/out of an overlay network.
iptables port mapping is just one way, and as Dan says, is dependent on the CNI
network implementation.
For full disclosure, I work on Project Calico, which can operate in overlay
mode or non-overlay mode as a CNI plugin. The iptables approach to port
mapping, if implemented in such a way that it doesn't clash with Calico's own
use of iptables, should work for getting traffic in/out of a Calico overlay
network. But it will not work for a bunch of other CNI network
implementations.
This is a thorny problem to solve generically. I've seen people do it with
iptables port mapping, with SDN specific solutions, with HAProxy, and with
things like kube-proxy (in Kubernetes land). But I haven't seen a one size fits
all solution yet because there is such a broad range of CNI network
implementations.
(By the way, I am just down the road from Mesosphere HQ, so if it would be
helpful to get in front of a whiteboard to help with any of this CNI stuff then
just let me know.)
> Implement port forwarding in `network/cni` isolator
> ---------------------------------------------------
>
> Key: MESOS-4823
> URL: https://issues.apache.org/jira/browse/MESOS-4823
> Project: Mesos
> Issue Type: Task
> Components: containerization
> Environment: linux
> Reporter: Avinash Sridharan
> Assignee: Avinash Sridharan
> Priority: Critical
> Labels: mesosphere
>
> Most docker and appc images wish to expose ports that micro-services are
> listening on, to the outside world. When containers are running on bridged
> (or ptp) networking this can be achieved by installing port forwarding rules
> on the agent (using iptables). This can be done in the `network/cni`
> isolator.
> The reason we would like this functionality to be implemented in the
> `network/cni` isolator, and not a CNI plugin, is that the specifications
> currently do not support specifying port forwarding rules. Further, to
> install these rules the isolator needs two pieces of information, the exposed
> ports and the IP address associated with the container. Both are available
> to the isolator.
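The iptables port-mapping approach the issue describes (a DNAT from a host port to the container's IP on a bridged or ptp CNI network, installed on the agent from the two things the isolator knows: the container IP and the exposed ports), written out as an added shell example. This is not code from Mesos, Calico or any CNI plugin. It keeps all of its rules in a dedicated chain (the name MESOS-CNI-PORTMAP is an assumption for this example) and only ever appends or deletes its own rule specs, so it does not flush or rewrite rules that a plugin such as Calico owns, which is the clash Alex warns about. The mapping syntax hostPort[:containerPort][/tcp|udp] is also an assumption. The rules are printed rather than applied so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Added example, not code from Mesos, Calico or any CNI plugin: emit the
# iptables rules an agent could install to publish hostPort -> containerIP:port
# for a container on a bridged/ptp CNI network. Rules are printed rather than
# applied so they can be reviewed first; pipe the output to `sudo sh` to apply.
# The chain name and the mapping syntax are assumptions made for this example.

CHAIN="MESOS-CNI-PORTMAP"   # own chain: never rewrite rules the CNI plugin owns

# parse_mapping "hostPort[:containerPort][/tcp|udp]" -> "hostPort containerPort proto"
# Returns 1 on an unknown protocol or a port outside 1..65535.
parse_mapping() {
    spec=$1
    proto=${spec##*/}; ports=${spec%/*}
    [ "$proto" = "$spec" ] && proto=tcp        # no "/proto" given: default tcp
    hp=${ports%%:*}; cp=${ports##*:}           # no ":" given: same port both sides
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    for p in "$hp" "$cp"; do
        case $p in ""|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    echo "$hp $cp $proto"
}

# portmap_chain add|del : create (or tear down) the shared chain and the jumps
# into it from nat PREROUTING (outside clients) and nat OUTPUT (clients on the
# agent itself). Only traffic addressed to one of the host's own addresses is
# diverted, so the plugin's own NAT rules for other traffic are not affected.
portmap_chain() {
    case $1 in
        add) echo "iptables -t nat -N $CHAIN"
             echo "iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j $CHAIN"
             echo "iptables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -j $CHAIN" ;;
        del) echo "iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j $CHAIN"
             echo "iptables -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j $CHAIN"
             echo "iptables -t nat -F $CHAIN"
             echo "iptables -t nat -X $CHAIN" ;;
        *)   echo "usage: portmap_chain add|del" >&2; return 1 ;;
    esac
}

# portmap_rules add|del CONTAINER_IP MAPPING... : per-container rules. The same
# rule specs are used for -A and -D, so teardown removes exactly what setup added.
portmap_rules() {
    case $1 in
        add) op=-A ;;
        del) op=-D ;;
        *)   echo "usage: portmap_rules add|del CONTAINER_IP MAPPING..." >&2; return 1 ;;
    esac
    cip=$2; shift 2
    case $cip in ""|*[!0-9.]*) echo "bad container ip: $cip" >&2; return 1 ;; esac
    for m in "$@"; do
        fields=$(parse_mapping "$m") || { echo "bad mapping: $m" >&2; return 1; }
        set -- $fields                     # $1=hostPort $2=containerPort $3=proto
        # 1. DNAT the published host port to the container's address on the CNI network
        echo "iptables -t nat $op $CHAIN -p $3 --dport $1 -j DNAT --to-destination $cip:$2"
        # 2. hairpin: the container reaching its own published port via the host address;
        #    without SNAT the reply would bypass the DNAT state and be dropped
        echo "iptables -t nat $op POSTROUTING -s $cip -d $cip -p $3 --dport $2 -j MASQUERADE"
        # 3. let the forwarded flow (and its replies) through FORWARD even if the
        #    default policy is DROP
        echo "iptables $op FORWARD -d $cip -p $3 --dport $2 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        echo "iptables $op FORWARD -s $cip -p $3 --sport $2 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    done
}

# usage: sh portmap.sh add 10.1.1.5 8080:80/tcp 5353:53/udp | sudo sh
if [ $# -gt 0 ]; then
    portmap_rules "$@"
fi
```

Run portmap_chain add once per agent and portmap_rules add/del per container; with del the same specs are replayed with -D, which is what makes the isolator's cleanup safe next to a plugin's own iptables rules. The MASQUERADE and FORWARD lines are the parts that tend to be forgotten: without the first, a container that connects to its own published port through the host address never gets the reply; without the second, a DROP policy on FORWARD silently eats the forwarded traffic.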