[ https://issues.apache.org/jira/browse/MESOS-4823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15200311#comment-15200311 ]
Alex Pollitt commented on MESOS-4823:
-------------------------------------

Avinash: I think you are conflating issues here. CNI is 100% agnostic to layer 4 (and above). If your container is connected to a CNI network then it will have a uniquely identifiable IP address within that network, and every service it exposes is available on that IP address. There is nothing going on at layer 4 that makes the service not addressable from the outside world. For a CNI overlay network the thing that makes the service not addressable from the outside world is the layer 3 address (nothing to do with layer 4).

So I think that Dan's comment above is spot on. There are a variety of ways you can get traffic in/out of an overlay network. iptables port mapping is just one way, and as Dan says, is dependent on the CNI network implementation.

For full disclosure, I work on Project Calico, which can operate in overlay mode or non-overlay mode as a CNI plugin. The iptables approach to port mapping, if implemented in such a way that it doesn't clash with Calico's own use of iptables, should work for getting traffic in/out of a Calico overlay network. But it will not work for a bunch of other CNI network implementations.

This is a thorny problem to solve generically. I've seen people do it with iptables port mapping, with SDN specific solutions, with HA Proxy, and with things like kubeproxy (in Kubernetes land). But I haven't seen a one size fits all solution yet because there is such a broad range of CNI network implementations.

(By the way, I am just down the road from Mesosphere HQ, so if it would be helpful to get in front of a whiteboard to help with any of this CNI stuff then just let me know.)

> Implement port forwarding in `network/cni` isolator
> ---------------------------------------------------
>
>                 Key: MESOS-4823
>                 URL: https://issues.apache.org/jira/browse/MESOS-4823
>             Project: Mesos
>          Issue Type: Task
>          Components: containerization
>         Environment: linux
>            Reporter: Avinash Sridharan
>            Assignee: Avinash Sridharan
>            Priority: Critical
>              Labels: mesosphere
>
> Most docker and appc images wish to expose ports that micro-services are
> listening on, to the outside world. When containers are running on bridged
> (or ptp) networking this can be achieved by installing port forwarding rules
> on the agent (using iptables). This can be done in the `network/cni`
> isolator.
> The reason we would like this functionality to be implemented in the
> `network/cni` isolator, and not a CNI plugin, is that the specifications
> currently do not support specifying port forwarding rules. Further, to
> install these rules the isolator needs two pieces of information, the exposed
> ports and the IP address associated with the container. Both are available
> to the isolator.
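
The port-forwarding step the issue describes, as an added example that is not part of the original message or of Mesos: from the two inputs the description names (the container's IP and its exposed ports) it prints, without applying, DNAT rules placed in a dedicated chain so they stay separate from a CNI plugin's own iptables rules. The chain name `MESOS-CNI-PORTMAP` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (constructed): print, not apply, NAT rules that forward agent
# ports to a container's CNI-assigned IP. The chain name is hypothetical.
CHAIN="MESOS-CNI-PORTMAP"  # dedicated chain, kept apart from a CNI plugin's own chains

valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null
}

valid_ipv4() {
  # Digits and dots only, no trailing dot (this also rules out glob characters).
  case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs  # split into octets
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in '') return 1 ;; esac
    [ "$o" -le 255 ] 2>/dev/null || return 1
  done
}

# usage: portmap_rules CONTAINER_IP tcp|udp HOST_PORT:CONTAINER_PORT...
portmap_rules() {
  [ $# -ge 3 ] || { echo "usage: portmap_rules IP PROTO HOST:CONTAINER..." >&2; return 2; }
  ip=$1; proto=$2; shift 2
  valid_ipv4 "$ip" || { echo "bad container IP: $ip" >&2; return 1; }
  case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
  # Validate every mapping before printing anything: output is all-or-nothing.
  for m in "$@"; do
    case "$m" in *:*) ;; *) echo "bad mapping: $m" >&2; return 1 ;; esac
    valid_port "${m%%:*}" && valid_port "${m#*:}" ||
      { echo "bad mapping: $m" >&2; return 1; }
  done
  echo "iptables -t nat -N $CHAIN"
  # PREROUTING sees traffic arriving from other hosts; locally generated
  # traffic would need a matching jump from the nat OUTPUT chain.
  echo "iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j $CHAIN"
  for m in "$@"; do
    echo "iptables -t nat -A $CHAIN -p $proto --dport ${m%%:*} -j DNAT --to-destination $ip:${m#*:}"
  done
}
```

Because every rule lives in one chain, removing a container's forwarding is a flush and delete of that chain plus the single PREROUTING jump.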