Overlay network ping works, but HTTP requests only work within same swarm node. Hangs as if messages dropped if to other node

humbe76 · August 4, 2022, 7:12pm

Hi…

Hoping it’s ok to ask a Docker Swarm question related to Traefik use here. The core issue seems to me to be related to Docker swarm and not Traefik so I’m hoping it is fitting, and the similar threads I found here seems to be a bit different than mine.

Summary:
On my overlay network, I can ping all containers across Docker nodes, but I can only talk to the local containers using HTTP. Local firewall ufw has been disabled to verify that it is not the cause.

When on the overlay network, shouldn’t I have full network connectivity to the other containers on the network? What is wrong with my setup?

Details:
I’m setting up 3 docker nodes on Ubuntu Jammy stable, and have joined them into a swarm with 3 managers. I don’t have much load but would like to be able to take a node down for maintenance, so I plan to run worker bits on the manager nodes to be able have enough manager nodes to still elect a leader if one is down.

I’m trying to setup Traefik, so I can have each swarm service redirecting of a common top domain, so foobar . mydomain . com and otherservice . mydomain . com both have A records pointing to Traefic service, and Traefic will redirect to correct service through HTTP host header.

I’ve set up a docker network in overlay mode, called traefik-public that I join Traefik and all my services to, so Traefik can talk to them. And here starts the issue.
I’ve only added A record to one of my nodes, and I’ve set a node tag forcing Traefik to run there. I’m using a whoami service as a simplistic web server to verify connectivity. Additionally, I’ve set up an ubuntu installation as a third service, so I have an environment I can install stuff in which is also on the overlay network.

If I let the whoami service run it’s container on the Traefik node, Traefik is working and I can send requests from outside. If I run it on another node, it doesn’t.
From my Ubuntu service, I can curl to tasks.whoami or straight on IP if it’s running on the same host as whoami, else it just hangs as if the network communication is dropped. This is true regardless of whether the whoami service is on Traefik node or not.

Some basics of how I set it up:

docker network create --driver=overlay traefik-public
docker stack deploy -c traefik.yaml traefik

traefik.yaml

version: '3.3'

services:
  traefik:
    image: traefik:v2.8
    command:
      - --api.insecure=true
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --providers.docker.swarmMode=true
    ports:
      - 80:80
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    deploy:
      placement:
        constraints:
          - node.labels.traefik-public.has-certificates == true
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        - traefik.http.services.traefik-public.loadbalancer.server.port=51242
    networks:
      - traefik-public

  whoami:
    image: "traefik/whoami"
    deploy:
      placement:
        constraints:
          - node.labels.traefik-public.has-certificates == true
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik-public
        - traefik.http.routers.whoami.rule=Host(`foobar.mydomain.com`)
        - traefik.http.routers.whoami.entrypoints=web
        - traefik.http.routers.whoami.service=whoami
        - traefik.http.services.whoami.loadbalancer.server.port=80
    networks:
      - traefik-public

  debugnix:
    image: "ubuntu"
    tty: true
    command: sh
    deploy:
      placement:
        constraints:
          - node.labels.traefik-public.has-certificates == true
    networks:
      - traefik-public

  debugnix2:
    image: "ubuntu"
    tty: true
    command: sh
    deploy:
      placement:
        constraints:
          - node.labels.traefik-public.has-certificates == false
    networks:
      - traefik-public

networks:
  traefik-public:
    external: true

Results of requests when debugging:

traefik-node# docker container ls | grep debugnix | cut -d' ' -f1 | xargs -o -I {} docker exec -it {} /bin/bash
curl http request to tasks.whoami (real command is recognized as URL and blocked in forum :/)
Hostname: 480c5c46f063
IP: 127.0.0.1
IP: 10.0.6.106
IP: 172.18.0.5
RemoteAddr: 10.0.6.102:53732
GET / HTTP/1.1
Host: tasks.whoami
User-Agent: curl/7.81.0
Accept: */*

other-node# docker container ls | grep debugnix | cut -d' ' -f1 | xargs -o -I {} docker exec -it {} /bin/bash
root@7c034d32cd0f:/# host -t A tasks.whoami
tasks.whoami has address 10.0.6.106
root@7c034d32cd0f:/# curl http request to tasks.whoami (real command is recognized as URL and blocked in forum :/)
  # Doesn't return. I guess default timeout is infinite and packages are dropped somewhere..
root@7c034d32cd0f:/# ping tasks.whoami
PING tasks.whoami (10.0.6.106) 56(84) bytes of data.
...
--- tasks.whoami ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2054ms
rtt min/avg/max/mdev = 0.213/0.251/0.277/0.027 ms

traefik-node# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-INGRESS  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-forward  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-forward  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (3 references)
target     prot opt source               destination

Chain DOCKER-INGRESS (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:8080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED tcp spt:80
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination

Chain ufw-before-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-track-forward (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination

humbe76 · August 4, 2022, 8:10pm

Actually managed to find the root myself… Of similar looking issues I found online people had not managed to setup correct firewall rules or had messed up somewhere or used some custom service, so didn’t find anything matching until I found:

Basically, I had to run

ethtool -K ens160 tx-checksum-ip-generic off

on all my docker nodes, and then it worked… (My device name was a bit different than jmcombs, it’s the name of the main interface connecting the nodes (outside Docker)

I’m trying to set up Docker on an Ubuntu image someone has tried to harden to avoid hacker holes, so I guess it might have added some non-default setting to check checksums… Though it seems strange that Docker swarm should rely on being able to send messages with what I assume is broken checksums. Not that I know anything about that feature, so maybe it’s not what it sounds like…

humbe76 · August 4, 2022, 8:13pm

Actually, not related to the hardened image, but Ubuntu / linux issue on kernel 5.10+ or something:

github.com/moby/moby

Upgrade to 20.10 breaks swarm network

opened 03:02PM - 10 Dec 20 UTC

oneumyvakin

area/networking area/swarm version/20.10

**Description**  **Steps to reproduce the issue:** 1. Install Docker 19.03 on Ubuntu 20 or CentOS 8 2. Init Swarm 3. Start some services by docker stack deploy 4. Upgrade docker from 19.03 to 20.10 **Describe the results you received:** Containers of services can't start there is error in logs ``` Dec 10 06:21:03 dockerd[3160859]: time="2020-12-10T06:21:03.150920367Z" level=error msg="fatal task error" error="starting container failed: container 9f93a21ac2e3be11a65c91f3cfde555a415eea47c636bef432d5d2e4b08afff4: endpoint create on GW Network failed: failed to create endpoint gateway_f8cabe848464 on network docker_gwbridge: network 28d599d44202f2acdc85e42437332ddb41a81bd7f0622bc0724761ec9b49082a does not exist" module=node/agent/taskmanager node.id=u7qdqny1doho69k3nariuo1ru service.id=vhtg6aoyt360k7mluiwmshqf0 task.id=aqgsfcw88m5kujnrly74o4wh4 ``` **Describe the results you expected:** containers are running **Additional information you deem important (e.g. issue happens only occasionally):** we have two installations with this issue which happened after upgrade to 20.10 recreating services didn't help re-initing swarm didn't help ``` # docker network list NETWORK ID NAME DRIVER SCOPE e45b9b63c4ae bridge bridge local 28d599d44202 docker_gwbridge bridge local 2aa80dc0cc04 host host local w9rpuika2x0d ingress overlay swarm 62f0fb2fdf28 none null local ``` **Output of `docker version`:** ``` Client: Docker Engine - Community Version: 20.10.0 API version: 1.41 Go version: go1.13.15 Git commit: 7287ab3 Built: Tue Dec 8 18:59:40 2020 OS/Arch: linux/amd64 Context: default Experimental: true Server: Docker Engine - Community Engine: Version: 20.10.0 API version: 1.41 (minimum version 1.12) Go version: go1.13.15 Git commit: eeddea2 Built: Tue Dec 8 18:57:45 2020 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.4.3 GitCommit: 269548fa27e0089a8b8278fc4fc781d7f65a939b runc: Version: 1.0.0-rc92 GitCommit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff docker-init: Version: 0.19.0 GitCommit: de40ad0 ``` **Output of `docker info`:** ``` Client: Context: default Debug Mode: false Plugins: app: Docker App (Docker Inc., v0.9.1-beta3) buildx: Build with BuildKit (Docker Inc., v0.4.2-docker) Server: Containers: 0 Running: 0 Paused: 0 Stopped: 0 Images: 12 Server Version: 20.10.0 Storage Driver: overlay2 Backing Filesystem: extfs Supports d_type: true Native Overlay Diff: true Logging Driver: json-file Cgroup Driver: cgroupfs Cgroup Version: 1 Plugins: Volume: local Network: bridge host ipvlan macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog Swarm: active NodeID: u7qdqny1doho69k3nariuo1ru Is Manager: true ClusterID: rdq2vi44m2lkz34tdow1dvip4 Managers: 1 Nodes: 1 Default Address Pool: 10.0.0.0/8 SubnetSize: 24 Data Path Port: 4789 Orchestration: Task History Retention Limit: 5 Raft: Snapshot Interval: 10000 Number of Old Snapshots to Retain: 0 Heartbeat Tick: 1 Election Tick: 10 Dispatcher: Heartbeat Period: 5 seconds CA Configuration: Expiry Duration: 3 months Force Rotate: 0 Autolock Managers: false Root Rotation In Progress: false Node Address: 127.0.0.1 Manager Addresses: 127.0.0.1:2377 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc Default Runtime: runc Init Binary: docker-init containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff init version: de40ad0 Security Options: apparmor seccomp Profile: default Kernel Version: 5.4.0-56-generic Operating System: Ubuntu 20.04.1 LTS OSType: linux Architecture: x86_64 CPUs: 4 Total Memory: 7.749GiB Name: cloud.filesanctuary.net ID: JBWW:XVUE:3XW4:OQYT:HJHK:OSRV:PFHK:PFZP:S3DV:HPZ7:NYWD:OWQO Docker Root Dir: /var/lib/docker Debug Mode: false Registry: https://index.docker.io/v1/ Labels: Experimental: false Insecure Registries: 127.0.0.0/8 Live Restore Enabled: false WARNING: No swap limit support WARNING: No blkio weight support WARNING: No blkio weight_device support ```

daijie · October 24, 2022, 11:06am

You save me!
I spent a whole day to struggle with this problem