Docker Community Forums


Swarm port not accessible on SLES host


(Philu1) #1

Hi,

We are running SuSE Linux Enterprise (SLES) 12 SP 2 and the standard Docker distribution 17.09.1 ce provided by SuSE’s Containers_Module_12_x86_64 package.
We have containers running locally on the host with mapped ports and everything works fine.

When we attempt to run the containers as a service under swarm, the service starts up fine but the mapped ports are not exposed on the localhost.
We have attempted this with very simple services and gotten the same results (including the docker tutorial).
Example:
Commands:
docker swarm init
docker service create --name my-web --publish published=8080,target=8080 --replicas 1 nginx

Both successful.
Result from docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
ze88zz31le31 my-web replicated 1/1 nginx:latest *:8080->80/tcp

Result attempting to attach to localhost:8080 where nginx should be accessible
curl localhost:8080
curl: (7) Failed to connect to localhost port 8080: Connection refused

Here is a snip of logs that contain an error related to iptables (note that docker appears able to modify iptables per additional info below):
2018-10-18T19:25:19.287893-04:00 dockerd[1828]: time="2018-10-18T19:25:19.287650051-04:00" level=info msg="NetworkDB stats - netID:lxy5sbaswro9qxqa0vt6uq7ob leaving:false netPeers:1 entries:4 Queue qLen:0 netMsg/s:0"
2018-10-18T19:30:19.487727-04:00 dockerd[1828]: time="2018-10-18T19:30:19.487514638-04:00" level=info msg="NetworkDB stats - netID:lxy5sbaswro9qxqa0vt6uq7ob leaving:false netPeers:1 entries:4 Queue qLen:0 netMsg/s:0"
2018-10-18T19:31:47.425687-04:00 dockerd[1828]: time="2018-10-18T19:31:47-04:00" level=info msg="SUSE:secrets :: enabled"
2018-10-18T19:31:47.540558-04:00 dockerd[1828]: time="2018-10-18T19:31:47-04:00" level=error msg="setting up rule failed, [-t mangle -D PREROUTING -p tcp --dport 8080 -j MARK --set-mark 262]: (iptables failed: iptables --wait -t mangle -D PREROUTING -p tcp --dport 8080 -j MARK --set-mark 262: iptables: No chain/target/match by that name.
2018-10-18T19:31:47.540979-04:00 dockerd[1828]: (exit status 1))"
2018-10-18T19:31:47.545054-04:00 dockerd[1828]: time="2018-10-18T19:31:47.542668859-04:00" level=error msg="Failed to delete firewall mark rule in sbox ingress (ingress): reexec failed: exit status 5"
2018-10-18T19:31:47.745356-04:00 kernel: [548403.162337] [2768(dockerd)]: gsch_umount_hook_fn(/var/run/docker/netns/cf5394f87151,2) doing
2

Research on forums seems to indicate that this might be a potential missing dependency in our SLES.
We are not running SuSEfirewall2 and iptables appears to be populated correctly:
sudo iptables-save | grep DOCKER
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i docker_gwbridge -j RETURN
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker_gwbridge -j DOCKER
-A DOCKER-ISOLATION -i docker_gwbridge -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o docker_gwbridge -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN

I have tried enabling ipv4 forwarding as recommended in a forum, with no seeming effect.
The docker swarm management ports are available when swarm is running:
netstat -nlp | grep 7946
tcp 0 0 :::7946 :::* LISTEN 1828/dockerd
udp 0 0 :::7946 :::* 1828/dockerd
netstat -nlp | grep 4789
udp 0 0 0.0.0.0:4789 0.0.0.0:* -

I’m at a bit of a dead-end.

Any help would be appreciated.


(Philu1) #2

I have now gone through a restart of Docker and Swarm and watched the logs during startup. I found what appear to be the errors at the root of the problem - confirming that it looks like IPVS is required to run Swarm networking:

2018-10-19T12:23:29.447004-04:00 dockerd[21642]: time="2018-10-19T12:23:29.446754417-04:00" level=warning msg="Running modprobe ip_vs failed with message: `modprobe: WARNING: Module ip_vs not found.`, error: exit status 1"
2018-10-19T12:23:29.449931-04:00 dockerd[21642]: time="2018-10-19T12:23:29.449047777-04:00" level=error msg="Could not get ipvs family information from the kernel. It is possible that ipvs is not enabled in your kernel. Native loadbalancing will not work until this is fixed."

SuSE includes IPVS in its HA package, which seems quite heavy-weight when ip_vs is the one missing dependency. Is anyone familiar with the IPVS dependency by Docker? Is this specific to SuSE’s Docker distribution (would I avoid it if I just downloaded and deployed the latest CE build)? Is IPVS itself relatively self-contained to deploy?

Thanks again.
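
Added example (not part of the original posts, and not Docker's or SUSE's own tooling): a shell triage that scans dockerd log lines for the three error messages quoted in this thread and reports whether the ip_vs kernel module is present on the host. The function names and finding labels are made up for this example, and the sample log lines are shortened from the ones posted above.

```shell
#!/bin/sh
# Added example: triage dockerd logs for missing swarm ingress prerequisites.
# Function names and finding labels are hypothetical; the match strings come
# from the log messages quoted in the posts above.

# Read dockerd log lines on stdin; print one label per problem class seen.
classify_dockerd_log() {
    awk '
    /Module ip_vs not found/                       { modmiss = 1 }
    /Could not get ipvs family information/        { noipvs = 1 }
    /iptables failed:/ && /-t mangle/ && /-j MARK/ { mark = 1 }
    END {
        if (modmiss) print "ip_vs-module-missing"
        if (noipvs)  print "ipvs-unavailable"
        if (mark)    print "ingress-mark-rule-failed"
    }'
}

# Report the state of the ip_vs kernel module on the local host.
# /proc/net/ip_vs exists only once IPVS is active in the running kernel.
check_host_ipvs() {
    if [ -e /proc/net/ip_vs ]; then
        echo "loaded"
    elif modinfo ip_vs >/dev/null 2>&1; then
        echo "available-not-loaded"
    else
        echo "missing"
    fi
}

# Constructed sample: log lines shortened from the ones quoted in the thread.
sample_log() {
    cat <<'EOF'
dockerd[1828]: level=info msg="NetworkDB stats - netPeers:1 entries:4"
dockerd[1828]: level=error msg="setting up rule failed, [-t mangle -D PREROUTING -p tcp --dport 8080 -j MARK --set-mark 262]: (iptables failed: iptables --wait -t mangle -D PREROUTING -p tcp --dport 8080 -j MARK --set-mark 262: iptables: No chain/target/match by that name."
dockerd[21642]: level=warning msg="Running modprobe ip_vs failed with message: `modprobe: WARNING: Module ip_vs not found.`, error: exit status 1"
dockerd[21642]: level=error msg="Could not get ipvs family information from the kernel."
EOF
}

# When given a saved log file as $1, classify it and report the host state.
if [ "$#" -gt 0 ]; then
    classify_dockerd_log < "$1"
    echo "ip_vs on this host: $(check_host_ipvs)"
fi
```

A result of `missing` from `check_host_ipvs` together with the `ip_vs-module-missing` finding matches the situation described in post #2.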