[DCOS_OSS-992] Docker 1.13.1 does not work with virtual networking

Created: 19/Apr/17  Updated: 09/Nov/18  Resolved: 26/May/17

Status: Resolved
Project: DC/OS
Component/s: networking
Affects Version/s: DC/OS 1.9.0
Fix Version/s: DC/OS 1.9.1, DC/OS 1.10.0

Type: Bug
Priority: Medium
Reporter: jordanjennings
Assignee: Deepak Goel
Resolution: Done  
Labels: networking
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates DCOS_OSS-980 docker 1.12+ breaks virtual network Resolved
Sprint: Networking Team 1.10 Sprint 4

 Description   

The DC/OS documentation says Docker 1.13 is supported; however, it looks like they changed the default iptables configuration as of 1.13 for improved security, which unfortunately breaks virtual networking.

As of 1.13 the docker daemon sets iptables --policy FORWARD DROP, so when incoming packets reach the vtep1024 interface they are just dropped instead of being forwarded on to the d-dcos interface.

There's some discussion about it here:

https://github.com/moby/moby/issues/23987

And Kubernetes reports the same issue with Docker 1.13 (just for reference):

https://github.com/kubernetes/kubernetes/issues/40182

The installation where I saw this problem was using DC/OS 1.9 on CentOS 7.3 with Docker 1.13.1.

Luckily, Docker 1.12.6 works without any issues. Maybe this can be resolved with a documentation update saying that only Docker 1.11 and 1.12 are supported with virtual networking.
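
The following diagnostic is an added example, not part of the original report or of DC/OS: it evaluates `iptables -S FORWARD` output to show why a new packet from vtep1024 to d-dcos falls through to the chain policy. The rule listing is a constructed sample of a typical Docker FORWARD chain; the function names and the `eth0` interface used in testing are assumptions.

```shell
#!/bin/sh
# Added example. Reads `iptables -S FORWARD` output on stdin and prints the
# verdict ("accept" or "drop") for a NEW packet forwarded IN_IF -> OUT_IF.
# Simplifications (assumptions): rules with matches other than -i/-o are
# skipped as conditional, and jumps to user chains are assumed to return.
forward_verdict() {
    awk -v in_if="$1" -v out_if="$2" '
    $1 == "-P" && $2 == "FORWARD" { policy = $3; next }
    $1 != "-A" || $2 != "FORWARD" { next }
    {
        ok = 1; target = ""; neg = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "!") { neg = 1; continue }
            if ($i == "-i" || $i == "-o") {
                want = ($i == "-i") ? in_if : out_if
                i++
                hit = ($i == want)
                if (neg) hit = !hit
                if (!hit) ok = 0
            } else if ($i == "-j") {
                i++; target = $i
            } else {
                ok = 0   # conntrack, -s, -p, ...: not an unconditional rule
            }
            neg = 0
        }
        # First unconditional terminal rule wins, as in iptables rule order.
        if (ok && verdict == "" && target ~ /^(ACCEPT|DROP|REJECT)$/) verdict = target
    }
    END {
        if (verdict == "") verdict = policy   # no rule decided: chain policy applies
        if (verdict == "ACCEPT") print "accept"; else print "drop"
    }'
}

# Constructed sample: FORWARD chain as a Docker daemon typically writes it.
# $1 is the chain policy (ACCEPT is the kernel default; DROP per the report).
sample_forward_chain() {
    cat <<EOF
-P FORWARD $1
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
EOF
}

# On a live agent (root required): iptables -S FORWARD | forward_verdict vtep1024 d-dcos
sample_forward_chain DROP | forward_verdict vtep1024 d-dcos
```

Every explicit ACCEPT in the sample is scoped to docker0, so overlay traffic is decided by the policy alone while traffic leaving docker0 still passes.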



 Comments   
Comment by Avinash Sridharan (Inactive) [ 12/May/17 ]

Deepak Goel should we close this since it's marked as a duplicate of DCOS_OSS-980?
