kobolog
commented
7 years ago Do you mean that adding a backend service with container's IP for an IPVS virtual service effectively blocks inter-container communications with that container?
Open asridharan opened 7 years ago
kobolog
commented
7 years ago Do you mean that adding a backend service with container's IP for an IPVS virtual service effectively blocks inter-container communications with that container?
scsnow
commented
7 years ago I noticed, that IPVS doesn't work in separate namespace, i.e. when gorb container is created using --net mybridge. Then if I put backend containers to the same net and define service <gorb_container_ip>:80 -> [<backend_container_1_ip>:80, <backend_container_2_ip>:80], I got connection refused if I do nc -v <gorb_container_ip>:80.
Everything works as expected if I create gorb container with --net host.
kobolog
commented
6 years ago I'm still not sure I understand the issue here. Are you trying to access an IPVS service from inside a container that is attached to the same bridge as one of the backends?
When I create a backend service with IPVS for a given container, other containers on the same bridge are unable to talk to this container. Reason is due to partially open TCP connection, since all traffic from and to the IPVS service is supposed to go through the host network namespace, but for container to container communication some of the traffic might get switched through the bridge itself.
Does gorb setup iptables SNAT to avoid this situation?