Open alinbalutoiu opened 6 years ago
feiskyer
commented
6 years ago By the way, docker EE preview works, while docker CE won't work.
Docker EE preview could be installed via
Install-Module DockerProvider
Install-Package -Name Docker -ProviderName DockerProvider -RequiredVersion preview
alinbalutoiu
commented
6 years ago @feiskyer have you tested it out and it works?
I have Windows Server 1803 with latest updates, it still doesn't work, you can see the docker version below, installed as you recommended:
PS C:\Users\Administrator> docker version
Client:
Version: 17.10.0-ee-preview-3
API version: 1.33
Go version: go1.8.4
Git commit: 1649af8
Built: Fri Oct 6 17:52:28 2017
OS/Arch: windows/amd64
Server:
Version: 17.10.0-ee-preview-3
API version: 1.34 (minimum version 1.24)
Go version: go1.8.4
Git commit: b8571fd
Built: Fri Oct 6 18:01:48 2017
OS/Arch: windows/amd64
Experimental: false
PS C:\Users\Administrator> docker exec 7399822ce02f ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : 7399822ce02f
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : localdomain
Ethernet adapter vEthernet (test_endpoint):
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
Physical Address. . . . . . . . . : 00-15-5D-B9-31-DD
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::895:69fb:8dac:8cdf%17(Preferred)
IPv4 Address. . . . . . . . . . . : 172.18.224.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.18.224.1
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Disabled
PS C:\Users\Administrator> docker exec 54d5d989df89 ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : 7399822ce02f
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter vEthernet (test_endpoint):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
Physical Address. . . . . . . . . : 00-15-5D-B9-31-DD
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::895:69fb:8dac:8cdf%17(Preferred)
IPv4 Address. . . . . . . . . . . : 172.18.224.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.18.224.1
NetBIOS over Tcpip. . . . . . . . : Disabled
PS C:\Users\Administrator> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
54d5d989df89 microsoft/nanoserver:1803 "cmd" 56 seconds ago Up 54 seconds vigorous_bohr
7399822ce02f microsoft/nanoserver:1803 "cmd" 3 minutes ago Up 3 minutes cocky_brown
PS C:\Users\Administrator>The second container still doesn't have the DNS set. Again, this is outside of kubernetes, you have all the steps on how to reproduce in the first message. Any other ideas? Thanks!
madhanrm
commented
6 years ago Call Attach-HNSEndpoint -ContainerID $cid2 -CompartmentID $cmp -EndpointID $eid, again with the new containerId to complete the workflow required for sharing endpoints across 2 containers.
When network is managed by docker (when you do not use none), you can see a second HotAttachEndpoint (https://github.com/Microsoft/hcsshim/blob/master/hnsendpoint.go#L38) being invoked. For every attach call on an endpoint with a container ID, HNS replicates the necessary registry keys to the container, which would include the DNS Server settings as well.
This is a requirement if someone is managing network outside of docker or if cni is used. You can have a look at the PR (https://github.com/containernetworking/plugins/pull/85).
Let me know if you have more questions.
alinbalutoiu
commented
6 years ago That is an issue then. This commit makes kubelet to call only once to get the POD IP and not for every container: https://github.com/kubernetes/kubernetes/pull/64189 I also explicitly asked in this comment (https://github.com/kubernetes/kubernetes/pull/64189#issuecomment-391631585) about the reason of calling for every single container but it seemed that it should not be the case for that.
I did not see any issue since there was also someone else from the azure-cni team complaining about multiple add/del requests: https://github.com/kubernetes/kubernetes/issues/57253 so that PR fixes some of their issue, but apparently that generates other issues.
They also commented in the code that it is a temporary workaround: https://github.com/Azure/azure-container-networking/blob/master/cni/network/network_windows.go#L15-L19
In the end, in kubelet the call to "ADD" will be replaced with "GET" when the new CNI version gets released.
For the docker thing you pasted the link to HotAttachEndpoint from hcsshim not from docker.
I don't really understand how everything else is shared (IP/Gateway/MAC etc.) but the DNS is not. And that happens without a second call to HotAttachEndpoint. What does "necessary registry keys" include besides DNS? Why HNS requires a second call to HotAttachEndpoint and cannot do it from the first time?
dineshgovindasamy
commented
6 years ago @alinbalutoiu @madhanrm
For 1709 and 1803 we didnt have the Namespace support in Windows which we are bringing in RS5. So we need this second call to replicate the DNS registry key to the Workload container. This is a platform requirement and removing this will break DNS for the workload containers. IP/Gateway/MAC is set separately than DNS.
In Rs5 once we move the namespace model, we will update CRI and CNI to add endpoints and add it to the namespace.
Can we revert the other PR? This will break Windows Container DNS.
daschott
commented
6 years ago @alinbalutoiu is this still an issue after the revert? If not, can we close it, or are you waiting for the new namespace support in RS5?
alinbalutoiu
commented
6 years ago @daschott This is still an issue on Windows which was discovered after the commit which made kubelet not to call the CNI for every container. I haven't tested on RS5, but it should be fixed if it is not required to explicitly call Attach-HNSEndpoint for the new containers after they are created in the same namespace as the original container.
Would it be possible to have a list with known issues for each Windows version?
michmike
commented
6 years ago we discussed this in sig-windows today and would love an update from @dineshgovindasamy or @daschott
daschott
commented
6 years ago @alinbalutoiu @michmike @dineshgovindasamy If I understand correctly, the main concern is this: "I should not have to call Attach-HNSEndpoint for new containers in the same namespace because CNI spec states there should only be one call".
The response is here. Namespaces are not a first-class citizen on any Windows version prior to Windows Server 2019. We operate on an endpoint basis, and we need an additional CNI call to replicate DNS registry keys. If you remove this call, then it becomes an issue as the new container won't have any DNS registry keys set.
We are doing work right now to enable containerD support on Windows Server 2019, which would allow us to remove the multiple calls. However, as long as Windows Server version 1803 is supported on Kubernetes we cannot remove the CNI calls without adding conditionals for Windows versions to the CNI workflows. According to our devs, keeping the current code is the lesser of two evils in terms of maintainability & code complexity.
Are there any scenarios or features which are broken as a result of the current code?
dantingl
commented
5 years ago I hit this problem on Windows 1809. And Attach-HNSEndpoint does not work.
Invoke-HNSRequest : @{Error=The parameter is incorrect. ; ErrorCode=2147942487; Success=False}
+ return Invoke-HNSRequest -Method POST -Type endpoints -Data (Conv ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-HNSRequest ```
Environment details:
Windows server 1803 with all the updates installed.
Any docker version, for this test using 17-11.0-ce-rc3.
Default docker network, nothing extra created, nothing extra installed, plain Windows server 1803 with Containers feature installed.
Steps to reproduce:
test_endpointsHNS Endpoint with DNS Server set:$EndpointData = convertto-json $endpoint Invoke-HNSRequest -Method POST -Type endpoints -Data $EndpointData
docker run --net=none -it microsoft/nanoserver:1803 cmd
PS C:> $cid="df7f369331b5633876f22f47ca604ec6d1d1ab912b20fd43c9bc8db262a3c9a7" PS C:> $eid="5a1b06c6-773b-4889-ba63-e56d6008df4b" PS C:> $cmp=2 PS C:> Attach-HNSEndpoint -ContainerID $cid -CompartmentID $cmp -EndpointID $eid
C:>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : df7f369331b5 Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : localdomain
Ethernet adapter vEthernet (test_endpoint):
Connection-specific DNS Suffix . : localdomain Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2 Physical Address. . . . . . . . . : 00-15-5D-B9-31-6F DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : fe80::a44d:c463:592a:3de0%17(Preferred) IPv4 Address. . . . . . . . . . . : 172.18.224.10(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.240.0 Default Gateway . . . . . . . . . : 172.18.224.1 DNS Servers . . . . . . . . . . . : 8.8.8.8 NetBIOS over Tcpip. . . . . . . . : Disabled
PS C:> docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES df7f369331b5 microsoft/nanoserver:1803 "cmd" 13 minutes ago Up 13 minutes goofy_boyd PS C:> docker run --net=container:df7f369331b5 -it microsoft/nanoserver:1803 cmd
PS C:> docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 9e19087e0049 microsoft/nanoserver:1803 "cmd" 12 minutes ago Up 12 minutes trusting_carson df7f369331b5 microsoft/nanoserver:1803 "cmd" 14 minutes ago Up 14 minutes goofy_boyd PS C:> docker exec df7f369331b5 ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : df7f369331b5 Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : localdomain
Ethernet adapter vEthernet (test_endpoint):
Connection-specific DNS Suffix . : localdomain Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2 Physical Address. . . . . . . . . : 00-15-5D-B9-31-6F DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : fe80::a44d:c463:592a:3de0%17(Preferred) IPv4 Address. . . . . . . . . . . : 172.18.224.10(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.240.0 Default Gateway . . . . . . . . . : 172.18.224.1 DNS Servers . . . . . . . . . . . : 8.8.8.8 NetBIOS over Tcpip. . . . . . . . : Disabled PS C:> docker exec 9e19087e0049 ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : df7f369331b5 Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter vEthernet (test_endpoint):
Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2 Physical Address. . . . . . . . . : 00-15-5D-B9-31-6F DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : fe80::a44d:c463:592a:3de0%17(Preferred) IPv4 Address. . . . . . . . . . . : 172.18.224.10(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.240.0 Default Gateway . . . . . . . . . : 172.18.224.1 NetBIOS over Tcpip. . . . . . . . : Disabled
PS C:> ipconfig /allcompartments /all
Windows IP Configuration
============================================================================== Network Information for Compartment 1 (ACTIVE)