CNI networking stops working on Fedora Atomic 26

Bug #1708454 reported by Mohammed Naser
This bug affects 1 person
Affects: Magnum
Status: Fix Released
Importance: Undecided
Assigned to: Spyros Trigazis
Milestone: none

Bug Description

It seems that all CNI networking stops working when using Fedora Atomic 26. Upon further investigation, the issue seems to stem from Fedora Atomic 26 running Docker 1.13 rather than 1.12, which changed the default behaviour of the iptables policy for FORWARD. It used to automatically set it to ACCEPT but was switched to leave it as DROP, which breaks all CNI.

Examples of issues would be:
- Pods not responding from other machines over network
- NodePorts not working (timing out)

This is the Docker commit that caused this issue:
https://github.com/moby/moby/pull/28257
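
A diagnostic for the condition described above, as an added example that is not part of the original report or of Magnum's code: it classifies `iptables -S FORWARD` output to tell whether forwarded pod traffic falls through to the chain policy. The function names, the pod CIDR `10.100.0.0/16`, the sample rule dumps and the `scoped-accept` category (a narrower alternative to a blanket ACCEPT policy) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify `iptables -S FORWARD` output on a CNI node.

# Print the FORWARD chain policy found in `iptables -S FORWARD` text on stdin.
forward_policy() {
  awk '$1 == "-P" && $2 == "FORWARD" { print $3; found = 1; exit }
       END { if (!found) print "UNKNOWN" }'
}

# Usage: iptables -S FORWARD | cni_forward_status <pod-cidr>
#   policy-accept  chain policy is ACCEPT (what the Magnum fix sets)
#   scoped-accept  policy is not ACCEPT, but ACCEPT rules exist for the pod
#                  CIDR as source and as destination (assumed alternative)
#   blocked        neither: forwarded pod traffic hits the chain policy
# Exact-match check only; it does not evaluate rule order or other matches.
cni_forward_status() {
  cfs_cidr="$1"
  cfs_rules="$(cat)"
  if [ "$(printf '%s\n' "$cfs_rules" | forward_policy)" = "ACCEPT" ]; then
    echo policy-accept
  elif printf '%s\n' "$cfs_rules" | grep -Fxq -- "-A FORWARD -s $cfs_cidr -j ACCEPT" &&
       printf '%s\n' "$cfs_rules" | grep -Fxq -- "-A FORWARD -d $cfs_cidr -j ACCEPT"; then
    echo scoped-accept
  else
    echo blocked
  fi
}

# Constructed samples (not captured from a real node); 10.100.0.0/16 is an
# assumed pod network.
POD_CIDR="10.100.0.0/16"
SAMPLE_DROP='-P FORWARD DROP
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'
SAMPLE_ACCEPT="$(printf '%s\n' "$SAMPLE_DROP" | sed '1s/DROP/ACCEPT/')"
SAMPLE_SCOPED="$SAMPLE_DROP
-A FORWARD -s $POD_CIDR -j ACCEPT
-A FORWARD -d $POD_CIDR -j ACCEPT"

printf 'drop:   %s\n' "$(printf '%s\n' "$SAMPLE_DROP"   | cni_forward_status "$POD_CIDR")"
printf 'accept: %s\n' "$(printf '%s\n' "$SAMPLE_ACCEPT" | cni_forward_status "$POD_CIDR")"
printf 'scoped: %s\n' "$(printf '%s\n' "$SAMPLE_SCOPED" | cni_forward_status "$POD_CIDR")"
```

On a node, pipe the live chain into the function with `iptables -S FORWARD | cni_forward_status <pod-cidr>`, run as root.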

OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/490478

Changed in magnum:
assignee: nobody → Mohammed Naser (mnaser)
status: New → In Progress
Changed in magnum:
assignee: Mohammed Naser (mnaser) → Spyros Trigazis (strigazi)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on magnum (master)

Change abandoned by Mohammed Naser (<email address hidden>) on branch: master
Review: https://review.openstack.org/490478
Reason: This has been moved into 492390.

Changed in magnum:
assignee: Spyros Trigazis (strigazi) → Mohammed Naser (mnaser)
Changed in magnum:
assignee: Mohammed Naser (mnaser) → Spyros Trigazis (strigazi)
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/492390
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=4fb91cc109a9e636abb309e614341f25bf26c7b8
Submitter: Jenkins
Branch: master

commit 4fb91cc109a9e636abb309e614341f25bf26c7b8
Author: Spyros Trigazis <email address hidden>
Date: Thu Aug 10 08:24:42 2017 +0200

    tests: Use swarm-mode for api tests

    * Swarm-mode is the fastest cluster to deploy since it doesn't
      require to pull anything from outside.
    * Add the output nodes for swarm-mode too.
    * Disable copy logs (I think a better practice is to copy logs
      on demand).
    * Don't run test_create_list_sign_delete_clusters, because it is
      very unstable on the CI.

    Partially-Implements: blueprint swarm-mode-support

    2nd commit message:

    Update to Fedora Atomic 26

    This patch moves the current master to test against Fedora Atomic 26,
    in addition, it switches to downloading from Fedora mirrors.

    2nd-Change-Id: I9a97c0eb78b2c9d10e8be1501babb19e73ee70c1

    3rd commit message:

    Set default iptables FORWARD policy to ACCEPT

    With the release of Docker 1.13 which is available in Fedora
    Atomic 26, it no longer sets the policy of the FORWARD chain
    to ACCEPT[1]. Therefore, CNI networking such as Flannel will
    cease to work.

    This patch sets the policy to ACCEPT so that traffic can work
    once again for deployments which are based on Docker versions
    which are newer than 1.13

    [1]: https://github.com/moby/moby/pull/28257

    3rd-Change-Id: I1457602748619f38f87542fc01a2996ee80e58b7
    Closes-Bug: #1708454

    Co-Authored-By: Mohammed Naser <email address hidden>
    Change-Id: I86d4dcc94fff622be4ee2acc8dd60ed81bc5d433

Changed in magnum:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 5.0.0

This issue was fixed in the openstack/magnum 5.0.0 release.
