I've managed to get the new AutoInstall method up and running, with MAAS and Docker running, but I've noticed an odd routing problem.
To start off with, I have two VLANs:
VLAN10: workstation traffic
IP space: 10.10.0.0/24
VLAN20: node traffic
IP space: 10.20.0.0/24
I'll explain the problem with three systems:
Workstation:
eth0 interface: 10.10.0.11
Server:
bond0 interface is the parent to:
vlan10 interface: 10.10.0.2
vlan20 interface: 10.20.0.1
Node:
eno1 interface: 10.20.0.3
eno1.10 interface: 10.10.0.22 (DHCP assigned from a server in VLAN10)
I am able to ping back and forth between the workstation and the server.
I am able to ping back and forth between the server and the node.
I am able to ping back and forth between the workstation and the 10.10.0.22 address on the node.
I am **not** able to ping back and forth between the workstation and the 10.20.0.3 address on the node.
The routing table on the server is straightforward:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.10.0.1 0.0.0.0 UG 100 0 0 vlan10
10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan10
10.10.0.1 0.0.0.0 255.255.255.255 UH 100 0 0 vlan10
10.20.0.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan20
--- cut docker rules out ---
The routing tables on the nodes are also straightforward:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.10.0.1 0.0.0.0 UG 100 0 0 eno1.10
10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1.10
10.10.0.1 0.0.0.0 255.255.255.255 UH 100 0 0 eno1.10
10.20.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1
--- cut docker rules out ---
The routing table on the workstation currently has a manual entry for 10.10.0.0/24 gw 10.10.0.2.
I have checked and:
cat /proc/sys/net/ipv4/ip_forward
1
I run tcpdump -i bond0 icmp on the server and:
Pinging from the workstation to the node, I see the ICMP packets from 10.10.0.11 coming in, but nothing else.
Pinging from the node to the workstation, I see the ICMP packets from 10.20.0.3 coming in, but nothing else.
I think it's something on the server; the iptables rules set up by Docker don't seem to be blocking it:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
I'm missing something, I just have no idea what.
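Added example, not part of the original post: a longest-prefix-match route lookup run over the server and node routing tables exactly as posted (Docker routes omitted, as in the post), plus the single manual route the post mentions for the workstation. It shows which interface each host picks for the addresses involved, i.e. which `-i`/`-o` pair the server's FORWARD chain has to accept for the workstation-to-node ping, and that the node's own route back to 10.10.0.11 leaves via eno1.10, not via the server. The tie-break on equal prefix length by lowest metric, and the use of the route back to the source as the expected ingress interface, are assumptions of this example that mirror Linux behaviour.

```python
"""Route-lookup walk over the routing tables posted above (added example).

The SERVER and NODE tables are copied from the post. WORKSTATION holds only the
one manual entry the post mentions; its default route is not given in the post,
so a lookup that misses that entry returns None ("decided by whatever default
route the workstation has").
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Tables as posted (route -n format: Destination Gateway Genmask Flags Metric Ref Use Iface)
SERVER_TABLE = """
0.0.0.0 10.10.0.1 0.0.0.0 UG 100 0 0 vlan10
10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan10
10.10.0.1 0.0.0.0 255.255.255.255 UH 100 0 0 vlan10
10.20.0.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan20
"""
NODE_TABLE = """
0.0.0.0 10.10.0.1 0.0.0.0 UG 100 0 0 eno1.10
10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1.10
10.10.0.1 0.0.0.0 255.255.255.255 UH 100 0 0 eno1.10
10.20.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1
"""
# Constructed from the one sentence in the post; interface name eth0 is from the post.
WORKSTATION_TABLE = """
10.10.0.0 10.10.0.2 255.255.255.0 UG 0 0 0 eth0
"""


def parse_route_table(text: str) -> List[Dict]:
    """Parse `route -n` style rows into networks, gateways, metrics and interfaces."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = fields
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": ipaddress.ip_address(gw) if "G" in flags else None,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes: List[Dict], dst: str) -> Optional[Dict]:
    """Longest-prefix match; on equal prefix length the lowest metric wins (assumption)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def forward_view(routes: List[Dict], src: str, dst: str) -> Tuple[Optional[str], Optional[str]]:
    """The (-i, -o) interface pair a router's FORWARD chain sees for a src->dst packet.

    The ingress side is taken as the interface the router would use to reach src,
    which is also the reverse-path check rp_filter applies (assumption of this model).
    """
    rin, rout = lookup(routes, src), lookup(routes, dst)
    return (rin["iface"] if rin else None, rout["iface"] if rout else None)


SERVER = parse_route_table(SERVER_TABLE)
NODE = parse_route_table(NODE_TABLE)
WORKSTATION = parse_route_table(WORKSTATION_TABLE)


def describe(label: str, routes: List[Dict], dst: str) -> str:
    r = lookup(routes, dst)
    if r is None:
        return f"{label}: {dst} -> no matching entry in the posted routes"
    via = f"via {r['gateway']}" if r["gateway"] else "directly connected"
    return f"{label}: {dst} -> {r['iface']} ({via}, matched {r['net']})"


if __name__ == "__main__":
    print(describe("workstation", WORKSTATION, "10.20.0.3"))
    print(describe("server", SERVER, "10.20.0.3"))
    print("server FORWARD sees (-i, -o) =", forward_view(SERVER, "10.10.0.11", "10.20.0.3"))
    print(describe("node", NODE, "10.10.0.11"))
    print("node reply to the workstation leaves via", lookup(NODE, "10.10.0.11")["iface"])
```

Two things fall out of the walk. First, the 10.10.0.11 to 10.20.0.3 ping must traverse the server's FORWARD chain as `-i vlan10 -o vlan20`; the posted `iptables -L` output was taken without `-v`, which hides the `-i`/`-o` interface matches on Docker's ACCEPT and DROP rules, so it cannot show whether any rule before the DROP policy covers that pair. `iptables -L FORWARD -v -n --line-numbers` shows the interfaces and per-rule packet counters. Second, the node's route back to 10.10.0.11 is the directly connected 10.10.0.0/24 on eno1.10, so its replies do not return through the server's vlan20 side at all.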