On 03/31/2016 06:43 PM, Peter Steele wrote: > I've created an EC2 AMI for AWS that essentially represents a CentOS > 7 "hypervisor" image. I deploy instances of these in AWS and create > an number of libvirt based lxc containers on each of these instances. > The containers run fine within a single host and have no problem > communicating with themselves as well as with their host, and vice > versa. However, containers hosted in one EC2 instance cannot > communicate with containers hosted in another EC2 instance. > > We've tried various tweaks with our Amazon VPC but have been unable > to find a way to solve this networking issue. If I use something like > VMware or KVM and create VMs using this same hypervisor image, the > containers running under these VMs can communicate with with each > other, even across different hosts. What is the <interface> config of your nested containers? Do they each get a public IP address?

> > My real question is has anyone tried deploying EC2 images that host > containers and have figured out how to successfully communicate > between containers on different hosts? > No experience with EC2, sorry.

You say they can talk among containers on the same host, and with their own host (I guess you mean the virtual machine that is hosting the containers), but not to containers on another host. Can the containers communicate outside of the host at all? If not, perhaps the problem is iptables rules for the bridge device the containers are using - try running this command: sysctl net.bridge.bridge-nf-call-iptables If that returns: net.bridge.bridge-nf-call-iptables = 1 then run this command and see if the containers can now communicate with the outside: sysctl -w net.bridge.bridge-nf-call-iptables=0

Well, if they've allowed your virtual machine to acquire multiple IP addresses, then it would make sense that they would allow them to actually use those IP addresses. I'm actually more inclined to think that the packets simply aren't getting out of the virtual machine (or the responses aren't getting back in).

Interesting. That functionality was moved out of the kernel's bridge module into br_netfilter some time back, but that was done later than the kernel 3.10 that is used by CentOS 7. Are you running some later kernel version? If your kernel doesn't have a message in dmesg that looks like this: bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this. and the bridge driver is loaded, then that key should be available. Of course if you don't have it, that's equivalent to having it set to 0, so you should be okay regardless of why it's missing.

I wouldn't be too quick to judgement. First take a look at tcpdump on the bridge interface that the containers are attached to, and on the ethernet device that connects the bridge to the rest of Amazon's infrastructure. If you see packets from the container's IP going out but not coming back in, check the iptables rules (again - firewalld uses iptables to setup its filtering) for a REJECT or DISCARD rule that has an incrementing count. I use something like this to narrow down the list I need to check: while true; do iptables -v -S -Z | grep -v '^Zeroing' | grep -v "c 0 0" | grep -e '-c'; echo '**************'; sleep 1; If you don't see any REJECT or DISCARD rules being triggered, then maybe the problem is that AWS is providing an IP address to your container's MAC, but isn't actually allowing traffic from that MAC out onto the network.

On 04/12/2016 01:37 PM, Peter Steele wrote: > On 04/11/2016 11:33 AM, Laine Stump wrote: I wouldn't be too quick to > judgement. First take a look at tcpdump on the bridge interface that > the containers are attached to, and on the ethernet device that > connects the bridge to the rest of Amazon's infrastructure. If you > see packets from the container's IP going out but not coming back in, > check the iptables rules (again - firewalld uses iptables to setup > its filtering) for a REJECT or DISCARD rule that has an incrementing > count. I use something like this to narrow down the list I need to > check: >> >> while true; do iptables -v -S -Z | grep -v '^Zeroing' | grep -v "c 0 >> 0" | grep -e '-c'; echo '**************'; sleep 1; >> >> If you don't see any REJECT or DISCARD rules being triggered, then >> maybe the problem is that AWS is providing an IP address to your >> container's MAC, but isn't actually allowing traffic from that MAC >> out onto the network. >> > I'll get this test setup. Unfortunately I'm not particularly > knowledgeable with iptables; we don't use it in our product so I've > never had to deal with it. I think you are right though about what's > happening--AWS doesn't recognize the MAC addresses for containers > running under another instance. > I did this test and there were no REJECT or DISCARD rules being triggered. I did discover something interesting though. I had two AWS instances running with some libvirt containers on each. I did a ping from one AWS instance to an IP assigned to a container on another AWS instance. The ping failed, and when I checked the source host's arp table the mac address that was recorded for the container being pinged was that of the container's host instance's br0 interface, not the mac address of the container's eth0 interface. Doing the same test on premise using KVM based instances, when a ping was run from one VM to a container hosted on another VM, the arp table of the source VM contained the mac address of the eth0 interface bound to the container, not the mac address of its host VM. This indicates to me that AWS thinks all of the IP addresses that have been allocated to an instance will be bound to that instance and it doesn't try to go any further than that. I'm not exactly sure how to get AWS to route these addresses properly, but it doesn't seem to be an issue with libvirt per se. Peter