
Totally not working...

cytown opened this issue · 15 comments

cytown commented

My ingress network is, and gw is

Then I run this command:
docker-ingress-routing-daemon --ingress-gateway-ips --install --services proxy_proxy

Next, scale service proxy_proxy to 1, and check, found it still report to access log...

If I run:
docker-ingress-routing-daemon --ingress-gateway-ips --install --services proxy_proxy

It will freeze all docker processes...

Anything wrong? Or is it an issue?

 docker version
Client: Docker Engine - Community
 Version:           23.0.1
 API version:       1.42
 Go version:        go1.19.5
 Git commit:        a5ee5b1
 Built:             Thu Feb  9 19:51:00 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
  Version:          23.0.1
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.5
  Git commit:       bc3805a
  Built:            Thu Feb  9 19:48:42 2023
  OS/Arch:          linux/amd64
  Experimental:     false
  Version:          1.6.18
  GitCommit:        2456e983eb9e37e47538f59ea18f2043c9a73640
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
  Version:          0.19.0
  GitCommit:        de40ad0

Hi @cytown thanks for trying DIRD. Your first command is certainly not correct, as is not an IP that Docker will choose for load balancing. Your second command may be correct, but to confirm this you should run ./docker-ingress-routing-daemon without any arguments on your load balancer node(s) and see what IP(s) are printed.

Also, after that, if you do not use the --preexisting option you must scale down your service to zero and scale it up again after launching DIRD; otherwise you will experience a freeze on traffic to pre-existing containers.

Please let me know if this helps.

Hi @struanb, for your reference, the command without any arguments just return:

Detected ingress subnet and node IP:
- Ingress subnet:
- This node's ingress network IP:

As I mentioned before, if I use in arguments, it will freeze all docker processes...

Ok thanks for confirming, but did you also try --preexisting?

> Also, after that, if you do not use the --preexisting option you must scale down your service to zero and scale it up again after launching DIRD; otherwise you will experience a freeze on traffic to pre-existing containers.

Hi @struanb, yes, specified will freeze everything in docker, even with preexisting argument.

Ok thanks for confirming. I need to know more about your network now. Please forgive the large number of questions. They're essential to understanding your setup.

How many nodes are in your swarm? Please provide names (or pseudonyms) and ingress network IP for each, so we can refer to these nodes.

Which nodes are your service containers running on? Just the node with the IP, or any others?

What services are you running apart from proxy_proxy? If any, do any of these services also publish on any ports?

Are you experiencing the freeze only on the proxy_proxy service or on any other services?

Please note, if you have more than one node, then you need to run DIRD on every node (at least those running your service containers).

Also if you are accessing your service through more than one load balancer node, you also need to run DIRD on all those nodes too, and the command line you run should reflect the IPs of all load balancer nodes (not just consistently.

Looking forward to your response.

> How many nodes are in your swarm? Please provide names (or pseudonyms) and ingress network IP for each, so we can refer to these nodes.

only 1 node:

# docker node ls
2aywbykgaaou2cwgcg3talej1 *   xxxxx      Ready     Active         Leader           23.0.1

> Which nodes are your service containers running on? Just the node with the IP, or any others?

> What services are you running apart from proxy_proxy? If any, do any of these services also publish on any ports?

I have portainer swarm installed, the version is: portainer/portainer-ce:2.17.1 & portainer/agent:2.17.1, and postgresql, redis, pgadmin.

> Are you experiencing the freeze only on the proxy_proxy service or on any other services?

portainer and pgadmin were frozen, others not tested.

Please check the above answers.

@struanb any progress???

Apologies @cytown, I didn't receive GitHub's alert to your earlier comment, only this last one.

Can you try adding the --tcp-ports <ports> argument to the DIRD command line, replacing <ports> with the port(s) published by the proxy_proxy service.

If that doesn't help, please also supply the full list of ports published by your services, i.e. the output of docker service ls and docker ps, as this is detail I'm still missing in understanding your setup.


@struanb Thank you so much for this, it really works!!! Adding the tcp-ports argument did send the real IP to the service without affecting other services.

Thanks again for such a great project.

That's great news! I'm very glad we've been able to sort this.

It seems the documentation is in definite need of update to clarify the need for these extra arguments in heterogeneous setups like yours. I'm going to leave this issue open for now until that update is done.

I've updated the language in the README, which I hope you agree is clearer about the whitelisting options, and will now close this issue.

@struanb Found another issue:(

When I use more than one node, the load balance seems freeze or broken, only the node which point to will work.

It means: is the ingress ip of each node, the proxy service running on and, the firewall directed all http request to, when I make and running:

docker-ingress-routing-daemon --ingress-gateway-ips 10.0.0.x --install --services gly-proxy_proxy --tcp-ports 80,443 --preexisting

Then the ingress load balancer seems wrong, and when I visit the url, it will freeze all traffic to, and works fine for

If I visit, the balancer will work just fine, but the client ip will be

Any idea for this???

It looks like there's an x in your IP list.

Based on the ingress IPs you've listed, I think you should probably be running the following command, and please make sure you run it on every node:

docker-ingress-routing-daemon --ingress-gateway-ips,,,, --install --services gly-proxy_proxy --tcp-ports 80,443 --preexisting

(You may need to run docker-ingress-routing-daemon --uninstall first).
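
A pre-flight check for the `--ingress-gateway-ips` value discussed in this thread, as an added example that is not part of the original thread or of DIRD. It rejects placeholder entries such as `10.0.0.x`, empty fields, duplicates, and addresses outside the ingress subnet. The function names are hypothetical, and `10.0.0.0/24` is a constructed stand-in for the subnet the daemon prints when run without arguments.

```shell
#!/bin/sh
# Added example (not DIRD code): validate a --ingress-gateway-ips list before
# running the daemon. All function names are hypothetical.

# Succeed only for a dotted quad with octets 0-255 and no leading zeros.
valid_ipv4() (
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
)

# Print a validated IPv4 address as a 32-bit integer.
ip_to_int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_subnet IP CIDR: succeed if IP lies inside CIDR (e.g. 10.0.0.0/24).
in_subnet() {
    mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "${2%/*}") & $mask )) ]
}

# check_gateway_ips LIST CIDR: print one line per problem found in the
# comma-separated LIST; exit status is 0 only when the list is clean.
check_gateway_ips() (
    list=$1 subnet=$2 seen=, status=0
    case "$list" in ""|,*|*,|*,,*) echo "empty entry in '$list'"; exit 1 ;; esac
    set -f; IFS=,
    for ip in $list; do
        if ! valid_ipv4 "$ip"; then
            echo "not an IPv4 address: $ip"; status=1
        elif ! in_subnet "$ip" "$subnet"; then
            echo "outside ingress subnet $subnet: $ip"; status=1
        fi
        case "$seen" in *",$ip,"*) echo "listed twice: $ip"; status=1 ;; esac
        seen="$seen$ip,"
    done
    exit "$status"
)

# Constructed sample values; 10.0.0.0/24 stands in for the ingress subnet
# that the daemon prints when run without arguments.
check_gateway_ips "10.0.0.x" "10.0.0.0/24" || true
check_gateway_ips "10.0.0.2,10.0.0.3" "10.0.0.0/24" && echo "list ok"
```

Running the same check with the same list on every node before `--install` keeps the value consistent across the swarm.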

I have tried this command for, and still the same issue, and direct visit will balance to 2 and 3 with visit ip as

I doubt running the command for 5-6 will help...

Anyway, I will try this later.

It works like a charm!!! Thank you.