Validating overlay network when docker swarm running on Centos VMs on vSphere

I got a chance to revisit my docker swarm deployment this week after a bit of a break. I was a little curious about my setup because when I spoke to some of our 'Project Hatchway' engineers, I was told that I should be able to launch a single instance of Nginx in Docker Swarm ("docker service create --replicas 1 -p 8080:80 --name web nginx") and then access the web service from any swarm node with the following command: "curl 127.0.0.1:8080". This was not what I was seeing. When I launched the Nginx service, the curl command was successful on the container host where the service was running, but on every other host/node in the swarm cluster I got a "Failed connect/connection refused". So why wasn't it working?

Eventually I traced it to yet another firewall issue on the container hosts/swarm nodes (using Centos 7). It seems that the overlay network needed some ports opened to work as well. These are the ports that I figured out needed to be opened on the firewall of my swarm nodes:

  • 7946/tcp – port for "control plane" discovery communication
  • 7946/udp – port for "control plane" discovery communication
  • 4789/udp – port for "data plane" overlay network traffic

I used the following command on Centos 7 to modify the firewall:

[root@centos-swarm-master ~]# firewall-cmd --zone=public --add-port=7946/tcp --permanent
[root@centos-swarm-master ~]# firewall-cmd --zone=public --add-port=7946/udp --permanent
[root@centos-swarm-master ~]# firewall-cmd --zone=public --add-port=4789/udp --permanent
[root@centos-swarm-master ~]# firewall-cmd --reload

To verify that the changes took place, I used the following command:

[root@centos-swarm-master ~]# firewall-cmd --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: ens192
 sources:
 services: dhcpv6-client ssh
 ports: 2379/tcp 4789/udp 2377/tcp 7946/udp 7946/tcp 2380/tcp
 protocols:
 masquerade: no
 forward-ports:
 sourceports:
 icmp-blocks:
 rich rules:
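To make the verification step above repeatable, here is an added example (not part of the original post) that reads a `firewall-cmd --list-all` dump, reports which of the Swarm ports are still missing from the "ports:" line, and prints the `firewall-cmd` lines that would open them. The port list is the three from the post plus 2377/tcp, the Swarm cluster management port that appears in the post's output; the zone name "public" and the sample dumps are assumed/constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a firewalld zone dump
# for the ports Docker Swarm needs between nodes.
#
# Port list assumed from the post (7946/tcp, 7946/udp, 4789/udp) plus
# 2377/tcp, the Swarm management port visible in the post's output.
SWARM_PORTS="2377/tcp 7946/tcp 7946/udp 4789/udp"

# missing_swarm_ports: reads a "firewall-cmd --list-all" dump on stdin and
# prints, one per line, the required ports absent from its "ports:" line.
# Prints nothing when every required port is already open.
missing_swarm_ports() {
    # Split each line on ": " and keep only the value of the "ports" key
    # (this does not match "sourceports" or "forward-ports").
    open=$(awk -F': *' '$1 ~ /^ *ports$/ {print $2}')
    for p in $SWARM_PORTS; do
        case " $open " in
            *" $p "*) ;;                 # already open
            *) printf '%s\n' "$p" ;;     # missing
        esac
    done
}

# remediation_commands: given missing ports as arguments, prints the
# firewall-cmd lines that would open them (zone "public" is assumed, as in
# the post) followed by the reload that makes the permanent rules active.
remediation_commands() {
    n=0
    for p in "$@"; do
        printf 'firewall-cmd --zone=public --add-port=%s --permanent\n' "$p"
        n=$((n + 1))
    done
    if [ "$n" -gt 0 ]; then
        echo 'firewall-cmd --reload'
    fi
}

# Constructed sample dump: a node where only the Swarm management port and
# the etcd ports have been opened, as it might look before the fix.
SAMPLE_BEFORE='public (active)
 target: default
 interfaces: ens192
 services: dhcpv6-client ssh
 ports: 2379/tcp 2377/tcp 2380/tcp
 sourceports:
 masquerade: no'

# Constructed sample dump: the same node after the overlay ports were added.
SAMPLE_AFTER='public (active)
 target: default
 interfaces: ens192
 services: dhcpv6-client ssh
 ports: 2379/tcp 4789/udp 2377/tcp 7946/udp 7946/tcp 2380/tcp
 sourceports:
 masquerade: no'

# Stand-alone usage: audit the "before" sample and print what would fix it.
# On a real node, replace the printf with: firewall-cmd --list-all
missing=$(printf '%s\n' "$SAMPLE_BEFORE" | missing_swarm_ports)
if [ -n "$missing" ]; then
    echo "Missing Swarm ports:"
    printf '  %s\n' $missing
    echo "Suggested fix:"
    # unquoted on purpose so each port becomes its own argument
    remediation_commands $missing
else
    echo "All Swarm ports are open."
fi
```

On a live Centos 7 node, pipe the real dump in with `firewall-cmd --list-all | missing_swarm_ports`; the check only reads the zone's port list, so it is safe to run on every node of the cluster before retrying the curl test.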

The other ports in that list relate to Swarm itself (discussed here) and to etcd, which vFile uses (I haven't yet blogged about vFile; watch this space). With these ports opened, the docker overlay network can communicate between Swarm nodes. Now if I launch a single replica for the Nginx web service and retry the curl test on different nodes, let's see what happens:

[root@centos-swarm-master ~]# docker service ls
 ID           NAME                 MODE       REPLICAS IMAGE                PORTS
 rxspku5i98cc vFileServerSharedVol replicated 1/1      luomiao/samba-debian *:30000->445/tcp

[root@centos-swarm-master ~]# docker service create --replicas 1 -p 8080:80 --name web nginx
 xvtzr79sb0fdut85yssxd7z1n
 overall progress: 1 out of 1 tasks
 1/1: running [==================================================>]
 verify: Service converged
 
[root@centos-swarm-master ~]# docker service ls
 ID           NAME                 MODE       REPLICAS IMAGE                PORTS
 rxspku5i98cc vFileServerSharedVol replicated 1/1      luomiao/samba-debian *:30000->445/tcp
 xvtzr79sb0fd web                  replicated 1/1      nginx:latest         *:8080->80/tcp

[root@centos-swarm-master ~]# curl 127.0.0.1:8080
 <!DOCTYPE html>
 <html>
 <head>
 <title>Welcome to nginx!</title>
 <style>
  body {
  width: 35em;
  margin: 0 auto;
  font-family: Tahoma, Verdana, Arial, sans-serif;
  }
 </style>
 </head>
 <body>
 <h1>Welcome to nginx!</h1>
 <p>If you see this page, the nginx web server is successfully installed and
 working. Further configuration is required.</p>

<p>For online documentation and support please refer to
 <a href="http://nginx.org/">nginx.org</a>.<br/>
 Commercial support is available at
 <a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
 </body>
 </html>
 [root@centos-swarm-master ~]#

Let’s switch to a worker node, and retry the same test.

[root@centos-swarm-w1 ~]# curl 127.0.0.1:8080
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
 body {
 width: 35em;
 margin: 0 auto;
 font-family: Tahoma, Verdana, Arial, sans-serif;
 }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@centos-swarm-w1 ~]#

Success! Now that my overlay network is working successfully, I can reach a single instance of a service working on docker swarm from any of the nodes in the cluster.