moby: Docker Swarm on Windows 2019 ingress routing not working on some systems
Description
I create a simple stack to run IIS. It is not reachable through ingress routing on my VM, either via localhost or from a remote machine.
Steps to reproduce the issue: Deploy the following stack:
version: '3.3'
networks:
  mynet:
    driver: overlay
    attachable: true
services:
  iis:
    image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
    networks:
      - mynet
    ports:
      - "8000:80"
Then:
docker stack deploy -c .\iis.yml iis
Describe the results you received: From another machine try to access port 8000 -> fails with unable to connect
Describe the results you expected: Able to connect to IIS on port 8000.
Additional information you deem important (e.g. issue happens only occasionally): This same testcase works on two other environments I have tried:
- Windows 2019 running under vmware
- Windows 2019 running under VirtualBox
This VM runs under KVM. Whether that is the reason I am not sure.
Also, if I just run the IIS container not in the Swarm so it uses the NAT network it works:
docker run -p 8000:80 mcr.microsoft.com/windows/servercore/iis
Thus, it does not appear to be firewall related (and firewall is disabled on this box).
Looking for next steps or diagnostics to understand what is going wrong.
Also – is it a documented limitation on Windows that ingress routing is not accessible via localhost on a Swarm node? Means I cannot run a Docker registry in the Swarm and access it via localhost on Swarm nodes – it works on Linux.
Output of docker version:
Client:
Version: 18.09.3
API version: 1.39
Go version: go1.10.8
Git commit: 142dfcedca
Built: 02/28/2019 06:33:17
OS/Arch: windows/amd64
Experimental: false
Server:
Engine:
Version: 18.09.3
API version: 1.39 (minimum version 1.24)
Go version: go1.10.8
Git commit: 142dfcedca
Built: 02/28/2019 06:31:15
OS/Arch: windows/amd64
Experimental: false
Output of docker info:
Containers: 3
Running: 1
Paused: 0
Stopped: 2
Images: 4
Server Version: 18.09.3
Storage Driver: windowsfilter
Windows:
Logging Driver: json-file
Plugins:
Volume: local
Network: ics l2bridge l2tunnel nat null overlay transparent
Log: awslogs etwlogs fluentd gelf json-file local logentries splunk syslog
Swarm: active
NodeID: 63hma7e6j05oufpra909ami07
Is Manager: true
ClusterID: ljqnmsarwwujbmtnevq2xbb6l
Managers: 3
Nodes: 3
Default Address Pool: 10.0.0.0/8
SubnetSize: 24
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot Interval: 10000
Number of Old Snapshots to Retain: 0
Heartbeat Tick: 1
Election Tick: 10
Dispatcher:
Heartbeat Period: 5 seconds
CA Configuration:
Expiry Duration: 3 months
Force Rotate: 0
Autolock Managers: false
Root Rotation In Progress: false
Node Address: 9.28.238.149
Manager Addresses:
9.28.238.142:2377
9.28.238.144:2377
9.28.238.149:2377
Default Isolation: process
Kernel Version: 10.0 17763 (17763.1.amd64fre.rs5_release.180914-1434)
Operating System: Windows Server 2019 Datacenter Version 1809 (OS Build 17763.316)
OSType: windows
Architecture: x86_64
CPUs: 8
Total Memory: 12GiB
Name: octopus1
ID: 6MCE:SRL5:J2UB:3SD4:VFGD:SDHZ:QRCG:HZND:EDZQ:WBKT:ANEH:T3VO
Docker Root Dir: C:\ProgramData\docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Additional environment details (AWS, VirtualBox, physical, etc.):
About this issue
- State: closed
- Created 5 years ago
- Reactions: 3
- Comments: 25 (4 by maintainers)
@bjork-dev I don’t know about Windows Server 2022. But Microsoft has really dropped the ball on anything Docker related. Any sort of enterprise support now goes straight through Mirantis, so probably with some paid support one can get some better support.
@FrankAtHexagon unfortunately Microsoft looks to be constantly breaking swarm compatibility. Last known good state is Win 2019 with https://support.microsoft.com/en-us/topic/october-20-2020-kb4580390-os-build-17763-1554-preview-ac4799c9-838f-8665-a968-0f19b6cb1049
Look at https://github.com/moby/moby/issues/40998 and https://github.com/moby/moby/issues/41354
Windows Server 2019 running Docker/Swarm, ingress network was working fine until this was installed:
2020-05 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB4551853)
This broke something with the ingress network such that no traffic could enter through any exposed/published ports.
Uninstalling this update made it all work again.
How to customize the ingress network: https://docs.docker.com/network/overlay/#customize-the-default-ingress-network
See also: https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/advanced#bind-a-network-to-a-specific-network-interface
First I did ‘docker network inspect ingress’ to see the subnet/gateway settings. Then remove it and recreate. Here is an example using the com.docker.network.windowsshim.interface option to specify the interface:
Also, the network configuration is used on all nodes, so better hope you have the same named NIC everywhere.
You have to restart the Docker service for this to take effect.
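The procedure described in the comment above, as an added PowerShell example (not the commenter's original command): it keeps the existing subnet and gateway, recreates the ingress network with the com.docker.network.windowsshim.interface option, and restarts Docker. The parameter names `$InterfaceName` and `$NetworkName` are assumptions of this example; run it on a swarm manager.

```powershell
# Added example, not from the original thread.
param(
    [Parameter(Mandatory)] [string]$InterfaceName,  # assumption: NIC name, identical on every node
    [string]$NetworkName = 'ingress'
)

# Stop early if the adapter name does not exist on this node.
if (-not (Get-NetAdapter -Name $InterfaceName -ErrorAction SilentlyContinue)) {
    throw "No network adapter named '$InterfaceName' on $env:COMPUTERNAME"
}

# Docker's overlay documentation requires removing services that publish ports first.
$published = docker service ls --format '{{.Name}} {{.Ports}}' | Where-Object { $_ -match '->' }
if ($published) {
    throw "Remove these services before recreating ${NetworkName}: $($published -join ', ')"
}

# Record the current subnet and gateway so the new network keeps the same addressing.
$subnet  = docker network inspect $NetworkName --format '{{range .IPAM.Config}}{{.Subnet}}{{end}}'
$gateway = docker network inspect $NetworkName --format '{{range .IPAM.Config}}{{.Gateway}}{{end}}'
if ($LASTEXITCODE -ne 0 -or -not $subnet -or -not $gateway) {
    throw "Could not read subnet/gateway from network '$NetworkName'"
}

# Remove the network (docker asks for confirmation), then recreate it bound to the NIC.
docker network rm $NetworkName
if ($LASTEXITCODE -ne 0) { throw "Failed to remove '$NetworkName'" }

docker network create --driver overlay --ingress `
    --subnet $subnet --gateway $gateway `
    --opt "com.docker.network.windowsshim.interface=$InterfaceName" `
    $NetworkName
if ($LASTEXITCODE -ne 0) { throw "Failed to create '$NetworkName'" }

# Per the comment above, the change takes effect only after the Docker service restarts.
Restart-Service docker
```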