Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pod unable to reach itself through a service (unless --cni=true is set) #1568

Closed
arrawatia opened this issue Jun 8, 2017 · 58 comments · Fixed by #1713
Closed

Pod unable to reach itself through a service (unless --cni=true is set) #1568

arrawatia opened this issue Jun 8, 2017 · 58 comments · Fixed by #1713
Assignees
@tstromberg @sharifelgamal
Labels
area/networking networking issues help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug. long-term-support Long-term support issues that can't be fixed in code priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.

Comments

@arrawatia
Copy link

arrawatia commented Jun 8, 2017
edited
Loading

Minikube version (use minikube version):
minikube version: v0.16.0 and k8s version v1.6.4
(But I tried v0.17.1 and v0.19.1 too)
Environment:

  • OS (e.g. from /etc/os-release):
  • VM Driver :
    Virtualbox
  • ISO version :
    minikube-v1.0.6.iso
  • Install tools:
    curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.16.0/minikube-darwin-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/
  • Others:

What happened:
If a pod has a service which points to the pod, the pod cannot reach itself through the service IP. Other pods can reach the service and the pod itself can reach other services. This means all components (especially clustered & distributed systems) which expect to talk to themselves for leader election fail to startup properly.

What you expected to happen:
I expect the pod to be able to reach itself.

How to reproduce it (as minimally and precisely as possible):
It happens with all our services and pods but I can reproduce it with kube-system pods too.

Get service IP : kubectl describe svc kube-dns --namespace kube-system | grep IP:. I get 10.0.0.10
Get endpoint IP: kubectl describe svc kube-dns --namespace kube-system | grep Endpoints. I get 172.17.0.3

Exec into the pod:
kubectl --namespace kube-system exec -it kube-dns-v20-54536 sh

Run the following :
Using the service IP hangs

Name: kubernetes-dashboard.kube-system.svc.cluster.local
Address 1: 10.0.0.212 kubernetes-dashboard.kube-system.svc.cluster.local
/ # nslookup kubernetes-dashboard.kube-system.svc.cluster.local 10.0.0.10
Server: 10.0.0.10
^C

Using the endoint IP works

/ # nslookup kubernetes-dashboard.kube-system.svc.cluster.local 172.17.0.3
Server: 172.17.0.3
Address 1: 172.17.0.3 kube-dns-v20-54536

Name: kubernetes-dashboard.kube-system.svc.cluster.local
Address 1: 10.0.0.212 kubernetes-dashboard.kube-system.svc.cluster.local

Accessing a different service IP works. Using the kubernetes-dashboard IP from the last command
/ # telnet 10.0.0.212 80
get
HTTP/1.1 400 Bad Request
Content-Type: text/plain
Connection: close

400 Bad RequestConnection closed by foreign host

Anything else do we need to know:
minikube v0.17.1 works with K8S 1.5.3
I tried the following and it worked. So, I suspect it has something to do with upgrading minikube to v0.17.1 and K8S to v1.6.4

curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.17.1/minikube-darwin-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/
rm -rf ~/.minikube
minikube start --kubernetes-version 1.5.3 --cpus 4 --memory 6096 --v=8 --logtostderr
@aaron-prindle aaron-prindle added the kind/bug Categorizes issue or PR as related to a bug. label Jun 9, 2017
@ursuad
Copy link

ursuad commented Jun 15, 2017
edited
Loading

It seems it's related to this: kubernetes/kubernetes#19930 and this kubernetes/kubernetes#20475

@ursuad
Copy link

ursuad commented Jun 15, 2017

For me, this helped to fix it kubernetes/kubernetes#20475 (comment)

So you can do:

minikube ssh
sudo ip link set docker0 promisc on

Maybe this fix can be merged directly in minikube so people won;t need to do custom things?

@arrawatia
Copy link
Author

@ursuad It worked for me too (minikube 0.19.1 and k8s v1.6.4). Thanks a lot for your help. :)

@ursuad
Copy link

ursuad commented Jun 20, 2017

@arrawatia No problem, but maybe you should leave this issue open, so we'll have a longer term fix merged in minkube.
This is a bug, and my fix is just a workaround.

@arrawatia arrawatia reopened this Jun 20, 2017
@rajasaur
Copy link

Not sure if there is a page to capture minikube gotchas. @ursuad's suggestion should be there

@yonatane
Copy link

Use Headless Service as a workaround (clusterIP: None). StatefulSets that talk to themselves like Kafka use headless services anyway.
This might still be considered a bug though.

@ursuad
Copy link

ursuad commented Jun 26, 2017
edited
Loading

@kubernetes/sig-minikube

@r2d4
Copy link
Contributor

r2d4 commented Jun 26, 2017

I'll take a look at this

@r2d4 r2d4 self-assigned this Jun 26, 2017
@medyagh
Copy link
Member

medyagh commented Jul 13, 2017

@r2d4 I am pretty sure this is same as this #1690

@medyagh
Copy link
Member

medyagh commented Jul 13, 2017

@arrawatia can you try with minikube with k8s 1.5.1 I am almost certain it will work in 1.5.1
I have that problem ! #1690

@medyagh medyagh mentioned this issue Jul 13, 2017
Closed
r2d4 added a commit to r2d4/minikube that referenced this issue Jul 18, 2017
@r2d4
Use kubenet, add ebtables support
8175c17 
Fixes kubernetes#1568
@r2d4 r2d4 mentioned this issue Jul 18, 2017
Merged
@wstrange
Copy link

wstrange commented Aug 30, 2017
edited
Loading

Seeing this issue on minikube 0.21.0 and kube 1.70 and 1.7.2

The workaround posted by @ursuad seems to solve the issue for me

@r2d4
Copy link
Contributor

r2d4 commented Aug 30, 2017

I'm going to open this up again, since we ended up reverting the kubenet change.

@r2d4 r2d4 reopened this Aug 30, 2017
@r2d4
Copy link
Contributor

r2d4 commented Aug 30, 2017

ref #1742

@wstrange
Copy link

wstrange commented Sep 7, 2017

Just updating the status for minikube 0.22.0 - the issue is still present

@r2d4 r2d4 mentioned this issue Sep 14, 2017
Closed
@minrk minrk mentioned this issue Sep 28, 2017
Closed
@sandeepbhojwani sandeepbhojwani mentioned this issue Oct 9, 2017
Closed
@ursuad ursuad mentioned this issue Oct 24, 2017
Closed
@chancez
Copy link
Member

chancez commented Nov 8, 2017

Still seeing this in minikube v0.23.0

@guilhermeblanco
Copy link

... and v0.24.0...

@manikantag
Copy link

... and v0.24.1

@YassineHk
Copy link

the same problem here 🤦

minikube version: v1.11.0

@medyagh medyagh modified the milestones: v1.12.0, v1.13.0-candidate Jul 8, 2020
@medyagh medyagh mentioned this issue Jul 13, 2020
Closed
@medyagh medyagh modified the milestones: v1.13.0, v1.14.0-candidate Jul 27, 2020
@tstromberg
Copy link
Contributor

Fixing this by default appears to incur a ~30% performance penalty for startup, which makes me quite wary of imposing it on the users who do not care about CNI.

At a minimum though, we should document that it is possible to now say --cni=true to make this work.

@tstromberg tstromberg added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Aug 30, 2020
@tstromberg tstromberg removed this from the v1.13.0 milestone Aug 30, 2020
@tstromberg tstromberg added the long-term-support Long-term support issues that can't be fixed in code label Aug 30, 2020
@tstromberg tstromberg changed the title Pod unable to reach itself through a service (fix via default CNI) Pod unable to reach itself through a service (unless --cni=true is set) Aug 30, 2020
@azhao155
Copy link
Contributor

Have tested this with docker driver, running a service of two pods with simple nginx binary. Able to get response using service dns name ..svc.cluster.local from the pods.
Since docker driver will enable cni by default, so using docker driver won't encounter this issue.

@azhao155
Copy link
Contributor

Also tested on kvm driver, doesn't encounter this issue when ping <service_name>..svc.cluster.local.

@azhao155
Copy link
Contributor

./out/minikube start

create nginx service

kubectl apply -f template/nginx.yaml
kubectl expose deployment my-nginx

ssh into pods

kubectl get pods
Output:
NAMESPACE NAME READY STATUS RESTARTS AGE
default my-nginx-5b56ccd65f-hpktn 1/1 Running 0 45s
default my-nginx-5b56ccd65f-zqc72 1/1 Running 0 45s

kubectl exec -it my-nginx-5b56ccd65f-hpktn -- /bin/bash
curl my-nginx.default.svc.cluster.local

<title>Welcome to nginx!</title> <style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style>

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

@azhao155
Copy link
Contributor

azhao155 commented Nov 22, 2020
edited
Loading

Nginx template:
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-nginx
spec:
selector:
matchLabels:
run: my-nginx
replicas: 2
template:
metadata:
labels:
run: my-nginx
spec:
containers:
- name: my-nginx
image: nginx
ports:
- containerPort: 80

@medyagh
Copy link
Member

medyagh commented Nov 24, 2020

thanks @azhao155 for confirming this issue doesnt happen anymore.

closing please feel free to re-open if still see this problem

@medyagh medyagh closed this as completed Nov 24, 2020
@abrennan89 abrennan89 mentioned this issue Aug 16, 2021
Closed
@belfo
Copy link

belfo commented Jan 17, 2022

@medyagh @azhao155
I'm trying using driver=none but that don't work.
Could you help?

@afbjorklund
Copy link
Collaborator

@belfo : please open a new issue.

@belfo belfo mentioned this issue Jan 18, 2022
Open
@Dan0x54
Copy link

Dan0x54 commented Feb 18, 2022

I'm finding @azhao155's test works when the replicas are set to two but the test fails if I run
kubectl scale deploy/my-nginx --replicas=1 (or set the replicas manually in the YAML). It works if the service is headless. Is this the expected behaviour? I'm using the docker driver btw.

minikube version: v1.24.0
commit: 76b94fb3c4e8ac5062daf70d60cf03ddcc0a741b

This was referenced Apr 16, 2022
Closed
Merged
@chrismatix chrismatix mentioned this issue May 26, 2022
Merged
@pchambre
Copy link

pchambre commented Nov 3, 2022

Still seeing this issue on Minikube 1.27 using hyperkit.

--cni=true set up the CNI, but still did not allow a Pod to connect to itself through a service.

sudo ip link set docker0 promisc in the Minikube VM did fix the behavior.

@jgoeres
Copy link

jgoeres commented Jun 7, 2023

Also seeing this on 1.28 with Hyper-V driver.
The workaround (sudo ip link set docker0 promisc on) fixes it, but is rather inconvenient.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tstromberg tstromberg

@sharifelgamal sharifelgamal

Labels
area/networking networking issues help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug. long-term-support Long-term support issues that can't be fixed in code priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use kubenet, add ebtables support r2d4/minikube