I launched the coreos-vagrant system image and a container with Nginx. Why does Nginx get the IP of the gateway and not the real IP of the client?

Example of Nginx log:

    172.17.8.1 - - [17/Aug/2016:09:18:25 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36" "-"

At the same time, on my home Ubuntu the IP addresses are displayed correctly.

I tried running with different flags, --iptables=false and --userland-proxy=false. I compared the Docker network settings on Ubuntu and CoreOS and did not notice any differences.

P.S. I understand that in CoreOS requests to the container go through the default gateway, which changes the address of the sender. Now the question is: what should be corrected in the routing rules so that this does not happen?

P.S. Added information from tcpdump and ip route show table main. A more complete description: https://gist.github.com/batazor/3d1695645b0c9abb7649b1281cbf4f7f

ip route show table main

CoreOS

    default via 10.0.2.2 dev eth0 proto dhcp src 10.0.2.15 metric 1024
    10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15
    10.0.2.2 dev eth0 proto dhcp scope link src 10.0.2.15 metric 1024
    172.17.8.0/24 dev eth1 proto kernel scope link src 172.17.8.101
    172.18.0.0/16 dev docker0 proto kernel scope link src 172.18.0.1

Nginx container

    default via 172.18.0.1 dev eth0
    172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.3

TCPdump

ping from CoreOS to Nginx Container

    14:18:08.984025 IP 172.18.0.1 > 73440c96b5d9: ICMP echo request, id 20328, seq 1, length 64
    14:18:08.984049 IP 73440c96b5d9 > 172.18.0.1: ICMP echo reply, id 20328, seq 1, length 64

From the Ubuntu host curl ip_virtualbox_coreos:ip_nginx

tcpdump -i eth1

    13:58:15.165408 IP 172.17.8.1.46004 > core-01.ddi-tcp-1: Flags [S], seq 2732400208, win 29200, options [mss 1460,sackOK,TS val 10312063 ecr 0,nop,wscale 7], length 0
    13:58:15.165564 IP core-01.ddi-tcp-1 > 172.17.8.1.46004: Flags [S.], seq 3456357314, ack 2732400209, win 28960, options [mss 1460,sackOK,TS val 5941835 ecr 10312063,nop,wscale 7], length 0
    13:58:15.165902 IP 172.17.8.1.46004 > core-01.ddi-tcp-1: Flags [.], ack 1, win 229, options [nop,nop,TS val 10312063 ecr 5941835], length 0
    13:58:15.166046 IP 172.17.8.1.46004 > core-01.ddi-tcp-1: Flags [P.], seq 1:82, ack 1, win 229, options [nop,nop,TS val 10312063 ecr 5941835], length 81
    13:58:15.166071 IP core-01.ddi-tcp-1 > 172.17.8.1.46004: Flags [.], ack 82, win 227, options [nop,nop,TS val 5941836 ecr 10312063], length 0
    13:58:15.166218 IP core-01.ddi-tcp-1 > 172.17.8.1.46004: Flags [P.], seq 1:239, ack 82, win 227, options [nop,nop,TS val 5941836 ecr 10312063], length 238
    13:58:15.166264 IP core-01.ddi-tcp-1 > 172.17.8.1.46004: Flags [P.], seq 239:851, ack 82, win 227, options [nop,nop,TS val 5941836 ecr 10312063], length 612
    13:58:15.166558 IP 172.17.8.1.46004 > core-01.ddi-tcp-1: Flags [.], ack 239, win 237, options [nop,nop,TS val 10312064 ecr 5941836], length 0
    13:58:15.166570 IP 172.17.8.1.46004 > core-01.ddi-tcp-1: Flags [.], ack 851, win 247, options [nop,nop,TS val 10312064 ecr 5941836], length 0

tcpdump -i docker0

    13:57:36.192668 IP 172.17.8.1.45990 > 172.18.0.3.http: Flags [S], seq 2796265064, win 29200, options [mss 1460,sackOK,TS val 10302320 ecr 0,nop,wscale 7], length 0
    13:57:36.192763 IP 172.18.0.3.http > 172.17.8.1.45990: Flags [S.], seq 1432538445, ack 2796265065, win 28960, options [mss 1460,sackOK,TS val 5902862 ecr 10302320,nop,wscale 7], length 0
    13:57:36.193383 IP 172.17.8.1.45990 > 172.18.0.3.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 10302320 ecr 5902862], length 0
    13:57:36.193730 IP 172.17.8.1.45990 > 172.18.0.3.http: Flags [P.], seq 1:82, ack 1, win 229, options [nop,nop,TS val 10302320 ecr 5902862], length 81: HTTP: GET / HTTP/1.1
    13:57:36.193748 IP 172.18.0.3.http > 172.17.8.1.45990: Flags [.], ack 82, win 227, options [nop,nop,TS val 5902863 ecr 10302320], length 0
    13:57:36.193897 IP 172.18.0.3.http > 172.17.8.1.45990: Flags [P.], seq 1:239, ack 82, win 227, options [nop,nop,TS val 5902864 ecr 10302320], length 238: HTTP: HTTP/1.1 200 OK
    13:57:36.194087 IP 172.17.8.1.45990 > 172.18.0.3.http: Flags [.], ack 239, win 237, options [nop,nop,TS val 10302321 ecr 5902864], length 0
    13:57:36.194100 IP 172.18.0.3.http > 172.17.8.1.45990: Flags [P.], seq 239:851, ack 82, win 227, options [nop,nop,TS val 5902864 ecr 10302321], length 612: HTTP
    13:57:36.195635 IP 172.17.8.1.45990 > 172.18.0.3.http: Flags [.], ack 851, win 247, options [nop,nop,TS val 10302321 ecr 5902864], length 0
    13:57:36.195869 IP 172.17.8.1.45990 > 172.18.0.3.http: Flags [F.], seq 82, ack 851, win 247, options [nop,nop,TS val 10302321 ecr 5902864], length 0
    13:57:36.195914 IP 172.18.0.3.http > 172.17.8.1.45990: Flags [F.], seq 851, ack 83, win 227, options [nop,nop,TS val 5902866 ecr 10302321], length 0
    13:57:36.196099 IP 172.17.8.1.45990 > 172.18.0.3.http: Flags [.], ack 852, win 247, options [nop,nop,TS val 10302321 ecr 5902866], length 0

From Nginx Container tcpdump -i eth0

    14:00:05.379097 IP 172.17.8.1.46016 > 73440c96b5d9.http: Flags [S], seq 1048090505, win 29200, options [mss 1460,sackOK,TS val 10339617 ecr 0,nop,wscale 7], length 0
    14:00:05.379167 IP 73440c96b5d9.http > 172.17.8.1.46016: Flags [S.], seq 3922645363, ack 1048090506, win 28960, options [mss 1460,sackOK,TS val 6052049 ecr 10339617,nop,wscale 7], length 0
    14:00:05.379658 IP 172.17.8.1.46016 > 73440c96b5d9.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 10339617 ecr 6052049], length 0
    14:00:05.379664 IP 172.17.8.1.46016 > 73440c96b5d9.http: Flags [P.], seq 1:82, ack 1, win 229, options [nop,nop,TS val 10339617 ecr 6052049], length 81
    14:00:05.379711 IP 73440c96b5d9.http > 172.17.8.1.46016: Flags [.], ack 82, win 227, options [nop,nop,TS val 6052049 ecr 10339617], length 0
    14:00:05.380200 IP 73440c96b5d9.http > 172.17.8.1.46016: Flags [P.], seq 1:239, ack 82, win 227, options [nop,nop,TS val 6052050 ecr 10339617], length 238
    14:00:05.380265 IP 73440c96b5d9.http > 172.17.8.1.46016: Flags [P.], seq 239:851, ack 82, win 227, options [nop,nop,TS val 6052050 ecr 10339617], length 612
    14:00:05.380696 IP 172.17.8.1.46016 > 73440c96b5d9.http: Flags [.], ack 239, win 237, options [nop,nop,TS val 10339617 ecr 6052050], length 0
    14:00:05.380702 IP 172.17.8.1.46016 > 73440c96b5d9.http: Flags [.], ack 851, win 247, options [nop,nop,TS val 10339617 ecr 6052050], length 0
    14:00:05.380834 IP 172.17.8.1.46016 > 73440c96b5d9.http: Flags [F.], seq 82, ack 851, win 247, options [nop,nop,TS val 10339617 ecr 6052050], length 0
    14:00:05.380969 IP 73440c96b5d9.http > 172.17.8.1.46016: Flags [F.], seq 851, ack 83, win 227, options [nop,nop,TS val 6052051 ecr 10339617], length 0
    14:00:05.381648 IP 172.17.8.1.46016 > 73440c96b5d9.http: Flags [.], ack 852, win 247, options [nop,nop,TS val 10339617 ecr 6052051], length 0
    14:00:05.791231 IP 73440c96b5d9.46719 > 10.0.2.3.domain: 27086+ PTR? 1.8.17.172.in-addr.arpa. (41)
    14:00:05.801673 IP 10.0.2.3.domain > 73440c96b5d9.46719: 27086 NXDomain 0/0/0 (41)

    1 answer 1

    1. Use tcpdump to determine what happens to the queries.
    2. Check if this only applies to HTTP requests or all traffic (for example, ICMP).
    3. Depending on the results obtained in 1 and 2, you need to configure the corresponding subsystems (specify the results in the question and I will add what to do next).
    • Tried to add information on tcpdump - batazor
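
Step 1 of the answer, applied to the captures in the question, as an added example that is not part of the original posts: it takes the source address of each connection-opening SYN at every capture point and reports the first hop where that address changes. The `REWRITTEN` sample is constructed for contrast, and all function and variable names are hypothetical.

```python
import re

# tcpdump text line: "HH:MM:SS.us IP src.port > dst.port: Flags [S], ...".
# A pure SYN ([S], not [S.]) is the client's opening packet, so its source
# is the client address as that capture point sees it.
SYN = re.compile(r"^\s*\S+ IP (\S+)\.[\w-]+ > \S+: Flags \[S\],", re.M)

def syn_sources(capture):
    """Set of source addresses of connection-opening packets in a capture."""
    return set(SYN.findall(capture))

def first_rewrite(path):
    """path: ordered (capture_point, tcpdump_text) pairs, client side first.
    Returns (prev_point, point, sources_before, sources_after) for the first
    hop where the SYN source changes, or None if it is the same everywhere."""
    seen = [(point, syn_sources(text)) for point, text in path]
    seen = [(point, srcs) for point, srcs in seen if srcs]  # no SYN captured
    for (prev, before), (cur, after) in zip(seen, seen[1:]):
        if before != after:
            return prev, cur, before, after
    return None

# SYN / SYN-ACK pairs from the question's captures, TCP options trimmed.
QUESTION = [
    ("coreos eth1",
     "13:58:15.165408 IP 172.17.8.1.46004 > core-01.ddi-tcp-1: Flags [S], seq 2732400208, win 29200, length 0\n"
     "13:58:15.165564 IP core-01.ddi-tcp-1 > 172.17.8.1.46004: Flags [S.], seq 3456357314, ack 2732400209, win 28960, length 0\n"),
    ("coreos docker0",
     "13:57:36.192668 IP 172.17.8.1.45990 > 172.18.0.3.http: Flags [S], seq 2796265064, win 29200, length 0\n"
     "13:57:36.192763 IP 172.18.0.3.http > 172.17.8.1.45990: Flags [S.], seq 1432538445, ack 2796265065, win 28960, length 0\n"),
    ("container eth0",
     "14:00:05.379097 IP 172.17.8.1.46016 > 73440c96b5d9.http: Flags [S], seq 1048090505, win 29200, length 0\n"
     "14:00:05.379167 IP 73440c96b5d9.http > 172.17.8.1.46016: Flags [S.], seq 3922645363, ack 1048090506, win 28960, length 0\n"),
]

# Constructed contrast case (not from the page): the bridge-side capture
# shows the docker0 address as the source, i.e. a rewrite on the CoreOS host.
REWRITTEN = [
    ("coreos eth1",
     "10:00:00.000001 IP 172.17.8.1.50000 > core-01.http: Flags [S], seq 1, win 29200, length 0\n"),
    ("coreos docker0",
     "10:00:00.000002 IP 172.18.0.1.35000 > 172.18.0.3.http: Flags [S], seq 1, win 29200, length 0\n"),
]

if __name__ == "__main__":
    for name, path in (("question", QUESTION), ("constructed", REWRITTEN)):
        print(name, first_rewrite(path) or "SYN source identical at every capture point")
```

On the question's three captures the result is `None`: the SYN already carries 172.17.8.1 when it arrives on eth1 and is unchanged on docker0 and inside the container.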