Data path traffic separation option in swarm mode#32615
Data path traffic separation option in swarm mode#32615fcrisciani wants to merge 3 commits intomoby:masterfrom
Conversation
AkihiroSuda
added
status/1-design-review
status/needs-vendoring
and removed
status/0-triage
labels
daemon/cluster/cluster.go
Outdated
There was a problem hiding this comment.
I think you no longer need this function
There was a problem hiding this comment.
I take it back, this is actually needed when libnetwork retrieves the addresss from the clusterProvider
daemon/cluster/listen_addr.go
Outdated
There was a problem hiding this comment.
I would handle the empty case right away and avoid the extra indentation here with
if dataPathAddr == "" {
return "", nil
}
contrib/completion/zsh/_docker
Outdated
There was a problem hiding this comment.
I'd make IP uppercase (in "Data path ip...") to be consistent with other descriptions.
contrib/completion/zsh/_docker
Outdated
There was a problem hiding this comment.
I'd make IP uppercase (in "Data path ip...") to be consistent with other descriptions.
There was a problem hiding this comment.
Please clarify in the documentation that this is an address that's used by other nodes, rather than one used for local binding.
There was a problem hiding this comment.
done, let me know if now is clearer
daemon/cluster/listen_addr.go
Outdated
There was a problem hiding this comment.
These conditions could be folded into the outer if.
if ip := net.ParseIP(input); ip != nil && (isUnspecifiedValid || !ip.IsUnspecified()) {
return ip, nil
}Or perhaps something like this:
ip := net.ParseIP(input)
if ip == nil {
return nil, errBadNetworkIdentifier
}
if ip.IsUnspecified() && !isUnspecifiedValid{
return nil, errBadNetworkIdentifier
}
return return ip, nilThere was a problem hiding this comment.
Perhaps we could also check that a --datapath-addr argument with a port number is rejected.
cli/command/swarm/opts.go
Outdated
There was a problem hiding this comment.
Wondering if this should be data-path-addr. Not sure either way but wanted to bring it up for discussion.
There was a problem hiding this comment.
changed to data-path-addr
There was a problem hiding this comment.
The usage info here should match what's printed by swarm init --help. I believe the flags are sorted alphabetically in swarm init --help.
There was a problem hiding this comment.
The usage info here should match what's printed by swarm join --help. I believe the flags are sorted alphabetically in swarm join --help.
There was a problem hiding this comment.
Maybe this log message should exclude Data-addr if it's an empty string, for better readability.
Unrelated to this change, but the space between Remote-addr and =%s is inconsistent with the other fields.
There was a problem hiding this comment.
Oh, I see the defer now. That's kind of ugly. If a defer is going to inspect the value of err, the function should use a "named return":
func (ep *endpoint) sbJoin(sb *sandbox, options ...EndpointOption) (err error) {Then returning an error will automatically assign it to err.
There was a problem hiding this comment.
This is part of another change brought in by the vendoring.
It is to make sure the existing defer function which performs the cleanup in case of err != nil is being executed.
There was a problem hiding this comment.
Yes, I considered the named returned but I decided to not go for that change because I did not want to add refactoring changes to the fix, to speed up review. And to avoid any collateral bugs for changes not strictly needed, because that function has some delicate logic. After the next stable release is out, I will consider refactoring that.
Vendor libnetwork changes for --data-path-addr flag Signed-off-by: Flavio Crisciani <[email protected]>
This new flag will allow the configuration of an interface that can be used for data path traffic to be isolated from control plane traffic. This flag is simply percolated down to libnetwork and will be used by all the global scope drivers (today overlay) Signed-off-by: Flavio Crisciani <[email protected]>
Signed-off-by: Flavio Crisciani <[email protected]>
| case "$cur" in | ||
| -*) | ||
| COMPREPLY=( $( compgen -W "--advertise-addr --autolock --availability --cert-expiry --dispatcher-heartbeat --external-ca --force-new-cluster --help --listen-addr --max-snapshots --snapshot-interval --task-history-limit" -- "$cur" ) ) | ||
| COMPREPLY=( $( compgen -W "--advertise-addr --datapath-addr --autolock --availability --cert-expiry --dispatcher-heartbeat --external-ca --force-new-cluster --help --listen-addr --max-snapshots --snapshot-interval --task-history-limit" -- "$cur" ) ) |
There was a problem hiding this comment.
Needs to be updated to --data-path-addr
| case "$cur" in | ||
| -*) | ||
| COMPREPLY=( $( compgen -W "--advertise-addr --availability --help --listen-addr --token" -- "$cur" ) ) | ||
| COMPREPLY=( $( compgen -W "--advertise-addr --datapath-addr --availability --help --listen-addr --token" -- "$cur" ) ) |
There was a problem hiding this comment.
Needs to be updated to --data-path-addr
| ### `--data-path-addr` | ||
|
|
||
| This flag specifies the address that global scope drivers are going to publish towards | ||
| other workers in order to reach the containers running on this worker node. |
There was a problem hiding this comment.
I assume this would apply to managers as well (by default, containers can be scheduled to managers as well as workers), so "workers" should be "nodes" and "worker node" should be "node".
Instead of "going to publish", how about "will publish"?
Maybe "global scope drivers" should be "global scope network drivers", for clarity?
| d1 := s.AddDaemon(c, false, false) | ||
|
|
||
| out, err = d1.Cmd("swarm", "join", "--availability=drain", "--token", token, d.ListenAddr) | ||
| fmt.Printf("** token:%s, listen:%s\n", token, d.ListenAddr) |
There was a problem hiding this comment.
Please remove the Printf before merging.
| errBadNetworkIdentifier = errors.New("must specify a valid IP address or interface name") | ||
| errBadListenAddr = errors.New("listen address must be an IP address or network interface (with optional port number)") | ||
| errBadAdvertiseAddr = errors.New("advertise address must be a non-zero IP address or network interface (with optional port number)") | ||
| errBadDataPathAddr = errors.New("data path address must be a non-zero IP address or network interface") |
There was a problem hiding this comment.
can you add (without a port number) to this, like errBadDefaultAdvertiseAddr?
fcrisciani
force-pushed
the
data_path
branch
2 times, most recently
from
06a7fe7 to
fb25eed
Compare
|
will close this one because does not reflect the commits update |
5 participants
- What I did
In SWARM mode is now possible to pass a new flag to specify which is the interface to use for data path traffic. This will allow to separate data traffic (container to container pkts) from control traffic (grpc between workers and managers)
- How I did it
Introduced a new flag --datapath-addr in the docker swarm init and docker swarm join
- How to verify it
Create a swarm cluster on hosts with at least 2 interfaces, one will be dedicated for the management and will be the one that will be used in the --advertise-addr, the other instead will be the one for the --datapath-addr flag.
Second step is to create an overlay network
Third step is to launch containers on different workers using the overlay network.
At this point the traffic between the containers on different workers will happen on the interface identified by the --datapath-addr
- Description for the changelog
Data path traffic separation option in swarm mode
- A picture of a cute animal (not mandatory but encouraged)
