Bug 1289116 - vdsm creates network problems for VM with docker container
vdsm creates network problems for VM with docker container
Product: vdsm
Classification: oVirt
Component: General
Platform: x86_64 Linux
Priority: medium, Severity: medium
: ovirt-4.1.1
: ---
Assigned To: Petr Horáček
Meni Yakove
Depends On:
Reported: 2015-12-07 08:28 EST by Thomas Hamel
Modified: 2017-02-20 07:21 EST (History)
CC: 4 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-02-20 07:21:33 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
rule-engine: ovirt-4.1+

Attachments
bridge details (5.14 KB, text/plain), 2015-12-08 03:55 EST, Thomas Hamel
Network overview (61.75 KB, image/jpeg), 2015-12-08 03:56 EST, Thomas Hamel
vdsm log (408.87 KB, application/octet-stream), 2015-12-08 03:57 EST, Thomas Hamel

Description Thomas Hamel 2015-12-07 08:28:18 EST
Description of problem:

A docker container in a VM is having network problems when running in a vdsm environment.
Packets from external servers are reaching the network interface eth0 of the VM but are not properly NATted to the docker0 bridge.
Some packets are lost in the NATting process from eth0 to docker0.

When the same VM (setup via PXE) with a docker container is running on a host with KVM, these network problems are not present.

The iptables configurations for the filter and nat tables are identical in both VMs.

Version-Release number of selected component (if applicable):

Software versions of the host with vdsm:

OS Version:         RHEL - 7 - 1.1503.el7.centos.2.8
Kernel Version:     3.10.0 - 229.20.1.el7.x86_64
KVM Version:        2.3.0 - 29.1.el7
LIBVIRT Version:    libvirt-1.2.8-16.el7_1.5
VDSM Version:       vdsm-4.17.12-0.el7.centos
SPICE Version:      0.12.4 - 9.el7_1.3

Software version of the host running KVM:

[root@E7 /]# uname -a
Linux E7.test.local 3.10.0-229.20.1.el7.x86_64 #1 SMP Tue Nov 3 19:10:07 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

[root@E7 /]# rpm -qa | grep qemu-kvm

[root@E7 /]# rpm -qa | grep libvirt

How reproducible:

Initiate a TCP session to a host.

Steps to Reproduce:
1. Install a VM.
2. Install docker within the VM.
3. Initiate a TCP session to a host.

Actual results:

Packets are lost in the NATting between the eth0 interface of the VM and the docker0 bridge in the VM.

Expected results:

No packets are lost.

Additional info:
Comment 1 Dan Kenigsberg 2015-12-08 01:51:14 EST
Can you share vdsm.log of the VM startup (since VM.create to Up state)?

Can you share your `brctl show` as well as your bridge's connectivity to the outside world?

Can you try installing vdsm-hook-macspoof.rpm and configuring it on your VM interface? (Cf. to learn how) Just to rule out a set of other issues.
Comment 2 Thomas Hamel 2015-12-08 03:55 EST
Created attachment 1103484 [details]
bridge details
Comment 3 Thomas Hamel 2015-12-08 03:56 EST
Created attachment 1103485 [details]
Network overview
Comment 4 Thomas Hamel 2015-12-08 03:57 EST
Created attachment 1103487 [details]
vdsm log
Comment 5 Thomas Hamel 2015-12-08 04:00:27 EST
I installed vdsm-hook-macspoof at the host and did the config change in the engine, also created the macspoof key at the VM.

There is no change in the behaviour, still packets lost.
Comment 6 Dan Kenigsberg 2015-12-09 04:43:05 EST
Thanks, Thomas. Can you provide more information about your guest OS and applications (versions, which containers)?

Federico, have you noticed anything like this during your integration work?
Comment 7 Thomas Hamel 2015-12-09 05:14:51 EST
We are running CentOS 7.1 x86_64 with the latest updates on all components:

- Host
- VM
- Docker container

The CentOS 7.1 of the VM and the container are minimal installations.

The docker RPMs in the VM are out of the CentOS-7.1-Extras repository.

We start the container via the command line

    docker run -it centos /bin/bash

When we start the container with the network mode bridging (IP address of the VM is used) instead of nat, we do not face the network problem:

    docker run -it --net=host centos71 /bin/bash

But based on our application we need to run multiple containers within a VM which must be accessible from outside and therefore the bridging option is not an option for us.

I tried a different way of installation at one host:

- Install the CentOS 7.1 via PXE
- Install KVM (qemu-kvm, libvirt & virt-manager RPMs)
- Attach the host into an oVirt cluster
- Migrate an existing VM with a running container to this newly installed host

There the container was able to access the internet.
But after a reboot of this host the problem was present again.
So some part of the KVM installation seemed to do some changes which were reverted after the reboot.
Comment 8 Thomas Hamel 2015-12-09 05:17:46 EST
In the VM we are running docker 1.8.2:

[root@dc2-ovm1 /]# docker version
 Version:      1.8.2
 API version:  1.20
 Package Version: docker-1.8.2-7.el7.centos.x86_64
 Go version:   go1.4.2
 Git commit:   bb472f0/1.8.2
 OS/Arch:      linux/amd64

 Version:      1.8.2
 API version:  1.20
 Package Version:
 Go version:   go1.4.2
 Git commit:   bb472f0/1.8.2
 OS/Arch:      linux/amd64
Comment 9 Petr Horáček 2017-01-23 06:31:15 EST
Hello, I tried to reproduce your problem, but with no success.

I started CentOS docker container with mapped ports 8000:8000 on CentOS VM and then tried to ping VM:8000 via, but no packets were lost. When I tried to ping outside network from container itself via ICMP ping it was OK as well.

Could you please check if my steps were wrong or the bug is not there anymore?

Have you used some special iptables rules other than Docker port mapping?

Comment 10 Thomas Hamel 2017-01-24 02:17:43 EST

We have not used any port mapping for the Docker container.

In the container we used curl for testing an HTTP access to a server.

E.g. in the container just run 


or any other web site.

I used to run tcpdump in parallel at the docker bridge in the VM and at the outgoing interface of the VM.
There I spotted that acknowledgement packets from the HTTP access were arriving at the VM interface but not forwarded to the docker bridge, so never reaching the Docker container.
Comment 11 Thomas Hamel 2017-01-24 02:20:23 EST
For the Docker container, we haven't modified any iptables rules.
Only what was configured by Docker itself.
Comment 12 Dan Kenigsberg 2017-02-15 04:28:19 EST
We still find it hard to reproduce your condition.

Do you still see it? Have you tried newer versions of docker or ovirt since?

Can you share a sanitized tcpdump, so we could attempt to understand which packets are lost, and when?
Comment 13 Petr Horáček 2017-02-16 16:41:37 EST
Hello again,

I ran `curl` 1000 times (poor Google) while `tcpdump -i eth0 -s 65535 -w eth0_1000.pcap` and `tcpdump -i docker0 -s 65535 -w docker0_1000.pcap` were running. I checked captured traffic (docker0_1000.pcap and eth0_1000.pcap) via Wireshark, some requests myself, the rest via tcp.analysis.lost_segment filter and I was not able to find any lost segments/dropped packets there.

Could you please try the same yourself to see if my test was invalid or if it is just working in my environment?

Thank you very much.
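Comments 10 and 13 describe the same check from two sides: capture on the VM's outer interface and on docker0 at the same time, then look for inbound segments that reach eth0 but never show up on the bridge. The script below is an added example (it is not from the bug report, from vdsm, or from Docker) that automates that comparison over simplified packet records instead of eyeballing two pcaps in Wireshark. The addresses, ports, record layout and packet records are constructed; the matching assumes Docker's default MASQUERADE behaviour, in which NAT rewrites only the VM-side endpoint of a container connection and leaves the remote endpoint, the TCP flags and the sequence/acknowledgement numbers untouched.

```python
"""
Added example, not part of the bug report: correlate a capture taken on the
VM's eth0 with one taken on docker0 and list inbound TCP segments that
arrived at eth0 but were never forwarded to the container.
Record layout (constructed, whitespace separated, one packet per line):
    ts  src  dst  sport  dport  seq  ack  flags
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

VM_IP = "192.0.2.10"   # constructed: address of the VM's eth0
MAX_LAG = 0.5          # seconds an eth0 segment may wait for its docker0 copy


@dataclass(frozen=True)
class Segment:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str   # letters: S, A, P, F, R (constructed notation)


def parse_records(text: str) -> List[Segment]:
    """Parse the constructed record layout; '#' lines are comments."""
    segs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, sport, dport, seq, ack, flags = line.split()
        segs.append(Segment(float(ts), src, dst, int(sport), int(dport),
                            int(seq), int(ack), flags))
    return segs


NatMap = Dict[Tuple[str, int], Tuple[str, int]]


def learn_nat_map(eth0: List[Segment], docker0: List[Segment]) -> NatMap:
    """Recover (VM_IP, vport) -> (container_ip, cport) by pairing outbound
    SYNs: MASQUERADE rewrites the source endpoint but keeps the remote
    endpoint and the initial sequence number, so those identify the flow."""
    by_syn = {}
    for s in docker0:
        if s.flags == "S" and s.dst != VM_IP:          # container -> remote
            by_syn[(s.dst, s.dport, s.seq)] = (s.src, s.sport)
    mapping: NatMap = {}
    for s in eth0:
        if s.flags == "S" and s.src == VM_IP:          # same SYN after SNAT
            inner = by_syn.get((s.dst, s.dport, s.seq))
            if inner:
                mapping[(s.src, s.sport)] = inner
    return mapping


def find_unforwarded(eth0: List[Segment], docker0: List[Segment]) -> List[Segment]:
    """Return inbound eth0 segments (to container flows) with no docker0 copy."""
    mapping = learn_nat_map(eth0, docker0)
    pending: Dict[tuple, List[Segment]] = {}   # expected docker0 key -> eth0 copies
    for s in eth0:
        if s.dst != VM_IP:
            continue
        inner = mapping.get((s.dst, s.dport))
        if inner is None:
            continue   # traffic to the VM itself, not a container flow
        key = (s.src, s.sport, inner[0], inner[1], s.seq, s.ack, s.flags)
        pending.setdefault(key, []).append(s)
    for d in sorted(docker0, key=lambda x: x.ts):
        key = (d.src, d.sport, d.dst, d.dport, d.seq, d.ack, d.flags)
        waiting = pending.get(key, [])
        # consume the oldest eth0 copy within the window; a retransmission
        # on eth0 needs its own docker0 counterpart to count as forwarded
        for i, w in enumerate(waiting):
            if 0 <= d.ts - w.ts <= MAX_LAG:
                waiting.pop(i)
                break
    lost = [s for segs in pending.values() for s in segs]
    return sorted(lost, key=lambda s: s.ts)


# Constructed captures: one container HTTP request; the server's ACK of the
# request (eth0 at t=1.050) never appears on docker0.
ETH0_SAMPLE = """
# ts     src           dst           sport  dport  seq   ack   flags
1.001   192.0.2.10    198.51.100.7  40001  80     1000  0     S
1.020   198.51.100.7  192.0.2.10    80     40001  5000  1001  SA
1.023   192.0.2.10    198.51.100.7  40001  80     1001  5001  A
1.031   192.0.2.10    198.51.100.7  40001  80     1001  5001  PA
1.050   198.51.100.7  192.0.2.10    80     40001  5001  1080  A
1.060   198.51.100.7  192.0.2.10    80     40001  5001  1080  PA
"""
DOCKER0_SAMPLE = """
1.000   172.17.0.2    198.51.100.7  40000  80     1000  0     S
1.021   198.51.100.7  172.17.0.2    80     40000  5000  1001  SA
1.022   172.17.0.2    198.51.100.7  40000  80     1001  5001  A
1.030   172.17.0.2    198.51.100.7  40000  80     1001  5001  PA
1.061   198.51.100.7  172.17.0.2    80     40000  5001  1080  PA
"""


def demo() -> List[Segment]:
    return find_unforwarded(parse_records(ETH0_SAMPLE), parse_records(DOCKER0_SAMPLE))


if __name__ == "__main__":
    for s in demo():
        print(f"lost at {s.ts:.3f}: {s.src}:{s.sport} -> {s.dst}:{s.dport} "
              f"seq={s.seq} ack={s.ack} flags={s.flags}")
```

To use it on real captures, convert each pcap to the record layout above (any tool that can dump timestamp, addresses, ports, absolute sequence numbers and flags will do) and pass the two record lists to find_unforwarded. Learning the NAT mapping from the outbound SYNs rather than assuming port numbers are preserved matters because MASQUERADE may pick a different source port when two containers collide on the same one.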
Comment 14 Thomas Hamel 2017-02-17 07:56:25 EST
I just retested with CentOS 7.3 as the OS in the VM (with latest updates).

For docker I installed docker-engine-1.13.1.

Here I can run a wget inside the docker container and pull an ISO image without any packet loss.
Comment 15 Petr Horáček 2017-02-20 07:21:33 EST
Thanks for the response, closing as NOTABUG, please reopen if it appears again.
