OpenStack Routing for VMs running Docker Containers. Is there a smarter way of doing this?
When I run Docker within a VM, I'm required to explicitly set routing so that I can access the docker container by using the floating IP address and the exposed Docker port. My machine is a lab machine with only one physical NIC. Therefore this NIC is used to access OpenStack itself and its VMs.
Question: Editing the iptables rules manually is very cumbersome and error-prone, and therefore I'm wondering if you can think of a smarter, more generic way of doing this? Note: This machine is for testing only and not exposed to the Internet and therefore lax security wouldn't be an issue.
* Installed Ubuntu 12.04
* Made the network settings below
$ apt-get install bridge-utils
$ nano /etc/network/interfaces
Content of /etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet manual
    up ip address add 0/0 dev $IFACE
    up ip link set $IFACE up
    down ip link set $IFACE down

# Bridge for OpenStack to work with single NIC
auto br-openstack
iface br-openstack inet static
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0
    address 10.20.24.10
    netmask 255.255.248.0
    broadcast 10.20.31.255
    gateway 10.20.24.1
    dns-nameservers 10.20.24.1
    dns-search my.company.com
    up ifconfig $IFACE promisc

* Configure forwarding
# sysctl net.ipv4.ip_forward=1
# iptables -t nat -A POSTROUTING -o br-openstack -j MASQUERADE
* Created VM and installed Apache
* Edited iptables as VM listens on IP 10.11.12.2:8080. Command was executed on DevStack host machine!
# iptables -t nat -A PREROUTING -i br-openstack -p tcp --dport 8080 -j DNAT --to-destination 10.11.12.2
Note: With above settings, I can run the VM and access its Apache HTTP Server on port 8080 with either 10.11.12.2:8080 or with 10.20.24.15:8080, which is the VM's floating IP address.
* Installed Docker on the VM
* Run a Docker container, which runs Apache HTTP Server on port 80. Used command below to expose the port.
# docker run -p 80:8080 -d mbentley/ubuntu-tomcat7
* Edited iptables to be able to access the Docker container on port 80.
This command is executed on the DevStack machine!
# iptables -t nat -A PREROUTING -i br-openstack -p tcp --dport 80 -j DNAT --to-destination 10.11.12.2
This command is executed on the VM!
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 172.17.42.2:80
Note: The docker container is now accessible via the floating IP address on port 80.
Side note: I tried my best to format this post consistently but somehow this WYSIWYG editor didn't allow me to.
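
The per-port rule pairs above follow one pattern (floating IP to VM on the host, then VM to container inside the VM), so they can be generated instead of typed. The script below is an added example, not part of the original post: its function names are hypothetical, it assumes the interface names and addresses quoted in the post, and, unlike the post's rules, it adds a `-d` match so only traffic addressed to the named IP is rewritten.

```shell
#!/bin/sh
# Added example (not from the original post): print, rather than apply, the
# two DNAT rules needed per forwarded port so they can be reviewed first.
# Function names are hypothetical; addresses are the ones quoted in the post.

valid_ipv4() (      # dotted quad, each octet 0-255
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
)

valid_port() {      # integer 1-65535
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# dnat_rule IFACE DEST_IP DPORT TARGET_IP TARGET_PORT
# Unlike the rules in the post, the match includes -d DEST_IP, so only traffic
# addressed to that IP is rewritten, not every packet for DPORT on IFACE.
# "-C ... || -A ..." appends the rule only if it is not already present.
dnat_rule() {
    case $1 in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $1" >&2; return 1 ;; esac
    valid_ipv4 "$2" && valid_port "$3" && valid_ipv4 "$4" && valid_port "$5" || {
        echo "bad address or port: $2:$3 -> $4:$5" >&2
        return 1
    }
    spec="PREROUTING -i $1 -d $2 -p tcp --dport $3 -j DNAT --to-destination $4:$5"
    echo "iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec"
}

# forward_port FLOATING_IP VM_IP CONTAINER_IP PORT
forward_port() {
    host=$(dnat_rule br-openstack "$1" "$4" "$2" "$4") || return 1
    vm=$(dnat_rule eth0 "$2" "$4" "$3" "$4") || return 1
    printf '# run on the DevStack host\n%s\n# run on the VM\n%s\n' "$host" "$vm"
}

# Values from the post: floating IP, VM fixed IP, container IP, port
forward_port 10.20.24.15 10.11.12.2 172.17.42.2 80
```

Review the printed lines, then run each one as root on the machine named in the comment above it.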