Clean Docker-preview install on Server 1709 does not correctly configure NAT

[gh2k]

Expected behavior

Installing Docker on Windows Server 1709 should install a Windows NAT mapping.

Actual behavior

Installing Docker on Windows Server 1709 does not create a Windows NAT mapping.

Information

On a fresh Server 1709 VM I installed: Windows Updates, Hyper-V and Docker preview.

After this, running Debug-Containerhost.ps1 reports that Windows NAT should exist, and doesn't:

 [-] A Windows NAT is configured if a Docker NAT network exists 552ms                                            
   Expected {0} to be greater than or equal to {1}                                                               
   226:        $winnatCount | Should Not BeLessThan $natCount                                                    
   at <ScriptBlock>, <No file>: line 226                                  

There is a NAT network created by default:

NETWORK ID          NAME                DRIVER              SCOPE                                      
6414f33b75dc        nat                 nat                 local                                                
ba885f554590        none                null                local                      

Further to this, swarm ingress routing does not work. For example, after running the commands:

docker network create -d overlay test
docker service create --name whoami --publish 8080:8080 --network test stefanscherer/whoami:1709
# for testing
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled false

should result in a service listening on the server's LAN IP on port 8080. It doesn't.

Additionally: As described by @kevinbosman in this comment: #1255 (comment) - Attempting to add the NAT mapping manually results in a 'duplicate name exists' error

Steps to reproduce the behavior

1. Install a fresh Server 1709 VM - (resulting in:)

Major  Minor  Build  Revision                                                                                    
-----  -----  -----  --------                                                                                    
10     0      16299  0                                                  

2. Install latest updates using sconfig
3. Install hyper-v: Add-WindowsFeature Hyper-V -IncludeManagementTools -Restart
4. Install docker preview:

Install-Module DockerProvider
Install-Package Docker -ProviderName DockerProvider -RequiredVersion preview

5. Restart the computer
6. Run Debug-Containerhost.ps1

You should see the error:

 [-] A Windows NAT is configured if a Docker NAT network exists 552ms                                            
   Expected {0} to be greater than or equal to {1}                                                               
   226:        $winnatCount | Should Not BeLessThan $natCount                                                    
   at <ScriptBlock>, <No file>: line 226                                  

[thepill]

I could experience similar problems with a new 1709 machine and the latest docker preview edition.

[gh2k]

Has anyone got this working? I've been trying for quite some time to get overlay mesh networking functional on Server 1709 with no success whatsoever.

[MalletMark]

I have it working with a slightly different premise. I installed 1709 directly into a spare laptop rather than running it as a VM in order to avoid any need for nested virtualization.

Otherwise if all you want is to use the ingress routing mesh to work I found that it was not necessary to set the network when creating the service. I used the following command

docker service create --replicas 6 --name <serviceName> --publish 8080:80 <dockerRepo>/<dockerImage>

This allowed me to access the container on the exposed port of either of my 2 nodes. When testing, make sure to clear cache after every WebRequest Invoke and you will see that it is pulling a different container across all available containers on multiple nodes. In my case my image was an aspnetcore2.0 webapi with a method to display the "machine name" in which it will always display the 'containername -> hostname'. Because of this I can see that the routing mesh is working as intended. Keep in mind I am connecting to these containers from outside the swarm using :8080 and have not been able to test from within the swarm using the hostname/containername.

[wijnandhonselaar]

I'm running my development machine with Win 10 Enterprise (1709) and experiencing the same issues. Using either Docker 7.12.0-ce-win47 or Docker 18.02.0-c3rc2.

Upon starting a service every node logs: HNS failed with error : An adapter was not found.

[amandeepdhindsa]

Same error HNS failed with error : An adapter was not found.
When deploying docker stack on Windows Server 1709 with ingress network in Swarm mode. Services gets created but docker is unable to launch the containers and replicated says 0/x . Kindly advise
Client:
Version: 17.06.2-ee-6
API version: 1.30
Go version: go1.8.3
Git commit: e75fdb8
Built: Mon Nov 27 22:46:09 2017
OS/Arch: windows/amd64

Server:
Version: 17.06.2-ee-6
API version: 1.30 (minimum version 1.24)
Go version: go1.8.3
Git commit: e75fdb8
Built: Mon Nov 27 22:55:16 2017
OS/Arch: windows/amd64
Experimental: true

[gh2k]

This seems to be working for me with 17.10.0-ee-preview-3

[jmlane]

I'm having the same NAT issues on 17.12.0-ce-win47 on Windows 10 1709 and a fresh install of Docker did not resolve it.

[kdrblkbs]

hello @gh2k, i stumbled across your forum post https://forums.docker.com/t/containers-cant-ping-over-overlay-network-on-windows/40199 and #1334, while desperately trying to determine why the docker overlay network does not work in a cross platform swarm setup. Is the NAT issue you are addressing here the source of these problems?
Regards.

[gh2k]

Hi @kdrblkbs - It sounds like you've been following the same path as me. I've spent weeks pulling my hair out about this stuff, assuming that I've Just Not Been Getting It. - All the instructions suggest it should Just Work, but I've not found any examples/walkthroughs of someone setting this up. Nevertheless, I've had some progress...

I've spent so long looking at this that I've lost touch with exactly what's worked and what hasn't. Currently I know the following:

• You'll get nowhere if your Windows node has >1 network adapter (this can be annoying in certain Vagrant environments as you can't assign a static IP to the primary adapter) (Ingress VMSwitch bound to wrong ethernet adapter #1399 )
• You need to be running the latest preview of Docker ee on Windows Server 1709.

Given the above, I have a Vagrant environment running Windows 1709 and Linux with overlay networking mostly working. Containers can access each other over the overlay network via vip, and ingress routing works. However, Windows containers can't access the internet unless I manually add them to the 'nat' network, and I can't do this if they're running as services because the 'nat' network doesn't have swarm scope. I've worked around this for my environment, so that it's OK for my Windows containers don't have to have access to the internet... But it's an ugly hack.

In case it helps, I'm running my Windows VM based on the 1709_docker build in https://github.com/StefanScherer/packer-windows, and my symbols/gentoo-docker vagrant box for the Linux VM.

I'm hoping that the upcoming Windows 1803 will make this process simpler... ¯\_(ツ)_/¯

[kdrblkbs]

thanks a lot for sharing your findings @gh2k

[mback2k]

For me with 17.10.0-ee-preview-3 it seems to be the other way around. My Docker VM Switch is attached to my public interface, so my containers can reach the internet, but not the private/internal interface, so they cannot reach other containers in the cross-plattform Swarm cluster.

To me it looks like Docker on Windows Server does not support multiple interfaces (internet and intranet) at the moment.

Update: It seems like it is possible to bind networks to specific interfaces, please see the following link for a possible solutions which worked for my case: https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/container-networking#bind-a-network-to-a-specific-network-interface

[rn]

This issue tracker is for the Docker for Windows application, which runs on Windows 10. So, I'm closing this issue. To get help with Docker on Windows Server please see http://success.docker.com/article/where-to-get-help-with-windows.
Thanks

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked