If a service has session affinity set as client IP, then the connection is blocked #12778

Closed
3 tasks done
lk-1984 opened this issue Jun 14, 2022 · 6 comments

Comments

@lk-1984
lk-1984 commented Jun 14, 2022

  • I have tried with the latest version of Docker Desktop
  • I have tried disabling enabled experimental features
  • I have uploaded Diagnostics
  • Diagnostics ID: 453E7F67-F030-47AC-82FE-DD3CE9491071/20220614072914

Actual behavior

A service is deployed with session affinity set as ClientIP and it is not reachable.

Expected behavior

A service is deployed with session affinity set as ClientIP and it is reachable.

Information

  • Windows Version: 20H2, 19042.17.06
  • Docker Desktop Version: 4.8.2 (79419)
  • WSL2 or Hyper-V backend? WSL2
  • Are you running inside a virtualized Windows e.g. on a cloud server or a VM: No.

On other Kubernetes or OpenShift there are no issues with this.

Output of & "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check

Microsoft Windows [Version 10.0.19042.1706]
(c) Microsoft Corporation. All rights reserved.

C:\Users\snipsnipsnip>"C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check
Starting diagnostics

[PASS] DD0027: is there available disk space on the host?
[PASS] DD0028: is there available VM disk space?
[PASS] DD0031: does the Docker API work?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0001: is the application running?
[SKIP] DD0018: does the host support virtualization?
[PASS] DD0002: does the bootloader have virtualization enabled?
[PASS] DD0017: can a VM be started?
[PASS] DD0024: is WSL installed?
[PASS] DD0021: is the WSL 2 Windows Feature enabled?
[PASS] DD0022: is the Virtual Machine Platform Windows Feature enabled?
[PASS] DD0025: are WSL distros installed?
[PASS] DD0026: is the WSL LxssManager service running?
[PASS] DD0029: is the WSL 2 Linux filesystem corrupt?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0003: is the Docker CLI working?
[PASS] DD0013: is the $PATH ok?
[FAIL] DD0005: is the user in the docker-users group? The user name could not be found.
[PASS] DD0007: is the backend responding?
[PASS] DD0014: are the backend processes running?
[PASS] DD0008: is the native API responding?
[PASS] DD0009: is the vpnkit API responding?
[PASS] DD0010: is the Docker API proxy responding?
[PASS] DD0006: is the Docker Desktop Service responding?
[FAIL] DD0012: is the VM networking working? network checks failed: failed to ping host: exit status 1
[2022-06-14T07:53:43.649787100Z][com.docker.diagnose.exe][I] ipc.NewClient: 3c43280b-diagnose-network -> \\.\pipe\dockerDiagnosticd diagnosticsd
[common/pkg/diagkit/gather/diagnose.runIsVMNetworkingOK()
[       common/pkg/diagkit/gather/diagnose/network.go:34 +0xdd
[common/pkg/diagkit/gather/diagnose.(*test).GetResult(0x1711960)
[       common/pkg/diagkit/gather/diagnose/test.go:46 +0x43
[common/pkg/diagkit/gather/diagnose.Run.func1(0x1711960)
[       common/pkg/diagkit/gather/diagnose/run.go:17 +0x5a
[common/pkg/diagkit/gather/diagnose.walkOnce.func1(0x2?, 0x1711960)
[       common/pkg/diagkit/gather/diagnose/run.go:140 +0x77
[common/pkg/diagkit/gather/diagnose.walkDepthFirst(0x1, 0x1711960, 0xc0006c1730)
[       common/pkg/diagkit/gather/diagnose/run.go:146 +0x36
[common/pkg/diagkit/gather/diagnose.walkDepthFirst(0x0, 0xcb00000012?, 0xc0006c1730)
[       common/pkg/diagkit/gather/diagnose/run.go:149 +0x73
[common/pkg/diagkit/gather/diagnose.walkOnce(0x10da960?, 0xc00035f890)
[       common/pkg/diagkit/gather/diagnose/run.go:135 +0xcc
[common/pkg/diagkit/gather/diagnose.Run(0x1711f60, 0x10d4300?, {0xc00035fb20, 0x1, 0x1})
[       common/pkg/diagkit/gather/diagnose/run.go:16 +0x1cb
[main.checkCmd({0xc00007c3d0?, 0xc00007c3d0?, 0x4?}, {0x0, 0x0})
[       common/cmd/com.docker.diagnose/main.go:132 +0x105
[main.main()
[       common/cmd/com.docker.diagnose/main.go:98 +0x27f
[2022-06-14T07:53:43.649787100Z][com.docker.diagnose.exe][I] (f0bc719d) 3c43280b-diagnose-network C->S diagnosticsd POST /check-network-connectivity: {"ips":["172.25.64.1","172.24.32.1","172.21.128.1","10.144.83.200","172.18.128.1","172.18.160.1"]}
[2022-06-14T07:53:44.205374400Z][com.docker.diagnose.exe][W] (f0bc719d) 3c43280b-diagnose-network C<-S 549e9299-diagnosticsd POST /check-network-connectivity (555.5873ms): failed to ping host: exit status 1

[FAIL] DD0032: do Docker networks overlap with host IPs? network kind has subnet 172.18.0.0/16 which overlaps with host IP 172.18.128.1
[SKIP] DD0030: is the image access management authorized?
[PASS] DD0033: does the host have Internet access?

Please investigate the following 3 issues:

1 : The test: is the user in the docker-users group?
    Failed with: The user name could not be found.

The current user must be member of the docker-users group. Press the Win + R keys to open Run, type lusrmgr.msc into Run, followed by Enter to open Local Users and Groups.

2 : The test: is the VM networking working?
    Failed with: network checks failed: failed to ping host: exit status 1

VM seems to have a network connectivity issue. Please check your host firewall and anti-virus settings in case they are blocking the VM.

3 : The test: do Docker networks overlap with host IPs?
    Failed with: network kind has subnet 172.18.0.0/16 which overlaps with host IP 172.18.128.1

If the subnet used by a Docker network overlaps with an IP used by the host, then containers
won't be able to contact the overlapping IP addresses.

Please try configuring the IP address range used by networks: in your docker-compose.yml.
See https://docs.docker.com/compose/compose-file/compose-file-v2/#ipv4_address-ipv6_address

Steps to reproduce the behavior

FAIL:

  1. Install the latest Docker Desktop for Windows
  2. Install WSL2
  3. Enable Docker and Kubernetes in Docker Desktop
  4. Install Helm and create a Helm chart
  5. Add sessionAffinity: ClientIP to the service.yaml
  6. Install the Helm chart
  7. Deploy a pod with curl
  8. Use curl to access the service

service.yaml:

apiVersion: v1
kind: Service
metadata:
  name: {{ include "debug.fullname" . }}
  labels:
    {{- include "debug.labels" . | nindent 4 }}
spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
  selector:
    {{- include "debug.selectorLabels" . | nindent 4 }}
  sessionAffinity: ClientIP

fails

WORKS:

Uninstall the Helm chart and remove the added sessionAffinity, and then install the Helm chart again. Use curl again to access the service.

service.yaml:

apiVersion: v1
kind: Service
metadata:
  name: {{ include "debug.fullname" . }}
  labels:
    {{- include "debug.labels" . | nindent 4 }}
spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
  selector:
    {{- include "debug.selectorLabels" . | nindent 4 }}

works

@lk-1984
Author

lk-1984 commented Jun 14, 2022

I fixed the issues by, for example, removing the overlapping Docker network, but it did not help.

@lk-1984
Author

lk-1984 commented Jun 14, 2022

Same with 4.9.0.

@lk-1984
Author

lk-1984 commented Jun 15, 2022

This can be closed. The root cause is the missing kernel parameter in the WSL kernel.

https://medium.com/@gamunu/wsl-kubernetes-service-with-session-affinity-e98265433c8e

microsoft/WSL#7124
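
A check for the condition reported in this thread, as an added example that is not part of the issue or of Docker's code: it classifies kernel support for the netfilter `recent` match, which kube-proxy's iptables mode uses for ClientIP affinity, and lists the Services that request that affinity. It assumes the missing WSL kernel option is CONFIG_NETFILTER_XT_MATCH_RECENT, which the thread does not name; the sample kernel config and Service rows are constructed.

```shell
#!/bin/sh
# Added example, not from the issue. Assumption: the missing WSL kernel option
# is CONFIG_NETFILTER_XT_MATCH_RECENT (xt_recent); the thread does not name it.
OPT=CONFIG_NETFILTER_XT_MATCH_RECENT

# Read kernel config text on stdin; print builtin, module or missing.
# "# CONFIG_... is not set" and an absent line both count as missing.
recent_state() {
    awk -v opt="$OPT" '
        $0 == (opt "=y") { s = "builtin" }
        $0 == (opt "=m") { s = "module" }
        END { print (s == "" ? "missing" : s) }'
}

# Read "namespace name sessionAffinity" rows on stdin; print namespace/name
# of every Service that requests ClientIP affinity.
affinity_services() {
    awk '$3 == "ClientIP" { print $1 "/" $2 }'
}

# $1 = kernel state, $2 = affected Services (newline separated).
verdict() {
    if [ -z "$2" ]; then
        echo "ok: no Service uses sessionAffinity ClientIP"
    elif [ "$1" = "missing" ]; then
        # $2 is left unquoted on purpose so the names join on one line.
        echo "at-risk: xt_recent missing; affected:" $2
    else
        echo "ok: xt_recent is $1"
    fi
}

# Constructed sample inputs so the script runs offline.
SAMPLE_CONFIG='CONFIG_NETFILTER_XTABLES=y
# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
CONFIG_NETFILTER_XT_MATCH_STATE=y'
SAMPLE_SVCS='default      kubernetes  None
default      debug       ClientIP
kube-system  kube-dns    None'

state=$(printf '%s\n' "$SAMPLE_CONFIG" | recent_state)
svcs=$(printf '%s\n' "$SAMPLE_SVCS" | affinity_services)
verdict "$state" "$svcs"

# Live input, inside the WSL distro if the kernel exposes /proc/config.gz:
#   zcat /proc/config.gz | recent_state
```

For live Service rows, `kubectl get svc -A --no-headers -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,AFF:.spec.sessionAffinity` produces the three-column input that `affinity_services` expects.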

@docker-robott
Collaborator

Issues go stale after 90 days of inactivity.
Mark the issue as fresh with /remove-lifecycle stale comment.
Stale issues will be closed after an additional 30 days of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle stale

@Rainson12

This should be noted in known issues or something, since as soon as any container has sessionAffinity: ClientIP the pods won't be able to communicate with each other.

@docker-robott
Collaborator

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

/lifecycle locked

@docker docker locked and limited conversation to collaborators Nov 26, 2022