@thoraxe
Created April 26, 2015 21:19
Name: docker-registry
Labels: docker-registry=default
Selector: docker-registry=default
IP: 172.30.17.85
Port: <unnamed> 5000/TCP
Endpoints: 10.1.0.2:5000
Session Affinity: None
No events.
I stopped all the services running on the node (master, sdn-master, sdn-node, node) and restarted iptables and then restarted master, sdn-master, sdn-node (which brings up node).
Here's the resulting iptables rules:
# Generated by iptables-save v1.4.21 on Sun Apr 26 17:17:08 2015
*nat
:PREROUTING ACCEPT [4:329]
:INPUT ACCEPT [3:189]
:OUTPUT ACCEPT [19:1229]
:POSTROUTING ACCEPT [19:1229]
:DOCKER - [0:0]
:KUBE-PORTALS-CONTAINER - [0:0]
:KUBE-PORTALS-HOST - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -j KUBE-PORTALS-CONTAINER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j KUBE-PORTALS-HOST
-A POSTROUTING -s 10.1.0.0/24 ! -o lbr0 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE
-A POSTROUTING -s 10.1.0.3/32 -d 10.1.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 10.1.0.3/32 -d 10.1.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A DOCKER ! -i lbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.3:80
-A DOCKER ! -i lbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.0.3:443
COMMIT
# Completed on Sun Apr 26 17:17:08 2015
# Generated by iptables-save v1.4.21 on Sun Apr 26 17:17:08 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1473:448345]
:DOCKER - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT
-A INPUT -i lbr0 -m comment --comment "traffic from docker" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j OS_FIREWALL_ALLOW
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o lbr0 -j DOCKER
-A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lbr0 ! -o lbr0 -j ACCEPT
-A FORWARD -i lbr0 -o lbr0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A DOCKER -d 10.1.0.3/32 ! -i lbr0 -o lbr0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 10.1.0.3/32 ! -i lbr0 -o lbr0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 4001 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10250 -j ACCEPT
COMMIT
# Completed on Sun Apr 26 17:17:08 2015
# Generated by iptables-save v1.4.21 on Sun Apr 26 17:14:07 2015
*nat
:PREROUTING ACCEPT [15:1807]
:INPUT ACCEPT [7:447]
:OUTPUT ACCEPT [242:15338]
:POSTROUTING ACCEPT [242:15338]
:DOCKER - [0:0]
:KUBE-PORTALS-CONTAINER - [0:0]
:KUBE-PORTALS-HOST - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -j KUBE-PORTALS-CONTAINER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j KUBE-PORTALS-HOST
-A POSTROUTING -s 10.1.0.0/24 ! -o lbr0 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE
-A POSTROUTING -s 10.1.0.4/32 -d 10.1.0.4/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 10.1.0.4/32 -d 10.1.0.4/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER ! -i lbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.0.4:443
-A DOCKER ! -i lbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.0.4:80
-A KUBE-PORTALS-CONTAINER -d 172.30.17.2/32 -p tcp -m comment --comment "default/kubernetes:" -m tcp --dport 443 -j REDIRECT --to-ports 51291
-A KUBE-PORTALS-CONTAINER -d 172.30.17.1/32 -p tcp -m comment --comment "default/kubernetes-ro:" -m tcp --dport 80 -j REDIRECT --to-ports 52252
-A KUBE-PORTALS-CONTAINER -d 172.30.17.109/32 -p tcp -m comment --comment "default/router:" -m tcp --dport 80 -j REDIRECT --to-ports 58492
-A KUBE-PORTALS-CONTAINER -d 172.30.17.85/32 -p tcp -m comment --comment "default/docker-registry:" -m tcp --dport 5000 -j REDIRECT --to-ports 46151
-A KUBE-PORTALS-HOST -d 172.30.17.2/32 -p tcp -m comment --comment "default/kubernetes:" -m tcp --dport 443 -j DNAT --to-destination 192.168.133.2:51291
-A KUBE-PORTALS-HOST -d 172.30.17.1/32 -p tcp -m comment --comment "default/kubernetes-ro:" -m tcp --dport 80 -j DNAT --to-destination 192.168.133.2:52252
-A KUBE-PORTALS-HOST -d 172.30.17.109/32 -p tcp -m comment --comment "default/router:" -m tcp --dport 80 -j DNAT --to-destination 192.168.133.2:58492
-A KUBE-PORTALS-HOST -d 172.30.17.85/32 -p tcp -m comment --comment "default/docker-registry:" -m tcp --dport 5000 -j DNAT --to-destination 192.168.133.2:46151
COMMIT
# Completed on Sun Apr 26 17:14:07 2015
# Generated by iptables-save v1.4.21 on Sun Apr 26 17:14:07 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38801:15909757]
:DOCKER - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT
-A INPUT -i lbr0 -m comment --comment "traffic from docker" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j OS_FIREWALL_ALLOW
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o lbr0 -j DOCKER
-A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lbr0 ! -o lbr0 -j ACCEPT
-A FORWARD -i lbr0 -o lbr0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A DOCKER -d 10.1.0.4/32 ! -i lbr0 -o lbr0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 10.1.0.4/32 ! -i lbr0 -o lbr0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 4001 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10250 -j ACCEPT
COMMIT
# Completed on Sun Apr 26 17:14:07 2015
[root@ose3-master ~]# osc get service
NAME              LABELS                                    SELECTOR                  IP              PORT(S)
docker-registry   docker-registry=default                   docker-registry=default   172.30.17.85    5000/TCP
kubernetes        component=apiserver,provider=kubernetes   <none>                    172.30.17.2     443/TCP
kubernetes-ro     component=apiserver,provider=kubernetes   <none>                    172.30.17.1     80/TCP
router            router=router                             router=router             172.30.17.109   80/TCP
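The two NAT dumps above differ in the one place that matters for the docker-registry service: at 17:14:07 the KUBE-PORTALS-CONTAINER and KUBE-PORTALS-HOST chains hold one REDIRECT (PREROUTING path, forwarded traffic such as pod traffic) and one DNAT (OUTPUT path, traffic generated on the node) per service portal, while at 17:17:08, after the restart, both chains are declared but empty. In that state a connection to 172.30.17.85:5000 is never handed to the kube-proxy port and so never reaches the registry endpoint 10.1.0.2:5000. The script below is an added example, not code from the gist or from OpenShift; it cross-checks an `osc get service` listing against an iptables-save NAT dump and names every portal that lacks its rule in either chain. The sample inputs are constructed from the output pasted above.

```shell
#!/bin/sh
# Added example, not part of the gist: check that every service portal from
# `osc get service` has its kube-proxy rules in an iptables-save NAT dump.
# The inputs below are constructed from the output pasted above; on a real
# node replace them with `osc get service` and `iptables-save -t nat`.

SERVICES='NAME LABELS SELECTOR IP PORT(S)
docker-registry docker-registry=default docker-registry=default 172.30.17.85 5000/TCP
kubernetes component=apiserver,provider=kubernetes <none> 172.30.17.2 443/TCP
kubernetes-ro component=apiserver,provider=kubernetes <none> 172.30.17.1 80/TCP
router router=router router=router 172.30.17.109 80/TCP'

# NAT rules as saved at 17:17:08, after the restart: the portal chains exist
# but carry no rules, so nothing rewrites traffic aimed at a service IP.
NAT_AFTER_RESTART=':KUBE-PORTALS-CONTAINER - [0:0]
:KUBE-PORTALS-HOST - [0:0]
-A PREROUTING -j KUBE-PORTALS-CONTAINER
-A OUTPUT -j KUBE-PORTALS-HOST'

# NAT rules as saved at 17:14:07, before the restart: one REDIRECT and one
# DNAT per service portal.
NAT_BEFORE_RESTART='-A KUBE-PORTALS-CONTAINER -d 172.30.17.2/32 -p tcp -m comment --comment "default/kubernetes:" -m tcp --dport 443 -j REDIRECT --to-ports 51291
-A KUBE-PORTALS-CONTAINER -d 172.30.17.1/32 -p tcp -m comment --comment "default/kubernetes-ro:" -m tcp --dport 80 -j REDIRECT --to-ports 52252
-A KUBE-PORTALS-CONTAINER -d 172.30.17.109/32 -p tcp -m comment --comment "default/router:" -m tcp --dport 80 -j REDIRECT --to-ports 58492
-A KUBE-PORTALS-CONTAINER -d 172.30.17.85/32 -p tcp -m comment --comment "default/docker-registry:" -m tcp --dport 5000 -j REDIRECT --to-ports 46151
-A KUBE-PORTALS-HOST -d 172.30.17.2/32 -p tcp -m comment --comment "default/kubernetes:" -m tcp --dport 443 -j DNAT --to-destination 192.168.133.2:51291
-A KUBE-PORTALS-HOST -d 172.30.17.1/32 -p tcp -m comment --comment "default/kubernetes-ro:" -m tcp --dport 80 -j DNAT --to-destination 192.168.133.2:52252
-A KUBE-PORTALS-HOST -d 172.30.17.109/32 -p tcp -m comment --comment "default/router:" -m tcp --dport 80 -j DNAT --to-destination 192.168.133.2:58492
-A KUBE-PORTALS-HOST -d 172.30.17.85/32 -p tcp -m comment --comment "default/docker-registry:" -m tcp --dport 5000 -j DNAT --to-destination 192.168.133.2:46151'

# Emit "<service> <chain>" for each ClusterIP:port that has no matching rule:
# REDIRECT in KUBE-PORTALS-CONTAINER (hooked from PREROUTING) and DNAT in
# KUBE-PORTALS-HOST (hooked from OUTPUT). No output means every portal is
# wired to a proxy port.
missing_portals() {
    services=$1
    nat=$2
    # Take name, IP and port from the first and last two columns so the
    # variable-width LABELS/SELECTOR columns do not matter; skip the header.
    printf '%s\n' "$services" |
        awk 'NR > 1 { split($NF, p, "/"); print $1, $(NF-1), p[1] }' |
        while read -r name ip port; do
            for spec in KUBE-PORTALS-CONTAINER:REDIRECT KUBE-PORTALS-HOST:DNAT; do
                chain=${spec%%:*}
                target=${spec##*:}
                printf '%s\n' "$nat" |
                    grep -q -- "^-A $chain -d $ip/32 .*--dport $port -j $target" ||
                    echo "$name $chain"
            done
        done
}

# Stand-alone run: the post-restart dump lacks all eight rules, the
# pre-restart dump none.
echo "missing after restart (17:17:08):"
missing_portals "$SERVICES" "$NAT_AFTER_RESTART"
echo "missing before restart (17:14:07):"
missing_portals "$SERVICES" "$NAT_BEFORE_RESTART"
```

Run it against live output with `missing_portals "$(osc get service)" "$(iptables-save -t nat)"`; the check deliberately matches on the service IP and port rather than the `--comment` text, since the comment is informational and the IP/port match is what actually decides whether a packet is rewritten.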