Connectivity issue when using Docker-in-Docker approach with Calico

Issue

  • Docker image builds (Docker-in-Docker approach) are randomly failing when accessing external resources
$ docker build .
...
Get:1 http://security.debian.org/debian-security/ jessie/updates/main libssl1.0.0 amd64 1.0.1t-1+deb8u11 [1047 kB]
Get:2 http://deb.debian.org/debian/ jessie/main libkeyutils1 amd64 1.5.9-5+b1 [12.0 kB]
Get:3 http://security.debian.org/debian-security/ jessie/updates/main libkrb5support0 amd64 1.12.1+dfsg-19+deb8u5 [59.5 kB]
Get:4 http://security.debian.org/debian-security/ jessie/updates/main libk5crypto3 amd64 1.12.1+dfsg-19+deb8u5 [115 kB]
Get:5 http://security.debian.org/debian-security/ jessie/updates/main libkrb5-3 amd64 1.12.1+dfsg-19+deb8u5 [303 kB]
Get:6 http://security.debian.org/debian-security/ jessie/updates/main libgssapi-krb5-2 amd64 1.12.1+dfsg-19+deb8u5 [152 kB]
Get:7 http://security.debian.org/debian-security/ jessie/updates/main libidn11 amd64 1.29-1+deb8u3 [137 kB]
Get:8 http://security.debian.org/debian-security/ jessie/updates/main libssh2-1 amd64 1.4.3-4.1+deb8u3 [127 kB]
Get:9 http://security.debian.org/debian-security/ jessie/updates/main libcurl3 amd64 7.38.0-4+deb8u15 [259 kB]
Get:10 http://security.debian.org/debian-security/ jessie/updates/main krb5-locales all 1.12.1+dfsg-19+deb8u5 [2649 kB]
Get:11 http://security.debian.org/debian-security/ jessie/updates/main openssl amd64 1.0.1t-1+deb8u11 [665 kB]
Get:12 http://security.debian.org/debian-security/ jessie/updates/main ca-certificates all 20141019+deb8u4 [185 kB]
Get:13 http://security.debian.org/debian-security/ jessie/updates/main curl amd64 7.38.0-4+deb8u15 [204 kB]
Err http://deb.debian.org/debian/ jessie/main libkeyutils1 amd64 1.5.9-5+b1
  Connection failed
Get:14 http://deb.debian.org/debian/ jessie/main libsasl2-modules-db amd64 2.1.26.dfsg1-13+deb8u1 [67.1 kB]
Get:15 http://deb.debian.org/debian/ jessie/main libsasl2-modules-db amd64 2.1.26.dfsg1-13+deb8u1 [67.1 kB]
Get:16 http://deb.debian.org/debian/ jessie/main libsasl2-2 amd64 2.1.26.dfsg1-13+deb8u1 [105 kB]
Get:17 http://deb.debian.org/debian/ jessie/main libldap-2.4-2 amd64 2.4.40+dfsg-1+deb8u4 [218 kB]
Get:18 http://deb.debian.org/debian/ jessie/main librtmp1 amd64 2.4+20150115.gita107cef-1+deb8u1 [60.0 kB]
Get:19 http://deb.debian.org/debian/ jessie/main libsasl2-modules amd64 2.1.26.dfsg1-13+deb8u1 [101 kB]
Fetched 6456 kB in 8min 6s (13.3 kB/s)
E: Failed to fetch http://deb.debian.org/debian/pool/main/k/keyutils/libkeyutils1_1.5.9-5+b1_amd64.deb  Connection failed

Environment

Related Issue

Explanation

The default maximum transmission unit (MTU) value of Calico might have been changed to 1440 if you have upgraded from a version prior to v3.1 of Calico,
while the Docker bridge (docker0) MTU is 1500 by default.
That may lead to network connectivity issues/instabilities.

Resolution

The MTU needs to be the same between the docker0 and calico network interfaces.
The MTU value depends on your environment and setup.
See the Calico guide.

Possible solutions:

  • Change the default MTU value of the docker0 bridge to match the Calico MTU. See the Docker guide.
  • Change the default MTU value of Calico to match the default docker0 bridge.
    If using kops, the Calico configuration is located in the calico-config configmap as the property veth_mtu.
    After updating it, you need to rotate all Calico containers.
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.