Docker Swarm Service Can Not Be Reached on Different Node After Period

Question

Problem

I have a service running in Docker Swarm in an overlay network, which I start like this:

docker service create \
  --name db-master \
  --label type=database \
  --constraint "engine.labels.type == database" \
  --network starnet \
  --mount type=bind,source=/var/lib/mysql,target=/var/lib/mysql \
  -e MYSQL_ALLOW_EMPTY_PASSWORD=yes \
  percona:5.6.32

The service starts fine, and is reachable as expected from inside a different service, running on a different node in the swarm -- only if "All traffic" is opened on the security group (I'm on AWS).

The db-master service above can not be reached from the other service on the other node if only the necessary ports (2377, 4789, 7946) are open.

Details of my Setup

• I have the following ports open in the subnet on both UDP and TCP: 2377, 4789, 7946
• Running ubuntu 16.04 LTS
• Running Docker 1.12.2

What I've Tried

• Opening port 3306, just for giggles
• Opening all TCP ports
• Opening all UDP ports
• Opening ICMP

The Kicker

Despite the opening of all UDP and TCP ports not making any difference, if I open up "All traffic", it starts working immediately.

Obviously this points to something not being open between the nodes, but seeing as how I've tried opening up all UDP and TCP ports both separately and together, I'm struggling to figure out what this could be.

Answer 1

Turns out that as well as the documented ports, you will also need to open up a custom protocol called ECP (protocol 50 as a "Custom protocol" in an AWS security group).

Had to file a bug report to get the answer, but at least it'll be added to the documentation now :)