"Host IP" in load balancer configuration not working

In the new UI for configuring a load balancer, there is a “Show host IP address options” link which reveals a “Host IP” field for port rules. However, this field seems to do nothing; filling in a value here apparently does not result in anything going into the compose YAML, and when going back in to edit the LB the fields are all blank again.

I have the Rancher agent running on the same host as my Rancher server, and I would like to run a load balancer on this host as well, but on a different IP address to the web frontend for the Rancher server; however, since by default the NAT rules for the LB intercept all outgoing 443 connections, the agent is no longer able to connect to the Rancher server, as it ends up connecting to the load balancer instead.

Help! :blush:

@mithrandi - What version of Rancher are you using? There are two issues you are talking about:

  1. When editing, the HostIP field is missing and blank (this I was able to reproduce and will enter an issue in our bug database; also, if you save at this point, the hostip that was there before will be removed)
  2. After creating a new load balancer, the HostIP is not showing up in the yaml or saving (this I was actually not able to reproduce.)

I was able to go to View config and see the hostip saved in the docker-compose.yml. It is in the Port section and will look something like:

ports: -

Also, when I clicked on the service to see its detail and went to the Port tab, the host IP was showing there as well.
I will enter an issue for the edit, but like I said cannot reproduce the other issue.

I’m using Rancher 1.3.0 currently, but had the same problem with 1.2.2. The port section is as you described, but note that Rancher load balancers do not use Docker port publishing at all, so this value is essentially irrelevant; instead of setting up a port to be published by Docker, custom iptables NAT rules are installed in the CATTLE_OUTPUT table (among other places) for the load balancer, and an IP address selector is not included in the rules. For example:

Chain CATTLE_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
10623  637K DNAT       tcp  --  *      *              tcp dpt:443 ADDRTYPE match dst-type LOCAL to:

Inspecting the load balancer container in Docker shows no published ports:

$ docker inspect -f '{{ .NetworkSettings.Ports }}' r-Web-web-lb-1-d1982feb 

However, I just noticed that the rules in CATTLE_PREROUTING do have an IP address selector:

   13   760 MARK       tcp  --  !docker0 *        tcp dpt:443 MARK set 0x1068
   13   760 DNAT       tcp  --  !docker0 *        tcp dpt:443 to:
    0     0 DNAT       tcp  --  *      *        tcp dpt:443 to:

So I guess this is actually a bug in the networking layer?

I went ahead and created an issue for the networking part since I have a better explanation of the cause of my problems than when I started: https://github.com/rancher/rancher/issues/7349
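The diagnosis above hinges on one property of the NAT rules: a DNAT rule that matches only on the destination port, with no destination-address (-d) selector, redirects every local connection to that port, including the agent's own connection to the Rancher server. The script below is an added example, not code from the thread or from Rancher: it scans rules in `iptables -S` format and lists the DNAT rules for a given port that carry no `-d` selector, so an operator can confirm on a host whether a load balancer rule is broader than intended. The sample rules and the 10.42.0.5 / 192.0.2.10 addresses are constructed to resemble the CATTLE_OUTPUT and CATTLE_PREROUTING rules quoted above and are not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Rancher): flag DNAT rules that
# match a destination port but have no destination-address (-d) selector,
# which is what makes the CATTLE_OUTPUT rule above catch all local :443 traffic.

# Constructed sample in `iptables -t nat -S` format; chains mirror the thread,
# addresses are placeholders.
SAMPLE_RULES='-A CATTLE_OUTPUT -p tcp -m tcp --dport 443 -m addrtype --dst-type LOCAL -j DNAT --to-destination 10.42.0.5:443
-A CATTLE_PREROUTING ! -i docker0 -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x1068/0xffffffff
-A CATTLE_PREROUTING -d 192.0.2.10/32 ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.42.0.5:443
-A CATTLE_PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.42.0.5:443'

# Print every DNAT rule in $2 whose --dport equals $1 and which lacks a -d selector.
unselected_dnat_rules() {
    port="$1"
    printf '%s\n' "$2" | awk -v port="$port" '
        / -j DNAT / {
            matches_port = 0; has_dst = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == port) matches_port = 1
                if ($i == "-d") has_dst = 1
            }
            if (matches_port && !has_dst) print
        }'
}

# Number of such rules, as a plain integer (0 when none match).
count_unselected() {
    unselected_dnat_rules "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample. On a live host the same
# check is: unselected_dnat_rules 443 "$(iptables -t nat -S)"   (needs root)
echo "DNAT rules for :443 with no destination selector:"
unselected_dnat_rules 443 "$SAMPLE_RULES"
echo "count: $(count_unselected 443 "$SAMPLE_RULES")"
```

In the constructed sample, the CATTLE_OUTPUT rule and the last CATTLE_PREROUTING rule are reported, while the PREROUTING rule scoped to 192.0.2.10/32 is not; that is exactly the distinction the thread draws between the two chains. A rule reported here redirects every connection to that port that the chain sees, so a service on the same host that needs to reach port 443 elsewhere (here, the agent reaching the Rancher server) will be captured by it.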