Hostname for Rancher Server on AWS

I want to set up a Rancher server and 3 nodes, all on EC2 instances.

I have already set up a classic ELB in front of the server, and it is reachable over HTTPS via the public internet.

When trying to add the nodes (hosts), the UI is asking for a “base URL” that the nodes will use to reach the master.

It is proposing the HTTPS URL/alias for my ELB (e.g. https://mycustomaddress.foo.com) that I use to view the UI.

However, when inside another existing instance:

curl https://mycustomaddress.foo.com

fails.

Should I use the private IP of the instance on which Rancher server resides?

Depends on your needs. If you don’t need external exposure, you can point the DNS to the ELB and have the private addresses in the ELB. If you want to use external addresses, you will need to make sure the security group allows access to it from the nodes trying to register (so curl should succeed).

Also, when setting up ELB, please make sure all requirements are met as described here: http://rancher.com/docs/rancher/v1.6/en/installing-rancher/installing-server/#elb (especially websockets)

If I use the following as the registration URL:

http://<private_ip_of_rancher_server>:8080

wouldn’t that cause issues when the private IP changes?

Or does it remain the same forever throughout the lifecycle of an EC2 instance?

No, the IP would not be a good option as it will be used for host registration but also almost all infrastructure services connect to that URL (CATTLE_URL environment variable). If this changes, you will need to re-create all infrastructure containers to let it pick up the new URL. Also, in general, a component as important as API (or for some, UI) should be discoverable by name, not a static IP.

Here is where the issue lies:

Although I had placed the ELB in a security group that allowed all traffic from within the VPC (i.e. all traffic from source 10.0.0.0/0), https://mycustomaddress.foo.com/ was not reachable from the agents, because when they end up hitting the aforementioned URL, they do so via a public IP.

The solution is to allow all traffic on 443 + 80 to the ELB from all sources (given that one cannot know in advance what public IPs will be assigned to the Rancher hosts created via the UI).
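As an added example (not code from the thread or from Rancher), here is a check for the registration problem described in the last post: given the ELB security group's inbound rules in the shape the EC2 DescribeSecurityGroups API returns them, decide whether a host registering from its public IP on 443 would be admitted. The rule sets, the VPC CIDR 10.0.0.0/16 and the node IP 203.0.113.10 are constructed; the "VPC-only" set reproduces the failing configuration and the "fixed" set the one the post ends with.

```python
import ipaddress

# Constructed sample data shaped like the IpPermissions list that
# EC2 DescribeSecurityGroups returns for the ELB's security group.
# This is not the poster's real configuration.
VPC_ONLY_RULES = [
    {"IpProtocol": "-1", "FromPort": None, "ToPort": None,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},   # all traffic from the VPC
]
# The fix from the thread: 443 and 80 open to any source, because the
# hosts register via their public IPs. The earlier answer's alternative
# (internal ELB with private addresses) avoids opening these ports at all.
FIXED_RULES = VPC_ONLY_RULES + [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def rule_allows(rule, src_ip, port, proto="tcp"):
    """True if one IpPermission entry admits proto/port from src_ip.
    IpProtocol "-1" means all protocols and all ports."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1" and not (
            rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(rng["CidrIp"], strict=False)
               for rng in rule.get("IpRanges", []))


def elb_reachable(rules, src_ip, port=443):
    """Security groups are allow-lists: any matching inbound rule admits
    the flow, and a flow matching no rule is dropped."""
    return any(rule_allows(r, src_ip, port) for r in rules)


if __name__ == "__main__":
    node_public_ip = "203.0.113.10"   # constructed public IP of a new host
    for name, rules in (("VPC-only", VPC_ONLY_RULES), ("fixed", FIXED_RULES)):
        ok = elb_reachable(rules, node_public_ip)
        print(f"{name}: registration from {node_public_ip}:443 "
              f"{'allowed' if ok else 'blocked'}")
```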