Manage Interfaces

Guido_Steiner · October 19, 2016, 4:53pm

I have two Nic on my Hosts. After I configured eth1 I noticed that OpenSSH to the console changed to this interface.

Container I started are only reachable over eth1. Container in a stack are reachable over both nic’s. Possible iptables?

So two question:

How can I controll on which ports SSH is running for the console?
How can I controll on which network a container is reachable?

Regards
Guido

sjiveson · October 20, 2016, 2:16pm

I think you’re saying that containers you manually start are only reachable over one interface but ones Rancher starts are reachable over both? Not sure about why that might be unless you are specifying an address when you map ports through.

You can do this by specifying a host address when port mapping (-p with docker run, ports: with compose).

In my experience SSH listens on all interfaces by default, as an example from a host I run:

$ ss -ltn |grep 22
LISTEN     0      128          *:22                       *:*
LISTEN     0      128         :::22                      :::*

You have a few options around how you might control this;

The easy option I suppose is to switch to a persistent console and then configure SSHd in the usual way
I also wonder if it’s possible to use the default busybox console and use write_files to overwrite the /etc/ssh/sshd_config file, in a similar way to what is described here for ntp.conf: http://docs.rancher.com/os/configuration/write-files/

Guido_Steiner · October 20, 2016, 3:28pm

Looks like to me that rancher/os-console:v0.6.1 runs with --net=host since it dosn’t show any ports:
[rancher@RancherOS ~]$ sudo system-docker port console
[rancher@RancherOS ~]$

Well with publishing port I can’t controll on which interface a container is reachable. Guess I will now play a little with docker network create -d mcvlan.

Thanks for helping

sjiveson · October 20, 2016, 4:08pm

The console container is a bit ‘weird’ and I wouldn’t rely on the output of that command to be valid. The console container clearly does use port 22.

I’m not sure if that was a typo or what but I said the complete opposite you can control the interface if you are mapping ports with -p or ports:. For instance to export port 80 on the host on address 10.11.12.99 and map it to port 8080 on a container:

docker run ... -p 10.11.12.99:80:8080 ...

Topic		Replies	Views
Bind Rancher managed network to a specific eth interface on the host?	0	1386	September 30, 2016
Is it possible to select on which network interface open ports? Rancher 1.x	2	991	February 23, 2016
RancherOS Networking RancherOS	6	4861	October 26, 2016
Accessing Rancher on multiple interfaces Rancher 2.x	5	1013	March 19, 2021
Containers / RancherVMs with additional, bridged network interfaces Rancher 1.x	2	1198	July 23, 2015

Manage Interfaces

Related Topics