[newbie] Dynamic ports are exposed on the host

coliny · December 12, 2017, 5:37pm

Hi,

I have rancher install on a single host with a number of services which all define internal port bindings. I also have a single loadbalancer which forwards 80/443 to the relevant services. This works wonderfully.

However, I was somewhat horrified to discover that every ‘internal’ port is mapped to a dynamic port on the host (obviously) but that is also accessible to the outside world.

Specifically, if my internal container has an IP of 10.42.1.1 and a dynamic port of 63321 then visiting host:63321 bypasses the loadbalancer and takes you through to port 80.

Is this expected? I assumed that Rancher would update iptables to prevent accessing these?

What have I missed?

Thanks!

coliny · December 12, 2017, 5:49pm

Ah, I think I found it.

I mistakenly assumed I had to add a port mapping for each exposed port, but leave the ‘public’ port blank.

If I remove the mapping completely then the loadbalancer still works but there are no dynamic ports bound to 0.0.0.0.

Topic		Replies	Views
Dynamic ports for loadbalanced multiple container one same hosts? Rancher 1.x	0	843	April 13, 2016
Load balancer on dynamic ports (worked before 1.2 .....) Rancher 1.x	4	1951	February 16, 2017
[newbie] Confused about internal loadbalancer Rancher 1.x	0	827	December 12, 2017
Dynamically capturing Rancher LB Ports	0	819	October 13, 2016
Rancher 2.x - Port and IP Confusion Rancher	5	2626	July 18, 2018

[newbie] Dynamic ports are exposed on the host

Related topics