Routing Managed Network

bengerman · March 31, 2016, 6:23pm

I found that I am able to communicate directly with containers on the managed network simply by adding any one of the hosts as a gateway to the network ip route add 10.42.0.0/16 via <my rancher node>
Is this a supported feature/use case? Or is this something that happens to work that may be removed/broken in the future?
(obviously if I continue to use it, I’d do it by advertising the route, not manually adding it)

It looks like maybe this would break in a multi-environment setup:

Under Rancher’s network, a container will be assigned both a Docker bridge IP (172.17.0.0/16) and a Rancher managed IP (10.42.0.0/16) on the default docker0 bridge. Containers within the same environment are then routable and reachable via the managed network.

Can someone confirm?

Eduardo_Terzella · April 5, 2016, 11:06pm

Hello,

I have the same doubts.

vincent · April 6, 2016, 3:33am

This is a bug, not a feature, and will be fixed. The host should only route traffic that is coming from local containers.

The “supported” way would be with a container that’s job is to explicitly route, or something like the OpenVPN catalog templates that already exist.

leodotcloud · October 20, 2016, 1:38am

@bengerman
I am looking at https://github.com/rancher/rancher/issues/4324

I tried to reproduce this issue but have not been successful. I have hosts on AWS, added route as you mentioned but I am not able to ping. Could you please share your steps to reproduce this issue?

leodotcloud · October 20, 2016, 2:11am

Ok, I have been able to reproduce it locally on my laptop using Virtual Machines.

chshawkn · July 5, 2017, 10:01am

@vincent Although this is a bug, but I do need a convenient way like this to access containers in managed network.
I think we should not simply add a iptables rule to ban this.
We need a config option to enable/disable communicate with managed network.

I have multi rancher hosts, after execute ip route add 10.42.0.0/16 via <rancher node x>, I can only access containers on rancher node x, cant access containers on rancher node y, z … I found the vxlan container did not forward packets to other hosts.

I want to access any container in managed network via any rancher host.
How can I achieve this? Please help!

chshawkn · July 5, 2017, 3:09pm

I found the answer myself. Execute iptables -t nat -A POSTROUTING -j MASQUERADE on vxlan container.

Topic		Replies	Views
How to bridge the overlay network with the hosts network? Rancher 1.x	2	1921	October 5, 2015
Externally routing the overlay network Rancher 1.x	2	1222	August 30, 2016
Network Configuration, Routing, DNS Rancher 1.x	4	2096	May 5, 2017
Routing containers through a different gateway Rancher 1.x	1	843	November 6, 2017
Port mapping to Rancher network Rancher 1.x	21	7628	May 24, 2016

Routing Managed Network

Related Topics