I found that I am able to communicate directly with containers on the managed network simply by adding any one of the hosts as a gateway to the network
ip route add 10.42.0.0/16 via <my rancher node>
Is this a supported feature/use case? Or is this something that happens to work that may be removed/broken in the future?
(obviously if I continue to use it, I’d do it by advertising the route, not manually adding it)
It looks like maybe this would break in a multi-environment setup:
Under Rancher’s network, a container will be assigned both a Docker bridge IP (172.17.0.0/16) and a Rancher managed IP (10.42.0.0/16) on the default docker0 bridge. Containers within the same environment are then routable and reachable via the managed network.
Can someone confirm?
This is a bug, not a feature, and will be fixed. The host should only route traffic that is coming from local containers.
The “supported” way would be with a container whose job is to explicitly route, or something like the OpenVPN catalog templates that already exist.
I am looking at https://github.com/rancher/rancher/issues/4324
I tried to reproduce this issue but have not been successful. I have hosts on AWS and added the route as you mentioned, but I am not able to ping. Could you please share your steps to reproduce this issue?
Ok, I have been able to reproduce it locally on my laptop using Virtual Machines.
@vincent Although this is a bug, I do need a convenient way like this to access containers in the managed network.
I think we should not simply add an iptables rule to ban this.
We need a config option to enable/disable communication with the managed network.
I have multiple Rancher hosts; after executing
ip route add 10.42.0.0/16 via <rancher node x>, I can only access containers on Rancher node x and can’t access containers on Rancher node y, z … I found that the vxlan container did not forward packets to other hosts.
I want to access any container in managed network via any rancher host.
How can I achieve this? Please help!
I found the answer myself. Execute
iptables -t nat -A POSTROUTING -j MASQUERADE on the vxlan container.
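The two points of contention in this thread are Vincent’s statement that a host should only route traffic that comes from its local containers, and the blanket MASQUERADE rule in the last post, which makes the host rewrite and forward any traffic into the managed network regardless of where it came from. The following is an added example, not code from the thread or from Rancher: a small audit of `iptables-save` text that flags a POSTROUTING MASQUERADE with no positive source match and a FORWARD chain that admits non-local sources into the 10.42.0.0/16 range. Both rule sets below are constructed for illustration, the function and class names are hypothetical, and the managed subnet and bridge name are assumptions taken from the thread.

```python
import shlex
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `iptables-save` output, modelled on what a network
# agent container might carry after the blanket rule from the last post was
# added. Not captured from a real Rancher host.
RISKY_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.42.0.0/16 ! -d 10.42.0.0/16 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i docker0 -d 10.42.0.0/16 -j ACCEPT
COMMIT
"""

# Constructed hardened counterpart: only sources already in the managed range
# are masqueraded, and only docker0 (local containers) may forward into it.
HARDENED_RULESET = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.42.0.0/16 ! -d 10.42.0.0/16 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i docker0 -d 10.42.0.0/16 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    table: str
    chain: str
    src: Optional[str] = None
    dst: Optional[str] = None
    in_if: Optional[str] = None
    target: Optional[str] = None
    negated: Set[str] = field(default_factory=set)  # options preceded by "!"


def parse_iptables_save(text: str) -> Tuple[List[Rule], Dict[Tuple[str, str], str]]:
    """Parse the subset of iptables-save syntax needed here: table headers,
    chain policies, and -A rules with -s/-d/-i/-j options (others are skipped)."""
    rules: List[Rule] = []
    policies: Dict[Tuple[str, str], str] = {}
    table = ""
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = Rule(table=table, chain=toks[1])
            i = 2
            while i < len(toks):
                negate = toks[i] == "!"
                if negate:
                    i += 1
                opt = toks[i]
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                val = toks[i + 1] if has_val else None
                if opt == "-s":
                    rule.src = val
                elif opt == "-d":
                    rule.dst = val
                elif opt == "-i":
                    rule.in_if = val
                elif opt == "-j":
                    rule.target = val
                if negate:
                    rule.negated.add(opt)
                i += 2 if has_val else 1
            rules.append(rule)
    return rules, policies


def audit_iptables_save(text: str, managed_net: str = "10.42.0.0/16",
                        local_if: str = "docker0") -> List[str]:
    """Return findings where off-host sources could be NATed or forwarded
    into the managed network. Assumes docker0 is the local-container side."""
    rules, policies = parse_iptables_save(text)
    findings: List[str] = []
    for r in rules:
        if (r.table == "nat" and r.chain == "POSTROUTING" and r.target == "MASQUERADE"
                and (r.src is None or "-s" in r.negated)):
            findings.append("nat/POSTROUTING: MASQUERADE with no positive source match, "
                            "so packets not originating in local containers are rewritten too")
        if (r.table == "filter" and r.chain == "FORWARD" and r.target == "ACCEPT"
                and r.dst is not None and ip_network(r.dst) == ip_network(managed_net)
                and r.in_if != local_if and r.src is None):
            findings.append(f"filter/FORWARD: traffic to {managed_net} accepted without "
                            f"restricting it to {local_if} or a local source")
    if policies.get(("filter", "FORWARD")) == "ACCEPT":
        findings.append(f"filter/FORWARD: default policy ACCEPT, so any unmatched source "
                        f"is forwarded into {managed_net}")
    return findings


if __name__ == "__main__":
    for name, ruleset in (("risky", RISKY_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit_iptables_save(ruleset) or ["no findings"])
```

On the risky rule set the audit reports the unrestricted MASQUERADE and the ACCEPT forward policy; the hardened set reports nothing, because the NAT rule carries a `-s 10.42.0.0/16` match and forwarding into the managed range is limited to the docker0 ingress. In practice the same check can be run over the output of `iptables-save` from the network agent container.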