Subnet connectivity issues

Within our appliance, we reserve private network address spaces for internal routing between the docker images. In some instances, you might be using the same subnet we use for the docker bridge (172.17.0.1/16), docker_gwbridge (172.18.0.0/16), and ingress network (10.255.0.0/16).

This will cause the web interface to be unreachable and launchers to fail to authenticate. You can change the configuration using the following commands.

(Note: to enter these commands you have to enter the Linux Bash shell via the "maintenance menu". To do this, please refer to the following KB article: https://support.loginvsi.com/hc/en-us/articles/360001278860-4-Maintenance-Menu)

Steps for changing the ingress IP range.

You will need to choose both your reserved subnet and an IP address within that subnet. The default network is 10.255.0.0/16. The default IP address (shown as "gateway" below) is 10.255.0.1.

# stop LoginVSI
loginvsid stop
# remove the gateway service
docker service rm VSI_gateway
#remove the docker ingress network
docker network rm ingress  #yes we're sure
# check that docker ingress network is not in the list
docker network ls
# if it's still in the list, try removing it again; if that also fails, restart the docker daemon: service docker restart
#create the new ingress network with a different subnet ip
docker network create --ingress --driver overlay --subnet 203.0.113.0/24 --gateway 203.0.113.1 ingress
# start the loginvsi daemon to start the gateway again
loginvsid start

It can take a moment for the web interface to be reachable again, so please be patient.

 

Steps for changing the docker bridge IP range.

To set the docker bridge network, you actually need to specify the IP address you want to use for the docker0 interface, along with the subnet size.  You can run "ifconfig docker0" to confirm the current address.

Default is 172.17.0.1/16.

#stop login service
loginvsid stop

#stop docker
service docker stop

#modify docker daemon.json and add bridge ip with subnet mask. example "bip": "172.23.0.1/16",
nano /etc/docker/daemon.json

#start docker
service docker start

#start login service
loginvsid start

Notes - The content of the daemon.json file should look like:

{
  "log-driver": "json-file",
  "log-opts": {"max-size": "100m", "max-file": "3"},
  "bip": "172.23.0.1/16"
}

Credit to Vance Cozier for spending time with us to improve this documentation.

Steps for changing the docker_gwbridge IP range.

You will need to choose both your reserved subnet and an IP address within that subnet. The default network is 172.18.0.0/16. The default IP address (shown as "gateway" below) is 172.18.0.1.

Note - if changing the docker_gwbridge subnet, the appliance guard url (default: 172.18.0.1:8080) in the /loginvsi/.env file must also be in the same subnet.

#stop docker containers
loginvsid stop

#disconnect ingress-sbox endpoint
docker network disconnect -f docker_gwbridge gateway_ingress-sbox

#remove docker_gwbridge network
docker network rm docker_gwbridge

#create new docker_gwbridge network with different subnet
docker network create --subnet 172.20.0.0/16 --gateway 172.20.0.1 -o com.docker.network.bridge.enable_icc=false -o com.docker.network.bridge.enable_ip_masquerade=true -o com.docker.network.bridge.name=docker_gwbridge docker_gwbridge

#restart docker
service docker restart

#start docker containers
loginvsid start
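
Before running any of the three procedures above, it helps to confirm that the replacement subnet does not overlap a range already in use and that the gateway (and, for docker_gwbridge, the appliance guard address) is a host address inside it. The following is an added example, not part of the original article or the product; the function names and the in-use ranges are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a replacement Docker subnet.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# Print the first and last address (as integers) of a CIDR block.
cidr_range() (
    addr=$(ip_to_int "${1%/*}"); len=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    first=$(( addr & mask ))
    echo "$first $(( first + (~mask & 0xFFFFFFFF) ))"
)

# Succeed when two CIDR blocks share at least one address.
cidr_overlap() (
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
)

# Succeed when address $1 is a host address (not network/broadcast) in CIDR $2.
ip_in_cidr() (
    addr=$(ip_to_int "$1")
    set -- $(cidr_range "$2")
    [ "$addr" -gt "$1" ] && [ "$addr" -lt "$2" ]
)

# check_candidate SUBNET GATEWAY IN_USE_CIDR...
# Prints every problem found and returns non-zero if there is one.
check_candidate() {
    cc_net=$1; cc_gw=$2; cc_rc=0; shift 2
    ip_in_cidr "$cc_gw" "$cc_net" || { echo "$cc_gw is not a host address in $cc_net"; cc_rc=1; }
    for cc_used in "$@"; do
        if cidr_overlap "$cc_net" "$cc_used"; then
            echo "$cc_net overlaps in-use range $cc_used"; cc_rc=1
        fi
    done
    return $cc_rc
}

# Constructed sample: ranges routed at a hypothetical site, plus the
# appliance ingress network left on its default.
IN_USE="172.16.0.0/14 10.255.0.0/16"
check_candidate 172.18.0.0/16 172.18.0.1 $IN_USE || echo "pick another range"
check_candidate 172.20.0.0/16 172.20.0.1 $IN_USE && echo "172.20.0.0/16 is free"
```

When changing docker_gwbridge, ip_in_cidr can also be run with the appliance guard address from /loginvsi/.env against the new subnet.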