Changing the docker bridge IP range
Changing the docker_gwbridge IP range
Changing the Docker Default Address Pool
Overview
Within Login Enterprise, we reserve private network address spaces for internal routing between the Docker containers. In some instances, you might already be using one of the subnets we use for the docker bridge (docker0: 172.17.0.0/16, gateway 172.17.0.1), docker_gwbridge (192.168.126.0/24, gateway 192.168.126.1), or the ingress network (192.168.127.0/24, gateway 192.168.127.1). An overlap makes the web interface unreachable and prevents the launchers from authenticating. You need to change the subnet(s) that Docker uses so they do not conflict with your own; the three Docker networks must also not overlap with each other.
Docker also automatically allocates internal overlay networks from its default address pool, currently 10.0.0.0/24 through 10.0.3.0/24. These networks exist only inside the containers, so they do not conflict with external networks using the same ranges, with one exception: a container routes those ranges internally, so if your external DNS server is on one of those subnets, the containers cannot reach it and DNS lookups fail. Currently, the only time a container needs an external DNS lookup is when you update the web drivers. The web interface then reports "Failed to check for update. Please try again later." and the container logs for LoginEnterprise report "Resource temporarily unavailable." In that case, change the Default Address Pool so that it does not include the subnet your DNS server is on.
You can change the configuration using the commands below. To enter them, open the Linux Bash shell via the maintenance menu. For more information, see the Maintenance menu. Before you begin, note the ranges currently in use (docker network ls and docker network inspect on each network) so you can confirm the change afterwards.
Changing the ingress IP range
To set the ingress IP range, you need to choose both your reserved subnet and a gateway address within that subnet. The default network is 192.168.127.0/24 and the default gateway is 192.168.127.1. For this example, we will change the network to 172.23.0.0/16 with gateway 172.23.0.1. Note that the docker bridge example further down uses the same 172.23.0.0/16 range; if you change both networks, pick a different range for each.
# stop LoginVSI
loginvsid stop
# remove the gateway service
docker service rm VSI_gateway
#remove the docker ingress network
docker network rm ingress #Docker warns that this is the routing-mesh network and asks for confirmation; answer y
# check that the docker ingress network is no longer in the list
docker network ls
#if it's still in the list, try removing it again; if that also fails, restart the docker daemon with: service docker restart
#create the new ingress network with the new subnet; the gateway is a plain address without a prefix length
docker network create --ingress --driver overlay --subnet 172.23.0.0/16 --gateway 172.23.0.1 ingress
# start the loginvsi daemon, which recreates the gateway service
loginvsid start
It can take a moment for the web interface to be reachable again, so please be patient.
Changing the docker bridge IP range
To set the docker bridge network, you specify the IP address you want for the docker0 interface together with the prefix length; Docker derives the subnet from it. To confirm the current address, run "ifconfig docker0" (or "ip addr show docker0" if ifconfig is not installed).
The default is 172.17.0.1/16. In this example, we will change it to 172.23.0.1/16. This is the same range the ingress example above uses; if you change both networks, pick a different range for each. After the restart, "ip addr show docker0" should show the new address.
#stop login service
loginvsid stop
#stop docker
service docker stop
#modify docker daemon.json and add bridge ip with subnet mask. example "bip": "172.23.0.1/16",
nano /etc/docker/daemon.json
#start docker
service docker start
#start login service
loginvsid start
Note that the content of the daemon.json file should look like this. It must remain valid JSON (in particular, no trailing comma after the last entry), otherwise Docker refuses to start:
{
"log-driver": "json-file",
"log-opts": {"max-size": "100m", "max-file": "3"},
"bip": "172.23.0.1/16"
}
Changing the docker_gwbridge IP range
To set the docker_gwbridge IP range, you need to choose both your reserved subnet and a gateway address within that subnet. The default network is 192.168.126.0/24 and the default gateway is 192.168.126.1. In the example below, we will change it to 172.20.0.0/16 with gateway 172.20.0.1.
Note that if you change the docker_gwbridge subnet, the APPLIANCE_GUARD_URL setting in the /loginvsi/.env file (default: 192.168.126.1:8080) must be updated to the new gateway address, keeping the port, before you run loginvsid start; otherwise the services still point at the old address. After the restart, "docker network inspect docker_gwbridge" should show the new subnet and gateway.
#stop docker containers
loginvsid stop
#disconnect ingress-sbox endpoint
docker network disconnect -f docker_gwbridge gateway_ingress-sbox
#remove docker_gwbridge network
docker network rm docker_gwbridge
#create new docker_gwbridge network with different subnet
docker network create --subnet 172.20.0.0/16 --gateway 172.20.0.1 \
  -o com.docker.network.bridge.enable_icc=false \
  -o com.docker.network.bridge.enable_ip_masquerade=true \
  -o com.docker.network.bridge.name=docker_gwbridge \
  docker_gwbridge
#restart docker
service docker restart
#start docker containers
loginvsid start
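The .env update described above, as an added shell example that is not part of the appliance or its scripts: it rewrites the host part of APPLIANCE_GUARD_URL to the new docker_gwbridge gateway while keeping the port already in the file, refuses a value that is a subnet rather than an address (a common slip, since the network create command takes a prefix length and the URL does not), and prints the resulting value so you can confirm it before loginvsid start. The .env contents are a constructed sample; only the variable name and its default come from this article, and the helper names are my own.

```shell
#!/bin/sh
# Added example: keep APPLIANCE_GUARD_URL in step with a new docker_gwbridge
# gateway. Helper names are mine; the variable name and default port come from
# the procedure above.

# guard_url_port "192.168.126.1:8080" -> 8080 (falls back to 8080, the
# default port in this article, when the current value carries none)
guard_url_port() {
    case $1 in
        *:*) echo "${1##*:}" ;;
        *)   echo 8080 ;;
    esac
}

# is_ipv4 ADDR: succeed only for a plain dotted quad, so a CIDR such as
# 172.20.0.1/16 is rejected before it reaches the file.
is_ipv4() {
    case $1 in
        */*|*[!0-9.]*) return 1 ;;
    esac
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$1
EOF
    [ -n "$o4" ] && [ -z "$rest" ] || return 1
    for o in "$o1" "$o2" "$o3" "$o4"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# set_guard_url ENVFILE GATEWAY: replace the host part of APPLIANCE_GUARD_URL
# with GATEWAY, keep the port already in the file, print the new value.
set_guard_url() {
    envfile=$1; gateway=$2
    is_ipv4 "$gateway" || { echo "not an IPv4 address: $gateway" >&2; return 1; }
    current=$(sed -n 's/^APPLIANCE_GUARD_URL=//p' "$envfile")
    [ -n "$current" ] || { echo "APPLIANCE_GUARD_URL missing in $envfile" >&2; return 1; }
    port=$(guard_url_port "$current")
    tmp=$(mktemp) || return 1
    # write to a temp file and move it into place (portable; avoids sed -i)
    sed "s#^APPLIANCE_GUARD_URL=.*#APPLIANCE_GUARD_URL=$gateway:$port#" "$envfile" > "$tmp" \
        && mv "$tmp" "$envfile"
    sed -n 's/^APPLIANCE_GUARD_URL=//p' "$envfile"
}

# Constructed sample .env (not a real appliance file) for a stand-alone run;
# on the appliance you would pass /loginvsi/.env instead.
SAMPLE_ENV=$(mktemp)
cat > "$SAMPLE_ENV" <<'EOF'
OTHER_SETTING=keep-me
APPLIANCE_GUARD_URL=192.168.126.1:8080
EOF
set_guard_url "$SAMPLE_ENV" 172.20.0.1
set_guard_url "$SAMPLE_ENV" 172.20.0.1/16 || echo "rejected, as intended"
```

Run it as root on the appliance with /loginvsi/.env as the first argument and the gateway you passed to docker network create as the second; the last line of output is the value that will be in effect when you run loginvsid start.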
Changing the Docker Default Address Pool
Docker automatically chooses a set of 24-bit (/24) subnets for the internal overlay networks it creates. By default it draws them from the pool 10.0.0.0/8 with a 24-bit subnet mask length, and Login Enterprise currently has 4 internal networks, 10.0.0.0/24 through 10.0.3.0/24. You need to identify a contiguous range of addresses that Docker can partition into /24 subnets and that does not contain your DNS server. A 22-bit pool is sufficient for the 4 networks LE needs as of version 5.14; however, to leave room to grow, we recommend a 20-bit pool at a minimum. For instance, to configure a 20-bit pool starting at 10.0.128.0, which spans 10.0.128.0 through 10.0.143.255 and gives Login Enterprise the first four subnets, 10.0.128.0/24 through 10.0.131.0/24, run these commands. Afterwards, "docker info" lists the new pool under Swarm (Default Address Pool), and "docker network inspect" on the Login Enterprise networks shows the new subnets.
loginvsid stop
docker swarm init --default-addr-pool 10.0.128.0/20 --force-new-cluster
loginvsid start