Subnet connectivity issues

Overview

Login Enterprise reserves private network address ranges for internal routing between its Docker containers. In some instances, your own network might already use the same subnet we use for the docker bridge (172.17.0.1/16), docker_gwbridge (192.168.126.1/24), or ingress network (192.168.127.1/24).

This will cause the web interface to be unreachable, and the launchers will not authenticate. You can change the configuration using the following commands.

To enter these commands, you must enter the Linux Bash shell via the maintenance menu. For more information, see the Maintenance menu.

Changing the ingress IP range

To set the ingress IP range, you need to choose both your reserved subnet and an IP address within that subnet. The default network is 192.168.126.0/24. The default IP address (shown as "gateway" below) is 192.168.126.1. For this example, we will change the network to 172.23.0.1/16.

# stop LoginVSI
loginvsid stop
# remove the gateway service
docker service rm VSI_gateway
# remove the docker ingress network
docker network rm ingress  # yes we're sure
# check that the docker ingress network is not in the list
docker network ls
# if it's still in the list, try removing it again; if that also fails, restart the docker daemon: service docker restart
# create the new ingress network with a different subnet (the gateway is a plain IP address, without a prefix length)
docker network create --ingress --driver overlay --subnet 172.23.0.0/16 --gateway 172.23.0.1 ingress
# start the loginvsi daemon to start the gateway again
loginvsid start

It can take a moment for the web interface to be reachable again, so please be patient.

Changing the docker bridge IP range

To set the docker bridge network, you need to specify the IP address you want to use for the docker0 interface, along with the subnet size. To confirm the current address, run "ifconfig docker0".

The default is 172.17.0.1/16. In this example, we will change it to 172.23.0.1/16.

#stop login service
loginvsid stop

#stop docker
service docker stop

#modify docker daemon.json and add bridge ip with subnet mask. example "bip": "172.23.0.1/16",
nano /etc/docker/daemon.json

#start docker
service docker start

#start login service
loginvsid start

Note that the content of the daemon.json file should look like this:

{
  "log-driver": "json-file",
  "log-opts": {"max-size": "100m", "max-file": "3"},
  "bip": "172.23.0.1/16"
}

Changing the docker_gwbridge IP range

To set the docker_gwbridge IP range, you need to choose both your reserved subnet and an IP address within that subnet. The default network is 192.168.126.0/24. The default IP address (shown as "gateway" below) is 192.168.126.1. In the example below, we will change it to 172.20.0.1/16.

Note that if changing the docker_gwbridge subnet, the APPLIANCE_GUARD_URL (default: 192.168.126.1:8080) in the /loginvsi/.env file must match the docker_gwbridge address.

#stop docker containers
loginvsid stop

#disconnect ingress-sbox endpoint
docker network disconnect -f docker_gwbridge gateway_ingress-sbox

#remove docker_gwbridge network
docker network rm docker_gwbridge

#create new docker_gwbridge network with different subnet
docker network create --subnet 172.20.0.0/16 --gateway 172.20.0.1 -o com.docker.network.bridge.enable_icc=false -o com.docker.network.bridge.enable_ip_masquerade=true -o com.docker.network.bridge.name=docker_gwbridge docker_gwbridge

#restart docker
service docker restart

#start docker containers
loginvsid start
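
A pre-check for the three procedures above, as an added example that is not part of the Login Enterprise documentation: it tests whether a candidate range overlaps a range already in use (including a range you have just assigned to another Docker network) and whether the chosen gateway lies inside its subnet. The function names and the sample list are constructed for illustration; the 172.23.40.0/24 route is made up.

```sh
#!/bin/sh
# Added example: POSIX sh helpers, each function body runs in a subshell
# so its variables stay local.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() (
  IFS=.
  set -- $1                       # split the dotted quad on dots
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# cidr_range ADDR[/LEN] -> "first last" as integers (host bits are ignored,
# so 172.23.0.1/16 and 172.23.0.0/16 give the same range)
cidr_range() (
  n=$(ip_to_int "${1%/*}")
  case $1 in */*) len=${1#*/} ;; *) len=32 ;; esac
  size=$(( 1 << (32 - $len) ))    # number of addresses in the prefix
  first=$(( $n - $n % $size ))
  echo "$first $(( $first + $size - 1 ))"
)

# cidr_overlap A B -> exit 0 if the two ranges share any address
cidr_overlap() (
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
)

# gateway_in_subnet GATEWAY SUBNET -> exit 0 if the gateway is inside
gateway_in_subnet() { cidr_overlap "$1/32" "$2"; }

# check_candidate CANDIDATE NET... -> prints each conflict, exit 1 if any
check_candidate() (
  cand=$1; shift; rc=0
  for net in "$@"; do
    if cidr_overlap "$cand" "$net"; then
      echo "conflict: $cand overlaps $net"
      rc=1
    fi
  done
  exit "$rc"
)

# Constructed sample: the default ranges from this page plus one made-up LAN route.
IN_USE="172.17.0.0/16 192.168.126.0/24 192.168.127.0/24 172.23.40.0/24"
check_candidate 172.23.0.1/16 $IN_USE || echo "pick another range"
# On the appliance, feed it the live routing table instead:
#   check_candidate 172.23.0.0/16 $(ip -4 route show | awk '$1 ~ "/" {print $1}')
```

The live routing table also lists the current Docker ranges, so a conflict reported against the network you are about to replace is expected.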