Within our appliance, we reserve private network address spaces for internal routing between the Docker containers. In some instances, your own network might use the same subnet we use for the docker, docker_gwbridge, or ingress networks. The reserved subnets are 172.17.0.0/16, 172.18.0.0/16, and 10.255.0.0/16.
Such an overlap causes the web interface to be unreachable and prevents launchers from authenticating. You can change the configuration using the following commands.
(Note: to enter these commands you have to open the "maintenance menu". To do this, please refer to the following KB article: https://support.loginvsi.com/hc/en-us/articles/360001278860-4-Maintenance-Menu)
Steps for changing the ingress IP range. Default is 10.255.0.0/16.
# remove the gateway service
docker service rm VSI_gateway
#remove the docker ingress network
docker network rm ingress #yes we're sure
# check that docker ingress network is not in the list
docker network ls
#if it's still in the list, try removing it again; if that also fails, restart the docker daemon: service docker restart
#create the new ingress network with a different subnet ip
docker network create --ingress --driver overlay --subnet 203.0.113.0/24 --gateway 203.0.113.1 ingress
# start the loginvsi daemon to start the gateway again
loginvsid start
It can take a moment for the web interface to be reachable again, so please be patient.
Steps for changing the docker bridge IP range. Default is 172.17.0.0/16.
#stop login service
loginvsid stop
#stop docker
service docker stop
#modify docker daemon.json and add the bridge ip with subnet mask ("bip" is the bridge's own address, so use a host address, not the .0 network address). example "bip": "10.19.0.1/16",
nano /etc/docker/daemon.json
#start docker
service docker start
#start login service
loginvsid start
Steps for changing the docker_gwbridge IP range. Default is 172.18.0.0/16.
Note - if changing the docker_gwbridge subnet, the appliance guard url (default: 172.18.0.1:8080) in the /loginvsi/.env file must also be in the same subnet.
#stop docker containers
loginvsid stop
#disconnect ingress-sbox endpoint
docker network disconnect -f docker_gwbridge gateway_ingress-sbox
#remove docker_gwbridge network
docker network rm docker_gwbridge
#create new docker_gwbridge network with different subnet
docker network create --subnet 172.20.0.0/16 --gateway 172.20.0.1 -o com.docker.network.bridge.enable_icc=false -o com.docker.network.bridge.enable_ip_masquerade=true -o com.docker.network.bridge.name=docker_gwbridge docker_gwbridge
#restart docker
service docker restart
#start docker containers
loginvsid start
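A pre-change check for the three procedures above, added here as an illustration and not part of the appliance or its tooling: it tests your site networks against the appliance ranges and validates a replacement plan (no overlaps, "bip" is a host address, guard URL inside the new docker_gwbridge subnet). The function names and the site networks are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Appliance defaults listed in this article.
DEFAULTS = {"docker bridge": "172.17.0.0/16",
            "docker_gwbridge": "172.18.0.0/16",
            "ingress": "10.255.0.0/16"}

def find_conflicts(site_networks, appliance=DEFAULTS):
    """Return (appliance network, site network) pairs whose ranges overlap."""
    return [(name, site)
            for name, cidr in appliance.items()
            for site in site_networks
            if ipaddress.ip_network(cidr).overlaps(
                ipaddress.ip_network(site, strict=False))]

def bip_is_host_address(bip):
    """'bip' is the bridge's own IP plus prefix, so .0 or broadcast is unusable."""
    iface = ipaddress.ip_interface(bip)
    return iface.ip not in (iface.network.network_address,
                            iface.network.broadcast_address)

def guard_in_subnet(guard_url, gwbridge_subnet):
    """The guard URL host must sit inside the docker_gwbridge subnet."""
    url = guard_url if "//" in guard_url else "//" + guard_url
    host = urlsplit(url).hostname
    return ipaddress.ip_address(host) in ipaddress.ip_network(gwbridge_subnet)

def validate_plan(site_networks, bip, gwbridge_subnet, ingress_subnet, guard_url):
    """List every problem with a proposed set of replacement ranges."""
    plan = {"docker bridge": str(ipaddress.ip_interface(bip).network),
            "docker_gwbridge": gwbridge_subnet,
            "ingress": ingress_subnet}
    problems = [f"{name} {plan[name]} overlaps site network {site}"
                for name, site in find_conflicts(site_networks, plan)]
    names = list(plan)
    for i, a in enumerate(names):  # new ranges must not collide with each other
        for b in names[i + 1:]:
            if ipaddress.ip_network(plan[a]).overlaps(ipaddress.ip_network(plan[b])):
                problems.append(f"{a} and {b} overlap each other")
    if not bip_is_host_address(bip):
        problems.append(f"bip {bip} is not a usable host address")
    if not guard_in_subnet(guard_url, gwbridge_subnet):
        problems.append(f"guard URL {guard_url} is outside {gwbridge_subnet}")
    return problems

if __name__ == "__main__":
    site = ["172.18.40.0/24", "10.0.0.0/8"]  # constructed site networks
    print(validate_plan(site, "10.19.0.1/16", "172.20.0.0/16",
                        "203.0.113.0/24", "172.20.0.1:8080"))
```

An empty list from validate_plan means the proposed ranges are safe to apply; with the constructed site networks above it reports that 10.19.0.0/16 falls inside 10.0.0.0/8.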
Comments
The above appears to be incorrect, the new subnet specified should have a usable IP:
Using a .0 last octet above results in the docker service failing to start