Open
Labels
bug 🐛 Something isn't working
Description
What happened?
Symptoms
- when I start my container via gefyra-run, port 21000 is only accessible via localhost, 127.0.0.1, 192.168.48.1 and 192.168.48.2, but NOT on host's public IP; curl just hangs.
- when I start the same container via docker-run (with all the extra docker options manually added which gefyra-run would usually add) port is accessible also on public IP.
- when I disable host firewall, then gefyra-run-started container becomes accessible via public IP.
- no differences observed on ip-table config between gefyra-run and docker-run
- no differences observed on docker-inspect between gefyra-run and docker-run
- docker-engine 19.03.11-ol (latest open source version)
RCA
The difference seems to be that the cargo container changes the container's default gateway during startup:
sudo ip netns exec $pid ip route add default via 192.168.48.149
This is done via patchContainerGateway.sh.
We suspect that this default route causes the response to be routed into the cluster.
Work-around (or solution?)
As soon as we add an explicit route for the public IP address via gefyra-network gateway:
sudo ip netns exec $pid ip route add $PUBLIC_IP via 192.168.48.1
the gefyra-run started container becomes accessible.
Double-check: when route is removed:
sudo ip netns exec $pid ip route del $PUBLIC_IP
container is again only accessible via local interfaces.
What did you expect to happen?
container should be accessible from outside / on public IP address
Please provide the output of gefyra check
.
.
How can we reproduce it (as minimally and precisely as possible)?
.
What Kubernetes setup are you working with?
.
OS version
No response
Anything else we need to know?
No response
Schille
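The routing behaviour suspected in the report, modelled as an added example (not part of the original issue and not Gefyra code): a longest-prefix-match lookup over the container's route table, before and after the workaround route. The public IP 203.0.113.10, the /24 prefix of the gefyra network and the device name eth0 are constructed assumptions; only the 192.168.48.x gateway addresses come from the report.

```python
import ipaddress

# Constructed sample values (assumptions, not from the report).
PUBLIC_IP = "203.0.113.10"

# Route table inside the container after the default gateway was patched.
AFTER_GEFYRA = """
default via 192.168.48.149 dev eth0
192.168.48.0/24 dev eth0 scope link
"""

# Same table plus the host route added as the workaround in the report.
WITH_WORKAROUND = AFTER_GEFYRA + f"{PUBLIC_IP} via 192.168.48.1 dev eth0\n"


def parse_routes(text):
    """Parse `ip route`-style lines into (network, gateway-or-None) pairs."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        gateway = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((ipaddress.ip_network(dest), gateway))
    return routes


def next_hop(routes, destination):
    """Return the gateway chosen by longest-prefix match, "on-link" for a
    directly connected network, or None if no route matches."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in routes if addr in net]
    if not matches:
        return None
    _, gateway = max(matches, key=lambda m: m[0].prefixlen)
    return gateway or "on-link"


def replies_via(routes, gateway, peers):
    """List the peers whose reply packets would leave through `gateway`."""
    return [p for p in peers if next_hop(routes, p) == gateway]


if __name__ == "__main__":
    peers = ["192.168.48.1", "192.168.48.2", PUBLIC_IP]
    for name, table in (("patched", AFTER_GEFYRA), ("workaround", WITH_WORKAROUND)):
        routes = parse_routes(table)
        print(name, {p: next_hop(routes, p) for p in peers})
```

In this model, replies to the two 192.168.48.x addresses stay on-link in both tables, while replies to the public IP follow the patched default route until the more specific host route overrides it.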