Bug 49275 - Multicontainer apps use arbitrary network, no bridged connection on network bridge IP (BIP) change
Status: NEW
Product: UCS
Classification: Unclassified
Component: App Center
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: App Center maintainers
App Center maintainers
Reported: 2019-04-10 18:11 CEST by Hendrik Peter
Modified: 2019-07-10 10:50 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019031221000308
Bug group (optional):
Max CVSS v3 score:


Attachments
Appcenter Log (621.34 KB, text/x-log)
2019-04-10 18:11 CEST, Hendrik Peter

Description Hendrik Peter univentionstaff 2019-04-10 18:11:20 CEST
Created attachment 9964
Appcenter Log

See also Bug #49055

"""Single container apps are started via the docker cli. The network that daemon uses is configured by UCRv docker/daemon/default/opts/bip, our default is 172.17.42.1/16.

All singlecontainer apps connect to the default docker bridge, see # docker network ls

Multicontainer apps are started via docker-compose, which does not take this network configuration into account. Starting such an app creates a new docker network with a completely different network."""

---

All multicontainer apps have a correctly bridged network connection on installation. The bridge will also work correctly for new Apps if the UCRv docker/daemon/default/opts/bip is modified before installation.

Unfortunately though, the bridge will break for existing multicontainer apps if the mentioned UCRv is changed after their proper installation. The multicontainers will still be able to reach each other in their separate network and reach the localhost, but won't be able to reach anything outside.
This is a problem if an App is installed on a member server and the LDAP server needs to be reached for authentication.

The following actions WON'T resolve the problem:
System reboot
Container restart through App-Settings (Stop -> Start)
App reinstallation (Uninstall -> Reboot -> Install)


---

Keypoints appcenter.log:
 Install rocketchat: L1771 (19-04-10 16:45:29)
 Uninstall rocketchat: L2705 (19-04-10 17:23:29)
 Reinstall rocketchat: L3376 (19-04-10 17:33:03)

Comment 1 Christina Scheinig univentionstaff 2019-04-11 11:57:19 CEST
How to reproduce:
install guacamole on a member: → default works.

Change ip: ucr set docker/daemon/default/opts/bip='172.22.43.1/16'
reboot
docker logs shows:
11:34:59.949 [http-nio-8080-exec-9] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
11:34:59.952 [http-nio-8080-exec-9] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=guaca-68944094,cn=memberserver,cn=computers,dc=schein,dc=ig"
11:34:59.953 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.0.212, 172.18.0.1] for user "cscheini" failed.

change IP back
ucr set docker/daemon/default/opts/bip='172.17.42.1/16'
reboot
App is still not working with the same error message:
11:42:30.030 [http-nio-8080-exec-10] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
11:42:30.034 [http-nio-8080-exec-9] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
11:42:30.039 [http-nio-8080-exec-9] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=guaca-68944094,cn=memberserver,cn=computers,dc=schein,dc=ig"
11:42:30.041 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.0.212, 172.18.0.1] for user "cscheini" failed.
11:42:30.041 [http-nio-8080-exec-10] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=guaca-68944094,cn=memberserver,cn=computers,dc=schein,dc=ig"
11:42:30.043 [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.0.212, 172.18.0.1] for user "cscheini" failed.
remove app and install with a new IP.
guacamole does not work, with the same message
2-Apr-2019 12:23:20.561 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 11695 ms
12:25:21.946 [http-nio-8080-exec-9] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
12:25:21.948 [http-nio-8080-exec-9] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=guaca-05687084,cn=memberserver,cn=computers,dc=schein,dc=ig"
12:25:21.949 [http-nio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.0.212, 172.18.0.1] for user "cscheini" failed.
12:25:21.956 [http-nio-8080-exec-10] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
12:25:21.960 [http-nio-8080-exec-10] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=guaca-05687084,cn=memberserver,cn=computers,dc=schein,dc=ig"
12:25:21.961 [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.0.212, 172.18.0.1] for user "cscheini" failed.
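
Added example (not part of the bug report and not App Center code): a check that lists the bridge networks whose subnet lies outside the range configured in docker/daemon/default/opts/bip, which is where the docker-compose network seen above as 172.18.0.1 ends up. The function name, network names and the JSON input are constructed; the input is shaped like `docker network inspect` output.

```python
import ipaddress
import json

# Constructed sample shaped like `docker network inspect $(docker network ls -q)`.
# Network names are illustrative; only the bip values and 172.18.0.1 come from the report.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.22.0.0/16", "Gateway": "172.22.43.1"}]}},
    {"Name": "guacamole_default", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]}},
    {"Name": "host", "Driver": "host", "IPAM": {"Config": []}},
])


def networks_outside_bip(bip, inspect_json):
    """Return (name, subnet) for every bridge network not contained in the bip network."""
    # bip is an interface address (e.g. 172.22.43.1/16); take the network it belongs to.
    bip_net = ipaddress.ip_interface(bip).network
    findings = []
    for net in json.loads(inspect_json):
        if net.get("Driver") != "bridge":
            continue  # host/null networks carry no bridge subnet to compare
        for cfg in (net.get("IPAM") or {}).get("Config") or []:
            subnet = cfg.get("Subnet")
            if not subnet:
                continue
            # strict=False tolerates a subnet written with host bits set.
            candidate = ipaddress.ip_network(subnet, strict=False)
            same_family = candidate.version == bip_net.version
            if not same_family or not candidate.subnet_of(bip_net):
                findings.append((net["Name"], str(candidate)))
    return findings


if __name__ == "__main__":
    for name, subnet in networks_outside_bip("172.22.43.1/16", SAMPLE_INSPECT):
        print(f"{name}: {subnet} is not covered by the configured bip")
```

Any firewall rule or LDAP access list written against the bip range needs to be reviewed for each network this reports.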