
IP Conflict with docker/bridge after upgrade to 6.4.2.0

Hi,

We just upgraded an Advanced Authentication Appliance to 6.4.2 and found that it loads with three internal IP addresses:

docker0 : 172.17.0.1

br-48f207: 172.18.0.1

br-ae93ab : 172.19.0.1 (this was not with the previous version)

The last one, 172.19.0.1, conflicts with other services and we've tried, without success, to follow what is indicated in this TID: https://support.microfocus.com/kb/doc.php?id=7023491

Any idea how we can change this subnet?

Regards

  • Suggested Answer

    0  

    Hello José Luis,

    You are correct, there are three bridge networks in 6.4.2:

    docker network ls
    NETWORK ID NAME DRIVER SCOPE
    a802e2d525a9 aaf_default bridge local
    4fc594bd481b bridge bridge local
    75e2569ef806 host host local
    e322f37dfdd5 none null local
    06d816b051b3 risk_rba bridge local

    You can also check this KB article:

    https://support.microfocus.com/kb/doc.php?id=7025021

    For the default bridge you can specify the value BIP in the daemon.json file. For any other user generated bridge networks you can define a subnet pool to pick from (provided the user does not manually specify the subnet). So your /etc/docker/daemon.json would look like:


    { "bip": "10.200.0.1/24", "default-address-pools":[ {"base":"10.201.0.0/16","size":24}, {"base":"10.202.0.0/16","size":24} ] }

    Then according to the previously mentioned article, you have to do:

    Stop AAF/Risk services
    --
    systemctl stop risk-service
    systemctl stop aauth
    4. Restart docker service
    --
    systemctl restart docker
    5. Startup AAF/Risk services
    docker-compose -f /opt/risk/docker-compose.risk.yml down
    systemctl start aauth
    Please take a snapshot or backup before proceeding with these changes, so you can always roll back if there are issues.
    Thanks.
    Regards,
    Luciano Testa
     
  • 0 in reply to   

    Thanks a lot Luciano. We've been able to change some addresses but not the one for aaf_default:

    # docker network inspect aaf_default
    [
        {
            "Name": "aaf_default",
            "Id": "ae93ab4ba85e990792ac84c934ce1aa06dc0a193aa28b73dc6d309cbca2e66bb",
            "Created": "2023-10-09T11:03:09.32850284Z",
            "Scope": "local",
            "Driver": "bridge",
            "EnableIPv6": false,
            "IPAM": {
                "Driver": "default",
                "Options": null,
                "Config": [
                    {
                        "Subnet": "172.19.0.0/16",
                        "Gateway": "172.19.0.1"
                    }
                ]
            },
            "Internal": false,
            "Attachable": true,
            "Ingress": false,
            "ConfigFrom": {
                "Network": ""
            },
            "ConfigOnly": false,
            "Containers": {},
            "Options": {},
            "Labels": {
                "com.docker.compose.network": "default",
                "com.docker.compose.project": "aaf",
                "com.docker.compose.version": "1.25.4"
            }
        }
    ]

    From the following networks, we've been able to change the IP for other bridge networks, but not for aaf_default.

    Regards

  • 0   in reply to 

    Hello José Luis,

    Can you share what the daemon.json looks like now?

    Perhaps you need to add an extra line.

    Thanks.

    Regards,

    Luciano Testa

  • 0 in reply to   

    This is the actual /etc/docker/daemon.json

    {
        "bip": "172.18.0.1/27",
        "log-driver": "json-file",
        "log-opts": {
            "max-size": "10m",
            "max-file": "10"
        },
        "default-address-pools": [
            {"base": "172.18.0.0/25", "size": 27}
        ],
        "ipv6": true,
        "fixed-cidr-v6": "2001:db8:1::/64"
    }

    And the following is the resulting network configuration:

    br-ae93ab Link encap:Ethernet  HWaddr 02:42:A8:6D:F9:7D
              inet addr:172.19.0.1  Bcast:172.19.255.255  Mask:255.255.0.0
              inet6 addr: fe80::42:a8ff:fe6d:f97d/64 Scope:Link
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:746 (746.0 b)

    br-b5755b Link encap:Ethernet  HWaddr 02:42:D7:85:CA:0C
              inet addr:172.18.0.33  Bcast:172.18.0.63  Mask:255.255.255.224
              inet6 addr: fe80::42:d7ff:fe85:ca0c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:22 errors:0 dropped:0 overruns:0 frame:0
              TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:920 (920.0 b)  TX bytes:4141 (4.0 Kb)

    docker0   Link encap:Ethernet  HWaddr 02:42:61:FC:8B:98
              inet addr:172.18.0.1  Bcast:172.18.0.31  Mask:255.255.255.224
              inet6 addr: 2001:db8:1::1/64 Scope:Global
              inet6 addr: fe80::1/64 Scope:Link
              inet6 addr: fe80::42:61ff:fefc:8b98/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:62192 errors:0 dropped:0 overruns:0 frame:0
              TX packets:70125 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:193194786 (184.2 Mb)  TX bytes:16821006 (16.0 Mb)

    I tried to add additional "base" lines in the daemon.json file, but without success.

    Regards

  • Suggested Answer

    0   in reply to 

    Hello José Luis, 

    Well, let's try the basics, as per the KB article. Delete the bip value, then do this:

    sed -i 's/"ipv6"/"default-address-pools":[{"base":"192.168.0.0\/16","size":20}],\n "ipv6"/' /etc/docker/daemon.json

     

    Or manually add this line to the file: "default-address-pools":[{"base":"192.168.0.0/16","size":20}],

     

    Then save, restart the services and docker and check again.

    Thanks.

    Regards,

    Luciano Testa

  • 0 in reply to   

    Hi Luciano,

    We did this test and it worked only for docker0 interface.
    The one with the IP 172.19.0.1, which corresponds to the aaf_default network, there is no way to change it. It seems like it's from a different docker.
    The curious thing is that it is just the new IP that appears in this version. Previous versions did not configure it.

    Regards

  • 0   in reply to 

    Hello,

    We will continue doing some tests from our side today and let you know what we found.

    Thanks for your patience.

    Regards,

    Luciano Testa

  • 0 in reply to 

    This is the network configuration after the change from the KB article:

    br-ae93ab Link encap:Ethernet  HWaddr 02:42:C4:41:C7:63
              inet addr:172.19.0.1  Bcast:172.19.255.255  Mask:255.255.0.0
              inet6 addr: fe80::42:c4ff:fe41:c763/64 Scope:Link
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:1006 (1006.0 b)

    docker0   Link encap:Ethernet  HWaddr 02:42:1E:A5:9C:66
              inet addr:192.168.16.1  Bcast:192.168.31.255  Mask:255.255.240.0
              inet6 addr: fe80::42:1eff:fea5:9c66/64 Scope:Link
              inet6 addr: 2001:db8:1::1/64 Scope:Global
              inet6 addr: fe80::1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2720 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3046 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:8577212 (8.1 Mb)  TX bytes:877528 (856.9 Kb)

    eth0      Link encap:Ethernet  HWaddr 00:50:56:80:2E:95
              inet addr:172.16.6.132  Bcast:172.16.255.255  Mask:255.255.0.0
              inet6 addr: fe80::250:56ff:fe80:2e95/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:290386 errors:0 dropped:12 overruns:0 frame:0
              TX packets:10957 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:20403525 (19.4 Mb)  TX bytes:22363769 (21.3 Mb)

    Regards

  • 0 in reply to   

    It seems that we have managed to solve it with the following configuration of the daemon.json file.

    {
        "bip": "172.18.0.1/24",
        "log-driver": "json-file",
        "log-opts": {
            "max-size": "10m",
            "max-file": "10"
        },
        "default-address-pools": [
            {"base": "172.18.0.0/20", "size": 24}
        ],
        "ipv6": true,
        "fixed-cidr-v6": "2001:db8:1::/64"
    }


    We have seen that depending on the sizes of the pools, certain services do not start well.

    Does anyone know what is the minimum number of networks and IPs that each one must have for the NAAF services to work correctly?

    Regards
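
Added example, not part of the original posts and not Micro Focus code: a pre-flight check that expands the `bip` and `default-address-pools` values from the two daemon.json files posted in this thread, and reports how many bridge networks each can supply and whether any subnet overlaps a range that must stay clear. The function names, the `RESERVED` list (eth0's 172.16.0.0/16 and the conflicting 172.19.0.0/16) and the rule that a pool subnet overlapping `bip` counts as taken by docker0 are assumptions of this sketch.

```python
import ipaddress

# daemon.json fragments as posted in this thread (bip + default-address-pools only).
FIRST_TRY = {"bip": "172.18.0.1/27",
             "default-address-pools": [{"base": "172.18.0.0/25", "size": 27}]}
WORKING = {"bip": "172.18.0.1/24",
           "default-address-pools": [{"base": "172.18.0.0/20", "size": 24}]}
# Ranges to keep clear: eth0's LAN and the 172.19.x range reported as conflicting.
RESERVED = ["172.16.0.0/16", "172.19.0.0/16"]


def pool_subnets(cfg):
    """Expand every default-address-pools entry into its fixed-size subnets."""
    nets = []
    for pool in cfg.get("default-address-pools", []):
        base = ipaddress.ip_network(pool["base"], strict=False)
        # Raises ValueError if "size" is a shorter prefix than the base itself.
        nets.extend(base.subnets(new_prefix=pool["size"]))
    return nets


def audit(cfg, reserved=RESERVED):
    """Return (free, conflicts): subnets left for user-defined bridge networks,
    and (subnet, reason) pairs for subnets overlapping docker0 or a reserved range."""
    reserved_nets = [ipaddress.ip_network(r) for r in reserved]
    bip = cfg.get("bip")
    bip_net = ipaddress.ip_interface(bip).network if bip else None
    free, conflicts = [], []
    for net in pool_subnets(cfg):
        clash = next((r for r in reserved_nets if net.overlaps(r)), None)
        if clash is not None:
            conflicts.append((str(net), f"overlaps reserved {clash}"))
        elif bip_net is not None and net.overlaps(bip_net):
            conflicts.append((str(net), f"used by docker0 ({bip})"))
        else:
            free.append(net)
    return free, conflicts


def summary(cfg, reserved=RESERVED):
    """Count free networks and the host addresses (gateway included) in each."""
    free, conflicts = audit(cfg, reserved)
    hosts = free[0].num_addresses - 2 if free else 0
    return {"networks": len(free), "hosts_each": hosts,
            "first_free": str(free[0]) if free else None, "conflicts": conflicts}


if __name__ == "__main__":
    for name, cfg in (("first try", FIRST_TRY), ("working", WORKING)):
        print(name, summary(cfg))
```

For the /25 pool this leaves three /27 networks of 30 addresses each, the first being 172.18.0.32/27, which matches the br-b5755b address shown earlier in the thread; the /20 pool leaves fifteen /24 networks.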

  • 0   in reply to 

    Hello,

    That's excellent. I have also been trying several values but no luck so far.

    To be honest, that would be a question for Development. I will try to reach out to them for these values.

    Thanks.

    Regards,

    Luciano Testa