when I start my container via gefyra-run, port 21000 is only accessible via localhost, 127.0.0.1, 192.168.48.1 and 192.168.48.2, but NOT on host's public IP; curl just hangs.
when I start the same container via docker-run (with all the extra docker options manually added which gefyra-run would usually add) port is accessible also on public IP.
when I disable host firewall, then gefyra-run-started container becomes accessible via public IP.
no differences observed on ip-table config between gefyra-run and docker-run
no differences observed on docker-inspect between gefyra-run and docker-run
docker-engine 19.03.11-ol (latest open source version)
RCA
The difference seems to be that the cargo container changes the container's default gateway during startup:
sudo ip netns exec $pid ip route add default via 192.168.48.149
This is done via patchContainerGateway.sh.
We suspect that this default route causes the response to be routed into the cluster.
Work-around (or solution?)
As soon as we add an explicit route for the public ip address via gefyra-network gateway:
sudo ip netns exec $pid ip route add $PUBLIC_IP via 192.168.48.1
the gefyra-run started container becomes accessible.
Double-check: when route is removed:
sudo ip netns exec $pid ip route del $PUBLIC_IP
container is again only accessible via local interfaces.
What did you expect to happen?
container should be accessible from outside / on public IP address
Please provide the output of gefyra check.
.
How can we reproduce it (as minimally and precisely as possible)?
.
What Kubernetes setup are you working with?
.
OS version
No response
Anything else we need to know?
No response
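The route lookup described in the RCA and work-around above, modeled offline as an added example (not part of the original report and not Gefyra's own code). The routing tables are constructed: the 192.168.48.0/24 subnet, the device name eth0 and the source address are assumptions inferred from the addresses in the report, and 203.0.113.10 is a documentation address standing in for $PUBLIC_IP.

```python
import ipaddress

# Constructed routing tables in `ip route show` format (assumed values, see
# lead-in). 203.0.113.10 is a placeholder for the host's $PUBLIC_IP.
PUBLIC_IP = "203.0.113.10"
AFTER_GATEWAY_PATCH = """\
default via 192.168.48.149 dev eth0
192.168.48.0/24 dev eth0 proto kernel scope link src 192.168.48.2
"""
# Same table after: ip route add $PUBLIC_IP via 192.168.48.1
WITH_WORKAROUND = AFTER_GATEWAY_PATCH + f"{PUBLIC_IP} via 192.168.48.1 dev eth0\n"


def parse_routes(text):
    """Return (network, gateway) pairs; gateway is None for on-link routes."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        gateway = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((ipaddress.ip_network(dest), gateway))
    return routes


def next_hop(table_text, destination):
    """Longest-prefix match: which next hop receives a packet to destination."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, gw) for net, gw in parse_routes(table_text) if addr in net]
    if not matches:
        return "unreachable"
    _, gateway = max(matches, key=lambda m: m[0].prefixlen)
    return gateway or "on-link"


if __name__ == "__main__":
    # 198.51.100.7 is a constructed address that has no explicit route.
    for label, table in (("after gateway patch", AFTER_GATEWAY_PATCH),
                         ("with workaround route", WITH_WORKAROUND)):
        for dst in (PUBLIC_IP, "192.168.48.1", "198.51.100.7"):
            print(f"{label:22} {dst:15} -> {next_hop(table, dst)}")
```

In this model the host route only changes the next hop for that single address; any destination without its own route still matches the default via 192.168.48.149.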