Unable to access Harbor from some specific network

Article ID: 345558

Updated On:

Products

VMware Tanzu Kubernetes Grid

Issue/Introduction

Symptoms:
  • You are unable to access Harbor from some specific IP subnets.
  • Traceroute to Harbor from these subnets shows that the packet reaches the Harbor VM, but the Harbor VM drops it.
  • When you run ifconfig on the Harbor VM, you see that the Docker bridge network subnets conflict with other subnets in your environment.


Environment

VMware PKS 1.x

Cause

This issue occurs because of an IP conflict between the Docker bridge networks on Harbor and other subnets in your PKS environment. According to the documentation, 172.17.0.0/16 through 172.22.0.0/16 are the Docker reserved network CIDR (Classless Inter-Domain Routing) ranges. However, we have seen that bridge interfaces in 172.23.0.0/16 through 172.26.0.0/16 are also created on the latest Harbor versions.
https://docs.pivotal.io/runtimes/pks/1-3/nsxt-prepare-env.html#reserved-ip-blocks

Resolution

To avoid this issue, do not use the Docker reserved IP ranges in your PKS environment.

If the Docker bridge subnets conflict with your existing networks, resolve the issue by customizing the container networks on Harbor and cleaning up any stale Docker bridge entries.

  1. Log in to Ops Manager and select the Harbor tile.

  2. Customize the container network settings on Harbor by following the documentation:
    https://docs.pivotal.io/partners/vmware-harbor/installing.html#configure_general

  3. Apply the changes from Ops Manager so that the customized networks take effect.

  4. Once the changes are applied, log in to the Harbor VM and check for stale entries of the previous networks by running the command: ifconfig

  5. If there are any stale networks, clean them up by following the steps below.

  6. Stop the Harbor service by running the command: monit stop harbor

  7. Check the interfaces on the Harbor VM by running ifconfig. The stale bridge network entries have names starting with br_xxxxxx.

  8. Set the docker alias by running the command:
    alias docker='/var/vcap/packages/docker/bin/docker -H unix:///var/vcap/sys/run/docker/dockerd.sock'

  9. Remove the Docker bridge networks by running the command:
    docker network rm $(docker network ls -q )
    Note: This should remove the stale bridge network interfaces; you can confirm this by checking ifconfig. They are re-created automatically when you start the Harbor service.

  10. Start the Harbor service by running the command:
    monit start harbor

  11. Verify that the Docker networks have been re-created and are working.
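
The interface checks in steps 4, 7 and 11 can be automated by comparing the bridge subnets on the Harbor VM against the client subnets that must reach Harbor. The following is an added example, not part of the original article: it assumes the interface list is captured with `ip -o -4 addr show` rather than ifconfig, and the interface names, addresses and client subnets are constructed sample values.

```python
import ipaddress
import re

# Constructed sample of `ip -o -4 addr show` output from a Harbor VM (not real data).
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.20.30.40/24 brd 10.20.30.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\\       valid_lft forever preferred_lft forever
4: br-3f9c1a2b4d5e    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-3f9c1a2b4d5e\\       valid_lft forever preferred_lft forever
5: br-a1b2c3d4e5f6    inet 172.24.0.1/16 brd 172.24.255.255 scope global br-a1b2c3d4e5f6\\       valid_lft forever preferred_lft forever
"""

# Constructed client subnets that must be able to reach Harbor.
CLIENT_SUBNETS = ["172.24.8.0/22", "192.168.50.0/24", "172.18.0.0/15"]

LINE_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+/\d+)")


def bridge_subnets(ip_addr_output):
    """Return {interface: network} for docker0 and br-*/br_* bridge interfaces."""
    found = {}
    for line in ip_addr_output.splitlines():
        m = LINE_RE.match(line)
        if m and (m.group(1) == "docker0" or m.group(1).startswith(("br-", "br_"))):
            # ip_interface accepts a host address with prefix, e.g. 172.18.0.1/16,
            # and .network yields the enclosing subnet (172.18.0.0/16).
            found[m.group(1)] = ipaddress.ip_interface(m.group(2)).network
    return found


def find_conflicts(ip_addr_output, client_subnets):
    """List (client_subnet, interface, bridge_subnet) for every overlap."""
    bridges = bridge_subnets(ip_addr_output)
    conflicts = []
    for cidr in client_subnets:
        client = ipaddress.ip_network(cidr, strict=True)
        for iface, net in sorted(bridges.items()):
            if client.overlaps(net):
                conflicts.append((str(client), iface, str(net)))
    return conflicts


if __name__ == "__main__":
    for client, iface, net in find_conflicts(SAMPLE_IP_ADDR, CLIENT_SUBNETS):
        print(f"CONFLICT: client subnet {client} overlaps {iface} ({net})")
```

An empty result after step 10 indicates that the re-created bridge networks no longer overlap the listed client subnets.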