
incident: Generic External Service Connectivity Issue #159

Description

@nfebe

A FlatRun deployment's application service attempting to connect to an external private IP address (and IP address of another service with the docker network).

Summary of Issue:

An application service within a FlatRun deployment is consistently failing to establish a network connection to an external service located at a specific private IP address (e.g., 172.x.x.x) on a particular port. The application logs indicate a "Failed to connect to host" type error (e.g., cURL error 7). This issue is recent, as the connection to this external service previously worked without problems.

Investigation & Findings:

Application Container Connectivity:
- Direct network tests (e.g., curl to the problematic external IP:port) executed from within the affected application container also fail, confirming the container's inability to reach the destination.
- However, general outbound internet connectivity from the application container (e.g., ping to a public IP like 8.8.8.8) is functional. This indicates that the issue is not a complete lack of external network access from the container.
- Further network diagnostics (e.g., traceroute to the problematic IP) from within the container typically fail or show unusual routing, suggesting the traffic is not leaving the local network segment as expected.

FlatRun Host Network Configuration:
- Inspection of the FlatRun host's network interfaces and Docker network configurations reveals that a FlatRun-managed Docker network (or a default Docker bridge network) is configured with a subnet that overlaps with the private IP address of the intended external service.
- Crucially, the gateway IP address of this overlapping Docker network on the FlatRun host is identical to the private IP address of the external service the application is trying to reach.

Root Cause:

There is an IP address conflict (routing overlap) on the FlatRun host. The private IP address of the external service (e.g., 172.x.x.x) is the same as the gateway IP address of a local Docker network on the FlatRun host.

When the application service within the FlatRun deployment attempts to connect to this external private IP, the host's network stack misinterprets the destination. Instead of routing the traffic externally to the actual remote service, it intercepts and redirects the traffic internally to the local Docker network's gateway on the FlatRun host. As the external service is not listening on this local gateway, the connection fails.

Reason for Recent Failure:

The fact that this setup previously worked indicates a recent change introduced this IP conflict. This could be due to:

- A recent change in the IP address of the external service, causing it to now overlap with an existing Docker network on the FlatRun host.
- A recent reconfiguration or creation of a Docker network on the FlatRun host, which incidentally claimed a subnet and gateway IP that conflicts with an already established external service's IP.

Recommendation:

To resolve this connectivity issue, the IP address conflict must be eliminated. The following actions are recommended:

- Reconfigure the External Service's IP Address: Adjust the IP address of the external service to a different private IP range that does not overlap with any existing Docker network subnets (especially gateway IPs) on the FlatRun host.
- Reconfigure the Conflicting Docker Network Subnet on FlatRun Host: If changing the external service's IP is not feasible, reconfigure the subnet of the conflicting Docker network on the FlatRun host. This would involve modifying FlatRun's underlying Docker network configuration to use a different private IP range that does not conflict with the external service's IP. This is a host-level change that may affect other deployments and requires careful planning.

Generated from Flatrun's AI assistant
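
The overlap described under Root Cause can be detected before it causes a connection failure. The following is an added example, not part of the original issue or FlatRun's own code: it takes JSON in the shape that `docker network inspect` prints and reports whether a target address falls inside a Docker subnet or equals a Docker gateway. The network names and addresses in the sample are constructed.

```python
import ipaddress
import json

# Constructed sample, shaped like `docker network inspect $(docker network ls -q)`.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "bridge",
   "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}},
  {"Name": "flatrun_app",
   "IPAM": {"Config": [{"Subnet": "172.20.0.0/16", "Gateway": "172.20.0.1"}]}},
  {"Name": "host", "IPAM": {"Config": []}}
]
""")


def find_conflicts(networks, target_ip):
    """Return (network name, subnet, kind) for each Docker subnet covering target_ip.

    kind is "gateway" when target_ip is the network's gateway address (the case
    in this incident), otherwise "subnet" (traffic still stays on the host bridge).
    """
    target = ipaddress.ip_address(target_ip)
    conflicts = []
    for net in networks:
        # "Config" is empty or null for host/none networks.
        for cfg in (net.get("IPAM") or {}).get("Config") or []:
            subnet = cfg.get("Subnet")
            if not subnet:
                continue
            network = ipaddress.ip_network(subnet, strict=False)
            if target.version != network.version or target not in network:
                continue
            # Some IPv6 gateways are reported with a prefix length; drop it.
            gateway = (cfg.get("Gateway") or "").split("/")[0]
            is_gateway = bool(gateway) and ipaddress.ip_address(gateway) == target
            conflicts.append((net.get("Name"), str(network),
                              "gateway" if is_gateway else "subnet"))
    return conflicts


if __name__ == "__main__":
    for ip in ("172.20.0.1", "172.17.4.4", "10.1.2.3"):  # constructed targets
        print(ip, find_conflicts(SAMPLE_INSPECT, ip) or "no overlap")
```

On a real host, replace `SAMPLE_INSPECT` with the parsed output of `docker network inspect` for all networks and pass the external service's address as `target_ip`.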
