2

Basically, at work I have a dhcp address assigned as:

eth0      Link encap:Ethernet  HWaddr 5c:26:0a:5a:b8:48  
          inet addr:10.10.10.193  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: <addr here>/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3591236 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2057576 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3449424352 (3.4 GB)  TX bytes:384131635 (384.1 MB)
          Interrupt:20 Memory:e2e00000-e2e20000 

and with this, my host can connect to the internet just fine. But none of my docker machines can connect to the internet at work. Their configuration looks like this:

docker0   Link encap:Ethernet  HWaddr 56:84:7a:fe:97:99  
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::5484:7aff:fefe:9799/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:117799 errors:0 dropped:0 overruns:0 frame:0
          TX packets:170586 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4858816 (4.8 MB)  TX bytes:122237788 (122.2 MB)

Everything works when I'm at home sitting beneath a traditional 192.168 router switch.

So, I'm thinking, if I somehow get the docker0 interface to sit natted behind eth0, then everything would work, both at home and at work. But I'm not familiar with configuring Linux interfaces. I found an article that talked about almost the exact same problem, but following those commands to add interface br0 to 10.10.10.200/24 made the following symptoms arise:

  1. My host no longer can resolve a domain name. Removing the interface br0 made this immediately work again
  2. The dockerized apps can now ping 4.2.2.1, but not 8.8.8.8 or 8.8.4.4 or resolve a domain name. Adding --dns 4.2.2.1 to DOCKER_OPTS in /etc/default/docker.io does not solve the problem.
  3. The dockerized apps no longer can ping 4.2.2.1 or 8.8.8.8 or 8.8.4.4 after the br0 interface is removed

I haven't changed iptables; it's using the default docker configuration changes for a basic ubuntu 14.04 host.

How do I best configure the interfaces in order that docker allow the dockerized applications to connect to the internet both at home and work?

Adam Miller

1 Answer

7

A lot of details about networking and bridge can be found at:

As I have a VM with Ubuntu 14.04, I'm not sure if that would reproduce the solution. However, I have the same exact situation in my office, where some VPN servers give the same exact default network IP that Docker uses by default on docker0 bridge. The behavior of being able to use Docker from the office and not being able to use docker when VPN'ed was really frustrating.

So, I have used the same strategy described at the link you used http://jpetazzo.github.io/2013/10/16/configure-docker-bridge-network/, but on RHEL 6.5 servers. However, I did try many different options to get it working:

  1. Used a different IP range
  2. Used a different mask
  3. Try manual setup first, then automate the permanent solution.

I have the solution on RHEL 6.5 as follows:

[root@pppdc9prd6dq newww]# cat /etc/sysconfig/network-scripts/ifcfg-bridge0
TYPE=Bridge
DEVICE=bridge0
NETMASK=255.255.252.0
IPADDR=192.168.5.1
ONBOOT=yes
BOOTPROTO=none
NM_CONTROLLED=no
DELAY=0

Manually add bridge

Here are the steps for you to create a bridge manually:

1. Stop Docker

$ sudo service docker stop

2. Create the bridge

$ sudo ip link add bridge0 type bridge
$ sudo ip addr add 192.168.5.1/20 dev bridge0
$ sudo ip link set bridge0 up

3. Update the Docker daemon to use the bridge

$ sudo vim /etc/docker/daemon.json
{ "bridge": "bridge0" }

4. Restart Docker

$ sudo service docker start

If everything is working fine, just permanently add the fix

Persistent

1. Same as manual

2. Update the following file

$ vim /etc/network/interfaces
auto bridge0
iface bridge0 inet static
    address 192.168.5.1
    netmask 255.255.252.0
    bridge_ports dummy0
    bridge_stp off
    bridge_fd 0

3. Same as manual

4. Same as manual

And make sure that bridge-utils are installed on the server, otherwise the bridge interface won't come up.

Maybe that would work? Anyway, try anything here and we can discuss and change this solution. I'm sure more people will have problems with this when they start using Docker internally behind a VPN.

miha
Marcello DeSales
  • So this is the route in general, and I would be following directions very similar to this. Namely, however, the question points to two things-I would like some solution to work both at home (192.168 kind of addresses) and at work (10.10.10.193 addresses). And this would work at home fine, but not at work. The issue is the configuration that docker comes with won't work at work-it works fine at home. – Adam Miller Dec 31 '14 at 16:45
  • In addition to the bridge, did you try using the same DNS entry your host has when connected to VPN? One important factor here might be the fact that your network is dropping packets to Google's DNS??? Take a look at my answer at http://stackoverflow.com/questions/25130536/dockerfile-docker-build-cant-download-packages-centos-yum-debian-ubuntu-ap, where I was unable to access the internet as well, but the problem was linked to the host. – Marcello DeSales Dec 31 '14 at 18:57
  • 1
    Yes, it turned out to be the DNS issue. I didn't know where the DNS server was on our vlan because I wasn't the one who configured it. I couldn't get help for that until just yesterday. – Adam Miller Jan 02 '15 at 00:27
  • Great to know that...! Sometimes it is definitely tricky! Can you comment your own question with what the problem was and what you did to get it solved? That can definitely help others!!! – Marcello DeSales Jan 02 '15 at 16:13
  • There were two important things in my case (when setting up a dedicated `br0` to be used by docker). First is that you need `bridge-utils` in ubuntu installed, otherwise the bridge interface will not come up after reboot. Second is that you need to instruct docker to use that bridge via configuration. I'm using the latest `docker-ce 17.04` and `/etc/default/docker` is not read. Instead, I added the `/etc/docker/daemon.json` file, which is read by docker daemon. – miha Apr 09 '17 at 11:11
  • 1
    @MarcellodeSales After two days searching for solutions, THIS answer finally solved my issue. Wow! Just wanted to leave a thanks here.. – Christopher Will Sep 11 '17 at 13:19
  • @christopher-will You are very welcome! glad it worked for you as well! :D – Marcello DeSales Sep 12 '17 at 05:30
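
An added example (not part of the original answer or its comments): a pre-flight check for the bridge address chosen in step 2 of the answer, testing each candidate against the host's routes at every location before Docker is pointed at the bridge. The two route listings, their gateway addresses, the 172.16.0.0/12 office route and the 192.168.1.0/24 home LAN are constructed assumptions; the candidate addresses are the ones that appear on this page.

```python
import ipaddress

# Constructed `ip -4 route show` output (assumption): the office LAN from the
# question, plus a wide private route that covers Docker's default range.
WORK_ROUTES = """\
default via 10.10.10.1 dev eth0
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.193
172.16.0.0/12 via 10.10.10.1 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.42.1
"""
# Constructed home listing (assumption): a typical 192.168.1.0/24 router LAN.
HOME_ROUTES = """\
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.42.1
"""

def parse_routes(text, ignore_devs=("docker0", "bridge0")):
    """Return the destination networks found in `ip -4 route show` output."""
    nets = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or "default" in tok[:2]:
            continue  # the default route overlaps everything by definition
        if "dev" in tok[:-1] and tok[tok.index("dev") + 1] in ignore_devs:
            continue  # the bridge's own connected route is not a conflict
        for t in tok[:2]:  # destination may follow a type word (e.g. blackhole)
            try:
                nets.append(ipaddress.ip_network(t, strict=False))
                break
            except ValueError:
                continue
    return nets

def conflicts(candidate, routes):
    """Routes that overlap the network implied by an address like 192.168.5.1/22."""
    net = ipaddress.ip_interface(candidate).network
    return [r for r in routes if r.overlaps(net)]

def pick_bridge_address(candidates, *route_tables):
    """First candidate whose network overlaps no route in any of the tables."""
    for cand in candidates:
        if not any(conflicts(cand, parse_routes(t)) for t in route_tables):
            return cand
    return None

if __name__ == "__main__":
    # Docker's default from the question, then the two masks used in the answer.
    options = ["172.17.42.1/16", "192.168.5.1/20", "192.168.5.1/22"]
    print(pick_bridge_address(options, WORK_ROUTES, HOME_ROUTES))
```

With these sample routes, the `/20` used in the manual `ip addr add` step overlaps the assumed home LAN, while the `255.255.252.0` (`/22`) mask from the config files does not.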