Description
I'm looking for a good way to prevent setting up the gateway IP address (or any other IP address, for that matter) on the bridge interface. I like the ability to configure an IP address, subnet, and default gateway on a container, but I'd like to avoid relinquishing ownership of the gateway IP itself to Docker. For instance, assume this setup before/outside of Docker:
```
# ifconfig br0
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.75  netmask 255.255.255.0  broadcast 192.168.10.255
# route -n
Destination     Gateway         Genmask         ...  Use Iface
0.0.0.0         192.168.10.1    0.0.0.0         ...      br0
192.168.10.0    0.0.0.0         255.255.255.0   ...      br0
# brctl show
bridge name     bridge id       STP enabled     interfaces
br0             XXXXXXXXX       no              eth0
                                                tap0
                                                ...
```
IOW, I have an existing bridge, with an already configured IP (or maybe not, maybe the bridge is a purely Layer-2 link), and a LAN broadcast domain with an existing subnet and default gateway. If I wanted to set up docker containers capable of fully participating on that LAN segment, including the ability to communicate with the host (if the bridge has an IPv4 address), I'd like to do the following:
```
docker network create \
    --subnet 192.168.10.0/24 \
    --ip-range 192.168.10.192/26 \
    --gateway 192.168.10.1 \
    -o com.docker.network.bridge.name=br0 \
    docker42
```
At this point, Docker clobbers br0's IP address (.75) and replaces it with that of the gateway (.1). I can manually fix that (but shouldn't have to)...:
```
ip addr del 192.168.10.1/24 dev br0
killall dhclient
dhclient br0
```
... in order to restore br0's proper address, before bringing up a container like so:
```
docker run -d --network docker42 --ip 192.168.10.195 nginx
```
At this point, I can connect to my container from everywhere on the LAN, including my host, and from anywhere else my LAN is reachable (e.g. via routing hops, subject to firewall rules, etc.), which is the desired result. The only obstacle is Docker's insistence on "owning" the default gateway. I want the gateway to be used as part of the IPAM setup, but HAVE TO be able to avoid having it applied to the bridge interface itself, where it doesn't belong!!!!
While using the macvlan driver instead is a possible option, I'd lose the ability to communicate with the host, and also to configure delay/loss/jitter values with e.g. "netem" on the container's host-side vethXXYYZZ interface, which is another hard requirement I have.
I'd like to introduce the "-o com.docker.network.bridge.inhibit_ipv4=true" option, which would leave the bridge interface untouched at Layer-3, but otherwise keep everything else (ipam, pool management, numbering of containers started on the given network, etc.) unchanged.
RFC pull request to follow shortly (I'm new to Docker and GoLang, so please excuse any blatant n00bness on my part :) )
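An added example, not part of the issue and not the Docker project's code, that turns the manual check and fix described above into something an operator can run after `docker network create`: it parses `ip -j -4 addr show dev br0` (the JSON output mode of iproute2's `ip`, assumed to be available), reports whether the `--gateway` address has landed on the bridge and whether the bridge's original host address is still there, and builds the `ip addr del` / `ip addr add` commands needed to restore the bridge. The `ip` JSON samples are constructed to mirror the issue's before/after state; the host-address restore assumes a static address, whereas the issue re-runs `dhclient` instead.

```python
"""Audit a pre-existing bridge after `docker network create` to see whether the
network's gateway address was applied to the bridge and the host's own address
dropped, then build the restore commands the issue performs by hand."""
import json
import subprocess


def bridge_ipv4_addrs(ip_json: str, ifname: str) -> list[str]:
    """Return the IPv4 addresses (as 'addr/prefix') that `ip -j -4 addr show`
    reports on ifname. An interface absent from the output yields an empty list."""
    addrs = []
    for link in json.loads(ip_json):
        if link.get("ifname") != ifname:
            continue
        for info in link.get("addr_info", []):
            if info.get("family") == "inet":
                addrs.append(f"{info['local']}/{info['prefixlen']}")
    return addrs


def audit_bridge(ip_json: str, ifname: str, host_cidr: str, gateway_ip: str) -> dict:
    """Compare the bridge's current addresses with what the operator expects.

    host_cidr  - the address the bridge carried before Docker touched it (e.g. 192.168.10.75/24)
    gateway_ip - the --gateway passed to `docker network create`
    Returns whether the gateway now sits on the bridge, whether the host address
    survived, and the `ip` commands that undo the change (empty if nothing to do)."""
    addrs = bridge_ipv4_addrs(ip_json, ifname)
    gateway_entries = [a for a in addrs if a.split("/")[0] == gateway_ip]
    host_present = host_cidr in addrs
    # Delete every entry carrying the gateway address, with the prefix `ip` reports for it.
    cmds = [f"ip addr del {a} dev {ifname}" for a in gateway_entries]
    if not host_present:
        # Assumes a static host address; the issue author re-runs dhclient on the bridge instead.
        cmds.append(f"ip addr add {host_cidr} dev {ifname}")
    return {
        "gateway_on_bridge": bool(gateway_entries),
        "host_addr_present": host_present,
        "restore_cmds": cmds,
    }


def live_ip_json(ifname: str) -> str:
    """Fetch the real `ip -j -4 addr show dev <ifname>` output (needs iproute2 with JSON support)."""
    return subprocess.run(["ip", "-j", "-4", "addr", "show", "dev", ifname],
                          capture_output=True, text=True, check=True).stdout


# Constructed samples of `ip -j -4 addr show dev br0` (not captured from a real host),
# mirroring the issue: the bridge holds .75 before, and only the gateway .1 afterwards.
SAMPLE_BEFORE = json.dumps([{
    "ifindex": 4, "ifname": "br0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
    "mtu": 1500, "operstate": "UP", "link_type": "ether",
    "addr_info": [{"family": "inet", "local": "192.168.10.75", "prefixlen": 24,
                   "broadcast": "192.168.10.255", "scope": "global", "label": "br0"}],
}])
SAMPLE_AFTER = json.dumps([{
    "ifindex": 4, "ifname": "br0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
    "mtu": 1500, "operstate": "UP", "link_type": "ether",
    "addr_info": [{"family": "inet", "local": "192.168.10.1", "prefixlen": 24,
                   "broadcast": "192.168.10.255", "scope": "global", "label": "br0"}],
}])

if __name__ == "__main__":
    # On a real host, replace the sample with live_ip_json("br0").
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_bridge(sample, "br0", "192.168.10.75/24", "192.168.10.1"))
```

Running the audit right after `docker network create` (and again after each daemon restart, since the bridge driver re-applies the gateway address when the network is set up) gives a quick way to notice the clobbered address before containers start answering on the LAN with the gateway's identity. The commands it prints are the same ones the issue uses; review them rather than piping them straight into a shell.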