Fix connect to host and prevent disconnect from host for host network

[coolljt0725]

There are two commits in this PR.
The first one is to fix connect to host. If a container start with default network(bridge) or none
it can't be connect to host as desired. but if disconnect the container from bridge or none, you can
connect to host, but this will cause some problem.

$ docker run -ti --rm --name container1 busybox
$ docker network disconnect bridge container1
$ docker network connect host container1

we able to connect to host after the container disconnect from bridge
but actually, the container still use its own network namespace, docker inspect still show its own private sandbox the container use and ifconfig in the container still the information of its own private network namespace.
From what I understand the container has private network namespace cannot connect to other network namespace, https://github.com/docker/docker/blob/master/daemon/container_unix.go#L742 is supposed to do thar but may not go there because container.NetworkSettings.Networks could be nil ,correct me if I'm wrong :) @mavenugo

The second commit is to prevent from disconnecting from host for a container start with --net=host. if a container with --net=host disconnect from host, it still in the host network namespace, but able to connect to other network, and cause some problem.

$ docker run -ti --rm --net=host --name container1 busybox
$ docker network disconnect host container1
$ docker network connect bridge container1
Error response from daemon: failed to set gateway while updating gateway: network is unreachable

though connect to bridge failed, but it has create a eth0 network interface on my host

eth0: flags=4163  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:acff:fe11:2  prefixlen 64  scopeid 0x20
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 8  bytes 648 (648.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 732 (732.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

and docker inspect show the endpoint information

"Networks": {
            "bridge": {
                "EndpointID": "ddc8cd9e738f9255fc3288c82d77adf6d226ed1ec0e1c8000935b0269e39080a",
                "Gateway": "",
                "IPAddress": "172.17.0.2",
                "IPPrefixLen": 16,
                "IPv6Gateway": "",
                "GlobalIPv6Address": "",
                "GlobalIPv6PrefixLen": 0,
                "MacAddress": "02:42:ac:11:00:02"
            }
        }

So I think we should prevent user from disconnect from host
ping @tiborvass

[tiborvass]

Ping @mavenugo @mrjana

[mrjana]

We should not be needing this extra check. The check for IsPrivate() should disallow connecting to host. Are you able to connect to host after the container is started on a private network?

[coolljt0725]

@mrjana yes, I able to connect to host if I disconnect the container with private network from bridge

docker run -d --name c1 busybox top
docker network disconnect bridge c1
docker network connect host c1
docker inspect c1
  ....
"Networks": {
            "host": {
                "EndpointID": "6b09beacac0470bed008ee62c55f4161701c64d5a7ccaddd8a155eb0c779bf5f",
                "Gateway": "",
                "IPAddress": "",
                "IPPrefixLen": 0,
                "IPv6Gateway": "",
                "GlobalIPv6Address": "",
                "GlobalIPv6PrefixLen": 0,
                "MacAddress": ""
            }
        }

because if we disconnect it from bridge, the "NetworkSettings" is nil and the check below for IsPrivate() has no chance to run

[mrjana]

@coolljt0725 I am ok with the design. But had a comment on the code changes. Can you please clarify?

When you try to connect a container to host, which is already connected to a private network, container.NetworkSettings.Networks cannot be nil

[mrjana]

@coolljt0725 Also it needs a rebase

[coolljt0725]

rebased

[thaJeztah]

@mrjana @tiborvass is this a 1.9.1 fix?

[mrjana]

@thaJeztah Yes

[mrjana]

LGTM

[cpuguy83]

Moving to code review since it's got @mrjana's blessing.

[cpuguy83]

How come this is ErrConflictSharedNetwork and the other one is ErrConflictHostNetwork when they are both host?

[coolljt0725]

This is to prevent user from connecting to host and the other is prevent user from disconnecting from host

[cpuguy83]

But shouldn't these both be ErrConflictHostNetwork?

[coolljt0725]

Both be ErrConflictHostNetwork is also make sense, just need to modify the description of ErrConflictHostNetwork, I'll update

[coolljt0725]

@cpuguy83 updated

[coolljt0725]

@cpuguy83 updated

[cpuguy83]

LGTM

[calavera]

LGTM.

Unfortunately, this won't merge cleanly in the 1.9 release branch. @tiborvass should we open a new PR against that branch with a similar fix?

[calavera]

It looks like this is okay for the release, no merged conflicts.

Merging!