Proposal: Allow specifying a default gateway for bridge networking

[lebauce]

No description provided.

[SvenDowideit]

Heya,

this needs documenting in both cli.md and networking.md, and I think you need to add some justification & explaination of what problems it solved to your pull request description.

[lebauce]

Sure. I'll update the PR with the documentation.

Regarding the use case, we would like to run docker container with private IP adresses, but globally routable on our internal network, instead of the default private network allocated per docker host. We have tested the following options for the daemon:

--fixed-cidr=10.5.194.128/28 --ip-forward=false --ip-masq=false --iptables=false

The 10.5.194.128/28 is just an example of routable IP addresses on the integration network. Everything works fine (as long as you properly configure the docker0 bridge with a physical network device child), apart from the default gateway inside the container. This gateway is hard coded to be the hosts' IP address, which doesn't make sense in this case.

[lebauce]

@SvenDowideit I modified the documentation, could you please take a look ? Thanks !

[SvenDowideit]

Doc LGTM - @fredlf @jamtur01

[jamtur01]

Docker

[cpuguy83]

@lebauce In this case, you should either be setting --bip 10.5.194.129/28 or if you already have a bridge interface setup on the host, you can use --bridge <interface> instead of having Docker create one.

[ghost]

@cpuguy83 please allow me to chime in, as I was the one who asked @lebauce to develop this feature. I'm not sure I understand what you propose though. Our goal is:

• each docker host has an interface which belongs to a large, private network, which is globally routable in our infrastructure, say a /20
• for each docker host, we reserve a part of this large network, say a /24
• we take one of the ip addresses of this /24 and use it to configure the docker bridge; this address is not the default gateway for the large network
• we use --fixed-cidr to let the docker daemon know that it's responsible for IP address allocation in this /24
• we disable iptables altogether, and therefore source NATing and port NATing

We just need to let the containers know that the default gateway for the large network is not the address allocated to the docker bridge, which this patch does.

The pros of this approach are that the IP addresses "seen" by the containers are the same as the ones "seen" from the outside, which is important for applications that gossip (such as consul or cassandra). Also, we don't need to dynamically allocate ports, since each container has it's own globally routable address. And we don't need NATing at all.

If there's a way to do this using --bip or --bridge, I would be happy to know :)

[SvenDowideit]

please ping me if this is closed because there is some other way to achieve it - we should document it if there is :)

[fredlf]

Should be: "... this IP address..." or simply "...this address..."

[lebauce]

Fixed. I also noticed that the "be" was missing.
Thanks !

[ghost]

@SvenDowideit If there's another, existing, way to achieve what was described above, I would be happy to use it. I'm not sure if you are waiting for input from me or @cpuguy83 :)

[SvenDowideit]

@eolamey its a note only in case, as its something we don't want to lose the documentation for - even if we need to re-write it.

[crosbymichael]

This is good, i think we should do this. +1

[LK4D4]

@eolamey At first I'm glad that you using --fixed-cidr :) I tried to merge it for very long time.
Design is okay for me, not a big deal.
ping @tiborvass for moving to code-review or questions

[icecrime]

@lebauce Sorry for the crazy delay here: I'm pushing this to 2-code-review, are you please available to rebase your PR?

[thaJeztah]

@icecrime @LK4D4 @crosbymichael I see IPv6 was added (as requested), so I think this can be reviewed

(@lebauce, correct me if you weren't ready yet)

[icecrime]

@lebauce Sorry, it needs rebase again, and I promise we'll try to be reactive on review afterwards :-(

[lebauce]

@icecrime Rebased, ready for review :)

[icecrime]

Because they only manipulate net.IP and net.IPNet, I believe this code block (covering IPv6) and the one above (covering IPv4) can entirely be factored out in a function.

Not a blocker for merge considering that there's a death timer on this file anyway.

[lebauce]

Indeed. Thanks

[icecrime]

Thanks! Code LGTM (some duplication for IPv4 and IPv6 can be avoided, but I'm fine merging it nevertheless).

[cpuguy83]

LGTM moving to docs review

[jamtur01]

Docs LGTM

[SvenDowideit]

you mention eth0 twice in this sentence, but if i grok it right, the first time you're talking about the eth0 in the container, and the second one refers to the default network on the host.

on quite a few of my systems, I don't have an eth0 - RHEL seems to use some obfuscated device name.

So I would suggest making the first reference be explicit: eth0 in the container and the second could be changed to the host's default gateway

[ghost]

I think both are taking about what gateway will be added to the eth0 interface in the container, the one from --default-gateway-v6 if specified, fe80::1 otherwise. Actually, the second reference to eth0 comes from the existing documentation. I'm not 100% though, as I don't know the IPv6 setup at all.

[lebauce]

Indeed. Both mentions of 'eth0' refer to the interface of the container. Removed the second reference to "eth0" and added "in the container".

Every new container will get an IPv6 address from the defined subnet. Further
a default route will be added on `eth0` in the container via the address
specified by the daemon option `--default-gateway-v6` if present, otherwise
via `fe80::1`:

[lebauce]

@icecrime I moved the common code to the "requestDefaultGateway" method. Thanks for pointing out the code duplication

[icecrime]

Cool thanks!