Avoid GRE interfaces exposed to container

Hello,

I am running docker 26.1.4 on Debian 12.5.
I need to run a container connected to the bridge network and it should have just the two lo and eth0 interfaces. This is a strong requirement (due to licensing) for the application hosted in the container.

$ docker run -it --rm alpine:latest ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
18: eth0@if19: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever

The issue arises when on the host machine a GRE tunnel is activated with the following commands:

sudo modprobe fou
sudo ip fou add port 5555 ipproto 47
sudo ip link add name tun1 type gre remote 10.33.34.15 local 10.33.34.16 ttl 225 encap fou encap-sport auto encap-dport 5555 encap-csum

A set of new interfaces is created and is exposed to all containers. Not the tun1 interface itself, but other GRE interfaces: gre0, gretap0, and erspan0.

$ sudo docker run -it --rm alpine:latest ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
3: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
43: eth0@if44: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

Is there a way to avoid this? I have played with the bridge driver options and created a user-defined network, but the result does not change.

Thanks,

Mauro

What is “echostream”? A simple Docker bridge network? The point of running containers with network isolation is that you have exactly as many network interfaces as networks you attach to the container, plus loopback. Unfortunately I’m not familiar with GRE tunnels, so I don’t know what it does with existing networks. So I don’t know if it can be solved on Docker’s side.

Yes. Sorry if that was confusing, I made tests with both the default bridge network and a user-defined one. The results are the same.

Thanks. I am not very familiar either with this part. I hope it can be solved.
I am now looking more in-depth into network namespaces to understand how to tackle this issue.

I looked at the kernel documentation and the default backward-compatible behavior is for fallback interfaces (like gre0, gretap0, erspan0, …) to be created in every network namespace when the module is loaded. This means they show up in all containers.

The behavior can be changed by setting the fb_tunnels_only_for_init_net option to 1.

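As an added example (not code from the thread), a small POSIX shell audit for the situation above: it lists interfaces in an `ip a` listing that fall outside an allow list (here lo and eth0), and reports the host's `net.core.fb_tunnels_only_for_init_net` setting that decides whether fallback tunnel devices are created in every new network namespace. The sample listing is constructed from the output posted above; the file-path parameter of fb_tunnel_policy is an assumption added for testing.

```shell
#!/bin/sh
# Constructed sample: the container interface list from the post above.
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
3: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN qlen 1000
4: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN qlen 1000
43: eth0@if44: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP'

# Print the names of interfaces in an `ip a` listing (stdin) that are not in
# the space-separated allow list $1. The "@if44" / "@NONE" peer suffix is dropped.
unexpected_ifaces() {
    allowed=" $1 "
    while IFS= read -r line; do
        case $line in
            [0-9]*:*) ;;          # header lines: "N: name[@peer]: <FLAGS> ..."
            *) continue ;;        # indented link/inet detail lines
        esac
        name=${line#*: }
        name=${name%%:*}
        name=${name%%@*}
        case $allowed in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Report the kernel policy for fallback tunnel devices. 0 (the default) creates
# gre0/gretap0/erspan0 and friends in every new network namespace; 1 creates
# them only in the initial namespace. $1 overrides the procfs path (for tests).
fb_tunnel_policy() {
    f=${1:-/proc/sys/net/core/fb_tunnels_only_for_init_net}
    [ -r "$f" ] || { echo "unknown (sysctl not readable)"; return 1; }
    v=$(cat "$f")
    case $v in
        0) echo "0 (fallback tunnels created in all netns)" ;;
        1) echo "1 (fallback tunnels only in init netns)" ;;
        *) echo "$v (other)" ;;
    esac
}

leaked=$(printf '%s\n' "$SAMPLE_IP_A" | unexpected_ifaces "lo eth0")
if [ -n "$leaked" ]; then
    echo "unexpected interfaces: $(printf '%s' "$leaked" | tr '\n' ' ')"
fi
fb_tunnel_policy || true
```

On a live host, `docker exec <container> ip a | unexpected_ifaces "lo eth0"` performs the same check; the sysctl is consulted when a namespace is created, so `sysctl -w net.core.fb_tunnels_only_for_init_net=1` (persisted under /etc/sysctl.d) must be in place before the containers are started, and already-running containers keep the devices until recreated.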

That was new. Thanks for sharing the link!