Avoid GRE interfaces exposed to container

Hello,

I am running docker 26.1.4 on Debian 12.5.
I need to run a container connected to the bridge network and it should have just the two lo and eth0 interfaces. This is a strong requirement (due to licensing) for the application hosted in the container.

$ docker run -it --rm alpine:latest ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
18: eth0@if19: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever

The issue arises when on the host machine a GRE tunnel is activated with the following commands:

sudo modprobe fou
sudo ip fou add port 5555 ipproto 47
sudo ip link add name tun1 type gre remote 10.33.34.15 local 10.33.34.16 ttl 225 encap fou encap-sport auto encap-dport 5555 encap-csum

A set of new interfaces is created and is exposed to all containers. Not the tun1 interface itself, but other GRE interfaces: gre0, gretap0, and erspan0.

$ sudo docker run -it --rm alpine:latest ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
3: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
43: eth0@if44: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

Is there a way to avoid this? I have played with the bridge driver options and created a user-defined network, but the result does not change.

Thanks,

Mauro

What is ā€œechostreamā€? A simple Docker bridge network? The point of running containers with network isolation is that you have exactly as many network interfaces as many network you attach to the container + loopback. Unfortunately Iā€™m not familiar with GRE tunnels so I donā€™t know what it does with existing networks. So I donā€™t know if it can be solved on Dockerā€™s side.

Yes. Sorry if that was confusing, I made tests with both the default bridge network and a user-defined one. The results are the same.

Thanks. I am not very familiar either with this part. I hope it can be solved.
I am now looking more in-depth into network namespaces to understand how to tackle this issue.

I looked at the kernel documentation and the default backward-compatible behavior is for fallback interfaces (like gre0, gretap0, erspan0, ā€¦) to be created in every network namespace when the module is loaded. This means they show up in all containers.

The behavior can be changed by setting the fb_tunnels_only_for_init_net option to 1.

1 Like

That was new. Thanks for sharing the link!