Docker Compose breaks existing network bridge

Hello,

I am new to Docker, and I have tried to install Docker and Docker Compose on my Debian server to deploy some containers.

On this server I am running a virtual machine with KVM, which uses a bridge to my network connection.
When I installed Docker Compose and Docker, the bridge was broken.

Docker creates several interfaces, and broke the existing bridge.
I have no containers installed or running yet, but I am not able to use my KVM correctly.

What is the way to go to be able to keep my existing bridge and use some containers?

Ifconfig before installing Docker and docker compose

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.105.2  netmask 255.255.255.0  broadcast 192.168.105.255
        inet6 fe80::2ef0:5dff:fe99:dcb7  prefixlen 64  scopeid 0x20<link>
        inet6 fdb5:6134:a89a:0:2ef0:5dff:fe99:dcb7  prefixlen 64  scopeid 0x0<global>
        ether 2c:f0:5d:99:dc:b7  txqueuelen 1000  (Ethernet)
        RX packets 9081  bytes 698973 (682.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16844  bytes 12808362 (12.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp37s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 2c:f0:5d:99:dc:b7  txqueuelen 1000  (Ethernet)
        RX packets 9211  bytes 835425 (815.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16844  bytes 12808362 (12.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Boucle locale)
        RX packets 67  bytes 10198 (9.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 67  bytes 10198 (9.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Ifconfig after installing Docker and docker compose

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.105.2  netmask 255.255.255.0  broadcast 192.168.105.255
        inet6 fe80::2ef0:5dff:fe99:dcb7  prefixlen 64  scopeid 0x20<link>
        inet6 fdb5:6134:a89a:0:2ef0:5dff:fe99:dcb7  prefixlen 64  scopeid 0x0<global>
        ether 2c:f0:5d:99:dc:b7  txqueuelen 1000  (Ethernet)
        RX packets 10011  bytes 772574 (754.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 23603  bytes 22155815 (21.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

br-80355a11f2de: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.19.0.1  netmask 255.255.0.0  broadcast 172.19.255.255
        ether 02:42:2a:75:b6:f6  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:60:54:ed:bf  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp37s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 2c:f0:5d:99:dc:b7  txqueuelen 1000  (Ethernet)
        RX packets 11775  bytes 1327036 (1.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 24995  bytes 22390392 (21.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Boucle locale)
        RX packets 73  bytes 10312 (10.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 73  bytes 10312 (10.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fcc8:85ff:fe7f:4b3f  prefixlen 64  scopeid 0x20<link>
        ether fe:c8:85:7f:4b:3f  txqueuelen 1000  (Ethernet)
        RX packets 1748  bytes 267453 (261.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1314  bytes 408295 (398.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

My /etc/network/interfaces

 auto lo br0
 iface lo inet loopback

 # Configure the interfaces manually, avoiding conflicts with the network manager.
 iface enp37s0 inet manual



 # Bridge configuration
 iface br0 inet dhcp

       bridge_ports enp37s0
       bridge_hw 2C:F0:5D:99:DC:B7

The same has just happened to me. I see this had no reply for a year. Googling the problem, it seems it's been happening since at least 2018. It is quite irritating that, within Docker's extensive documentation, there is not a hint of this risk in the installation section.

Nor have I found a definitive solution. It seems generally like the solution will be to undo a lot of the changes that docker makes to iptables and then reinstate forwarding to the bridge used by the vms. This seems to be viewed as a sub-optimal solution, re-opening the security holes that the docker install was trying to minimise, but I haven't seen a better solution proposed. Each solution has a slightly different version of how to undo the damage, and it's not clear which is preferable, or even works (the first I tried didn't).

Fair enough to build a system however its creator fancies, but warnings about potential conflicts would be kind. I've only installed docker for frigate. Had I known about this, I'd have probably done zoneminder instead.

We probably missed the question when the topic was created. There were other similar questions though, like this:

This link was recommended:

https://wiki.archlinux.org/title/Docker#Starting_Docker_breaks_KVM_bridged_networking

Where you can find this:

If there is already a network bridge configured for KVM, this may be fixable by telling docker about it. See [20] where docker configuration is modified as:

/etc/docker/daemon.json

{ "bridge": "br0" }

If the above does not work, or you prefer to solve the issue through iptables directly, or through a manager like UFW, add this:

iptables -I FORWARD -i br0 -o br0 -j ACCEPT

Then the Docker documentation mentions that parameter too:

  • The -b, --bridge= flag is set to docker0 as default bridge network. It is created automatically when you install Docker. If you aren't using the default, you must create and configure the bridge manually, or set it to 'none': --bridge=none

This was also recommended for running multiple Docker daemons, so that should help with KVM and Docker on the same machine too, but I never tried it. If you try it, please, share how it worked.

I was able to solve this issue by using the link for the archlinux wiki.
I added the bridge used by KVM to the JSON file /etc/docker/daemon.json and now the bridge is not broken by Docker.

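An added example, not part of the original posts and not Docker's or the Arch wiki's code: the iptables fix quoted above inserts a FORWARD rule scoped to br0, and this sh function classifies an `iptables -S FORWARD` dump as blocked, scoped or open for a given bridge, so you can confirm the VM bridge is forwarded without the chain policy having been set back to ACCEPT. The rule dumps are constructed samples, and the function name `forward_state` is hypothetical.

```shell
#!/bin/sh
# Added example. Rule dumps are constructed samples in `iptables -S FORWARD` format.
# Bridged frames only traverse this chain when net.bridge.bridge-nf-call-iptables=1.

# Chain as it typically looks once dockerd has started: policy DROP, Docker-only rules.
SAMPLE_AFTER_DOCKER='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# Same chain after: iptables -I FORWARD -i br0 -o br0 -j ACCEPT
SAMPLE_FIXED='-P FORWARD DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER'

# Broad workaround: policy flipped back to ACCEPT for all forwarded traffic.
SAMPLE_OPEN='-P FORWARD ACCEPT
-A FORWARD -j DOCKER-USER'

# forward_state BRIDGE   (reads an `iptables -S FORWARD` dump on stdin)
#   blocked  policy is not ACCEPT and no ACCEPT rule is scoped to BRIDGE
#   scoped   policy is not ACCEPT, but "-i BRIDGE -o BRIDGE -j ACCEPT" is present
#   open     policy ACCEPT: everything is forwarded, not only BRIDGE
# Assumption: no earlier explicit DROP/REJECT rule matches the bridge traffic.
forward_state() {
    fs_bridge=$1 fs_policy="" fs_scoped=no
    while IFS= read -r fs_line; do
        case $fs_line in
            "-P FORWARD "*) fs_policy=${fs_line#-P FORWARD } ;;
            "-A FORWARD -i $fs_bridge -o $fs_bridge -j ACCEPT") fs_scoped=yes ;;
        esac
    done
    if [ "$fs_policy" = ACCEPT ]; then echo open
    elif [ "$fs_scoped" = yes ]; then echo scoped
    else echo blocked
    fi
}

# Demo on the constructed samples.
for fs_sample in "$SAMPLE_AFTER_DOCKER" "$SAMPLE_FIXED" "$SAMPLE_OPEN"; do
    printf '%s\n' "$fs_sample" | forward_state br0
done
```

On a live host, run `iptables -S FORWARD | forward_state br0` as root; `scoped` is the state the quoted rule produces.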