Docker is breaking my routing table. Bug or misconfiguration?

Docker is consistently breaking the routing table on my Debian 12 machine by adding default routes that point to one of its virtual interfaces. This causes me to completely lose access to anything beyond my local network.

Docker version 25.0.3, build 4debf41

The broken routing table:

ip route
0.0.0.0 dev veth5fd70d9 scope link
0.0.0.0 dev veth4b5118f scope link
default dev veth5fd70d9 scope link
default dev veth4b5118f scope link
default via 192.168.1.1 dev enp13s0
default via 192.168.1.1 dev enp13s0 proto static metric 100
169.254.0.0/16 dev veth4b5118f proto kernel scope link src 169.254.162.19
169.254.0.0/16 dev veth5fd70d9 proto kernel scope link src 169.254.15.92
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-39a835ab55a4 proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev br-e98dfd9bc8fd proto kernel scope link src 172.19.0.1
172.20.0.0/16 dev br-99157cc563ca proto kernel scope link src 172.20.0.1 linkdown
172.21.0.0/16 dev br-dbb0ea5de7a4 proto kernel scope link src 172.21.0.1 linkdown
172.22.0.0/16 dev br-383428225a9a proto kernel scope link src 172.22.0.1 linkdown
172.25.0.0/16 dev br-1458e368a5bf proto kernel scope link src 172.25.0.1 linkdown
192.168.1.0/24 dev enp13s0 proto kernel scope link src 192.168.1.179 metric 100
192.168.1.1 dev enp13s0 scope link

My bridge configuration:

docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "538dbd495b7f5465bdfb96f7d1b35969fc95ede6ee13a6a755b67882b97cedb3",
        "Created": "2024-02-25T21:16:26.156207677-05:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "c334d55d6700da2a979588659c63a35008828029dafe576c2676d11119f59595": {
                "Name": "jolly_maxwell",
                "EndpointID": "497252cbbb2154edb31f4d5dd286ea1074abce50469c1afa96d170e7ebaa3dc6",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

Is there a way to tell it to NEVER overwrite the default entry in the routing table? I tried adding the following to /etc/docker/daemon.json but then Docker refuses to start at all.

{
    "bip": "172.18.0.1/24",
    "default-address-pools": [
        {"base": "172.19.0.0/16", "size": 24}
    ]
}

You are not the first user to report it. I tried to help here and shared a link about an issue related to connman. Eventually it turned out I was right.

PS: When you share code, please follow this guide to format the code properly: How to format your forum posts

Thanks for responding. Unfortunately, blacklisting the veth and docker interfaces in /etc/connman/main.conf did not seem to work. The routes are there now any time the Docker service is running.

This is what I’m currently running:

dpkg -l | grep -i docker
ii  docker-buildx-plugin                                        0.12.1-1~debian.12~bookworm                                    amd64        Docker Buildx cli plugin.
ii  docker-ce                                                   5:25.0.3-1~debian.12~bookworm                                  amd64        Docker: the open-source application container engine
ii  docker-ce-cli                                               5:25.0.3-1~debian.12~bookworm                                  amd64        Docker CLI: the open-source application container engine
ii  docker-ce-rootless-extras                                   5:25.0.3-1~debian.12~bookworm                                  amd64        Rootless support for Docker.
ii  docker-compose                                              1.29.2-3                                                       all          define and run multi-container Docker applications with YAML
ii  docker-compose-plugin                                       2.24.5-1~debian.12~bookworm                                    amd64        Docker Compose (V2) plugin for the Docker CLI.
ii  docker-desktop                                              4.8.0-77103                                                    amd64        Docker Desktop
ii  python3-docker                                              5.0.3-1                                                        all          Python 3 wrapper to access docker.io's control socket
ii  python3-dockerpty                                           0.4.1-4                                                        all          Pseudo-tty handler for docker Python client (Python 3.x)
rc  wmdocker                                                    1.5-2                                                          amd64        System tray for KDE3/GNOME2 docklet applications

Never underestimate your own capacity for stupidity. I did edit /etc/connman/main.conf to blacklist Docker’s virtual interfaces. But I did NOT remember to uncomment the line. LOL.

So, this was the solution for me as well. Thanks for the help.
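
The fix in this thread depended on the blacklist line in /etc/connman/main.conf actually being uncommented. The shell check below is an added example, not code from the posters or from the Docker or ConnMan projects: it lists Docker-side devices that hold a device-scoped default route and verifies that ConnMan's `NetworkInterfaceBlacklist` is active. The function names and the sample file are assumptions for illustration; `br-` is matched because the routing table above shows `br-*` bridges.

```shell
#!/usr/bin/env bash
# Added example; the sample config at the bottom is constructed.

# Read `ip route` output on stdin; print Docker-side devices (veth*, docker*,
# br-*) that carry a device-scoped "default" or "0.0.0.0" route.
docker_default_devs() {
  awk '($1 == "default" || $1 == "0.0.0.0") && $2 == "dev" &&
       $3 ~ /^(veth|docker|br-)/ { print $3 }' | sort -u
}

# Print the value of the last uncommented NetworkInterfaceBlacklist line in a
# ConnMan main.conf ($1). Lines that start with "#" do not match.
active_blacklist() {
  sed -n 's/^[[:space:]]*NetworkInterfaceBlacklist[[:space:]]*=[[:space:]]*//p' "$1" |
    tail -n 1 | tr -d '[:space:]'
}

# Succeed only if every prefix given after the file name is in the active list.
blacklist_covers() {
  local conf=$1 active prefix
  shift
  active=",$(active_blacklist "$conf"),"
  for prefix in "$@"; do
    case "$active" in
      *",$prefix,"*) ;;
      *) return 1 ;;
    esac
  done
}

# On a live host:
#   ip route | docker_default_devs
#   blacklist_covers /etc/connman/main.conf veth docker || echo "not active"

# Constructed sample: the blacklist line exists but is still commented out.
demo_conf=$(mktemp)
printf '[General]\n# NetworkInterfaceBlacklist = veth,docker\n' > "$demo_conf"
blacklist_covers "$demo_conf" veth docker || echo "blacklist not active"
rm -f "$demo_conf"
```

ConnMan reads main.conf at startup, so the check reflects what the daemon will see after its next restart, not necessarily its current state.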