
Dockerd takes over network interface


(Lezzgiles) #1

Ubuntu 16.04;

docker version

Client:
Version: 1.12.1
API version: 1.24
Go version: go1.6.3
Git commit: 23cf638
Built: Thu Aug 18 05:33:38 2016
OS/Arch: linux/amd64

Server:
Version: 1.12.1
API version: 1.24
Go version: go1.6.3
Git commit: 23cf638
Built: Thu Aug 18 05:33:38 2016
OS/Arch: linux/amd64

When dockerd starts, it removes the default gateway and address from br2, which is the default network device, and gives it a different address. It also sets up NAT on both br2 and docker0. The debug output from dockerd (note the "Assigning address to bridge interface br2" line):

INFO[0001] Firewalld running: false
DEBU[0001] /sbin/iptables, [--wait --version]
DEBU[0001] /sbin/iptables, [--wait -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t nat -D PREROUTING]
DEBU[0001] /sbin/iptables, [--wait -t nat -D OUTPUT]
DEBU[0001] /sbin/iptables, [--wait -t nat -F DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t nat -X DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t filter -F DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t filter -X DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t filter -F DOCKER-ISOLATION]
DEBU[0001] /sbin/iptables, [--wait -t filter -X DOCKER-ISOLATION]
DEBU[0001] /sbin/iptables, [--wait -t nat -n -L DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t nat -N DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t filter -n -L DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t filter -n -L DOCKER-ISOLATION]
DEBU[0001] /sbin/iptables, [--wait -t filter -C DOCKER-ISOLATION -j RETURN]
DEBU[0001] /sbin/iptables, [--wait -I DOCKER-ISOLATION -j RETURN]
DEBU[0001] Assigning address to bridge interface br2: 10.64.6.90/16
DEBU[0001] /sbin/iptables, [--wait -t nat -C POSTROUTING -s 10.64.0.0/16 ! -o br2 -j MASQUERADE]
DEBU[0001] /sbin/iptables, [--wait -t nat -C DOCKER -i br2 -j RETURN]
DEBU[0001] /sbin/iptables, [--wait -t nat -I DOCKER -i br2 -j RETURN]
DEBU[0001] /sbin/iptables, [--wait -D FORWARD -i br2 -o br2 -j DROP]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -i br2 -o br2 -j ACCEPT]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -i br2 ! -o br2 -j ACCEPT]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -o br2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]
DEBU[0001] /sbin/iptables, [--wait -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]
DEBU[0001] /sbin/iptables, [--wait -t nat -A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -o br2 -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -o br2 -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -j DOCKER-ISOLATION]
DEBU[0001] /sbin/iptables, [--wait -D FORWARD -j DOCKER-ISOLATION]
DEBU[0001] /sbin/iptables, [--wait -I FORWARD -j DOCKER-ISOLATION]
DEBU[0001] Network (da8fda7) restored
DEBU[0001] /sbin/iptables, [--wait -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]
DEBU[0001] /sbin/iptables, [--wait -t nat -C DOCKER -i docker0 -j RETURN]
DEBU[0001] /sbin/iptables, [--wait -t nat -I DOCKER -i docker0 -j RETURN]
DEBU[0001] /sbin/iptables, [--wait -D FORWARD -i docker0 -o docker0 -j DROP]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]
DEBU[0001] /sbin/iptables, [--wait -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]
DEBU[0001] /sbin/iptables, [--wait -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -j DOCKER-ISOLATION]
DEBU[0001] /sbin/iptables, [--wait -D FORWARD -j DOCKER-ISOLATION]
DEBU[0001] /sbin/iptables, [--wait -I FORWARD -j DOCKER-ISOLATION]
DEBU[0001] /sbin/iptables, [--wait -t filter -C DOCKER-ISOLATION -i docker0 -o br2 -j DROP]
DEBU[0001] /sbin/iptables, [--wait -I DOCKER-ISOLATION -i docker0 -o br2 -j DROP]
DEBU[0001] /sbin/iptables, [--wait -t filter -C DOCKER-ISOLATION -i br2 -o docker0 -j DROP]
DEBU[0001] /sbin/iptables, [--wait -I DOCKER-ISOLATION -i br2 -o docker0 -j DROP]
DEBU[0001] Network (f0e04ab) restored
DEBU[0001] Allocating IPv4 pools for network bridge (f0e04abb6f76604b8fc73dcdf7fdddc64ccd71675b9ad10f3651cccc6449d06a)
DEBU[0001] RequestPool(LocalDefault, 172.17.0.0/16, , map[], false)
DEBU[0001] RequestAddress(LocalDefault/172.17.0.0/16, 172.17.0.1, map[RequestAddressType:com.docker.network.gateway])
DEBU[0001] /sbin/iptables, [--wait -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]
DEBU[0001] /sbin/iptables, [--wait -t nat -D POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]
DEBU[0001] /sbin/iptables, [--wait -t nat -C DOCKER -i docker0 -j RETURN]
DEBU[0001] /sbin/iptables, [--wait -t nat -D DOCKER -i docker0 -j RETURN]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT]
DEBU[0001] /sbin/iptables, [--wait -D FORWARD -i docker0 -o docker0 -j ACCEPT]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT]
DEBU[0001] /sbin/iptables, [--wait -D FORWARD -i docker0 ! -o docker0 -j ACCEPT]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]
DEBU[0001] /sbin/iptables, [--wait -D FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -D FORWARD -o docker0 -j DOCKER]
DEBU[0001] /sbin/iptables, [--wait -t filter -C DOCKER-ISOLATION -i docker0 -o br2 -j DROP]
DEBU[0001] /sbin/iptables, [--wait -D DOCKER-ISOLATION -i docker0 -o br2 -j DROP]
DEBU[0001] /sbin/iptables, [--wait -t filter -C DOCKER-ISOLATION -i br2 -o docker0 -j DROP]
DEBU[0001] /sbin/iptables, [--wait -D DOCKER-ISOLATION -i br2 -o docker0 -j DROP]
DEBU[0002] releasing IPv4 pools from network bridge (f0e04abb6f76604b8fc73dcdf7fdddc64ccd71675b9ad10f3651cccc6449d06a)
DEBU[0002] ReleaseAddress(LocalDefault/172.17.0.0/16, 172.17.0.1)
DEBU[0002] ReleasePool(LocalDefault/172.17.0.0/16)
INFO[0002] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address
DEBU[0002] Allocating IPv4 pools for network bridge (9f551252bab7d8607c12d2e1041f4c26327890e6a6538f4ad24f0b6a6b7a4d9c)
DEBU[0002] RequestPool(LocalDefault, 172.17.0.0/16, , map[], false)
DEBU[0002] RequestAddress(LocalDefault/172.17.0.0/16, 172.17.0.1, map[RequestAddressType:com.docker.network.gateway])
DEBU[0002] /sbin/iptables, [--wait -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]
DEBU[0002] /sbin/iptables, [--wait -t nat -I POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]
DEBU[0002] /sbin/iptables, [--wait -t nat -C DOCKER -i docker0 -j RETURN]
DEBU[0002] /sbin/iptables, [--wait -t nat -I DOCKER -i docker0 -j RETURN]
DEBU[0002] /sbin/iptables, [--wait -D FORWARD -i docker0 -o docker0 -j DROP]
DEBU[0002] /sbin/iptables, [--wait -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT]
DEBU[0002] /sbin/iptables, [--wait -I FORWARD -i docker0 -o docker0 -j ACCEPT]
DEBU[0002] /sbin/iptables, [--wait -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT]
DEBU[0002] /sbin/iptables, [--wait -I FORWARD -i docker0 ! -o docker0 -j ACCEPT]
DEBU[0002] /sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]
DEBU[0002] /sbin/iptables, [--wait -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT]
DEBU[0002] /sbin/iptables, [--wait -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]
DEBU[0002] /sbin/iptables, [--wait -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER]
DEBU[0002] /sbin/iptables, [--wait -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]
DEBU[0002] /sbin/iptables, [--wait -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8]
DEBU[0002] /sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -j DOCKER]
DEBU[0002] /sbin/iptables, [--wait -I FORWARD -o docker0 -j DOCKER]
DEBU[0002] /sbin/iptables, [--wait -t filter -C FORWARD -j DOCKER-ISOLATION]
DEBU[0002] /sbin/iptables, [--wait -D FORWARD -j DOCKER-ISOLATION]
DEBU[0002] /sbin/iptables, [--wait -I FORWARD -j DOCKER-ISOLATION]
DEBU[0002] /sbin/iptables, [--wait -t filter -C DOCKER-ISOLATION -i docker0 -o br2 -j DROP]
DEBU[0002] /sbin/iptables, [--wait -I DOCKER-ISOLATION -i docker0 -o br2 -j DROP]
DEBU[0002] /sbin/iptables, [--wait -t filter -C DOCKER-ISOLATION -i br2 -o docker0 -j DROP]
DEBU[0002] /sbin/iptables, [--wait -I DOCKER-ISOLATION -i br2 -o docker0 -j DROP]

The nat iptables table looks like this:

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE all -- 10.64.0.0/16 anywhere

Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere

We have two other essentially identical servers which are running docker but which do not have this problem.
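An added example, not from the post or from Docker: a POSIX shell check that parses dockerd debug output of the kind shown above and reports every bridge, other than the default docker0, that the daemon assigned an address to or wrote a MASQUERADE rule for. The sample log lines are constructed from the post's output, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample modelled on the dockerd --debug lines in the post
# (not the poster's full log); each line is one bridge or iptables action.
SAMPLE_LOG='DEBU[0001] Assigning address to bridge interface br2: 10.64.6.90/16
DEBU[0001] /sbin/iptables, [--wait -t nat -C POSTROUTING -s 10.64.0.0/16 ! -o br2 -j MASQUERADE]
DEBU[0002] /sbin/iptables, [--wait -t nat -I POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE]
DEBU[0002] /sbin/iptables, [--wait -I DOCKER-ISOLATION -i br2 -o docker0 -j DROP]'

# Print one "interface subnet" pair per line for every interface dockerd
# assigned an address to or masqueraded traffic from, de-duplicated.
docker_managed_bridges() {
    printf '%s\n' "$1" | awk '
        /Assigning address to bridge interface/ {
            sub(/:$/, "", $7); print $7, $8
        }
        /MASQUERADE/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") subnet = $(i + 1)
                if ($i == "-o") iface = $(i + 1)
            }
            print iface, subnet
        }' | sort -u
}

# Return 0 when dockerd only touched docker0; otherwise print the other
# interfaces it manages and return 1. A host bridge such as br2 showing up
# here is the symptom in the post: dockerd is treating it as a container bridge
# (a typical reason, assumed here, is the daemon's -b/--bridge setting).
check_no_host_bridge_takeover() {
    hijacked=$(docker_managed_bridges "$1" | awk '$1 != "docker0"')
    if [ -n "$hijacked" ]; then
        printf 'dockerd is managing a non-default bridge:\n%s\n' "$hijacked" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample; with br2 present it reports.
check_no_host_bridge_takeover "$SAMPLE_LOG" || echo "review the daemon's bridge setting"
```

On a live host, feed it the daemon's own output (for example `journalctl -u docker` after starting dockerd with `--debug`) instead of the sample.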