Issue: networking, isolating groups of containers from other groups via separate bridge networks
Host: CentOS Linux release 7.3.1611 (Core)
Docker version 1.12.6, build 1398f24/1.12.6
I have been attempting to isolate our docker services from each other by placing them on separate docker bridge networks using the docker network create command. The goal is to prevent any compromised container from sniffing out the existence of other containers on the same host.
I tried the enable_icc=false option to shut down inter-container communication, but that was overkill for our case. We need containers on the same bridge network to communicate. We just don’t want containers on different bridge networks to see each other.
I have also set enable_ip_masquerade=false during the creating of new network bridges. I’m not sure what role that plays here.
I can confirm that a given container can’t resolve or see services on a different bridge network. However, if I look at the dmesg logs, I can see that all containers seem to detect the various bridge NICs.
Now, I’m already at the limits of my understanding of networking topology here, so I apologize for asking naive questions.
Is it sufficient that I can’t ping or query other services on other bridge networks at their assigned ports? Does it matter that something (as indicated by dmesg) is seeing the other NICs created by network create? As long as the services on those other NICs are somehow being blocked?
Perhaps this is an issue of having created the containers with “docker run” when the network permissions were more promiscuous (both icc and masquarade were true). Maybe this goes away when I create new containers with new docker run commands?
Thanks for suggestions.