Keywords: Rootless, CIDR, Range, Allocation, daemon.json
Problem
Running rootless docker, the networks being created are, by default, overlapping with my actual LAN.
- My LAN CIDR: 192.168.1.0/24
- eth0 on a container I picked at random CIDR: 192.168.0.0/20
As you can see, these ranges overlap, and so from inside the container, I can’t access anything on my LAN.
I’ve never had this problem with “rootful” docker, but I’ve never thought about why.
Edit
Now I’m really confused. I found some containers with subnet masks that do not overlap with my LAN, but I am still not able to reach my LAN. I can ping addresses outside the “local” range (192.168.0.0/16), but not inside.
/home # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:C0:A8:30:03
inet addr:192.168.48.3 Bcast:192.168.63.255 Mask:255.255.240.0
Here’s an example of where I think I should be able to ping 192.168.1.1 (my router).
My questions
- Why is this happening in rootless, and what prevents it in rootful?
- What are my best options for configuring the global allowed IP ranges in rootless?
- If I need to add settings in daemon.json, where does that even go?
This is also an opportunity to improve the rootless documentation, since neither daemon.json nor configuring the pool of ranges is mentioned there: https://docs.docker.com/engine/security/rootless
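As an added example that is not part of the original post: the check below reproduces the overlap question from the two container interfaces above (parsing an `ifconfig` line into a network and testing it against the LAN CIDR), and then builds a `default-address-pools` entry for daemon.json that leaves out any candidate pool colliding with the LAN. The sample ifconfig lines are constructed from the post; the `default-address-pools` key is the daemon.json setting for the IP pool Docker allocates networks from, and the rootless config path `~/.config/docker/daemon.json` is assumed here rather than taken from the post.

```python
"""Check container subnets against a LAN CIDR and build a non-overlapping
default-address-pools fragment for daemon.json (rootless: assumed to be
read from ~/.config/docker/daemon.json)."""
import ipaddress
import json
import re

# Constructed sample values based on the post: the LAN and two container eth0s.
LAN = "192.168.1.0/24"
IFCONFIG_OVERLAPPING = "inet addr:192.168.0.5 Bcast:192.168.15.255 Mask:255.255.240.0"
IFCONFIG_DISJOINT = "inet addr:192.168.48.3 Bcast:192.168.63.255 Mask:255.255.240.0"

_INET = re.compile(r"inet addr:(\S+).*?Mask:(\S+)")


def network_from_ifconfig(line):
    """Turn an ifconfig 'inet addr:... Mask:...' line into the interface's network."""
    m = _INET.search(line)
    if not m:
        raise ValueError("no 'inet addr'/'Mask' pair found in line")
    addr, mask = m.groups()
    # ipaddress accepts a dotted netmask after the slash, e.g. 192.168.48.3/255.255.240.0
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def overlaps_lan(line, lan=LAN):
    """True when the container's subnet collides with the LAN range."""
    return network_from_ifconfig(line).overlaps(ipaddress.ip_network(lan))


def address_pools(lan, candidates, size):
    """Keep only candidate base pools that stay clear of the LAN, in the
    {"base": ..., "size": ...} shape that default-address-pools expects."""
    lan_net = ipaddress.ip_network(lan)
    return [
        {"base": base, "size": size}
        for base in candidates
        if not ipaddress.ip_network(base).overlaps(lan_net)
    ]


def daemon_json(lan, candidates=("172.17.0.0/16", "192.168.0.0/16", "10.200.0.0/16"), size=24):
    """Render the daemon.json fragment; for a 192.168.1.0/24 LAN the
    192.168.0.0/16 candidate is dropped, so containers get /24s from the others."""
    return json.dumps({"default-address-pools": address_pools(lan, candidates, size)}, indent=2)


if __name__ == "__main__":
    print("overlapping container:", overlaps_lan(IFCONFIG_OVERLAPPING))  # True
    print("disjoint container:", overlaps_lan(IFCONFIG_DISJOINT))        # False
    print(daemon_json(LAN))
```

Note that the second sample (192.168.48.0/20) does not overlap 192.168.1.0/24, so an unreachable LAN there points at routing or the rootless network stack rather than at address allocation.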