Docker Community Forums

Rootless docker: Unable to reach any host on my LAN

Keywords: Rootless, CIDR, Range, Allocation, daemon.json

Problem

Running rootless docker, the networks being created are, by default, overlapping with my actual LAN.

  • My LAN CIDR: 192.168.1.0/24
  • eth0 CIDR on a container I picked at random: 192.168.0.0/20

As you can see, these ranges overlap, and so from inside the container, I can’t access anything on my LAN.

I’ve never had this problem with “rootful” docker, but I’ve never thought about why.

Edit

Now I’m really confused. I found some containers with subnet masks that do not overlap with my lan, but I am still not able to reach my lan. I can ping addresses outside the “local” range (192.168.0.0/16), but not inside.

/home # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:C0:A8:30:03  
          inet addr:192.168.48.3  Bcast:192.168.63.255  Mask:255.255.240.0

Here’s an example of where I think I should be able to ping 192.168.1.1 (my router)

My questions

  • Why is this happening in rootless, and what prevents it in rootful?
  • What are my best options for configuring the global allowed IP ranges in rootless?
  • If I need to add settings in daemon.json, where does that even go?

This is also an opportunity to improve the rootless documentation, since neither daemon.json nor configuring the pool of ranges is mentioned. https://docs.docker.com/engine/security/rootless

Short answer: ~/.config/docker/daemon.json will work.

Make sure to bounce the systemd service.

{
    "default-address-pools": [
        {"base":"172.16.0.0/16","size":24},
        {"base":"172.20.0.0/16","size":24}
    ]
}

This will keep conflicts from happening, and allow LAN hosts to be reachable.

I’d still like to understand why this happened and why rootless docker isn’t able to avoid this issue.
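A quick way to confirm that a proposed daemon.json pool really stays clear of your LAN before bouncing the daemon, as an added example that is not part of this thread or of Docker's own tooling. It uses only the standard library; the LAN range (192.168.1.0/24), the pool a container landed in (192.168.0.0/20) and the daemon.json fragment are taken from the posts above, and the function names are this example's own. Note that it only detects address overlap: the second case in the thread, where a container in 192.168.48.0/20 still could not reach the LAN, would pass this check.

```python
"""
Check Docker 'default-address-pools' entries against LAN ranges.
Added example, not from the forum thread or from Docker itself.
"""
import ipaddress
import itertools
import json

# Constructed from the thread: the poster's LAN and the pool that a
# rootless container was observed in.
LAN_CIDRS = ["192.168.1.0/24"]
OBSERVED_CONTAINER_POOL = "192.168.0.0/20"

# The configuration the thread settles on, which for rootless Docker
# lives in ~/.config/docker/daemon.json.
DAEMON_JSON = """
{
    "default-address-pools": [
        {"base":"172.16.0.0/16","size":24},
        {"base":"172.20.0.0/16","size":24}
    ]
}
"""


def overlaps(cidr_a: str, cidr_b: str) -> bool:
    """True if the two CIDR blocks share at least one address."""
    return ipaddress.ip_network(cidr_a, strict=False).overlaps(
        ipaddress.ip_network(cidr_b, strict=False)
    )


def carve_subnets(base: str, size: int, count: int) -> list:
    """First `count` subnets of prefix length `size` contained in `base`,
    i.e. the kind of per-network ranges a pool entry can hand out."""
    net = ipaddress.ip_network(base, strict=False)
    return [str(n) for n in itertools.islice(net.subnets(new_prefix=size), count)]


def validate_daemon_json(text: str, lan_cidrs: list) -> list:
    """Parse a daemon.json fragment and return human-readable problems:
    a 'size' outside the valid range for its 'base', or a base that
    overlaps one of the given LAN ranges. An empty list means no conflict."""
    cfg = json.loads(text)
    problems = []
    for entry in cfg.get("default-address-pools", []):
        base = ipaddress.ip_network(entry["base"], strict=False)
        size = int(entry["size"])
        # Subnets carved from the pool must be at least as long as the pool
        # prefix and no longer than a single host address.
        if size < base.prefixlen or size > base.max_prefixlen:
            problems.append(
                f"{entry['base']}: size {size} must be between "
                f"{base.prefixlen} and {base.max_prefixlen}"
            )
        for lan in lan_cidrs:
            if base.overlaps(ipaddress.ip_network(lan, strict=False)):
                problems.append(f"{entry['base']} overlaps LAN {lan}")
    return problems


if __name__ == "__main__":
    # The situation from the original post: the default pool swallows the LAN.
    print("observed pool overlaps LAN:",
          overlaps(OBSERVED_CONTAINER_POOL, LAN_CIDRS[0]))
    # The proposed fix: no entry touches the LAN.
    print("problems with proposed daemon.json:",
          validate_daemon_json(DAEMON_JSON, LAN_CIDRS) or "none")
    print("first subnets from 172.16.0.0/16:",
          carve_subnets("172.16.0.0/16", 24, 3))
```

Run it before restarting the rootless service; if `validate_daemon_json` reports anything, adjust the `base` values until the list is empty. The LAN list can hold several ranges (VPN, second interface) so that every route the host actually uses is checked, not just the primary subnet.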

Steps to reproduce the issue:

  • Start a container with --net host.
  • Inside the container, run netcat -l 12345
  • From outside the container, on the same host, run netcat localhost 12345
Describe the results you received:
netcat does not allow for sending messages.

Describe the results you expected:
netcat should work as usual and forward any line typed on the host to the container, like it happens when running netcat -l 12345 followed by netcat localhost 12345 on the host itself.

Additional information you deem important (e.g. issue happens only occasionally):

I originally noticed this with ROS: if you start roscore on a container and then curl http://localhost:11311 from the host, curl fails with a “connection refused” message, while if you run the same command from inside a different container, an (expected) HTML error page is returned, so this means other containers can access open ports on containers, but not the host. I could not reproduce this behavior with netcat, though.
With normal (“rootful”) Docker, ROS works as expected.
Output of docker version:

Client: Docker Engine - Community
Version: 19.03.8
API version: 1.40
Go version: go1.12.17
Git commit: afacb8b7f0
Built: Wed Mar 11 01:22:56 2020
OS/Arch: linux/amd64
Experimental: false

Server: Docker Engine - Community
Engine:
Version: 19.03.8
API version: 1.40 (minimum version 1.12)
Go version: go1.12.17
Git commit: afacb8b7f0
Built: Wed Mar 11 01:30:32 2020
OS/Arch: linux/amd64
Experimental: true
containerd:
Version: v1.2.13
GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683

Output of docker info:

Client:
Debug Mode: false

Server:
Containers: 50
Running: 1
Paused: 0
Stopped: 49
Images: 98
Server Version: 19.03.8
Storage Driver: overlay2
Backing Filesystem:
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: none
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
seccomp
Profile: default
rootless
Kernel Version: 5.4.0-26-generic
Operating System: Ubuntu 20.04 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.677GiB
Name: nymeria
ID: 24YU:BPGQ:GEO6:VSBU:37AZ:VCOW:6UCB:WJ4V:335Y:25VV:J5C7:WZPO
Docker Root Dir: /home/kmfrick/.local/share/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: No swap limit support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

@moderators lewish95 continues to spam with unhelpful information.

It’s just a copy paste of https://github.com/moby/moby/issues/40865 which will confuse future readers. Please deal with this bot.