Rootless docker: Unable to reach any host on my LAN

Keywords: Rootless, CIDR, Range, Allocation, daemon.json

Problem

Running rootless docker, the networks being created are, by default, overlapping with my actual LAN.

  • My LAN CIDR: 192.168.1.0/24
  • eth0 CIDR on a container I picked at random: 192.168.0.0/20

As you can see, these ranges overlap, and so from inside the container, I can’t access anything on my LAN.

I’ve never had this problem with “rootful” docker, but I’ve never thought about why.

Edit

Now I’m really confused. I found some containers with subnet masks that do not overlap with my LAN, but I am still not able to reach my LAN. I can ping addresses outside the “local” range (192.168.0.0/16), but not inside.

/home # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:C0:A8:30:03  
          inet addr:192.168.48.3  Bcast:192.168.63.255  Mask:255.255.240.0

Here’s an example of where I think I should be able to ping 192.168.1.1 (my router)

My questions

  • Why is this happening in rootless, and what prevents it in rootful?
  • What are my best options for configuring the global allowed IP ranges in rootless?
  • If I need to add settings in daemon.json, where does that even go?

This is also an opportunity to improve the rootless documentation, since neither daemon.json nor configuring the pool of ranges is mentioned. https://docs.docker.com/engine/security/rootless

Short answer: ~/.config/docker/daemon.json will work.

Make sure to bounce the systemd service.

{
    "default-address-pools": [
        {"base":"172.16.0.0/16","size":24},
        {"base":"172.20.0.0/16","size":24}
    ]
}

This will keep conflicts from happening, and allow LAN hosts to be reachable.

I’d still like to understand why this happened and why rootless docker isn’t able to avoid this issue.

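A worked version of the short answer, added here as an example and not part of the original post: it checks whether a set of default-address-pools would collide with the LAN before you commit them to daemon.json, emits the config, and (only when invoked with --apply) writes it to the rootless location, restarts the per-user service and proves a freshly created network gets a subnet from the new pools. The pool values are the ones from the poster's daemon.json, LAN_CIDR defaults to the poster's 192.168.1.0/24, and the probe network name pool-probe and the --apply flag are my own choices. The overlap test is only on the pool base, which is enough: every subnet Docker carves out of a base lies inside that base.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: LAN_CIDR=192.168.1.0/24 from the post,
# pool values from the poster's daemon.json, 'pool-probe' and '--apply' are hypothetical names.

# Dotted-quad IPv4 -> unsigned 32-bit integer.
ip_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# cidr_overlaps A/len B/len: succeed (exit 0) when the two ranges share at least one address.
# Two prefixes overlap exactly when they agree on all bits of the shorter (wider) prefix.
cidr_overlaps() {
    n1=$(ip_to_int "${1%/*}"); l1=${1#*/}
    n2=$(ip_to_int "${2%/*}"); l2=${2#*/}
    if [ "$l1" -lt "$l2" ]; then l=$l1; else l=$l2; fi
    mask=$(( (4294967295 << (32 - l)) & 4294967295 ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# pools_clear_of LAN BASE SIZE [BASE SIZE ...]: succeed when no pool base overlaps the LAN.
pools_clear_of() {
    lan=$1; shift
    while [ $# -ge 2 ]; do
        if cidr_overlaps "$lan" "$1"; then
            echo "pool $1 overlaps LAN $lan" >&2
            return 1
        fi
        shift 2
    done
    return 0
}

# daemon_json BASE SIZE [BASE SIZE ...]: print a daemon.json with one pool entry per pair.
daemon_json() {
    printf '{\n    "default-address-pools": [\n'
    first=1
    while [ $# -ge 2 ]; do
        [ "$first" -eq 1 ] || printf ',\n'
        printf '        {"base":"%s","size":%s}' "$1" "$2"
        first=0
        shift 2
    done
    printf '\n    ]\n}\n'
}

# apply_pools BASE SIZE ...: write the rootless config, bounce the per-user service, and show the
# subnet a brand-new network receives. Needs a running rootless Docker; not run unless asked for.
apply_pools() {
    cfg_dir=${XDG_CONFIG_HOME:-$HOME/.config}/docker   # rootless daemon.json lives here, not /etc/docker
    mkdir -p "$cfg_dir"
    daemon_json "$@" > "$cfg_dir/daemon.json"
    systemctl --user restart docker
    docker network create pool-probe >/dev/null
    docker network inspect -f '{{range .IPAM.Config}}{{.Subnet}}{{end}}' pool-probe
    docker network rm pool-probe >/dev/null
}

LAN_CIDR=${LAN_CIDR:-192.168.1.0/24}

# Docker's built-in pools: 172.17.0.0/16 .. 172.31.0.0/16 sliced into /16s, and 192.168.0.0/16
# sliced into /20s. The blocks the poster saw (192.168.0.0/20, 192.168.48.0/20) are slices of the latter.
builtin_pools="192.168.0.0/16 20"
i=17
while [ "$i" -le 31 ]; do builtin_pools="172.$i.0.0/16 16 $builtin_pools"; i=$((i + 1)); done
if pools_clear_of "$LAN_CIDR" $builtin_pools; then
    echo "built-in pools are clear of $LAN_CIDR"
else
    echo "built-in pools collide with $LAN_CIDR; override them in daemon.json"
fi

# The poster's replacement pools.
if pools_clear_of "$LAN_CIDR" 172.16.0.0/16 24 172.20.0.0/16 24; then
    echo "replacement pools are clear of $LAN_CIDR:"
    daemon_json 172.16.0.0/16 24 172.20.0.0/16 24
fi

if [ "${1-}" = "--apply" ]; then
    apply_pools 172.16.0.0/16 24 172.20.0.0/16 24
fi
```

Run it with no arguments to see the collision report and the generated JSON; run it with --apply on the rootless host to install the config and restart the user-scoped docker unit. The printed subnet from docker network inspect should then fall inside one of the bases you chose; if it still comes from 192.168.0.0/16, the daemon did not pick up the file (wrong path or service not restarted).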