Docker Container Isolation Not Working In CentOS 7


Hi,

I’ve decided to use these summer holidays to wrap my head around Docker and its quirks. I’ve spent the last couple of weeks working through a Udemy tutorial and a thick book about Docker, and I have Docker CE installed on two machines:

* my workstation running OpenSUSE Leap 15.1

* a public sandbox server running CentOS 7

I’m currently fiddling with custom networks and container isolation, and it looks like I discovered a bug or at least an inconsistency in CentOS. Maybe the gurus among you have an explanation for this. Sorry if this is a bit long, but I try to be as clear as possible.

OpenSUSE Leap 15.1
------------------

For demonstration purposes on how things *should* be, I’m starting two Nginx containers named “webserver1” and “webserver2”:

$ docker run -dit --name webserver1 nginx
$ docker run -dit --name webserver2 nginx

These two containers have the respective 172.17.0.2 and 172.17.0.3 IP addresses:

$ docker network inspect bridge | grep -i ipv4address
"IPv4Address": "172.17.0.2/16",
"IPv4Address": "172.17.0.3/16",

The “webserver1” container has the 172.17.0.2 IP address:

$ docker exec -it webserver1 hostname -I
172.17.0.2

Since “webserver1” and “webserver2” are both on the “bridge” network, they can communicate with each other:

$ docker exec -it webserver1 curl -m 5 http://172.17.0.3
...
Welcome to nginx!

Now I’m creating the custom “blog” network:

$ docker network create blog
$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
e02e6fc654c6        blog                bridge              local
3ea6f28134ba        bridge              bridge              local
8d2b8dfe5352        host                host                local
0bd337e274c2        none                null                local

I’m starting a third container named “webserver3” and assigning it to the new “blog” network:

$ docker run -dit --name webserver3 --network blog nginx

This new container is in a whole new network segment:

$ docker network inspect blog | grep -i ipv4address
"IPv4Address": "172.20.0.2/16",

As is to be expected, it can’t communicate with the other two containers:

$ docker exec -it webserver3 curl -m 5 http://172.17.0.2
curl: (28) Connection timed out after 5001 milliseconds
$ docker exec -it webserver3 curl -m 5 http://172.17.0.3
curl: (28) Connection timed out after 5001 milliseconds

So far so good.

CentOS 7
--------

Now let’s repeat the exact same experiment on a server running CentOS 7.

First, create two containers on the default “bridge” network and check if they can communicate with each other:

$ docker run -dit --name webserver1 nginx
$ docker run -dit --name webserver2 nginx
$ docker network inspect bridge | grep -i ipv4address
"IPv4Address": "172.17.0.3/16",
"IPv4Address": "172.17.0.2/16",
$ docker exec -it webserver1 hostname -I
172.17.0.2
$ docker exec -it webserver1 curl -m 5 http://172.17.0.3
...
Welcome to nginx!

Now create a custom “blog” network and start a third container assigned to that network:

$ docker network create blog
$ docker network ls | grep blog
0571c80fef1b        blog                bridge              local
$ docker run -dit --name webserver3 --network blog nginx
$ docker network inspect blog | grep -i ipv4address
"IPv4Address": "172.19.0.2/16",
$ docker exec -it webserver3 hostname -I
172.19.0.2

Now IN THEORY “webserver3” shouldn’t be able to communicate with the “webserver1” and “webserver2” containers.

But here’s what happens IN PRACTICE (and only on CentOS 7):

$ docker exec -it webserver3 curl -m 5 http://172.17.0.2
...
Welcome to nginx!

$ docker exec -it webserver3 curl -m 5 http://172.17.0.3
...
Welcome to nginx!

As far as I’m concerned, it looks like a bug, it walks like a bug and it quacks like a bug.

Any remarks and/or suggestions?

Cheers from the sunny South of France,

Niki


Microlinux – Solutions informatiques durables
7, place de l’église – 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info@microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
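The isolation the post expects between “bridge” and “blog” is not something the kernel does on its own: dockerd implements it with iptables rules, namely the DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 chains it hooks into the FORWARD chain of the filter table, and if those rules are missing or bypassed, containers on different bridges can reach each other exactly as shown above. Before reaching for curl from inside containers, a defender can audit the ruleset directly. The script below is an added example, not code from the thread: it parses the output of `iptables-save -t filter`, simulates a NEW connection between every pair of Docker bridges and reports the FORWARD verdict. Both dumps in it are constructed for the demonstration (the bridge name br-e02e6fc654c6 is derived from the “blog” network ID in the post, since Docker names a bridge br-<12-character network ID>); the “leaky” variant simply removes the FORWARD hook into the isolation chain and is an illustration, not a claim about what the poster’s CentOS host contains.

```python
"""Audit Docker cross-bridge isolation in an `iptables-save -t filter` dump by
simulating a NEW packet between every pair of Docker bridges (added example)."""

# Constructed sample, not captured from the poster's host: bridges docker0 and
# br-e02e6fc654c6, with the isolation chains wired in the way dockerd installs them.
SAMPLE_ISOLATED = """\
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -o br-e02e6fc654c6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e02e6fc654c6 -j DOCKER
-A FORWARD -i br-e02e6fc654c6 ! -o br-e02e6fc654c6 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-e02e6fc654c6 ! -o br-e02e6fc654c6 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-e02e6fc654c6 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
COMMIT
"""

# Constructed "leaky" variant: the hook from FORWARD into the isolation chain is
# gone and FORWARD's policy is ACCEPT, as happens when a firewall manager flushes
# and rewrites the table after dockerd has populated it.
SAMPLE_LEAKY = SAMPLE_ISOLATED.replace(":FORWARD DROP", ":FORWARD ACCEPT").replace(
    "-A FORWARD -j DOCKER-ISOLATION-STAGE-1\n", "")


def parse_rule(tokens):
    """Reduce one rule's options to the matches this simulator models."""
    rule = {"in": None, "out": None, "target": None, "new": True, "unknown": False}
    i = 0
    while i < len(tokens):
        negated = tokens[i] == "!"
        if negated:
            i += 1
        opt = tokens[i]
        if opt in ("-i", "-o"):
            rule["in" if opt == "-i" else "out"] = (tokens[i + 1], negated)
            i += 2
        elif opt == "-j":
            rule["target"] = tokens[i + 1]
            i += 2
        elif opt == "--reject-with":
            i += 2
        elif tokens[i:i + 3] == ["-m", "conntrack", "--ctstate"]:
            rule["new"] = "NEW" in tokens[i + 3].split(",")  # does a NEW packet match?
            i += 4
        else:
            rule["unknown"] = True  # unmodelled match: skip the rule, erring toward "reachable"
            i += 1
    return rule


def parse_dump(dump):
    """Return ({chain: policy}, {chain: [rule, ...]}) for the filter table."""
    policies, chains = {}, {}
    for line in dump.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]  # policy is "-" for user chains
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            _, chain, *opts = line.split()
            chains.setdefault(chain, []).append(parse_rule(opts))
    return policies, chains


def iface_matches(spec, iface):
    return spec is None or (iface == spec[0]) != spec[1]


def walk(chain, chains, in_if, out_if):
    """Verdict for a NEW in_if -> out_if packet, or None if the chain falls through."""
    for rule in chains.get(chain, []):
        if rule["unknown"] or not rule["new"]:
            continue
        if not (iface_matches(rule["in"], in_if) and iface_matches(rule["out"], out_if)):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return "ACCEPT" if target == "ACCEPT" else "DROP"
        if target == "RETURN":
            return None
        if target in chains:  # user chain: a verdict reached inside it is final
            verdict = walk(target, chains, in_if, out_if)
            if verdict:
                return verdict
    return None


def audit(dump):
    """Map each ordered pair of distinct Docker bridges to its FORWARD verdict."""
    policies, chains = parse_dump(dump)
    bridges = sorted({spec[0] for rules in chains.values() for rule in rules
                      for spec in (rule["in"], rule["out"])
                      if spec and (spec[0] == "docker0" or spec[0].startswith("br-"))})
    return {(src, dst): walk("FORWARD", chains, src, dst) or policies.get("FORWARD", "ACCEPT")
            for src in bridges for dst in bridges if src != dst}


if __name__ == "__main__":
    for label, dump in (("isolated", SAMPLE_ISOLATED), ("leaky", SAMPLE_LEAKY)):
        for (src, dst), verdict in audit(dump).items():
            print(f"{label:9s} {src} -> {dst}: {verdict}")
```

On a real host, feed `audit()` the text of `iptables-save -t filter` (run as root) and expect DROP for every bridge pair; any ACCEPT means the cross-network reachability seen in the post will reproduce there. The simulator only models interface matches and conntrack state, and skips rules it does not understand, so it can report a false ACCEPT but never hides a DROP it failed to model.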

4 thoughts on - Docker Container Isolation Not Working In CentOS 7

  • On 10/08/2020 at 15:10, Nicolas Kovacs wrote:

    I’ve experimented some more, and while this is clearly a bug, the simple and pragmatic workaround consists in creating a custom network for every container group I want to isolate.

    Cheers,

    Niki



  • On 10/08/2020 at 17:03, Roberto Ragusa wrote:

    From the CentOS repository on Docker.com:

    $ head -n 7 /etc/yum.repos.d/docker-ce.repo
    [docker-ce-stable]
    name=Docker CE Stable - $basearch
    baseurl=https://download.docker.com/linux/CentOS/7/$basearch/stable
    enabled=1
    gpgcheck=1
    gpgkey=https://download.docker.com/linux/CentOS/gpg

    Nearly all the online tutorials and the Docker documentation strongly suggest installing Docker CE from this source.

