Docker Container Isolation Not Working In CentOS 7
Hi,
I’ve decided to use these summer holidays to wrap my head around Docker and its quirks. Spent the last couple weeks working through a Udemy tutorial and a thick book about Docker, and I have Docker CE installed on two machines:
* my workstation running OpenSUSE Leap 15.1
* a public sandbox server running CentOS 7
I’m currently fiddling with custom networks and container isolation, and it looks like I discovered a bug or at least an inconsistency in CentOS. Maybe the gurus among you have an explanation for this. Sorry if this is a bit long, but I try to be as clear as possible.
OpenSUSE Leap 15.1
——————
For demonstration purposes on how things *should* be, I’m starting two Nginx containers named “webserver1” and “webserver2”:
$ docker run -dit –name webserver1 nginx
$ docker run -dit –name webserver2 nginx
These two containers have the respective 172.17.0.2 and 172.17.0.3 IP addresses:
$ docker network inspect bridge | grep -i ipv4address
“IPv4Address”: “172.17.0.2/16”,
“IPv4Address”: “172.17.0.3/16”,
The “webserver1” container has the 172.17.0.2 IP address:
$ docker exec -it webserver1 hostname -I
172.17.0.2
Since “webserver1” and “webserver2” are both on the “bridge” network, they can communicate with each other:
$ docker exec -it webserver1 curl -m 5 http://172.17.0.3
…
Now I’m creating the custom “blog” network:
$ docker network create blog
$ docker network ls NETWORK ID NAME DRIVER SCOPE
e02e6fc654c6 blog bridge local
3ea6f28134ba bridge bridge local
8d2b8dfe5352 host host local
0bd337e274c2 none null local
I’m starting a third container named “webserver3” and assign it to the new
“blog” network:
$ docker run -dit –name webserver3 –network blog nginx
This new container is in a whole new network segment:
$ docker network inspect blog | grep -i ipv4address
“IPv4Address”: “172.20.0.2/16”,
As is to be expected, it can’t communicate with the other two containers:
$ docker exec -it webserver3 curl -m 5 http://172.17.0.2
curl: (28) Connection timed out after 5001 milliseconds
$ docker exec -it webserver3 curl -m 5 http://172.17.0.3
curl: (28) Connection timed out after 5001 milliseconds
So far so good.
CentOS 7
——–
Now let’s repeat the exact same experiment on a server running CentOS 7.
First, create two containers on the default “bridge” network and check if they can communicate with each other:
$ docker run -dit –name webserver1 nginx
$ docker run -dit –name webserver2 nginx
$ docker network inspect bridge | grep -i ipv4address
“IPv4Address”: “172.17.0.3/16”,
“IPv4Address”: “172.17.0.2/16”,
$ docker exec -it webserver1 hostname -I
172.17.0.2
$ docker exec -it webserver1 curl -m 5 http://172.17.0.3
…
Now create a custom “blog” network and start a third container assigned to that network:
$ docker network create blog
$ docker network ls | grep blog
0571c80fef1b blog bridge local
$ docker run -dit –name webserver3 –network blog nginx
$ docker network inspect blog | grep -i ipv4address
“IPv4Address”: “172.19.0.2/16”,
$ docker exec -it webserver3 hostname -I
172.19.0.2
Now IN THEORY “webserver3” shouldn’t be able to communicate with the
“webserver1” and “webserver2” containers.
But here’s what happens IN PRACTICE (and only on CentOS 7):
$ docker exec -it webserver3 curl -m 5 http://172.17.0.2
…
$ docker exec -it webserver3 curl -m 5 http://172.17.0.3
…
As far as I’m concerned, it looks like a bug, it walks like a bug and it quacks like a bug.
Any remarks and/or suggestions?
Cheers from the sunny South of France,
Niki
—
Microlinux – Solutions informatiques durables
7, place de l’église – 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
4 thoughts on - Docker Container Isolation Not Working In CentOS 7
Le 10/08/2020 à 15:10, Nicolas Kovacs a écrit :
I’ve experimented some more, and while this is clearly a bug, the simple and pragmatic workaround consists in creating a custom network for every container group I want to isolate.
Cheers,
Niki
—
Microlinux – Solutions informatiques durables
7, place de l’église – 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
Where is your docker coming from?
Regards.
Le 10/08/2020 à 17:03, Roberto Ragusa a écrit :
From the CentOS repository on Docker.com:
$ head -n 7 /etc/yum.repos.d/docker-ce.repo
[docker-ce-stable]
name=Docker CE Stable – $basearch baseurl=https://download.docker.com/linux/CentOS/7/$basearch/stable enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/CentOS/gpg
Nearly all the online tutorials and Docker documentation strongly suggest to install Docker CE from this source.
—
Microlinux – Solutions informatiques durables
7, place de l’église – 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
You might want to take a look at Podman while you are at it.