Sanjeev Rohila
5 min read · Apr 29, 2020


Docker Bridge Networking in action — Deep dive with troubleshooting

In this post I demonstrate a scenario with two VMs:

Host-1 (Ubuntu) and

Host-2 (Ubuntu), the Docker host.

On Host-2 I will deploy a few Nginx containers on a Docker bridge network and make them accessible from other machines on the network, for now from Host-1.

We could, however, do the same with the host network on the Docker host and access the containers through the host's IP address and a specific port for each container.

Below is our topology, followed by how I created it.

Topology

Create the bridge network as below:

sudo docker network create --driver=bridge --subnet=192.168.2.0/24 --gateway=192.168.2.10 new_subnet

sudo docker network ls

Create the below containers

sudo docker run --name mynginx-user --net cda2a8b96b8b -d nginx

sudo docker run --name mynginx-admin --net cda2a8b96b8b -d nginx

sudo docker run --name mynginx-rp --net cda2a8b96b8b -d nginx

sudo docker run --name mynginx --network=86b467ad8015 -d nginx

What I can see on Host-2 now:

host-2:~$ ifconfig
br-cda2a8b96b8b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.10 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::42:b8ff:feeb:eaa prefixlen 64 scopeid 0x20<link>
ether 02:42:b8:eb:0e:aa txqueuelen 0 (Ethernet)
RX packets 10328 bytes 557224 (557.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18176 bytes 39719362 (39.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:bcff:fe1b:e49f prefixlen 64 scopeid 0x20<link>
ether 02:42:bc:1b:e4:9f txqueuelen 0 (Ethernet)
RX packets 18772 bytes 1023868 (1.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 31012 bytes 97582501 (97.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 20.20.38.183 netmask 255.255.0.0 broadcast 20.20.47.255
inet6 fe80::250:56ff:fe98:1cfe prefixlen 64 scopeid 0x20<link>
ether 00:50:56:98:1c:fe txqueuelen 1000 (Ethernet)
RX packets 1163974 bytes 604771250 (604.7 MB)
RX errors 0 dropped 75006 overruns 0 frame 0
TX packets 228100 bytes 144972268 (144.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1744 bytes 217851 (217.8 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1744 bytes 217851 (217.8 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth5e6271d: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::60f3:a9ff:fe1a:1de7 prefixlen 64 scopeid 0x20<link>
ether 62:f3:a9:1a:1d:e7 txqueuelen 0 (Ethernet)
RX packets 21 bytes 3819 (3.8 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 54 bytes 3910 (3.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth9ddbe8a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::88d5:b8ff:fe16:b23 prefixlen 64 scopeid 0x20<link>
ether 8a:d5:b8:16:0b:23 txqueuelen 0 (Ethernet)
RX packets 81 bytes 9736 (9.7 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 167 bytes 12591 (12.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vethb2079b0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::1822:59ff:fe7a:9be3 prefixlen 64 scopeid 0x20<link>
ether 1a:22:59:7a:9b:e3 txqueuelen 0 (Ethernet)
RX packets 58 bytes 7313 (7.3 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 150 bytes 10861 (10.8 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vethd204e1e: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::a0aa:6aff:feda:67d1 prefixlen 64 scopeid 0x20<link>
ether a2:aa:6a:da:67:d1 txqueuelen 0 (Ethernet)
RX packets 5349 bytes 362884 (362.8 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9496 bytes 19888540 (19.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

There we see two bridge interfaces:

br-cda2a8b96b8b: the bridge interface for the new_subnet bridge network we created.

docker0: the default bridge interface created with the Docker installation.

There are also four virtual Ethernet NICs, one for each nginx container created:

veth5e6271d,

veth9ddbe8a,

vethb2079b0,

vethd204e1e

To check which NICs are attached to each bridge, run brctl show on Host-2.

The static routes below are also added; run route -n on Host-2 to see them.

Now we will try to send traffic from Host-1 to one of the containers on Host-2. First add a static route on Host-1:

sudo route add -net 172.17.0.0 netmask 255.255.0.0 gw 20.20.38.183

Also enable IP forwarding on Host-2 by executing (as root):

echo 1 > /proc/sys/net/ipv4/ip_forward

Now, from Host-1, let's send a request with curl -XGET http://192.168.2.2

Note: Unnecessary use of -X or --request, GET is already inferred.
* Rebuilt URL to: http://192.168.2.2/
* Trying 192.168.2.2...
* TCP_NODELAY set
^C

We observe that the request does not go through, and we see no traffic on the bridge interface when running sudo tcpdump -i br-cda2a8b96b8b on Host-2.

We also observe the below in traceroute 192.168.2.2 on Host-1.

We also observe that the traffic arrives at the physical interface ens32 on Host-2 by running tcpdump -i ens32.

So packets are being received on Host-2 but are not being forwarded to the bridge interface because of iptables.

Solution 1: Disable the firewall by running ufw disable on Host-2,

and on executing curl -I -XGET 192.168.2.2 we see the output below.

Solution 2: This one came with help from two of my friends, Prashant Shetty and Ashok B (as I am not very good at networking). It enables forwarding of packets from ens32 to the Docker bridge interface, by executing

iptables -I FORWARD 1 -i ens32 -o br-cda2a8b96b8b -j ACCEPT

In the reference below, I have added the output of the commands before and after executing the above command.

Host-2 — sudo tcpdump -i br-cda2a8b96b8b

Host-1 — curl -XGET http://192.168.2.2
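
The diagnosis above (packets reach ens32 but never the bridge) can be read straight off the FORWARD chain. The script below is an added example, not part of the original post: it walks iptables -S FORWARD text for an interface pair, using a constructed sample chain (the rule set, the DROP policy and the function names are assumptions) before and after the Solution 2 rule.

```shell
#!/bin/sh
# Added example, not from the original post.
# forward_verdict IN_IF OUT_IF < rules   (rules = `iptables -S FORWARD` text)
# Prints the verdict for a NEW connection entering IN_IF and leaving OUT_IF.
# Simplification: only -i/-o (with "!"), --ctstate and -j are evaluated;
# jumps to other chains (DOCKER, ufw-*) are assumed to return without a
# verdict, which is the case for a container with no published port.
forward_verdict() {
  awk -v in_if="$1" -v out_if="$2" '
    $1 == "-P" && $2 == "FORWARD" { policy = $3; next }
    $1 != "-A" || $2 != "FORWARD" { next }
    {
      ok = 1; target = ""; neg = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "!") { neg = 1; continue }
        if ($i == "-i") { i++; if (($i == in_if) == neg) ok = 0 }
        else if ($i == "-o") { i++; if (($i == out_if) == neg) ok = 0 }
        else if ($i == "--ctstate") { i++; if ($i !~ /NEW/) ok = 0 }
        else if ($i == "-j") { i++; target = $i }
        neg = 0
      }
      if (ok && target ~ /^(ACCEPT|DROP|REJECT)$/) { print target; found = 1; exit }
    }
    END { if (!found) print policy }
  '
}

# Constructed sample: a FORWARD chain modelled on what Docker and ufw install.
sample_before() {
  cat <<'EOF'
-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -o br-cda2a8b96b8b -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-cda2a8b96b8b -j DOCKER
-A FORWARD -i br-cda2a8b96b8b ! -o br-cda2a8b96b8b -j ACCEPT
-A FORWARD -i br-cda2a8b96b8b -o br-cda2a8b96b8b -j ACCEPT
-A FORWARD -j ufw-before-forward
EOF
}

# Same chain after: iptables -I FORWARD 1 -i ens32 -o br-cda2a8b96b8b -j ACCEPT
sample_after() {
  sample_before | awk 'NR == 2 { print "-A FORWARD -i ens32 -o br-cda2a8b96b8b -j ACCEPT" } { print }'
}

echo "before, ens32 -> bridge: $(sample_before | forward_verdict ens32 br-cda2a8b96b8b)"
echo "after,  ens32 -> bridge: $(sample_after  | forward_verdict ens32 br-cda2a8b96b8b)"
echo "replies, bridge -> ens32: $(sample_before | forward_verdict br-cda2a8b96b8b ens32)"
```

On a live host, pipe the output of sudo iptables -S FORWARD into forward_verdict instead of the sample. The rule from Solution 2 accepts every protocol and port from ens32 to the bridge; appending -d 192.168.2.0/24 -p tcp --dport 80 narrows it to the nginx traffic used here.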
