Nicolas Kovacs
2020-Aug-10 13:10 UTC
[CentOS] Docker container isolation not working in CentOS 7
Hi,

I've decided to use these summer holidays to wrap my head around Docker and its quirks. Spent the last couple of weeks working through a Udemy tutorial and a thick book about Docker, and I have Docker CE installed on two machines:

  * my workstation running OpenSUSE Leap 15.1
  * a public sandbox server running CentOS 7

I'm currently fiddling with custom networks and container isolation, and it looks like I discovered a bug or at least an inconsistency in CentOS. Maybe the gurus among you have an explanation for this. Sorry if this is a bit long, but I'll try to be as clear as possible.

OpenSUSE Leap 15.1
------------------

For demonstration purposes, to show how things *should* be, I'm starting two Nginx containers named "webserver1" and "webserver2":

  $ docker run -dit --name webserver1 nginx
  $ docker run -dit --name webserver2 nginx

These two containers have the IP addresses 172.17.0.2 and 172.17.0.3 respectively:

  $ docker network inspect bridge | grep -i ipv4address
  "IPv4Address": "172.17.0.2/16",
  "IPv4Address": "172.17.0.3/16",

The "webserver1" container has the 172.17.0.2 IP address:

  $ docker exec -it webserver1 hostname -I
  172.17.0.2

Since "webserver1" and "webserver2" are both on the "bridge" network, they can communicate with each other:

  $ docker exec -it webserver1 curl -m 5 http://172.17.0.3
  <!DOCTYPE html>
  <html>
  <head>
  <title>Welcome to nginx!</title>
  ...

Now I'm creating the custom "blog" network:

  $ docker network create blog
  $ docker network ls
  NETWORK ID     NAME      DRIVER    SCOPE
  e02e6fc654c6   blog      bridge    local
  3ea6f28134ba   bridge    bridge    local
  8d2b8dfe5352   host      host      local
  0bd337e274c2   none      null      local

I'm starting a third container named "webserver3" and assigning it to the new "blog" network:

  $ docker run -dit --name webserver3 --network blog nginx

This new container is in a whole new network segment:

  $ docker network inspect blog | grep -i ipv4address
  "IPv4Address": "172.20.0.2/16",

As is to be expected, it can't communicate with the other two containers:

  $ docker exec -it webserver3 curl -m 5 http://172.17.0.2
  curl: (28) Connection timed out after 5001 milliseconds
  $ docker exec -it webserver3 curl -m 5 http://172.17.0.3
  curl: (28) Connection timed out after 5001 milliseconds

So far so good.

CentOS 7
--------

Now let's repeat the exact same experiment on a server running CentOS 7. First, create two containers on the default "bridge" network and check if they can communicate with each other:

  $ docker run -dit --name webserver1 nginx
  $ docker run -dit --name webserver2 nginx
  $ docker network inspect bridge | grep -i ipv4address
  "IPv4Address": "172.17.0.3/16",
  "IPv4Address": "172.17.0.2/16",
  $ docker exec -it webserver1 hostname -I
  172.17.0.2
  $ docker exec -it webserver1 curl -m 5 http://172.17.0.3
  <!DOCTYPE html>
  <html>
  <head>
  <title>Welcome to nginx!</title>
  ...

Now create a custom "blog" network and start a third container assigned to that network:

  $ docker network create blog
  $ docker network ls | grep blog
  0571c80fef1b   blog      bridge    local
  $ docker run -dit --name webserver3 --network blog nginx
  $ docker network inspect blog | grep -i ipv4address
  "IPv4Address": "172.19.0.2/16",
  $ docker exec -it webserver3 hostname -I
  172.19.0.2

Now IN THEORY "webserver3" shouldn't be able to communicate with the "webserver1" and "webserver2" containers.

But here's what happens IN PRACTICE (and only on CentOS 7):

  $ docker exec -it webserver3 curl -m 5 http://172.17.0.2
  <!DOCTYPE html>
  <html>
  <head>
  <title>Welcome to nginx!</title>
  ...
  $ docker exec -it webserver3 curl -m 5 http://172.17.0.3
  <!DOCTYPE html>
  <html>
  <head>
  <title>Welcome to nginx!</title>
  ...

As far as I'm concerned, it looks like a bug, it walks like a bug and it quacks like a bug.

Any remarks and/or suggestions?

Cheers from the sunny South of France,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
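An added check, not part of Niki's post and not Docker's own tooling: the isolation the OpenSUSE run shows between the "bridge" and "blog" networks is enforced by iptables rules that dockerd installs in the filter table's FORWARD chain (a jump to DOCKER-ISOLATION-STAGE-1, which sends traffic leaving a bridge to DOCKER-ISOLATION-STAGE-2, which DROPs it if it is headed into another Docker bridge). So the first thing to compare between the two hosts is whether those three rules exist for the "blog" bridge, whose interface is "br-" plus the first 12 characters of the network ID (br-e02e6fc654c6 on the OpenSUSE box, br-0571c80fef1b on the CentOS box). The script below takes an `iptables -S` listing and a bridge name and reports which rules are missing. Both rule dumps are constructed samples: the first is what an intact ruleset looks like for network ID e02e6fc654c6; the second has no isolation chains at all, one shape the symptom in this post could take, not a claim about what is actually on Niki's CentOS host.

```shell
#!/bin/sh
# Added example (not from the thread): verify Docker's inter-bridge isolation
# rules for one network from an `iptables -S` listing of the filter table.
#
#   FORWARD                    -> DOCKER-ISOLATION-STAGE-1
#   STAGE-1: -i <br> ! -o <br> -> DOCKER-ISOLATION-STAGE-2   (leaving <br>)
#   STAGE-2: -o <br>           -> DROP                       (entering <br>)
# A user-defined network's interface is "br-" + first 12 chars of its ID;
# the default "bridge" network uses docker0.

# bridge_name NETWORK_ID  -> prints the interface name dockerd creates for it
bridge_name() {
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# has_rule DUMP RULE  -> true if RULE appears as a whole line in DUMP
has_rule() {
    printf '%s\n' "$1" | grep -qxF -e "$2"
}

# check_isolation DUMP BRIDGE
#   DUMP   : text in `iptables -S` format, one "-A CHAIN ..." rule per line
#   BRIDGE : interface name such as br-0571c80fef1b (or docker0)
# Prints one line per rule and returns 0 only if all three are present.
check_isolation() {
    dump=$1
    br=$2
    status=0

    if has_rule "$dump" "-A FORWARD -j DOCKER-ISOLATION-STAGE-1"; then
        echo "ok   : FORWARD jumps to DOCKER-ISOLATION-STAGE-1"
    else
        echo "FAIL : FORWARD never reaches DOCKER-ISOLATION-STAGE-1 (rules flushed, or dockerd running with iptables=false?)"
        status=1
    fi

    if has_rule "$dump" "-A DOCKER-ISOLATION-STAGE-1 -i $br ! -o $br -j DOCKER-ISOLATION-STAGE-2"; then
        echo "ok   : stage-1 rule present for traffic leaving $br"
    else
        echo "FAIL : no stage-1 rule for $br"
        status=1
    fi

    if has_rule "$dump" "-A DOCKER-ISOLATION-STAGE-2 -o $br -j DROP"; then
        echo "ok   : stage-2 DROP present for traffic entering $br"
    else
        echo "FAIL : no stage-2 DROP for $br; containers on other bridges can reach it"
        status=1
    fi
    return $status
}

# --- Constructed samples (not captured from the hosts in the thread) ---
# 1. Intact ruleset for a host whose "blog" network has ID e02e6fc654c6.
GOOD_DUMP='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -o br-e02e6fc654c6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e02e6fc654c6 -j DOCKER
-A FORWARD -i br-e02e6fc654c6 ! -o br-e02e6fc654c6 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-e02e6fc654c6 ! -o br-e02e6fc654c6 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-e02e6fc654c6 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN'

# 2. Same host shape with the isolation chains gone: FORWARD policy ACCEPT and
#    no STAGE-1/STAGE-2 rules, so br-0571c80fef1b can reach docker0 addresses.
BAD_DUMP='-P FORWARD ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -o br-0571c80fef1b -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-0571c80fef1b -j DOCKER
-A FORWARD -i br-0571c80fef1b ! -o br-0571c80fef1b -j ACCEPT'

echo "== intact ruleset, $(bridge_name e02e6fc654c6) =="
check_isolation "$GOOD_DUMP" "$(bridge_name e02e6fc654c6)"
echo "== ruleset without isolation chains, $(bridge_name 0571c80fef1b) =="
check_isolation "$BAD_DUMP" "$(bridge_name 0571c80fef1b)" || echo "isolation NOT enforced"

# On a real host, as root, for the "blog" network:
#   check_isolation "$(iptables -S)" "$(bridge_name "$(docker network inspect -f '{{.Id}}' blog)")"
```

If the FAIL lines show up on the CentOS host but not on OpenSUSE, the difference is in the host's firewall rules rather than in Docker's network model; note that dockerd only (re)creates these chains when it starts and when a network is created, so anything that flushes the filter table afterwards leaves the bridges connected until dockerd is restarted.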
Nicolas Kovacs
2020-Aug-10 14:54 UTC
[CentOS] Docker container isolation not working in CentOS 7
On 10/08/2020 at 15:10, Nicolas Kovacs wrote:
> Now IN THEORY "webserver3" shouldn't be able to communicate with the
> "webserver1" and "webserver2" containers.
>
> But here's what happens IN PRACTICE (and only on CentOS 7):
>
> $ docker exec -it webserver3 curl -m 5 http://172.17.0.2
> <!DOCTYPE html>
> <html>
> <head>
> <title>Welcome to nginx!</title>
> ...
> $ docker exec -it webserver3 curl -m 5 http://172.17.0.3
> <!DOCTYPE html>
> <html>
> <head>
> <title>Welcome to nginx!</title>
> ...
>
> As far as I'm concerned, it looks like a bug, it walks like a bug and it quacks
> like a bug.

I've experimented some more, and while this is clearly a bug, the simple and pragmatic workaround consists in creating a custom network for every container group I want to isolate.

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
Roberto Ragusa
2020-Aug-10 15:03 UTC
[CentOS] Docker container isolation not working in CentOS 7
On 2020-08-10 15:10, Nicolas Kovacs wrote:
> Hi,
>
> I've decided to use these summer holidays to wrap my head around Docker and its
> quirks. Spent the last couple weeks working through a Udemy tutorial and a
> thick book about Docker, and I have Docker CE installed on two machines:

Where is your docker coming from?

Regards.

-- 
Roberto Ragusa
mail at robertoragusa.it
Nicolas Kovacs
2020-Aug-10 15:33 UTC
[CentOS] Docker container isolation not working in CentOS 7
On 10/08/2020 at 17:03, Roberto Ragusa wrote:
> Where is your docker coming from?

From the CentOS repository on Docker.com:

  $ head -n 7 /etc/yum.repos.d/docker-ce.repo
  [docker-ce-stable]
  name=Docker CE Stable - $basearch
  baseurl=https://download.docker.com/linux/centos/7/$basearch/stable
  enabled=1
  gpgcheck=1
  gpgkey=https://download.docker.com/linux/centos/gpg

Nearly all the online tutorials and the Docker documentation strongly suggest installing Docker CE from this source.

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12