Docker networks and subnets

May 18, 2020 | Docker

Docker allocates the subnet of every new network from its default address pools. For most use cases the shipped defaults fit. But sometimes a Docker subnet overlaps an existing network or subnet, and the overlap breaks connectivity to existing systems. Or a large number of Docker networks exhausts the pools.

Docker network conflict

After starting a set of Docker containers, the host machine disappears from the network. The analysis shows that it is not a host problem. The machine is running, but I cannot reach it from my workstation. Some of my colleagues see the same effect, while others do not see any issue. Rebooting the machine solves the problem for the moment. What is happening here?

The network team analyses the Docker network issue

So I start focusing on this issue. The next time it occurs, the network team starts investigating. We see network packets addressed to my workstation's IP address. But local network policies route them to a different interface, towards a Docker container.

Conflicting Docker networks

The docker-compose command creates a separate network for each YAML file: when a compose file starts, Docker creates a new network for it. In my case, the Docker default chose a network that conflicts with my IP address. For this reason, we must change the Docker default.
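The conflict described above is detectable on the host itself before anyone loses connectivity: every Docker subnet can be compared with the routes the host already has. The following script is an added example, not code from the original post. It reads input in the formats of `docker network inspect $(docker network ls -q)` and `ip route show`; constructed samples of both are embedded so it runs offline, and the network names, device names and addresses in them are made up.

```python
"""Flag Docker networks whose subnets overlap the host's own routes.

Added example, not code from the original post. It reads two inputs in
the formats of `docker network inspect $(docker network ls -q)` and
`ip route show`; constructed samples of both are embedded below so the
check runs offline.
"""
import ipaddress
import json

# Constructed sample of `docker network inspect` output, trimmed to the
# fields this check needs. The "host" network has no IPAM config at all.
DOCKER_INSPECT_JSON = """
[
  {"Name": "bridge",
   "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}},
  {"Name": "app_backend",
   "IPAM": {"Config": [{"Subnet": "192.168.0.0/16", "Gateway": "192.168.0.1"}]}},
  {"Name": "host", "IPAM": {"Config": null}}
]
"""

# Constructed sample in the format of `ip route show` on the same host.
IP_ROUTE_OUTPUT = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.57
10.20.30.40 via 192.168.1.1 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.0.0/16 dev br-3f2a1c9d8e7b proto kernel scope link src 192.168.0.1
"""

# Routes on Docker's own bridges are the networks being checked, so they
# are skipped. Extend this tuple if bridges were given custom names.
DOCKER_BRIDGE_PREFIXES = ("docker0", "br-")


def parse_docker_networks(inspect_json):
    """Return (network name, subnet) pairs from `docker network inspect` JSON."""
    result = []
    for net in json.loads(inspect_json):
        for cfg in net.get("IPAM", {}).get("Config") or []:
            if "Subnet" in cfg:
                subnet = ipaddress.ip_network(cfg["Subnet"], strict=False)
                result.append((net["Name"], subnet))
    return result


def parse_host_routes(ip_route_text):
    """Return (device, destination) pairs for non-Docker, non-default routes."""
    result = []
    for line in ip_route_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "default" or "dev" not in tokens:
            continue
        dev = tokens[tokens.index("dev") + 1]
        if dev.startswith(DOCKER_BRIDGE_PREFIXES):
            continue
        # A bare address (host route) becomes a /32; strict=False masks host bits.
        result.append((dev, ipaddress.ip_network(tokens[0], strict=False)))
    return result


def find_overlaps(docker_networks, host_routes):
    """Pair each Docker subnet with every host route it overlaps."""
    hits = []
    for name, subnet in docker_networks:
        for dev, dest in host_routes:
            if subnet.overlaps(dest):  # False for mixed IPv4/IPv6 pairs
                hits.append((name, str(subnet), dev, str(dest)))
    return hits


def check(inspect_json=DOCKER_INSPECT_JSON, ip_route_text=IP_ROUTE_OUTPUT):
    """Run the full check; an empty list means no conflict was found."""
    return find_overlaps(parse_docker_networks(inspect_json),
                         parse_host_routes(ip_route_text))


if __name__ == "__main__":
    conflicts = check()
    for name, subnet, dev, dest in conflicts:
        print(f"CONFLICT: Docker network {name!r} ({subnet}) overlaps {dest} on {dev}")
    if not conflicts:
        print("no Docker subnet overlaps a host route")
```

With the samples above, the `app_backend` network (192.168.0.0/16) is reported against the host's own LAN route 192.168.1.0/24 on eth0, while the default `bridge` network passes. The check only sees routes the host knows about; a subnet that swallows a remote office range reachable through the default gateway will not show up unless that range is added to the route list being compared.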

Specify network in docker-compose.yaml

This article describes a way to configure Docker networking as part of the compose file. The IP address management (IPAM) section accepts additional parameters, and that is where the subnet is configured.

docker-compose.yaml

...
networks:
  backend:
    driver: bridge
    ipam:
      config:
        # a /24 reserves only 192.168.200.0-255 for this network; the
        # prefix length must match the network address and the gateway
        - subnet: 192.168.200.0/24
          gateway: 192.168.200.1

Specify the docker networks globally

The IPAM block in the compose file solves the problem for one compose file. It does not solve it for the entire host: other compose files may run into the same problem. For this reason, changing the overall default is the universal approach.

The Docker daemon reads its defaults from the daemon.json file, so changing the default there changes the default for all the compose files.


daemon.json

{
  "default-address-pools":[
    {"base":"172.80.0.0/16","size":24}
  ]
}

The example above draws every new network from 172.80.0.0/16, that is, from 172.80.[0-255].0. The size of 24 means each network receives a /24 out of that pool: the subnet bitmask grows from the pool's 16 bits to 24 bits per network.
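Before rewriting daemon.json it is worth previewing what a pool entry will hand out and whether the pool itself collides with anything the host must keep reaching. The script below is an added example, not code from the original post; it reproduces Docker's carving of `base` into `size`-bit subnets with the standard library, and the "reserved" ranges in it are constructed placeholders for a LAN and a VPN. Two things the page does not spell out also surface here: 172.80.0.0/16 lies outside the RFC 1918 block 172.16.0.0/12, so it is publicly routable address space, and a pool change only affects networks created after the daemon has been restarted, since existing networks keep the subnet they were created with.

```python
"""Preview what a `default-address-pools` entry in daemon.json will allocate.

Added example, not code from the original post. Docker carves each new
network out of `base` in chunks of `size` prefix bits; this script
reproduces that arithmetic so a pool can be checked against the ranges
the host must keep reaching before the daemon is reconfigured.
"""
import ipaddress
import json

# The daemon.json from the post, embedded as a string so this file stands alone.
DAEMON_JSON = '{"default-address-pools":[{"base":"172.80.0.0/16","size":24}]}'

# Constructed placeholders: the LAN and VPN ranges this host must keep reaching.
MUST_NOT_OVERLAP = ["192.168.0.0/16", "10.0.0.0/8"]


def pools_from_daemon_json(text):
    """Return (base, size) pairs from a daemon.json document."""
    cfg = json.loads(text)
    return [(p["base"], p["size"]) for p in cfg.get("default-address-pools", [])]


def pool_subnets(base, size):
    """All subnets one pool entry can yield, lowest first."""
    base_net = ipaddress.ip_network(base, strict=False)
    if size < base_net.prefixlen:
        raise ValueError(f"size /{size} is larger than the pool {base_net}")
    return list(base_net.subnets(new_prefix=size))


def audit_pool(base, size, reserved):
    """Summarise a pool and list which reserved ranges it collides with."""
    base_net = ipaddress.ip_network(base, strict=False)
    subnets = pool_subnets(base, size)
    reserved_nets = [ipaddress.ip_network(r) for r in reserved]
    return {
        "pool": str(base_net),
        "network_count": len(subnets),
        "first": str(subnets[0]),
        "last": str(subnets[-1]),
        # network and broadcast addresses are unusable; Docker also takes the gateway
        "hosts_per_network": subnets[0].num_addresses - 2,
        # RFC 1918 check: 172.80.0.0/16 is outside 172.16.0.0/12, so this is False
        "is_private": base_net.is_private,
        "collides_with": [str(r) for r in reserved_nets if base_net.overlaps(r)],
    }


def audit_daemon_json(text, reserved=MUST_NOT_OVERLAP):
    """Audit every pool entry found in a daemon.json document."""
    return [audit_pool(base, size, reserved) for base, size in pools_from_daemon_json(text)]


if __name__ == "__main__":
    for report in audit_daemon_json(DAEMON_JSON):
        print(report)
    # Constructed comparison: a pool that overlaps the placeholder LAN range.
    print(audit_pool("192.168.0.0/16", 24, MUST_NOT_OVERLAP))
```

For the post's daemon.json the report shows 256 networks from 172.80.0.0/24 to 172.80.255.0/24 with 254 usable addresses each, `is_private` False, and no collision with the placeholder ranges; the comparison pool 192.168.0.0/16 is reported as colliding with the placeholder LAN, which is the situation the post started from.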


https://www.bytefusion.de/2020/02/29/software-containerization-with-docker-reviewed/