Connect Docker container to both host and internal bridge network
Problem
I am trying to run a Docker container as a router between a private (--internal) Docker network and the predefined host network. This means the container needs to have two network interfaces: one "outside" interface, that can access all host IP addresses, and one "inside" interface, that acts as a gateway for the containers in the internal Docker network. The router container itself will then NAT network traffic from/to containers.
I have not found a way to configure Docker to run the container with those two interfaces. The closest I could get is having two bridge interfaces assigned, which is not exactly what I need.
Trying to connect manually results in an error:
# docker network connect host root_router_1
Error response from daemon: Container cannot be disconnected from host network or connected to host network
Can anybody show me how to achieve this, preferably even with Docker Compose?
Solution
Docker does not allow connecting a container to the host network and any other Docker bridge network at the same time. I will try to illustrate the reason with an example:
- Let us think of a container C1. Hypothetically, C1 would be connected to the host network (--net=host) and a Docker bridge network Br1 (--net=Br1).
- A second container, let us say C2, is connected to Br1.
With the above setup, my guess is that the host network is visible from C2, and I suppose this is the reason why Docker automatically prevents us from unintentionally exposing the host network to non-host-specified containers.
That being said, if we have a set of containers, and we want all of them to be interconnected, with just a single container having access to the host network, my approach would be:
- [C2,...,CN] are connected to a user-defined Docker bridge Br1 (--net=Br1)
- C1 is connected to the host network (--net=host)
- C1 exposes a port in order to be accessible from the rest of the containers
EDIT: We would still have to adapt iptables policies in such a way that C1 can be reached from the rest of the containers (see https://docs.docker.com/network/iptables/)
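The layout described in the answer, written as a Docker Compose file; this is an added illustration, not code from the answer or from Docker's documentation. The image names, the listening port 8080, the 172.30.0.0/24 subnet and the gateway address are assumptions chosen for the example.

```yaml
# Added example: C1 on the host network, the remaining containers on a
# user-defined bridge (Br1). Image names, port and subnet are placeholders.
services:
  c1:
    image: example/router:latest      # placeholder image for C1
    network_mode: host                # C1 shares the host's network stack
    # With network_mode: host, "ports:" is ignored; the process inside C1
    # must itself bind a host port (assumed here: 8080) so that it is
    # reachable from the Br1 containers via the bridge gateway address.
  c2:
    image: example/worker:latest      # placeholder image for C2..CN
    networks:
      - br1
    extra_hosts:
      - "c1:172.30.0.1"               # bridge gateway = host side of Br1
    # C2 reaches C1 at c1:8080 only once the iptables policy on the host
    # permits traffic from Br1 to that port (see the linked Docker docs).

networks:
  br1:
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.0.0/24       # assumed subnet for Br1
          gateway: 172.30.0.1
```

Because C1 listens on the host network, any address it binds is reachable from every interface the host has, so bind it to the Br1 gateway address (here 172.30.0.1) rather than 0.0.0.0 when only the Br1 containers need it.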
Context
StackExchange DevOps Q#1410, answer score: 4