1

Basically I need to blacklist an IP range (and maybe multiple ranges) so that Docker can use any other IPs for its containers BUT IPs in this range.

Assume I have my docker nodes in a swarm of n nodes. They are in IP range 10.1.1.0/24. There are multiple other VMs in this IP range like a VPN Server, a firewall, etc.

Can I restrict Docker from assigning IPs from this range to containers it starts?

Worp
  • 689
  • 4
  • 11
  • 19

1 Answer

4

Docker should avoid using a network if there's a route to that network (see ip r). You can whitelist networks that docker is allowed to use with configurations in several places:

  • You can adjust bip in /etc/docker/daemon.json which controls the docker bridge network named bridge. This needs to be set to a gateway IP with CIDR notation.
  • You can adjust default-address-pools in /etc/docker/daemon.json which is a list of CIDR blocks for all other bridge networks.
  • You can pass --default-addr-pool when initializing a swarm to a CIDR block for overlay networks.

Make sure the two pools are large enough to create multiple networks, e.g. a /16 subnet to allow creation of 256 /24 networks.

More details of this are available in my DockerCon presentation (press P for presenter notes).

BMitch
  • 3,568
  • 12
  • 18
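As an added example (not part of the answer above or of Docker itself), here is a small Python helper that builds the daemon.json settings the answer describes and refuses any bip or default-address-pools entry that overlaps the range to keep out of Docker's hands. The reserved range 10.1.1.0/24 and the candidate pools 10.250.0.0/16 and 10.254.0.1/24 are constructed values for the asker's scenario.

```python
import ipaddress
import json

# Constructed: the asker's swarm/VM range that containers must never use.
RESERVED = [ipaddress.ip_network("10.1.1.0/24")]


def overlapping(candidates, reserved=RESERVED):
    """Return (candidate, reserved) pairs whose address space collides."""
    return [(str(c), str(r)) for c in candidates for r in reserved if c.overlaps(r)]


def networks_available(base, size):
    """How many /<size> networks fit in <base>, e.g. a /16 holds 256 /24s."""
    net = ipaddress.ip_network(base)
    if size < net.prefixlen:
        raise ValueError(f"size /{size} is larger than base {net}")
    return 2 ** (size - net.prefixlen)


def build_daemon_json(bip, pools, size, reserved=RESERVED):
    """Produce the /etc/docker/daemon.json fragment for bip and
    default-address-pools, rejecting anything that touches a reserved range.

    bip   -- gateway address in CIDR form, e.g. "10.254.0.1/24"
    pools -- list of CIDR bases for all other bridge networks
    size  -- prefix length of each network carved from a pool
    """
    bip_net = ipaddress.ip_interface(bip).network
    pool_nets = [ipaddress.ip_network(p) for p in pools]
    clashes = overlapping([bip_net] + pool_nets, reserved)
    if clashes:
        raise ValueError(f"ranges collide with reserved space: {clashes}")
    return {
        "bip": bip,
        "default-address-pools": [{"base": str(n), "size": size} for n in pool_nets],
    }


def swarm_init_args(pool, reserved=RESERVED):
    """Argument for 'docker swarm init' overlay pool, checked the same way."""
    net = ipaddress.ip_network(pool)
    if overlapping([net], reserved):
        raise ValueError(f"{net} collides with reserved space")
    return f"--default-addr-pool {net}"


if __name__ == "__main__":
    cfg = build_daemon_json("10.254.0.1/24", ["10.250.0.0/16"], 24)
    print(json.dumps(cfg, indent=2))
    print(swarm_init_args("10.251.0.0/16"))
```

Write the printed JSON to /etc/docker/daemon.json and restart the daemon; the swarm flag goes on the docker swarm init command line.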