I am trying to run a Docker container as a router between a private (--internal) Docker network and the predefined host network. This means the container needs to have two network interfaces: one "outside" interface that can access all host IP addresses, and one "inside" interface that acts as a gateway for the containers in the internal Docker network.

The router container itself will then NAT network traffic from/to containers.

I have not found a way to configure Docker to run the container with those two interfaces. The closest I could get is having two bridge interfaces assigned, which is not exactly what I need.

Trying to connect manually results in an error:

# docker network connect host root_router_1
Error response from daemon: Container cannot be disconnected from host network or connected to host network

Can anybody show me how to achieve this, preferably even with Docker Compose?

Hexaholic
    @PunMum Unfortunately not. We ended up connecting all containers directly to the host network and configuring the IPs inside the containers. – Hexaholic Apr 09 '18 at 07:37

2 Answers

Docker does not allow connecting a container to the host network and any other Docker bridge network at the same time. I will try to illustrate the reason with an example:

  • Let us think of a container C1. Hypothetically, C1 would be connected to the host network (--net=host) and a Docker bridge network Br1 (--net=Br1).
  • A second container, let us say C2, is connected to Br1.

With the above setup, my guess is that the host network is visible from C2, and I suppose this is the reason why Docker automatically prevents us from unintentionally exposing the host network to non-host-specified containers.

That being said, if we have a set of containers, and we want all of them to be interconnected, with just a single container having access to the host network, my approach would be:

  • [C2,...,CN] are connected to a user-defined Docker bridge Br1 (--net=Br1)
  • C1 is connected to the host network (--net=host)
  • C1 exposes a port in order to be accessible from the rest of the containers

EDIT: We would still have to adapt the iptables policies in such a way that C1 can be reached from the rest of the containers (see https://docs.docker.com/network/iptables/).

JJFanFer


According to this Q&A on github:

The host network is special. You have to use network_mode: host on the service.

030