It should be possible to create a network without assigning the bridge an IP address
Using the default bridge and IPAM drivers, it should be possible to create a bridge without assigning it an IP address. This is expressed at the gateway address through the CLI, and although I can set the gateway address within the subnet assigned to the network, there appears to be no way to specify that the bridge should not be assigned an IP address at all.
This is strange when considered in the context of isolated networks where there should be no connectivity outside the isolated network, and therefore no need for a gateway. This is important in the case of untrusted or possibly compromised containers on the isolated docker network, as the bridge address exposes host services (i.e. if the host is running SSH, HTTP, or (god forbid) Docker listening over TCP without binding to a particular IP address, then these services will be accessible through the bridge IP, and open to compromise from an attacker).
What I'd like to see would be that if I specify a new flag (e.g. "--noip") or provide a special value (e.g. "0.0.0.0") to the "--gateway" flag when using the CLI "docker network create" command that it would create the bridge with no IP address. I am not familiar enough with the internal libnetwork APIs to know what it would be at this layer.
Any comments, pointers on how to implement this change, or workarounds, would be appreciated
+1 I thought this is what --ipam-driver=null is for, but it does not work. I would like to use the macvlan driver with --ipam-driver=null and then use a DHCP client to assign an IP address, but this does not work. At least not in docker 17.06.
+100
Apparently "moby" is the upstream from where changes trickle out, so I opened an issue: https://github.com/moby/moby/issues/37430 and a proposed pull request: https://github.com/moby/moby/pull/37432 there.
Google "com.docker.network.bridge.inhibit_ipv4=true" if anyone lands on this page looking for solutions
terrible things.... the "com.docker.network.bridge.inhibit_ipv4=true" doesn't work on macvlan

```
docker network create -d macvlan -o parent="eth1" -o com.docker.network.bridge.inhibit_ipv4=true veth2
docker network inspect veth2
```

I got ....

```
"IPAM": {
    "Driver": "default",
    "Options": {},
    "Config": [
        {
            "Subnet": "172.23.0.0/16",
            "Gateway": "172.23.0.1"
        }
    ]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
    "Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {
    "com.docker.network.bridge.inhibit_ipv4": "true",
    "parent": "eth1"
},
....
```
when I create a new container with veth2. docker assigns 172.23.0.2 to me
docker version is 20.10.1
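An added audit script, written for this thread and not part of the issue, of Docker or of libnetwork, that works through the exposure described in the original post and the `inhibit_ipv4` workaround discussed in the later comments. It takes the output of `ss -Hltn` (host TCP listeners) and of `docker network inspect` (gateway addresses the host configures on its bridge interfaces) and reports, per network, which host services a container on that network can reach at the gateway address: anything bound to a wildcard address or to the gateway itself, but not anything bound to 127.0.0.1. A bridge network carrying `com.docker.network.bridge.inhibit_ipv4=true` is treated as having no host-side address; a network with any other driver (the macvlan case above) is not audited and gets a warning that the option is a bridge-driver option there. Both inputs below are constructed samples: the `ss` lines are made up, and the inspect JSON uses the real field names (`Name`, `Driver`, `Options`, `IPAM.Config[].Gateway`) but is a trimmed subset of what `docker network inspect` actually prints. The function names are this example's own.

```python
"""Audit which host TCP listeners containers can reach through Docker bridge gateways.

Run on a real host with:
    ss -Hltn > listeners.txt
    docker network inspect $(docker network ls -q) > networks.json
and call exposed_services(open("listeners.txt").read(), open("networks.json").read()).
"""
import ipaddress
import json

INHIBIT_OPT = "com.docker.network.bridge.inhibit_ipv4"
# Wildcard local addresses as printed by ss. An IPv6-any socket ([::] or *)
# also accepts IPv4 connections unless bindv6only is set, so it is counted
# as reachable (conservative).
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample of `ss -Hltn` (no header): State Recv-Q Send-Q Local Peer
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 172.17.0.1:5000 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
"""

# Constructed, trimmed sample of `docker network inspect` output (a JSON list).
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge", "Options": {},
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}},
    {"Name": "isolated", "Driver": "bridge", "Options": {INHIBIT_OPT: "true"},
     "IPAM": {"Config": [{"Subnet": "172.20.0.0/16", "Gateway": "172.20.0.1"}]}},
    {"Name": "veth2", "Driver": "macvlan", "Options": {"parent": "eth1", INHIBIT_OPT: "true"},
     "IPAM": {"Config": [{"Subnet": "172.23.0.0/16", "Gateway": "172.23.0.1"}]}},
])


def parse_ss_listeners(ss_text):
    """Parse `ss -Hltn` lines into (local_address, port) tuples."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:443 and *:80
        listeners.append((addr, int(port)))
    return listeners


def host_gateway_addresses(inspect_json):
    """Return (gateways, warnings).

    gateways maps network name -> IPv4 addresses the host configures on its own
    bridge interface for that network (empty when inhibit_ipv4 is set, or when
    the driver is not 'bridge' and is therefore not audited here).
    """
    gateways, warnings = {}, []
    for net in json.loads(inspect_json):
        name, driver = net["Name"], net.get("Driver", "")
        opts = net.get("Options") or {}
        inhibit = str(opts.get(INHIBIT_OPT, "false")).lower() == "true"
        if driver != "bridge":
            if inhibit:
                warnings.append(f"{name}: {INHIBIT_OPT} is a bridge-driver option; "
                                f"driver '{driver}' does not honour it")
            gateways[name] = []
            continue
        if inhibit:
            gateways[name] = []  # option suppresses the address on the bridge
            continue
        v4 = []
        for cfg in (net.get("IPAM") or {}).get("Config") or []:
            try:
                ip = ipaddress.ip_address(cfg.get("Gateway", ""))
            except ValueError:
                continue
            if ip.version == 4:
                v4.append(str(ip))
        gateways[name] = v4
    return gateways, warnings


def exposed_services(ss_text, inspect_json):
    """Return (report, warnings): report maps network name -> sorted list of
    'gateway:port' endpoints where a host listener answers container traffic."""
    listeners = parse_ss_listeners(ss_text)
    gateways, warnings = host_gateway_addresses(inspect_json)
    report = {}
    for name, gws in gateways.items():
        reach = set()
        for gw in gws:
            for addr, port in listeners:
                if addr == gw or addr in WILDCARDS:  # 127.0.0.1 is excluded
                    reach.add(f"{gw}:{port}")
        report[name] = sorted(reach, key=lambda ep: int(ep.rsplit(":", 1)[1]))
    return report, warnings


if __name__ == "__main__":
    report, warnings = exposed_services(SAMPLE_SS, SAMPLE_INSPECT)
    for name, endpoints in report.items():
        print(f"{name}: {', '.join(endpoints) or 'no host service reachable at a gateway'}")
    for w in warnings:
        print("warning:", w)
```

On the sample the default `bridge` network exposes SSH, HTTP, the TCP Docker socket, the IPv6-any HTTPS listener and the service bound explicitly to 172.17.0.1, while the CUPS listener on 127.0.0.1 stays out of reach; the `isolated` network exposes nothing because of `inhibit_ipv4`; and `veth2` produces only the warning that the option does not apply to macvlan, which is consistent with the inspect output posted above where the option is merely recorded under `Options`.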