Shayne

[Docker] Multiple Networks or access to bridge network


I'm using prerelease 6.4. One of the features I like is the ability to assign an IP on my br0 network. This allowed me to get rid of the pipework container I used to assign IP addresses before 6.4.

I've run into an issue where I have containers that need both an IP on my main subnet (done via br0 network in Unraid Docker config), and also access to the bridge Docker network. An example of this is the nginx-proxy container I have which opens some web services up to the Internet. The containers it reverse proxies to just have bridge network and I'd rather not assign each one of those an IP on br0.

A workaround I have is to manually call `docker network connect ...` to add the br0 network to my nginx-proxy container. This works, but when the container is recreated/updated it needs to be re-run.

It would be great to have options for multiple networks in the Docker configuration in Unraid or if anyone knows how br0 containers can access the docker bridge network that could work too.

2 hours ago, Shayne said:

The containers it reverse proxies to just have bridge network and I'd rather not assign each one of those an IP on br0.

I don't think you can get around this with the way macvlan is implemented, i.e. containers can only talk to other containers that have been assigned IP addresses, or those that haven't can only talk to each other.


I'll point you here and see if this helps you out.

But it's really an ugly solution... unless LT decides to make the primary interface a subinterface, so you only need one IP?

On 12/30/2017 at 11:56 AM, Shayne said:

I'm using prerelease 6.4. One of the features I like is the ability to assign an IP on my br0 network. This allowed me to get rid of the pipework container I used to assign IP addresses before 6.4.

I've run into an issue where I have containers that need both an IP on my main subnet (done via br0 network in Unraid Docker config), and also access to the bridge Docker network. An example of this is the nginx-proxy container I have which opens some web services up to the Internet. The containers it reverse proxies to just have bridge network and I'd rather not assign each one of those an IP on br0.

A workaround I have is to manually call `docker network connect ...` to add the br0 network to my nginx-proxy container. This works, but when the container is recreated/updated it needs to be re-run.

It would be great to have options for multiple networks in the Docker configuration in Unraid or if anyone knows how br0 containers can access the docker bridge network that could work too.

You ever get this working? I have the exact same use case.


I just beat the system

I added

`; docker network connect bridge poste 2>/dev/null`

to the Post Arguments field.

Works perfectly. Starting, stopping the docker container with multiple networks.

edit: please don't patch this security flaw.

edit2: 'bridge' being the network, 'poste' being the container name.

9 hours ago, Osiris said:

I just beat the system

I added

`; docker network connect bridge poste 2>/dev/null`

to the Post Arguments field.

Works perfectly. Starting, stopping the docker container with multiple networks.

edit: please don't patch this security flaw.

edit2: 'bridge' being the network, 'poste' being the container name.

@bonienl I guess the Docker Edit page could use a field for post run/create docker commands - like linking a whole bunch of other custom networks :D

1 minute ago, ken-ji said:

@bonienl I guess the Docker Edit page could use a field for post run/create docker commands - like linking a whole bunch of other custom networks :D

From my point of view, including a field like that in the template is a huge security risk, since any PO'd template maintainer could at that point arbitrarily run any command they want on the host system.


It already is now that we've found out... :o

After thinking about it, we can have it more restricted to two things:

 - A connect additional networks combo box
 - A line to be exec'd in the docker post creation

thus allowing certain things to persist, like links and permission changes (but not on device maps unfortunately)

15 minutes ago, ken-ji said:

It already is now that we've found out... :o

 

k.  Put another way, templates from a maintainer that contain any executable bash in that section will shortly be treated identically to a template that includes iframes, javascript.

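The check described in the post above (treating a template whose Post Arguments carry executable shell like one carrying iframes or JavaScript), sketched as an added example that is not from the thread or from Unraid's code. It assumes the field is stored in a `<PostArgs>` element and is appended to a command line run by a shell; the function names and sample templates are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FIELD = "PostArgs"       # assumed element name for the Post Arguments field
CONTROL = ";&|<>()\n"    # unquoted, these end, chain or redirect a command

def shell_breakouts(value):
    """Return (offset, reason) wherever value stops being plain arguments."""
    hits, quote, i = [], None, 0
    while i < len(value):
        ch = value[i]
        if quote == "'":              # inside '...' every character is literal
            if ch == "'":
                quote = None
        elif ch == "\\":              # backslash makes the next character literal
            i += 1
        elif ch == "`" or value.startswith("$(", i):
            hits.append((i, "command substitution"))  # live inside "..." too
            if ch == "$":
                i += 1                # step over "(" so it is not reported twice
        elif quote == '"':
            if ch == '"':
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in CONTROL:
            hits.append((i, "control operator " + repr(ch)))
        i += 1
    return hits

def audit_template(xml_text):
    """Check every Post Arguments field found in one template."""
    if "<!DOCTYPE" in xml_text:       # refuse entity definitions in untrusted XML
        raise ValueError("DOCTYPE not allowed in a template")
    root = ET.fromstring(xml_text)
    return [hit for node in root.iter(FIELD)
            for hit in shell_breakouts(node.text or "")]

# Constructed sample templates, not taken from any real repository.
SAMPLES = {
    "thread workaround": "<Container><PostArgs>; docker network connect bridge poste"
                         " 2&gt;/dev/null</PostArgs></Container>",
    "plain arguments": "<Container><PostArgs>--loglevel 'warn;info' --port 8080"
                       "</PostArgs></Container>",
    "quoted substitution": '<Container><PostArgs>--name "$(id)"</PostArgs></Container>',
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, audit_template(xml_text))
```

The scanner tracks quoting so a `;` inside a quoted argument is not reported, while an unquoted one, or a command substitution inside double quotes, is.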
On 2018-03-14 at 10:19 AM, Osiris said:

I just beat the system

I added

`; docker network connect bridge poste 2>/dev/null`

to the Post Arguments field.

Works perfectly. Starting, stopping the docker container with multiple networks.

edit: please don't patch this security flaw.

edit2: 'bridge' being the network, 'poste' being the container name.

Under 6.5.1-rc1+ this security issue has been closed.

On 21-3-2018 at 12:21 AM, dockerPolice said:

Under 6.5.1-rc1+ this security issue has been closed.

Does this mean that my 'workaround' will no longer function and that I have no alternative to add a second network to start/stop automatically with the container?

I'll wait with patching for ken-ji's development then.

1 hour ago, Osiris said:

Does this mean that my 'workaround' will no longer function and that I have no alternative to add a second network to start/stop automatically with the container?

I'll wait with patching for ken-ji's development then.

Correct.  Because of how templates work, this was an issue that had to be patched.


Hi. Sorry to necro this, but I'm still reluctant to upgrade.

 

Is there any possibility in the current unraid version to add that second docker network to a container?


Your only option now is to manually run the `docker network connect` command after creating the container.

I'm not aware of any trick to auto-magically do this, but the network connection will persist until the container is deleted (or the image is updated and you migrate to the updated image).

I did notice that a docker with multiple networks will have the networks sorted according to network name.

So a container with the default bridge + br0 will have the following assignments:

eth0: bridge
eth1: br0

but upon restarting the container:

eth0: br0
eth1: bridge

 


Hi Ken-Ji, 
Your last reply on restarting a docker with multiple networks confuses me a bit.
Won't the second network, that was added through command line, disappear upon stopping / restarting the container?


docker remembers the connected networks - they survive the container stopping or restarting (barring the possible issue with reordering).

However, updating the base image makes the second network binding disappear.


Hi again,

May I ask how we are doing with the "add second network" combo box (if it's even being developed)?

I still have not upgraded due to this one issue I have.

 

Why I even need that second network is explained in my question here: https://stackoverflow.com/questions/52380845/docker-reverse-proxy-container-on-bridged-network-pointing-to-container-on-macvl

I want to reverse proxy to a poste (mailserver) container in the macvlan network. I'm firewalling that container's IP and doing other experimental stuff.
