Docker Container Networking: From Bridge to CNI Plugins - Complete Tutorial

Networking Home Networking
, ,
1

Making Docker Containers Available on Your Network (Rootless Setup)

When using rootless Docker, macvlan isn’t supported directly. However, there are several approaches you can take. I’ll explain the main options:

  1. Using Docker’s bridge network with port mapping (simplest but not what you’re looking for):
# This is the default approach but doesn't give containers their own IPs
docker run -p 8080:80 nginx
  1. Using a bridge network with the host network interface:
# Create a bridge network
docker network create --driver bridge my_network

# Run container on this network
docker run --network my_network nginx

  1. Using slirp4netns (what rootless Docker uses by default):
    This is automatically handled by rootless Docker but has limitations in terms of performance and direct network access.

  2. The solution that might work best for your case - Using CNI plugins with rootless Docker:

# First, install CNI plugins
sudo apt-get install containernetworking-plugins  # For Ubuntu/Debian
# or
sudo dnf install containernetworking-plugins      # For Fedora/RHEL

# Create a CNI configuration directory
mkdir -p ~/.config/cni/net.d/

# Create a bridge configuration
cat > ~/.config/cni/net.d/bridge.conf << EOF
{
    "cniVersion": "0.4.0",
    "name": "bridge",
    "type": "bridge",
    "bridge": "cni0",
    "isGateway": true,
    "ipMasq": true,
    "ipam": {
        "type": "host-local",
        "subnet": "172.19.0.0/24",
        "routes": [
            { "dst": "0.0.0.0/0" }
        ]
    }
}
EOF

# Configure Docker to use CNI networking
mkdir -p ~/.config/docker/
cat > ~/.config/docker/daemon.json << EOF
{
    "cni-plugins-dir": "/usr/lib/cni",
    "network-plugin": "cni"
}
EOF
  1. If you want to bridge the Docker network interface with your network:
    This is possible but requires some additional setup and might need root privileges:
# Create a bridge interface (requires root)
sudo ip link add name docker-br type bridge
sudo ip link set docker-br up

# Add your physical interface to the bridge
sudo ip link set eth0 master docker-br

# Configure Docker to use this bridge
cat > ~/.config/docker/daemon.json << EOF
{
    "bridge": "docker-br",
    "iptables": false
}
EOF

Important considerations:

  1. Security: When exposing containers directly on the network, make sure to:

    • Implement proper firewall rules
    • Use container security features
    • Consider network isolation requirements

  2. Network Configuration:

    • Make sure your subnet doesn’t conflict with existing networks
    • Consider DHCP and DNS requirements
    • Plan your IP address allocation

  3. Performance:

    • Bridge mode has some overhead
    • Consider using host networking for performance-critical applications

  4. Troubleshooting:

# Check network connectivity
ip addr show

# View network interfaces
bridge link show

# Check Docker networks
docker network ls

# Inspect network details
docker network inspect bridge

If you want to proceed with the CNI plugin approach (recommended for rootless Docker), you’ll need to:

  1. Install CNI plugins
  2. Configure the network
  3. Restart your Docker daemon
  4. Test with a container:
# Test with a container
docker run --network cni-bridge nginx
docker inspect <container_id> | grep IPAddress

This gives you containers with their own IPs while maintaining rootless operation. The CNI plugin approach is more flexible and maintainable than trying to bridge the Docker network interface directly.