Modify docker default gateway

Article background:

When we use Docker in a LAN, one of the most common confusions we encounter is that sometimes the network is blocked across network segments. The reason is that the gateway generated by Docker by default sometimes conflicts with our LAN segment. For example, if Docker is deployed on a machine in the 172.16 network segment, and the resulting docker0 bridge is the 172.17 network segment, then it is the same as the one used in the real environment. There is a conflict between machines in the network segment (that is, the machine in the 172.17 network segment cannot be pinged).

(Recommended tutorial: docker tutorial)

In order to avoid conflicts, the first thing that comes to mind is to change the gateway. The example is as follows (taking Centos as an example):

service docker stop
# 删除docker防火墙过滤规则
iptables -t nat -F POSTROUTING
# 删除docker默认网关配置
ip link set dev docker0 down
ip addr del 172.17.0.1/16 dev docker0
# 增加新的docker网关配置
ip addr add 192.168.2.1/24 dev docker0
ip link set dev docker0 up
# 检测是否配置成功，如果输出信息中有 192.168.5.1，则表明成功
ip addr show docker0
service docker start
# 验证docker防火墙过滤规则

After this modification, will it be reliable? The answer is no, because after docker restarts, docker0 may still be rebuilt, overwriting the modifications we made. It shows that Docker’s IP rules are hard-coded and we are not allowed to change them at will. But let’s change our thinking and kill docker0 directly and rebuild a new bridge:

First we need to install the bridge creation tool brctl:

sudo yum install -y bridge-utils

Start the creation operation:

# 1.停止 Docker 服务
service docker stop
 
# 2.创建新的网桥（新的网段）
brctl addbr bridge0
ip addr add 192.168.2.1/24 dev bridge0
ip link set dev bridge0 up
 
# 3.确认网桥信息
ip addr show bridge0
# 4.修改配置文件
/etc/docker/daemon.json（如不存在则创建一个 touch daemon.json）,使Docker启动时使用自定义网桥
 
{
  "bridge": "bridge0"
}
# 5.重启 Docker
service docker start
    
# 确认 NAT 网络路由
iptables -t nat -L -n
 
# 6.删除不再使用的网桥
ip link set dev docker0 down
 
brctl delbr docker0
 
iptables -t nat -F POSTROUTING

Regarding the modified configuration made in step 4, it is to reference the new network bridge. In fact, you can also reference the new network bridge in the docker configuration file:

echo 'DOCKER_OPTS="-b=bridge0"' >> /etc/sysconfig/docker
sudo service docker start

But it does not mean that we will definitely be able to see the docker custom configuration. file, if there is no default/docker or sysconfig/docker, it will be more troublesome. The solution is as follows:

$ vi /lib/systemd/system/docker.service
#添加一行
$ EnvironmentFile=-/etc/default/docker
或者
$ EnvironmentFile=-/etc/sysconfig/docker
#-代表ignore error
 
#并修改
$ ExecStart=/usr/bin/docker daemon -H fd://
#改成
$ ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_OPTS
#这样才能使用/etc/default/docker里定义的DOCKER_OPTS参数
 
$ systemctl daemon-reload 重载
$ sudo service docker restart

After completing the creation of bridge0 and transitioning from docker0 to bridge0, we can route it to confirm whether we The 172.17 network segment that we don’t want to see:

As long as it is not there, then we will not only be connected to the machines in the 172.17 network segment. If there is still one, then use ip addr del 172.17.0.1/16 dev docker0 until it is cleared (because a new docker bridge has been established, deleting the old one will not affect the use of docker).

If the network bridge created by brctl may be lost after restarting the machine, then we can write the following command into the Linux self-start script and execute it every time it restarts:

brctl addbr bridge0
ip addr add 192.168.2.1/24 dev bridge0
ip link set dev bridge0 up

Self-start Scripts can be added by adding executable statements (such as sh /opt/script.sh &) in the /etc/rc.local file. In this way, basically every time the machine is restarted, bridge0 can be guaranteed to be created and the docker service can start normally.

In addition: If you just want to solve the IP network segment conflict and are unwilling to operate the above complicated process, you can actually just change /etc/docker/daemon.json by adding the content "bip": "ip/ netmask" to change the network segment of the docker0 bridge, as follows:

[root@iZ2ze278r1bks3c1m6jdznZ ~]# cat /etc/docker/daemon.json
{
 "bip":"192.168.2.1/24"
}

The above is the detailed content of Modify docker default gateway. For more information, please follow other related articles on the PHP Chinese website!