Overview

This post describes how to use and customize the default docker0 bridge to set up networking for Docker containers. The Docker server creates and configures the host system's docker0 interface as an Ethernet bridge inside the Linux kernel; Docker containers use it to communicate with each other and with the outside world. The default configuration of docker0 works for most scenarios, but you can customize the docker0 bridge to fit your specific requirements.

The docker0 bridge is a virtual interface created by Docker. Docker randomly chooses an address and subnet from the private range defined by RFC 1918 that is not in use on the host machine and assigns it to docker0. All Docker containers connect to the docker0 bridge by default, and containers connected to docker0 can use the iptables NAT rules created by Docker to reach the outside world.

How is the docker0 bridge created?

The docker0 bridge is created when the docker service starts.

The docker0 bridge and NAT rules under the hood

docker0 is a Linux bridge without any real network adapter attached, configured with IP address 172.17.0.1/16. Docker creates a network named "bridge" for the docker0 Linux bridge, as shown below.

Looking further into the Docker network "bridge" with the command "docker network inspect", we can see that the subnet associated with the network is 172.17.0.0/16, and that two containers, "docker1" and "docker2", are connected to the bridge network with IP addresses 172.17.0.2/16 and 172.17.0.3/16.

Docker also creates iptables NAT rules on the Docker host that containers connected to the docker0 bridge use to connect to the outside world.

Connecting Docker containers to the docker0 bridge

By default Docker attaches all containers to the docker0 bridge, so you do not need to pass any additional flag to docker run to connect containers to docker0, unless DOCKER_OPTS in the Docker configuration file explicitly specifies a network other than the docker0 bridge; in that case you can pass --net=bridge to docker run to connect containers to the docker0 bridge.

You can use brctl show docker0 to verify that a container is connected to the docker0 bridge correctly; here is an example:

There are three containers connected to the docker0 bridge. To verify that docker3 is among them: the prefix number (the interface index shown by ip link) of eth0 in docker3 is 17, so use ethtool to check the peer index of the veths connected to the bridge docker0:

veth84dfd16 is the veth peer of docker3's eth0, so docker3 is connected to the docker0 bridge correctly.

Customize the docker0 bridge

The default configuration of docker0 works for most cases, but you can customize it to your requirements. The following docker0 options are configurable at server startup:

- --bip=CIDR: supply a specific IP address and netmask for the docker0 bridge, using standard CIDR notation such as 192.168.1.5/24.
- --fixed-cidr=CIDR: restrict the IP range from the docker0 subnet, using standard CIDR notation such as 172.167.1.0/28. This must be an IPv4 range (e.g. 10.20.0.0/16) and must be a subset of the bridge IP range (docker0, or the bridge set with --bridge). For example, with --fixed-cidr=192.168.1.0/25, container IPs are chosen from the first half of the 192.168.1.0/24 subnet.
- --mtu=BYTES: override the maximum packet length on docker0.

These parameters can be added to the Docker configuration file /etc/default/docker or /etc/sysconfig/docker; here is an example:

DOCKER_OPTS="--bip=192.168.200.0/16 --fixed-cidr=192.168.200.0/24 --default-gateway=192.168.200.1 --mtu=1024"

Then restart the daemon:

systemctl restart docker
This project is no longer maintained, as my team have moved away from developing on MacOS. A more active project with similar aims may be found here. For those that prefer the approach taken by this project, there are several forks that may offer some support for newer versions of Docker and can be found via the network and forks pages of this repo.

As of the time of writing, Docker for Mac can't access containers via IP from the host. Let's fix that.

It's worth remembering that this appears to be a commonly requested feature, so it might be worth checking to see if it's been fixed in recent versions.
![Docker for mac Docker for mac](http://hicu.be/wp-content/uploads/2016/05/docker-macvlan-bridge-mode.png)
Docker Version | Host Bridge Version | Fully Tested |
---|---|---|
17.03.1-ce, build c6d412e | >= 1.0.0 | |
17.04.0-ce-rc2, build 2f35d73 | >= 1.1.0 | |
17.05 * | >= 1.1.0 | |
17.06 * | >= 1.1.0 | |
17.09.0-ce-mac33 (19543) | >= 1.1.0 | |
18.03.0-ce-rc1, build c160c73 | >= 1.2.0 | |
Approach

Add an additional network interface (provided by tuntap OSX) to moby (the VM containing the Linux kernel and Docker daemon) that's also accessible to the host. Create a docker bridge network and then, inside moby, add the tap-backed interface to the network's bridge, thus providing direct connectivity to the host.

Install
- Download the tuntap OSX kernel extensions
- Extract the .pkg file within the tuntap archive
- Download install.sh
- (Optional, but encouraged) Read install.sh!
- Run install.sh (see example below)
n.b. There are several environment variable settings.
WARNING: Unfortunately install.sh must currently be run after every restart of Docker. This is because both moby and the tap interface only persist while Docker is running. Hopefully this can be improved upon in the future.

Uninstall
There's no dedicated uninstaller, but the process is fairly simple:
- Move com.docker.hyperkit.real back to com.docker.hyperkit
- Reboot Docker
- Restore the owner of the chosen tap device to root, or alternatively
- Removal instructions for tuntap OSX can be found in their FAQ.
Thanks
- Michael Henkel -- Without these forum posts this wouldn't exist.
- tuntaposx.sourceforge.net
- @tinychaos42 and @idio --Without whose Mac this investigation wouldn't have been possible.
- @muz --Without whose beta testing containers wouldn't even have internet. >_>;;