New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Regression: docker network conflicts with host routes when creating a new network #46615
Comments
/cc @akerouanton |
This reverts commit ee9e526. Route scope is used by the kernel to choose what source IP address should be used when establishing an outbound connection. As such, filtering routes based on their scope doesn't make sense. Resolve moby#46615.
This reverts commit ee9e526. Route scope is used by the kernel to choose what source IP address should be used when establishing an outbound connection. As such, filtering routes based on their scope doesn't make sense. Resolve moby#46615.
This reverts commit ee9e526. Route scope is used by the kernel to choose what source IP address should be used when establishing an outbound connection. As such, filtering routes based on their scope doesn't make sense. Resolve moby#46615. Signed-off-by: Albin Kerouanton <albinker@gmail.com>
@dtronche did you find a workaround? or just downgrade docker to the old version before this buildx stuff? |
Our platform is on a dedicated OS which we build using buildroot, so we have patched docker sources to get back to the old behavior. |
I appreciate your quick reply!
Okay, that's crazy. But docker is only a small indie company with measly $200M in funding so what can we do 🤣 |
Oh, I missed the 'recent' replies on this issue -- sorry! We re-discussed the fix proposed in #46630 today during a libnet maintainers call. We all agree that there's no one-size-fits-all set of heuristics to determine whether a Docker subnet overlaps with some host config. We surely don't want to re-introduce the issue(s) originally fixed by #42598 (eg. dynamic IPAM allocation can't be used when OpenVPN is used in full tunnel mode). We prefer to deliberately miss some cases and give users an escape hatch, than 'over detect' potential overlaps and give users no workaround. We might still reconsider this set of heuristics, or the ability for users to influence them at a later time -- but nothing planned right now. In your case, the workaround is to configure the set of I'll close this issue as "won't fix" for the reasons explained above but feel free to continue the discussion. |
Description
docker release 23 introduced a regression in its choice of the network pool which can conflict with the host existing routes.
Previous versions of docker (until release 20), would not create a network route that overlaps with the host one
Reproduce
docker/network/files/local-kv.db
is removedip link del docker0
ip route add 172.18.13.0/24 via xxx.xxx.xxx.xxx dev yyy
172.17.0.0/16 dev docker0
Expected behavior
We should get back to the former behavior of docker and not create a route that conflicts with the host one
Result on docker 20.10.14 (correct):
Result on docker 24.0.6 (incorrect):
docker version
docker info
Additional Info
Docker debug logs on 20.10.14:
docker network create net1:
Docker debug logs on 24.0.6:
docker network create net1:
The text was updated successfully, but these errors were encountered: