[ 常見問題 ] Add link between container and bridge

Preface
Supposed we have a running container being added to bridge docker0 and br0:

# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.e66f69a42450 no veth53624
docker0 8000.56847afe9799 no vethcfe301d
...
# ifconfig docker0
docker0: flags=4163 mtu 1500
inet 172.17.42.1 netmask 255.255.0.0 broadcast 0.0.0.0
...
# ifconfig br0
br0: flags=4163 mtu 1500
inet 10.0.254.1 netmask 255.255.255.0 broadcast 10.0.254.255
...

Let's check our container:

# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6ca1c890e3f2 a34f1c79c116:latest "sh /home/root/scrip 19 hours ago Up 19 hours 4444/tcp, 5999/tcp lonely_babbage
# docker exec -it 6ca1c890e3f2 bash // Enter container 
root@6ca1c890e3f2:/# ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:ac:11:00:04
inet addr:172.17.0.4 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:acff:fe11:4/64 Scope:Link
...
eth1 Link encap:Ethernet HWaddr da:06:12:64:f3:78
inet addr:10.0.254.100 Bcast:10.0.254.255 Mask:255.255.255.0 

Now we are going to create another container and add it only into bridge br0 and can reach above running container.

How-To
Create a privileged container
Here we are going to create a privileged container which we can modify its network setting:

# docker images // Pickup a image to run
# docker run -it --privileged --net=none fd44297e2ddb bash
[root@d83b6721a27f /]# ping 10.0.254.1 // So far bridge br0 is unreachable
connect: Network is unreachable
[root@d83b6721a27f /]# // Enter Ctrl+p then Ctrl+q to return back to host
# docker ps // Make sure our created container is running
...
d83b6721a27f fd44297e2ddb:latest "bash" About a minute ago Up About a minute sharp_perlman

Create Veth
Now we are going to create pair veth for binding bridge with our container:

# docker inspect -f '{{.State.Pid}}' d83b6721a27f // Check the pid of container
60444
# mkdir -p /var/run/netns
# ln -sf /proc/60444/ns/net /var/run/netns/60444
# ip link add dev veth60444 type veth peer name veth60444Guest
# ip link set dev veth60444Guest netns 60444
# ip netns exec 60444 ip link set dev veth60444Guest name eth0
# ip link set dev veth60444 up
# ip netns exec 60444 ip link set dev eth1 up
# ip link add dev br0 type bridge // Run this line only if bridge br0 doesn't exist,
# ip link set dev veth60444 master br0 
# ip link set dev br0 up // Run this line only if bridge br0 doesn't exist,
# brctl show // Make sure veth60444 is added into bridge br0
bridge name bridge id STP enabled interfaces
br0 8000.4aff46682282 no veth59486, veth60444 

Testing
Now let's check if our created container can reach another container:

# docker exec -it 7947a1e6ecd9 bash
root@7947a1e6ecd9:/# ifconfig // Check our veth is up
eth0 Link encap:Ethernet HWaddr 9e:34:ee:c3:cb:cb
...
root@7947a1e6ecd9:/# ifconfig eth0 10.0.254.100 netmask 255.255.255.0
root@7947a1e6ecd9:/# ping 10.0.254.1 // Now bridge br0 is reachable!
PING 10.0.254.1 (10.0.254.1) 56(84) bytes of data.
64 bytes from 10.0.254.1: icmp_seq=1 ttl=64 time=0.161 ms
...

Supplement
* [Linux 文章收集] Introducing Linux Network Namespaces
* ip-netns - process network namespace management

A network namespace is logically another copy of the network stack,
with its own routes, firewall rules, and network devices.

By default a process inherits its network namespace from its parent.
Initially all the processes share the same default network namespace
from the init process...

* Introducing Linux Network Namespaces

In this post, I’m going to introduce you to the concept of Linux network namespaces. While it might seem a bit esoteric right now, trust me that there is a reason why I’m introducing you to network namespaces—if you, like me, are on a journey to better understand OpenStack, you’ll almost certainly run into network namespaces again...

* ifconfig permissions in container

With below error message inside container:

SIOCSIFADDR: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
SIOCSIFNETMASK: Operation not permitted

Allowing a non priviledged container to change it's id and other net configs is bad because a container could steal another's ip and intercept traffic. If you want to have this ability then run the container with the --privileged flag.