How to disable Docker Network Isolation?

Question

I use gitlab, gitlab-runner, sonarqube, nexus, ... with docker compose to test build chains before implementing them on my company's servers. These servers use the same network bridge.

This worked fine on my old ubuntu, but since I'm using debian, containers on the default bridge can't connect to the docker compose bridge anymore.

Since this is not an operational instance of docker, how can I disable docker network isolation?

Answer 1

As you are using Docker compose you'll need to add the key network_mode and set that to "host"

Sources: docker-compose documentation Stack overflow answer by ford

You can use the flag --network host when using the command docker run if you need

Source: Docker Docs

Answer 2

This is what I found. docker iptables rules look like this:

$ sudo iptables -vL --line-numbers
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER-USER  all  --  any    any     anywhere             anywhere
2        0     0 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
...

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere
2        0     0 DOCKER-ISOLATION-STAGE-2  all  --  myiface0 !myiface0  anywhere             anywhere
3        0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  any    docker0  anywhere             anywhere
2        0     0 DROP       all  --  any    myiface0  anywhere             anywhere
3        0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  any    any     anywhere             anywhere

First, it checks if a rule of the chain DOCKER-USER allows to decide between ACCEPT or DROP, then each connection between docker bridges is filtered by DOCKER-ISOLATION-STAGE-2 chain.

We can

• Explicitly add an ACCEPT rule in DOCKER-USER chain. (How to connect container in another docker network?)
• Remove DOCKER-ISOLATION-STAGE-2 rules:

  iptables -t filter -F DOCKER-ISOLATION-STAGE-2
  

Before launching docker-compose, I create the network as root:

#!/bin/bash

if ! docker network ls | grep my-network
then
    docker network create \
           --driver=bridge \
           --subnet=172.18.0.0/16 \
           --opt com.docker.network.bridge.name=myiface0 \
           my-network
fi

iptables -t filter -F DOCKER-ISOLATION-STAGE-2

And in my docker-compose file:

services:

  my-gitlab:
    networks:
      - my-network
    ...
    
  ...

networks:
  my-network:
    external: true