
I need a bridge network for QEMU/KVM virtual machines. But then, if I just install Docker, virtual machines lose Internet access. The solution I have found was making Docker use that existing bridge by editing /etc/docker/daemon.json. But then, it seems Docker containers lose Internet access. How can I make Internet access available to Docker containers?

Here are the exact steps I took to reproduce the problem in VirtualBox.

  1. Install Manjaro and update everything.
  2. Install and start Docker.
  3. Create an Ubuntu container and open its shell.
  4. Verify that its Internet access is working by issuing `apt update`.
  5. Create a bridge network and add an Ethernet connection to it.
  6. Delete the existing docker0 and Wired connection1.
  7. Create `/etc/docker/daemon.json` with `{"bridge": "bridge0"}`.
  8. Reboot.
  9. Delete the existing container and recreate an Ubuntu container.
  10. Open its shell and type `apt update`.
  11. The container cannot connect to the Internet.

If anything above is unclear, I have recorded the entire operation without any editing. The screen recording is available at: https://filebin.net/94bjw3b7na8ydkyk


I have downloaded the nicolaka/netshoot container and tried printing some network information of the container. It seems that it has an incorrect IP of 192.168.0.1. That is the IP of the router, so it cannot have that IP, I think. Here are the outputs:

`ifconfig -a`

```
eth0      Link encap:Ethernet  HWaddr 02:42:C0:A8:00:01
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:227 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12392 (12.1 KiB)  TX bytes:986 (986.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:592 (592.0 B)  TX bytes:592 (592.0 B)
```

`ip r`

```
default via 192.168.0.214 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
```

`ip addr`

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:c0:a8:00:01 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
```

Here is `ip addr` of the host computer (the virtual machine on which the Docker container is running):

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: bridge0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 3a:ac:8e:f2:ec:ac brd ff:ff:ff:ff:ff:ff
3: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:68:bd:fa brd ff:ff:ff:ff:ff:ff
    altname enp2s0
    inet 192.168.0.148/24 brd 192.168.0.255 scope global dynamic noprefixroute ens32
       valid_lft 43179sec preferred_lft 43179sec
    inet6 fd1b:715e:43ca::33b/128 scope global dynamic noprefixroute
       valid_lft 43181sec preferred_lft 43181sec
    inet6 fd1b:715e:43ca:0:e14d:c46:1e9d:806a/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::23b0:d83c:a70d:3800/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

Here is `ip r` of the host computer:

```
default via 192.168.0.1 dev ens32 proto dhcp src 192.168.0.148 metric 100
192.168.0.0/24 dev bridge0 proto kernel scope link src 192.168.0.214
192.168.0.0/24 dev ens32 proto kernel scope link src 192.168.0.148 metric 100
```

  • "But then, if I just install Docker, virtual machines lose Internet access." That's not generally true, and indicates something else is wrong on your system. Docker will run happily alongside virtual machines without impacting their network connectivity. – larsks Sep 23 '22 at 02:31
  • @larsks https://serverfault.com/questions/963759/docker-breaks-libvirt-bridge-network . Yes, Docker can make VMs not work anymore, but I didn't understand OP's question well enough to know if that would be this (in which case I would have proposed it as a duplicate). Today VM hypervisors usually insert *iptables* rules to prevent *bridged* traffic from being dropped (here's the one for libvirt: `-A FORWARD -j LIBVIRT_FWX` + `-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT`) – A.B Sep 23 '22 at 06:41
  • @larsks I don't know about other networking types, but I use a bridge for VMs to allow access from other real devices on the network, and it seemed that it is a known problem that if a bridge for KVM exists and you install Docker, it breaks KVM's bridge. See this blog post for example. It proposes the same thing I did as a solution: https://muthii.com/blog/?p=540 – Damn Vegetables Sep 23 '22 at 09:13
  • The linked post specifically addresses the situation in which you're trying to use the *same* bridge for both Docker and your virtual machines. That's not the situation you describe in this question ("I need a bridge network for QEMU/KVM virtual machines. But then, if I just install Docker, virtual machines lose Internet access."). By default, Docker will use its own bridge and will not have **any** impact on your virtual machine network. I'm running with that configuration right now (and have been for years) and it requires no special configuration. – larsks Sep 23 '22 at 11:37
  • @larsks again I disagree: because Docker loads the [br_netfilter](http://ebtables.netfilter.org/documentation/bridge-nf.html) module which has a system-wide effect: on other bridges, even in other network namespaces. But again I don't know if OP's question qualifies to be affected, I didn't understand it enough. – A.B Sep 23 '22 at 11:40
  • I think this is a non-issue, but if the OP can provide a set of steps that clearly reproduces the problem I would be happy to take a closer look. – larsks Sep 23 '22 at 12:01
  • @larsks If I understood correctly, the reason why the person in the "linked post" is using the *same* bridge, in the first place, is because if he does not, VMs lose Internet connection. That was my case. I did not want to use the same bridge in the beginning; why would I? I just installed Docker and had not modified its daemon settings. And then VMs lose Internet connection. I searched for a solution, and found that the solution was using the existing bridge for Docker (i.e., using the same bridge) by editing the daemon settings. – Damn Vegetables Sep 23 '22 at 20:53
  • @larsks I think I have provided a set of steps that reproduces the problem. I even provided the full screen recording. The only thing omitted in the video was how I set up that machine, which is: I created a VM, set its network type to bridge, installed Manjaro, and I updated everything. – Damn Vegetables Sep 23 '22 at 20:55
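
The interaction raised in A.B's comments (with br_netfilter loaded, bridged frames traverse the iptables FORWARD chain, so a bridge needs an explicit accept rule such as libvirt's), as an added diagnostic example that is not part of the original thread. The function names, the `--live` switch and the sample rule set are assumptions constructed for illustration; the sample assumes a host whose FORWARD policy is DROP.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the thread. Function names are hypothetical.

# Constructed sample of `iptables -S` output: a DROP policy on FORWARD plus
# the libvirt rules quoted in the comment above.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j LIBVIRT_FWX
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT'

# Print the FORWARD chain policy found in `iptables -S` text ($1).
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Succeed if some rule accepts frames that enter and leave bridge $2.
# Heuristic: it does not prove the rule is reached before an earlier DROP.
has_bridge_accept() {
    printf '%s\n' "$1" | grep -Eq -- "-i $2 -o $2( .*)? -j ACCEPT"
}

# $1 = value of net.bridge.bridge-nf-call-iptables ("" when br_netfilter is
# not loaded), $2 = `iptables -S` text, $3 = bridge name.
bridged_traffic_verdict() {
    if [ "$1" != "1" ]; then
        echo "bypasses-iptables"      # bridged frames never reach FORWARD
    elif has_bridge_accept "$2" "$3"; then
        echo "accepted-by-rule"
    elif [ "$(forward_policy "$2")" = "DROP" ]; then
        echo "dropped-by-policy"
    else
        echo "accepted-by-policy"     # no DROP policy; other rules may still apply
    fi
}

# Live use (needs root): sh check.sh --live bridge0
if [ "${1:-}" = "--live" ]; then
    nf=$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null || true)
    bridged_traffic_verdict "$nf" "$(iptables -S)" "${2:-bridge0}"
fi
```

On the constructed sample, `virbr0` is covered by the libvirt rule while a bridge without such a rule, like `bridge0`, falls through to the chain policy.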
