Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Add gateway mode "isolated" #49262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 5, 2025
Merged

Add gateway mode "isolated" #49262

merged 1 commit into from
Feb 5, 2025

Conversation

robmry
Copy link
Contributor

@robmry robmry commented Jan 13, 2025
edited
Loading

- What I did

Add value isolated for bridge labels com.docker.network.bridge.gateway_mode_ipv[46].

It prevents assignment of an address to the bridge, so the host has no address in the network - and can only be used when the network is also --internal.

For IPv4, mode isolated is equivalent to --internal -o com.docker.network.bridge.inhibit_ipv4=true - since commit 43f71fb, no gateway address is allocated in that case. Apart from isolated working for IPv6 too, the difference is in the intended use - inhibit_ipv4 is described as a way to put the gateway address somewhere-else (see Skip IP address configuration) so, it's fine to use it without --internal, but it doesn't necessarily isolate the network. Whereas, mode isolated can only be used with --internal and fits alongside the other gateway_mode_ipv[46] options as a way to control connectivity of containers on the network.

- How I did it

Don't assign an address to the bridge in isolated mode.

For gateway_mode_ipv6=isolated, disable IPv6 on the bridge so that it doesn't get a link-local address.

- How to verify it

New integration tests.

- Description for the changelog

- An `internal` bridge network created with gateway mode `isolated` does not have an address on the docker host.
  - An address is normally assigned to the bridge device in an `internal` network, so processes on the docker host can access the network, and containers in the network can access host services listening on that bridge address (including services listening on "any" host address, `0.0.0.0` or `::`).
  - The `network create` options are `-o com.docker.network.bridge.gateway_mode_ipv4=isolated` and `-o com.docker.network.bridge.gateway_mode_ipv6=isolated`.

@robmry robmry added kind/feature Functionality or other elements that the project doesn't currently have. Features are new and shiny area/networking Networking impact/changelog area/networking/d/bridge Networking labels Jan 13, 2025
@robmry robmry added this to the 28.0.0 milestone Jan 13, 2025
@robmry robmry self-assigned this Jan 13, 2025
@robmry robmry mentioned this pull request Jan 13, 2025
Merged
@robmry robmry force-pushed the gw_mode_isolated branch 3 times, most recently from ccd805b to 09e458d Compare January 16, 2025 12:25
@robmry robmry marked this pull request as ready for review January 16, 2025 12:28
@robmry robmry requested a review from akerouanton January 16, 2025 12:28
@robmry
Add bridge gateway mode "isolated"
9fdcde7 
It can only be set on a "--internal" network, and the only difference is
that no address is assigned to the bridge. So, there's no route to a
host address.

Signed-off-by: Rob Murray <[email protected]>
vvoland
vvoland approved these changes Feb 5, 2025
View reviewed changes
Copy link
Contributor

@vvoland vvoland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@vvoland vvoland merged commit 6ee81dc into moby:master Feb 5, 2025
153 checks passed
@robmry robmry mentioned this pull request Feb 5, 2025
Merged
3 tasks
aevesdocker pushed a commit to docker/docs that referenced this pull request Feb 20, 2025
@robmry
Updates for moby 28.0 networking (#21612)
3520fa2 
## Description

Updates for moby 28.0 networking.

## Related issues or tickets

Series of commits ...
- Fix description of 'inhibit_ipv4'
- Not changed in moby 28.0, updated to clarify difference from (new)
IPv6-only networks.
- Updates to default bridge address config
  - moby/moby#48319
- Describe IPv6-only network config
  - moby/moby#48271
  - docker/cli#5599
- Update description of gateway modes
  - moby/moby#48594
  - moby/moby#48596
  - moby/moby#48597
- Describe gateway selection in the networking overview.
  - docker/cli#5664
- Describe gateway mode `isolated`
  - moby/moby#49262

## Reviews

<!-- Notes for reviewers here -->
<!-- List applicable reviews (optionally @tag reviewers) -->

- [ ] Technical review
- [ ] Editorial review
- [ ] Product review

---------

Signed-off-by: Rob Murray <[email protected]>
@robmry robmry deleted the gw_mode_isolated branch February 26, 2025 14:48
@robmry robmry mentioned this pull request Mar 21, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akerouanton akerouanton akerouanton approved these changes

@vvoland vvoland vvoland approved these changes

Assignees

@robmry robmry

Labels
area/networking/d/bridge Networking area/networking Networking docs/revisit impact/changelog kind/feature Functionality or other elements that the project doesn't currently have. Features are new and shiny
Projects
None yet
Milestone
28.0.0
Development

Successfully merging this pull request may close these issues.
3 participants
@robmry @akerouanton @vvoland