
Add the possibility to forbid docker engine of certain IP CIDR blocks #35206

Open
omerh opened this issue Oct 15, 2017 · 4 comments
Labels
area/networking kind/enhancement Enhancements are not bugs or new features but can improve usability or performance.

Comments


omerh commented Oct 15, 2017

We are running multiple VPCs with different IP addresses.
One of our swarm clusters resides in a VPC with 172.19.0.0/16 and communicates with another VPC
that uses the IP CIDR of 172.18.0.0/16.

Our swarm cluster auto-generated docker_gwbridge overlapping the other VPC CIDR:

```
inet 172.18.0.1/16 scope global docker_gwbridge
```

Or even stand-alone docker0, which defaults to:

```
inet 172.17.0.1/16 scope global docker0
```

This caused severe connectivity issues on our cluster due to overlapping of the route published in the AWS routing table.

I am suggesting a feature request to add to /etc/docker/daemon.json a list of restricted IP CIDRs that the engine could not possibly understand by itself.

cpuguy83 (Member) commented

You can tell docker the CIDR to use instead of the other way around.


omerh commented Oct 16, 2017

True.
But what is easier? To remember all networks or just tell the engine what not to use?

thaJeztah (Member) commented

There's this PR to allow specifying custom ranges to use, #29376, but there's still an ongoing discussion on that feature.

When creating a network, you can also exclude certain IP addresses using the --aux-address option on docker network create.

@thaJeztah thaJeztah added area/networking kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. labels Oct 31, 2017

bvis commented Apr 4, 2018

Hi, as a workaround we are provisioning our nodes with a list of "reserved CIDR blocks". The idea is to bootstrap your nodes with this command:

```
ip=$(ip route | head -n1 | awk '{ print $3 }') && ip route add 172.20.0.0/16 via $ip dev eth0
```

Where 172.20.0.0/16 is the network I want to protect from Docker usage.

This sets the route to this network to the default gateway; in theory it does not change anything related to routing, but it makes Docker aware that this network is not available to it. In case you execute several commands like:

```
docker network create test1
docker network create test2
docker network create test3
```

You'll see that the ranges used go from 172.19.0.0/16 to 172.21.0.0/16, etc. You can create as many routes like this as needed.
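The overlap described in the opening post and the route-based workaround above can both be checked before a node joins a swarm. The following script is an added example and is not code from this issue or from Docker itself; it parses `ip -o -4 addr` and `ip route` style output (the sample lines are constructed here, not captured from a real host), reports any Docker-managed bridge whose subnet overlaps a reserved VPC CIDR, emits the `ip route add` commands from the workaround for the reserved list, and uses a simplified, assumed model of Docker's allocator (skip any 172.17.0.0/16 to 172.31.0.0/16 candidate that overlaps an existing route) to show which ranges would be handed out before and after the routes are added.

```python
"""Preflight check for Docker bridge ranges colliding with reserved VPC CIDRs.

Added example, not part of the issue thread or of Docker. The allocator model
below is an assumption for illustration, not Docker's actual algorithm.
"""
import ipaddress

# Constructed sample of `ip -o -4 addr show` output on a swarm node (not real data).
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 172.19.4.10/24 brd 172.19.4.255 scope global eth0
3: docker0    inet 172.17.0.1/16 scope global docker0
4: docker_gwbridge    inet 172.18.0.1/16 scope global docker_gwbridge
"""

# Constructed sample of `ip route` output on the same node (not real data).
SAMPLE_ROUTES = """\
default via 172.19.4.1 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev docker_gwbridge proto kernel scope link src 172.18.0.1
172.19.4.0/24 dev eth0 proto kernel scope link src 172.19.4.10
"""

# Ranges belonging to peer VPCs that a local Docker bridge must never claim (constructed).
RESERVED = ["172.18.0.0/16", "172.20.0.0/16"]

# Assumed candidate pool for the simplified allocator model.
CANDIDATES = [ipaddress.ip_network(f"172.{i}.0.0/16") for i in range(17, 32)]


def parse_addrs(text):
    """Return {ifname: [IPv4Network, ...]} from `ip -o -4 addr` lines."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "inet":
            continue
        net = ipaddress.ip_interface(parts[3]).network
        result.setdefault(parts[1], []).append(net)
    return result


def parse_routes(text):
    """Return the destination networks from `ip route` lines; skips 'default'."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            nets.append(ipaddress.ip_network(parts[0], strict=False))
        except ValueError:
            continue  # "default" or a malformed line
    return nets


def default_gateway(text):
    """Return (gateway, device) from the 'default via ... dev ...' route, or None."""
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["default", "via"] and "dev" in parts:
            return parts[2], parts[parts.index("dev") + 1]
    return None


def find_conflicts(addrs, reserved):
    """List (ifname, bridge_subnet, reserved_cidr) for Docker bridges overlapping a reserved range."""
    reserved_nets = [ipaddress.ip_network(r) for r in reserved]
    hits = []
    for ifname, nets in addrs.items():
        if not (ifname.startswith("docker") or ifname.startswith("br-")):
            continue  # only interfaces Docker manages
        for net in nets:
            for res in reserved_nets:
                if net.overlaps(res):
                    hits.append((ifname, str(net), str(res)))
    return hits


def workaround_commands(route_text, reserved):
    """Build the `ip route add` lines from the thread's workaround for each reserved CIDR."""
    gw, dev = default_gateway(route_text)
    return [f"ip route add {cidr} via {gw} dev {dev}" for cidr in reserved]


def next_free_ranges(in_use, count=3):
    """Assumed allocator model: hand out the first /16 candidates overlapping no route in use."""
    free = []
    for cand in CANDIDATES:
        if any(cand.overlaps(n) for n in in_use):
            continue
        free.append(str(cand))
        if len(free) == count:
            break
    return free


if __name__ == "__main__":
    for ifname, subnet, res in find_conflicts(parse_addrs(SAMPLE_ADDR), RESERVED):
        print(f"CONFLICT: {ifname} uses {subnet}, which overlaps reserved {res}")
    routes = parse_routes(SAMPLE_ROUTES)
    print("would allocate without workaround:", next_free_ranges(routes))
    print("\n".join(workaround_commands(SAMPLE_ROUTES, RESERVED)))
    protected = routes + [ipaddress.ip_network(r) for r in RESERVED]
    print("would allocate with workaround:   ", next_free_ranges(protected))
```

Run it on a node before joining the swarm: a non-empty conflict list means docker_gwbridge or docker0 already sits on a peer VPC range, and the printed commands are the routes the workaround would add so that the assumed allocator skips those ranges.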
