Skip to content

feat: add support for com.docker.network.bridge.enable_icc network option #4311

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 28, 2025
Merged

feat: add support for com.docker.network.bridge.enable_icc network option #4311

merged 1 commit into from
Aug 28, 2025

Conversation

swagatbora90
Copy link
Contributor

This PR adds support for docker compatible com.docker.network.bridge.enable_icc or --icc network create option. This option is used to enable/disable intercontainer connectivity.

By default, any bridge network allows connectivity between containers attached to the same network, while containers in different networks are isolated. The enable_icc feature can be further used to enable/disable intra bridge container connectivity.

Requires firewall plugin >= v1.7.1

Testing

  1. Create a network with com.docker.network.bridge.enable_icc set to false, say test-net
  2. Run a container and attach it to test-net
  3. Run a second container and attach it to test-net
  4. Ping from container 1 to container 2 should not succeed.
sudo nerdctl network create  -o "com.docker.network.bridge.enable_icc=false" test-net          
254ddbe0ec1e5f3ed4b492876e2b6b9a051436b44c40d00ebd5e72bf7aa88435

sudo nerdctl run -d  --network test-net --name C1 ubuntu  sleep infinity  
6f22e651b9a4f3988e1ebce35f13806f65d0be942bfe9a2325c668a53cafcc9b

 sudo nerdctl run --network test-net alpine ping -c 1 -W 1 C1
PING C1 (10.4.4.4): 56 data bytes

--- C1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

With icc=true, it will fallback to default behavior

sudo nerdctl network create  -o "com.docker.network.bridge.enable_icc=true" test-net1   
cf021853e2fd31f5ef29264e5fd834d45bf1ea364c3fef8ff60edec326899b77
 
sudo nerdctl run -d  --network test-net1 --name C2 ubuntu  sleep infinity  
2c95ae6ad9da8a07de97c609d9e65acdc95f3b343ea6e4c46ccd4c9b3df79b90

sudo nerdctl run --network test-net1 alpine ping -c 1 -W 1 C2
PING C2 (10.4.5.2): 56 data bytes
64 bytes from 10.4.5.2: seq=0 ttl=127 time=0.115 ms

--- C2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.115/0.115/0.115 ms

apostasie
apostasie reviewed Jun 11, 2025
View reviewed changes
apostasie
apostasie reviewed Jun 11, 2025
View reviewed changes
apostasie
apostasie reviewed Jun 11, 2025
View reviewed changes
apostasie
apostasie reviewed Jun 11, 2025
View reviewed changes
AkihiroSuda
AkihiroSuda reviewed Jun 11, 2025
View reviewed changes
@swagatbora90 swagatbora90 force-pushed the feat-icc-nerdctl branch 3 times, most recently from c85e72d to bea516f Compare June 12, 2025 00:32
AkihiroSuda
AkihiroSuda reviewed Jun 12, 2025
View reviewed changes
AkihiroSuda
AkihiroSuda reviewed Jun 12, 2025
View reviewed changes
AkihiroSuda
AkihiroSuda approved these changes Jun 12, 2025
View reviewed changes
Copy link
Member

@AkihiroSuda AkihiroSuda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@AkihiroSuda AkihiroSuda added this to the v2.1.3 milestone Jun 12, 2025
@swagatbora90
Copy link
Contributor Author

Looks like the test disabling ICC is failing on a few platform. Taking a look.

@swagatbora90 swagatbora90 reopened this Jun 18, 2025
@AkihiroSuda AkihiroSuda mentioned this pull request Jun 20, 2025
Closed
@AkihiroSuda AkihiroSuda modified the milestones: v2.1.3, v2.1.4 Jun 30, 2025
@AkihiroSuda
Copy link
Member

Moving to the v2.1.4 milestone

@swagatbora90 swagatbora90 force-pushed the feat-icc-nerdctl branch 4 times, most recently from 546602c to 9ce8625 Compare July 24, 2025 23:43
@AkihiroSuda
Copy link
Member

Needs rebase, in addition to fixing the CI

@swagatbora90 swagatbora90 force-pushed the feat-icc-nerdctl branch 2 times, most recently from c83c41a to 8d9aa54 Compare August 21, 2025 21:13
@swagatbora90
Copy link
Contributor Author

Needs rebase, in addition to fixing the CI

@AkihiroSuda I had a hard time debugging the CI failures since this was working on my local test host. Finally, figured out that the the test are failing because the ubuntu runners do not have br-netfilter module loaded, which is required for this feature to work. We need the bridged traffic to go through netfilter.

We will need to load the module in our ubuntu runners first for this test to work. Given we have other features that also rely on cni firewall rules, I am thinking of enabling it across all the runners. let me know what you think?

@AkihiroSuda
Copy link
Member

AkihiroSuda commented Aug 22, 2025
edited
Loading

We will need to load the module in our ubuntu runners first for this test to work. Given we have other features that also rely on cni firewall rules, I am thinking of enabling it across all the runners. let me know what you think?

👍, but maybe you do not need to modprobe it explicitly if you mount -v /lib/modules:/lib/modules:ro here:

nerdctl/.github/workflows/job-test-in-container.yml

Line 166 in 832c455

docker run -t --rm --privileged -e GITHUB_STEP_SUMMARY="$GITHUB_STEP_SUMMARY" -v "$GITHUB_STEP_SUMMARY":"$GITHUB_STEP_SUMMARY" -e WORKAROUND_ISSUE_622=${WORKAROUND_ISSUE_622:-} "${args[@]}" -test.only-flaky=false -test.target=${{ inputs.binary }}

(and in the similar places in other test-in-*.yaml)

@swagatbora90
Copy link
Contributor Author

but maybe you do not need to modprobe it explicitly if you mount -v /lib/modules:/lib/modules:ro here

I tried this option, but ran into the same errors swagatbora90@06d49d0. Looks like I need to load the br_netfilter module explicitly as they are not loaded by default.

@swagatbora90 swagatbora90 mentioned this pull request Aug 22, 2025
Merged
@swagatbora90
Copy link
Contributor Author

Opened [https://github.com//pull/4481] to load the br_netfilter module inn the runners.

@swagatbora90
feat: add support for com.docker.network.bridge.enable_icc network op…
45816cd 
…tion

Signed-off-by: Swagat Bora <sbora@amazon.com>
@swagatbora90 swagatbora90 reopened this Aug 27, 2025
@swagatbora90
Copy link
Contributor Author

Test failures are not related and appear to be one of the flaky ones.

@swagatbora90
Copy link
Contributor Author

@AkihiroSuda @apostasie Tests are passing now after latest CI update to load the br_netfilter module. I think this PR is good to be merged now. Still seeing some random flaky test failures though, but appears to be unrelated.

ChengyuZhu6
ChengyuZhu6 approved these changes Aug 28, 2025
View reviewed changes
Copy link
Member

@ChengyuZhu6 ChengyuZhu6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

AkihiroSuda
AkihiroSuda approved these changes Aug 28, 2025
View reviewed changes
Copy link
Member

@AkihiroSuda AkihiroSuda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@AkihiroSuda AkihiroSuda merged commit fb66c8c into containerd:main Aug 28, 2025
108 of 116 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda

+2 more reviewers

@apostasie apostasie

@ChengyuZhu6 ChengyuZhu6

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v2.1.4
Development

Successfully merging this pull request may close these issues.
4 participants
@swagatbora90 @AkihiroSuda @ChengyuZhu6 @apostasie