
Conceptualize Docker Networks to be minimal


Introduction

There are three private IP ranges:

Class  CIDR            Last IP          IPs         Typical Usage
A      10.0.0.0/8      10.255.255.255   16,777,216  Big Company Network
B      172.16.0.0/12   172.31.255.255   1,048,576   Docker Network!
C      192.168.0.0/16  192.168.255.255  65,536      Home Network

So there are about a million IPs available for docker containers in docker networks. However, docker by default splits them up into /24 subnets. Therefore, every docker network can hold up to 2^(32-24) - 2 = 254 container IPs, and the total number of docker networks is limited to 2^(24-12) = 4096.

While these defaults are fine, it is possible to run out of address space, especially if private Class B addresses are used elsewhere (by other applications or routing). Using more docker networks with fewer containers per network has two benefits: security and safety.

Security & Safety

  1. Scenario with three containers: gateway, appserver, database.

    It's easy to put all three of them in a single docker network. But this would allow the gateway to reach the database directly, which is not required. Therefore, two docker networks should be used: one shared by gateway and appserver, one shared by appserver and database.

  2. Scenario with three containers: gateway, appserver1, appserver2.

    Using a single network to connect the appservers to the gateway allows appserver1 to talk to appserver2. This may not be desired if app1 and app2 are two distinct applications.

The security gain is a better separation of trust levels, following the principle of least privilege. However, an advanced attacker can still attempt OSI layer 2 (“MAC-level”) sniffing attacks.

The bigger gain is the safety of the container environment. The impact of configuration mistakes is limited, and the architecture is clearer: confusion about which service the hostname “app” belongs to is hopefully prevented.

The cost of this approach is that more docker networks might be needed than the 4096 available by default. A configuration change allows more networks to be created.

This is just an example! 4096 is a reasonable number of networks. But if only a subset of the private Class B range is available, or Class C must be used, things may look different. By default at most 256 docker networks can be created in Class C, which could be limiting.

Configuration

In /etc/docker/daemon.json add:

{
  "default-address-pools": [
    {
      "base": "172.16.0.0/12",
      "size": 27
    }
  ]
}

This uses the complete private Class B range (172.16.0.0/12) and assigns a /27 to each docker network.

Max docker networks per host: 2^(27-12) = 32,768

Max containers per docker network: 2^(32-27) - 2 = 30
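As an added example (not part of the original post), the following Python script computes the figures above for any pool, lists the first subnets docker would hand out, and renders the matching daemon.json fragment; the function names are my own.

```python
import ipaddress
import itertools
import json

# Added example: models how "default-address-pools" carves a base range
# into per-network subnets, using the same arithmetic as the post.


def pool_capacity(base, size):
    """Return how many docker networks a pool yields and how many host
    addresses each network offers (network and broadcast excluded, which
    is the post's 2^(32-size) - 2 figure)."""
    net = ipaddress.ip_network(base, strict=True)
    if size < net.prefixlen or size > 30:
        raise ValueError("size must be between %d and 30" % net.prefixlen)
    networks = 2 ** (size - net.prefixlen)
    hosts = 2 ** (32 - size) - 2
    return {
        "base": str(net),
        "size": size,
        "networks": networks,
        "hosts_per_network": hosts,
        # The bridge driver also takes the first host address for the
        # network's gateway, so one fewer container actually fits.
        "containers_per_network": hosts - 1,
    }


def first_subnets(base, size, count):
    """The first `count` subnets allocated from the pool, in address order."""
    net = ipaddress.ip_network(base, strict=True)
    return [str(s) for s in itertools.islice(net.subnets(new_prefix=size), count)]


def daemon_config(base, size):
    """The daemon.json structure for a single address pool."""
    return {"default-address-pools": [{"base": base, "size": size}]}


def daemon_json(base, size):
    """Render daemon_config() as the text to place in /etc/docker/daemon.json."""
    return json.dumps(daemon_config(base, size), indent=2)


if __name__ == "__main__":
    for base, size in [("172.16.0.0/12", 24), ("172.16.0.0/12", 27), ("192.168.0.0/16", 24)]:
        print(pool_capacity(base, size))
    print(first_subnets("172.16.0.0/12", 27, 3))
    print(daemon_json("172.16.0.0/12", 27))
```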