Docker in Docker no longer works without docker0 bridge #183
Comments
|
We have the same issue! Our CI system, running as a docker container, is building docker images (docker in docker). Since upgrading to the latest EKS AMI we are unable to access the network from inside containers being built by our CI container. Also, simply starting a container from inside the CI docker container have the same end result. @george-freebirdrides Did you find a temporary fix for this? |
|
This caused a lot of failed builds in our CI systems too. Looks like this was introduced by #109 @kristofferahl there are some work around on that PR. |
|
@andytom Thanks! We ended up simply specifying network=host for our docker build commands. Not something we liked doing but it worked. |
|
thank you for opening this issue. We were also attempting to update today for the RUNC CVE-2019-5736 as per AWS' own blog post here: https://aws.amazon.com/security/security-bulletins/AWS-2019-002/ this validates for us that we needed to roll back ; and that perhaps we didn't even get the upgrade because #181 #177 |
|
Hi folks, As noted earlier, the change was made in #109 to disable the bridge network. This was done for a couple reasons. Primarily, Kubernetes doesn't need the bridge network, as it uses CNI for network setup. Secondarily, the bridge network docker chooses by default (if it is not overlapping with the VPC network) is This use case of using docker outside of Kubernetes management bypasses the security restrictions Kubernetes puts in place, and as a default, we wrongly assumed that users wouldn't be managing docker containers outside of Kubernetes on a host. We understand that this is a trade off that some customers choose to make, so we've added an argument to the bootstrap script enabling the previous behavior in #187. Please let us know if the change in #187 will accomodate your use cases, and we'll get an AMI out in the coming days to fix this for you. |
|
Thanks for the explanation @micahhausler - I believe an argument to the bootstrap script to enable this behavior works for our use case. Appreciate the fast response! (edit: commented from personal - my work github is @george-freebirdrides) |
|
I managed to work around this issue by using |
|
@micahhausler Any news on when the new AMI will be available? |
|
@kristofferahl it looks like https://aws.amazon.com/marketplace/pp/B07GRMYQR5?qid=1551211195678&sr=0-1&ref_=srh_res_product_title (AMI |
|
The flag is available but it still has bugs in it. From my testing it has not been completely fixed yet. |
|
Specifically |
@micahhausler is it possible to reopen this issue or build a new AMI with the missing commit? |
See awslabs/amazon-eks-ami#183. According to AWS support, adding the default bridge support is needed in order for docker in or docker on docker to build images inside of a pod.
|
Thanks a lot @kristofferahl . Your comment saves my day,, no no save my week. docker build --network=host foo/bar:latest .Hence, in my Jenkinsfile, I added : sed -i 's@docker build@docker build --network=host@g' ./build.shNow Stackexcanges issues are resolve : |
What happened:
We utilize docker-in-docker configuration to build our images from CI within our dev cluster. Because docker0 has been disabled, internal routing from the inner container can no longer reach the outside world. For instance:
What you expected to happen:
Routing to the outside world to continue working. Only the outer container can still resolve hosts and reach them.
How to reproduce it (as minimally and precisely as possible):
Launch a container in a pod that builds an inner container with apt-get update
Anything else we need to know?:
This arose during our upgrade for CVE-2019-5736
Environment:
aws eks describe-cluster --name <name> --query cluster.platformVersion):aws eks describe-cluster --name <name> --query cluster.version):uname -a):cat /tmp/releaseon a node):Was there a security reason for disable docker0?
The text was updated successfully, but these errors were encountered: