OpenWrt with Docker & Docker-Compose - Network

Hello,

as I want to run Docker on my OpenWRT, I have installed the needed LuCI packages. As I now see, this creates three default networks: null, bridge, host, and an interface called docker0.

I wonder how I can address this network bridge / docker0 network from docker-compose.

When I create a network called "bridge" it creates a new entry inside the LuCI overview. And I guess, having it connected somehow to the device is necessary to get the Firewall settings correct.

Docker-compose.yml:

version: "3.3"

services:
  portainer:
    image: portainer/portainer-ce
    container_name: Portainer
    command: -H unix:///var/run/docker.sock
    restart: always
    ports:
      - 9000:9000
      - 8000:8000
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./Portainer/data:/data

And the overview in LuCI:

I had the same issue and solved it with: network_mode: bridge

  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    network_mode: bridge
    ports:
      - 9090:9090
    environment:
      - PGID=1000
    volumes:
      - ~/.crowdsec/data:/var/lib/crowdsec/data
      - ~/.crowdsec/etc:/etc/crowdsec
      - /var/log/auth.log:/var/log/auth.log:ro
    restart: unless-stopped

Okay, reasonable. As I see in your docker-compose definition, you are exposing port 9090 to the OpenWRT system. May I ask how your firewall settings look to access this port from your LAN?

Having fought with this on openwrt:

What I did:

Docker's default bridge should only be used for testing purposes, and really you should create your own named bridge interface - the reason it defaults to creating a new docker interface.

Official docker docs do say that!

You can do this by cli or gui, but doing it via cli is easier as you need to set some options for it to work correctly on openwrt, i.e.

"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker1",
"com.docker.network.driver.mtu": "1500"

So what I did was create a new bridge interface called 'docker1' and a new interface called 'dockerlan' in cgi-bin/luci/admin/network/network - 'devices' for the bridge and 'interfaces' for the dockerlan interface

example of /etc/config/network:

config device
	option type 'bridge'
	option name 'docker1'

config interface 'dockerlan'
	option proto 'none'
	option device 'docker1'
	option auto '0'

With the docker network create command from the ssh shell of openwrt:

docker network create -o com.docker.network.bridge.enable_icc=true -o com.docker.network.bridge.enable_ip_masquerade=true -o com.docker.network.bridge.host_binding_ipv4=0.0.0.0 -o com.docker.network.bridge.name=docker1 --subnet 172.19.0.0/24 --ip-range 172.19.0.0/27 --gateway=172.19.0.1 dockerlan

Then for the firewall rule to allow communication to outside etc - /etc/config/firewall

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'docker'
	option forward 'REJECT'
	option log '1'
	list network 'dockerlan'
	list network 'docker'
	list device 'docker0'
	list device 'docker1'

config rule
	option name 'DockertoDockerAny'
	option src 'docker'
	option dest 'docker'
	option target 'ACCEPT'

Then in my docker-compose files I just added at the end

networks:
  default:
    name: dockerlan

I found that using the LuCI web UI for docker networks doesn't add the required options correctly and so won't work properly - it has options, but it would be nice if you could select common options.

Be aware that if you do a docker-compose down, it will remove the docker network you created, so just do docker stop and docker rm when trying to update containers etc.

Hope this helps?
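As an added example (not code from the thread or from OpenWrt/Docker), the following script builds the pieces of the procedure above from one declared spec: the `uci batch` equivalent of the /etc/config/network and /etc/config/firewall stanzas, and the `docker network create` command. Before emitting the command it checks the two addressing constraints that `docker network create` itself enforces (the `--ip-range` must lie inside `--subnet`, and the `--gateway` must be inside the subnet), so a mismatch is caught on the workstation instead of failing on the router. The UCI section names (`docker1`, `dockerlan`, `docker`, `docker_to_docker`) and the `--driver bridge` flag are assumptions made for the example; the bridge options and the zone layout mirror the post.

```python
"""Generate the OpenWrt UCI batch and docker network create command for a
named Docker bridge, validating the addressing first.  Added example; the
section names below are assumptions, not anything the thread or OpenWrt
prescribes."""
import ipaddress

# Bridge driver options from the post; 1500 is also Docker's default MTU.
BRIDGE_OPTS = {
    "com.docker.network.bridge.enable_icc": "true",
    "com.docker.network.bridge.enable_ip_masquerade": "true",
    "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
    "com.docker.network.driver.mtu": "1500",
}


def validate_addressing(subnet, ip_range, gateway):
    """Return (subnet, ip_range, gateway) as ipaddress objects or raise
    ValueError.  Docker rejects an --ip-range outside --subnet and a
    --gateway outside the subnet, so the check is done up front."""
    net = ipaddress.ip_network(subnet, strict=True)
    rng = ipaddress.ip_network(ip_range, strict=True)
    gw = ipaddress.ip_address(gateway)
    if not rng.subnet_of(net):
        raise ValueError(f"ip-range {rng} is not inside subnet {net}")
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside subnet {net}")
    return net, rng, gw


def docker_network_cmd(name, bridge, subnet, ip_range, gateway):
    """Build the docker network create command as a single string."""
    validate_addressing(subnet, ip_range, gateway)
    opts = dict(BRIDGE_OPTS, **{"com.docker.network.bridge.name": bridge})
    parts = ["docker", "network", "create", "--driver", "bridge"]
    for key in sorted(opts):          # sorted so the output is stable
        parts += ["-o", f"{key}={opts[key]}"]
    parts += [f"--subnet={subnet}", f"--ip-range={ip_range}",
              f"--gateway={gateway}", name]
    return " ".join(parts)


def uci_batch(iface="dockerlan", bridge="docker1", zone="docker",
              default_iface="docker", default_bridge="docker0"):
    """UCI batch lines equivalent to the post's network and firewall stanzas.
    Section names (bridge, iface, zone, <zone>_to_<zone>) are assumed here;
    the default docker/docker0 pair created by the OpenWrt package is added
    to the zone exactly as the post does.  Feed the result to `uci batch`."""
    lines = [
        f"set network.{bridge}=device",
        f"set network.{bridge}.type='bridge'",
        f"set network.{bridge}.name='{bridge}'",
        f"set network.{iface}=interface",
        f"set network.{iface}.proto='none'",
        f"set network.{iface}.device='{bridge}'",
        f"set network.{iface}.auto='0'",
        f"set firewall.{zone}=zone",
        f"set firewall.{zone}.name='{zone}'",
        f"set firewall.{zone}.input='ACCEPT'",
        f"set firewall.{zone}.output='ACCEPT'",
        f"set firewall.{zone}.forward='REJECT'",
        f"set firewall.{zone}.log='1'",
    ]
    for net in (iface, default_iface):
        lines.append(f"add_list firewall.{zone}.network='{net}'")
    for dev in (default_bridge, bridge):
        lines.append(f"add_list firewall.{zone}.device='{dev}'")
    rule = f"{zone}_to_{zone}"
    lines += [
        f"set firewall.{rule}=rule",
        f"set firewall.{rule}.name='DockertoDockerAny'",
        f"set firewall.{rule}.src='{zone}'",
        f"set firewall.{rule}.dest='{zone}'",
        f"set firewall.{rule}.target='ACCEPT'",
        "commit network",
        "commit firewall",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(uci_batch())
    print(docker_network_cmd("dockerlan", "docker1",
                             "172.19.0.0/24", "172.19.0.0/27", "172.19.0.1"))
```

Run it on a workstation and pipe the first part into `uci batch` on the router (`ssh root@router uci batch < out.txt`), then run the printed docker command there; passing a /27 subnet with a /24 ip-range, the other way round, raises a ValueError before anything is sent.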

This method looks more elegant than mine, thank you. It's working fine.

Well, I looked at your code example for almost 30 minutes to understand it; let me enter some settings to get it:

Docker network Parameter for bridge

name -  clear
enable_icc - allows communication between containers
host_binding_ipv4 - by assigning no IP (0.0.0.0), OpenWRT does that?
enable_ip_masquerade - necessary for Internet?

Your example includes "docker" as interface and "docker0" as device. Are both entries the ones which are automatically created by OpenWRT?
Is it enough to use the interface "dockerlan" in docker-compose to link docker network and OpenWRT?

Is this configuration enough to access a Web Interface of a docker container from a different LAN device, or at least from the OpenWRT router?

So to explain your questions:

The default created openwrt install of docker creates the 'docker' and 'docker0' interfaces/bridge.
Most docker installs do this regardless - openwrt or linux.

I've created the 'dockerlan' interface in the openwrt luci or by cli, up to you, and created the bridge of my choice, 'docker1'.

The docker network create can be done via the docker compose file automatically, based on what your services need in communication internally or outside.

I did this because I want a static name that I know of; otherwise doing a docker compose will create a random bridge name and not create the correct routing.

As I stated, the official docker docs do not recommend using the default bridge and say to create your own.

From your docker compose file you can determine what ports are presented to your containers and use the openwrt firewall rules to manipulate that.


Did you delete docker0 from the network?

No, as it's the default; if you delete it, it will come back again. So I just left it as is.

What is the advantages/disadvantages for this method over creating a "macvlan" interface as described in this guide?

Personally, I consider the following topics:

  1. Running inside Docker completely makes the services available for opening to the Internet with some NGINX as Gateway.
  2. Having a MacVLAN always helps when the Smart Home uses Multicast / Unicast / Bonjour protocols. Think of all those SONOS and PLEX applications and stuff like that.
  3. By locking everything inside Docker, even PiHole, makes it possible to go for modern techniques like DNS-over-HTTPS instead of using Port 53 or similar.

If good or bad...well, not sure, but these are the points I identified.

I am still having trouble getting Docker Compose running on OpenWRT. I guess I don't have enough knowledge about firewall settings:

I have installed Portainer via Docker-Compose and released the port 9000 by the simple 9000:9000 port setting, as I have done it often in Docker-Compose. I can access the Portainer Interface.

Now I noticed that I cannot access the Portainer templates; inside Portainer I get the time-out message:

"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json": dial tcp: lookup raw.githubusercontent.com: i/o timeout

I can manually open the URL in my browser, so from the LAN zone the URL can be accessed. I could use a little hint on what to set in the firewall settings.

Portainer is running on dockerlan as bridged network, OpenWrt LAN operates on 192.168.180.0/24 and the dockerlan on 172.19.0.0/24.

Hi all
I've got a docker-compose yml file that creates the networks as frontend and backend. On my raspberry pi the frontend is used to connect to the reverse proxy which reverse-proxies requests to containers connected to the backend network. The proxy is connected to both.

I cannot access the frontend network and I feel like I'm missing something. I don't understand how creating a bridge manually will fix this problem for me.

I don't understand how the default bridge connects to the rest of the network nor any custom bridge interface.

I thought that perhaps I need to create a bridge device that's connected to the "frontend" docker bridge and then create an interface that connects to said device and put that interface in the "docker" zone created in the FW.

I tried that but I still can't connect to my reverse proxy in docker. It's listening on 443 and I made sure to change uhttpd to listen on 9443 instead for luci so that's all good.

I don't understand the traffic flow or what to do to get this to work so any help would be appreciated.