Hi,
docker is not configured in any special way; the only change to the
config file was attached in the original report.
Here are the relevant outputs of a full session after a fresh boot:
==== after boot ====
$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
link/ether c0:3f:d5:61:1a:0f brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether c0:3f:d5:61:1a:0f brd ff:ff:ff:ff:ff:ff
inet 10.43.70.1/16 brd 10.43.255.255 scope global br0
valid_lft forever preferred_lft forever
inet6 2001:858:107:1:c23f:d5ff:fe61:1a0f/64 scope global mngtmpaddr dynamic
valid_lft 86398sec preferred_lft 14398sec
inet6 fe80::c23f:d5ff:fe61:1a0f/64 scope link
valid_lft forever preferred_lft forever
$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$ brctl show
bridge name bridge id STP enabled interfaces
br0 8002.c03fd5611a0f no eth2
==== after VM start (which is a KVM based VM, with its NIC on br0, device model
virtio) ====
The output is from the host, the VM pings fine to public hostnames
(e.g., debian.org)
$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
link/ether c0:3f:d5:61:1a:0f brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether c0:3f:d5:61:1a:0f brd ff:ff:ff:ff:ff:ff
inet 10.43.70.1/16 brd 10.43.255.255 scope global br0
valid_lft forever preferred_lft forever
inet6 2001:858:107:1:c23f:d5ff:fe61:1a0f/64 scope global mngtmpaddr dynamic
valid_lft 86394sec preferred_lft 14394sec
inet6 fe80::c23f:d5ff:fe61:1a0f/64 scope link
valid_lft forever preferred_lft forever
4: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
link/ether fe:54:00:67:36:c8 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fe67:36c8/64 scope link
valid_lft forever preferred_lft forever
$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$ brctl show
bridge name bridge id STP enabled interfaces
br0 8000.c03fd5611a0f no eth2
vnet0
==== after "docker images" (yes, the only docker command I ran), and from this
point on networking in the VM is dead: ====
$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
link/ether c0:3f:d5:61:1a:0f brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether c0:3f:d5:61:1a:0f brd ff:ff:ff:ff:ff:ff
inet 10.43.70.1/16 brd 10.43.255.255 scope global br0
valid_lft forever preferred_lft forever
inet6 2001:858:107:1:c23f:d5ff:fe61:1a0f/64 scope global mngtmpaddr dynamic
valid_lft 86397sec preferred_lft 14397sec
inet6 fe80::c23f:d5ff:fe61:1a0f/64 scope link
valid_lft forever preferred_lft forever
4: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
link/ether fe:54:00:67:36:c8 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fe67:36c8/64 scope link
valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:52:94:20:6b brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 scope global docker0
valid_lft forever preferred_lft forever
$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
$ brctl show
bridge name bridge id STP enabled interfaces
br0 8000.c03fd5611a0f no eth2
vnet0
docker0 8000.02425294206b no
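
Between the second and third `iptables -L` listings above, the FORWARD chain policy goes from ACCEPT to DROP and the DOCKER chains appear. The following is an added example, not part of the original message: a Python script that diffs two such listings and reports policy changes, new chains and rule-count changes. The function names are hypothetical, and the input is assumed to be plain `iptables -L` output, reconstructed here from the listings in the message.

```python
import re

# Constructed input: the `iptables -L` listings from the message, before and
# after the docker command (column spacing collapsed, wrapped line rejoined).
HDR = "target prot opt source destination\n"
BEFORE = ("Chain INPUT (policy ACCEPT)\n" + HDR +
          "Chain FORWARD (policy ACCEPT)\n" + HDR +
          "Chain OUTPUT (policy ACCEPT)\n" + HDR)
AFTER = ("Chain INPUT (policy ACCEPT)\n" + HDR +
         "Chain FORWARD (policy DROP)\n" + HDR +
         "DOCKER-ISOLATION all -- anywhere anywhere\n"
         "DOCKER all -- anywhere anywhere\n"
         "ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED\n"
         "ACCEPT all -- anywhere anywhere\n"
         "ACCEPT all -- anywhere anywhere\n"
         "Chain OUTPUT (policy ACCEPT)\n" + HDR +
         "Chain DOCKER (1 references)\n" + HDR +
         "Chain DOCKER-ISOLATION (1 references)\n" + HDR +
         "RETURN all -- anywhere anywhere\n")

# Built-in chains carry "(policy X"; user-defined chains carry "(N references".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)")

def parse(listing):
    """Map chain name -> {"policy": str or None, "rules": [str, ...]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif current is not None and line.strip() and not line.startswith("target"):
            current["rules"].append(" ".join(line.split()))
    return chains

def drift(before, after):
    """Return (policy changes, new chains, rule-count changes) between listings."""
    b, a = parse(before), parse(after)
    common = b.keys() & a.keys()
    policy = {c: (b[c]["policy"], a[c]["policy"])
              for c in common if b[c]["policy"] != a[c]["policy"]}
    rules = {c: (len(b[c]["rules"]), len(a[c]["rules"]))
             for c in common if b[c]["rules"] != a[c]["rules"]}
    return policy, sorted(a.keys() - b.keys()), rules

if __name__ == "__main__":
    print(drift(BEFORE, AFTER))
```

Plain `iptables -L` omits the in/out interface columns, which is why the last two ACCEPT rules in FORWARD look identical; `iptables -L -v` shows them.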