Hi,
I've decided to use these summer holidays to wrap my head around Docker and its
quirks. Spent the last couple of weeks working through a Udemy tutorial and a
thick book about Docker, and I have Docker CE installed on two machines:
  * my workstation running OpenSUSE Leap 15.1
  * a public sandbox server running CentOS 7
I'm currently fiddling with custom networks and container isolation, and it
looks like I discovered a bug or at least an inconsistency in CentOS. Maybe the
gurus among you have an explanation for this. Sorry if this is a bit long, but
I'll try to be as clear as possible.
OpenSUSE Leap 15.1
------------------
For demonstration purposes on how things *should* be, I'm starting two Nginx
containers named "webserver1" and "webserver2":
$ docker run -dit --name webserver1 nginx
$ docker run -dit --name webserver2 nginx
These two containers have the respective 172.17.0.2 and 172.17.0.3 IP addresses:
$ docker network inspect bridge | grep -i ipv4address
                "IPv4Address": "172.17.0.2/16",
                "IPv4Address": "172.17.0.3/16",
The "webserver1" container has the 172.17.0.2 IP address:
$ docker exec -it webserver1 hostname -I
172.17.0.2
Since "webserver1" and "webserver2" are both on the "bridge" network, they can
communicate with each other:
$ docker exec -it webserver1 curl -m 5 http://172.17.0.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...
Now I'm creating the custom "blog" network:
$ docker network create blog
$ docker network ls
NETWORK ID      NAME            DRIVER          SCOPE
e02e6fc654c6    blog            bridge          local
3ea6f28134ba    bridge          bridge          local
8d2b8dfe5352    host            host            local
0bd337e274c2    none            null            local
I'm starting a third container named "webserver3" and assigning it to the new
"blog" network:
$ docker run -dit --name webserver3 --network blog nginx
This new container is in a whole new network segment:
$ docker network inspect blog | grep -i ipv4address
                "IPv4Address": "172.20.0.2/16",
As is to be expected, it can't communicate with the other two containers:
$ docker exec -it webserver3 curl -m 5 http://172.17.0.2
curl: (28) Connection timed out after 5001 milliseconds
$ docker exec -it webserver3 curl -m 5 http://172.17.0.3
curl: (28) Connection timed out after 5001 milliseconds
So far so good.
CentOS 7
--------
Now let's repeat the exact same experiment on a server running CentOS 7.
First, create two containers on the default "bridge" network and check if they
can communicate with each other:
$ docker run -dit --name webserver1 nginx
$ docker run -dit --name webserver2 nginx
$ docker network inspect bridge | grep -i ipv4address
                "IPv4Address": "172.17.0.3/16",
                "IPv4Address": "172.17.0.2/16",
$ docker exec -it webserver1 hostname -I
172.17.0.2
$ docker exec -it webserver1 curl -m 5 http://172.17.0.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...
Now create a custom "blog" network and start a third container assigned to that
network:
$ docker network create blog
$ docker network ls | grep blog
0571c80fef1b     blog             bridge           local
$ docker run -dit --name webserver3 --network blog nginx
$ docker network inspect blog | grep -i ipv4address
                "IPv4Address": "172.19.0.2/16",
$ docker exec -it webserver3 hostname -I
172.19.0.2
Now IN THEORY "webserver3" shouldn't be able to communicate with the
"webserver1" and "webserver2" containers.
But here's what happens IN PRACTICE (and only on CentOS 7):
$ docker exec -it webserver3 curl -m 5 http://172.17.0.2
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...
$ docker exec -it webserver3 curl -m 5 http://172.17.0.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...
As far as I'm concerned, it looks like a bug, it walks like a bug and it quacks
like a bug.
Any remarks and/or suggestions?
Cheers from the sunny South of France,
Niki
-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
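Added example (not part of Niki's post, not Docker's own tooling): a small
shell check that tells you whether the host still carries the iptables rules
Docker uses to keep user-defined bridges apart. Docker 17.12 and later installs
two chains, DOCKER-ISOLATION-STAGE-1 (matches traffic entering a bridge and
leaving by another interface) and DOCKER-ISOLATION-STAGE-2 (drops it when the
outgoing interface is a Docker bridge), and hooks them from FORWARD. When those
rules are absent, whatever the reason, a container on one bridge can reach
containers on another, which is exactly the symptom shown above for CentOS 7.
The two rule sets below are constructed samples of `iptables -S` output; the
bridge interface name br-e02e6fc654c6 is assumed, and on a real host you would
feed the function the live output of `iptables -S` and the bridge names from
`docker network inspect -f '{{index .Options "com.docker.network.bridge.name"}}'`
or simply `ip link`.

```shell
#!/bin/sh
# Added example: verify that Docker's inter-bridge isolation rules are present.
# Rule shapes are those Docker >= 17.12 installs; interface names are assumed.

# Constructed sample: a healthy host with docker0 and one user-defined bridge.
HEALTHY_RULES='-P FORWARD DROP
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-e02e6fc654c6 ! -o br-e02e6fc654c6 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-e02e6fc654c6 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN'

# Constructed sample: the chains exist but the rules for the custom bridge are
# gone and FORWARD no longer jumps into STAGE-1 (as after a firewall reload).
BROKEN_RULES='-P FORWARD ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN'

# has_rule RULES FIXED_STRING  -> 0 if the exact rule line is present
has_rule() {
  printf '%s\n' "$1" | grep -qF -- "$2"
}

# check_isolation RULES BRIDGE...  -> 0 when every bridge is fully isolated,
# 1 otherwise; prints one MISSING line per absent rule so the gap is visible.
check_isolation() {
  rules=$1; shift
  status=0
  if ! has_rule "$rules" "-A FORWARD -j DOCKER-ISOLATION-STAGE-1"; then
    echo "MISSING: FORWARD does not jump to DOCKER-ISOLATION-STAGE-1"; status=1
  fi
  if ! has_rule "$rules" "-P FORWARD DROP"; then
    echo "WARNING: FORWARD policy is not DROP (Docker normally sets it)"
  fi
  for br in "$@"; do
    if ! has_rule "$rules" "-A DOCKER-ISOLATION-STAGE-1 -i $br ! -o $br -j DOCKER-ISOLATION-STAGE-2"; then
      echo "MISSING: stage-1 rule for $br"; status=1
    fi
    if ! has_rule "$rules" "-A DOCKER-ISOLATION-STAGE-2 -o $br -j DROP"; then
      echo "MISSING: stage-2 DROP for $br"; status=1
    fi
  done
  return $status
}

# check_live_host BRIDGE...  -> run the same check against the running host.
# Needs root and iptables; not called automatically.
check_live_host() {
  check_isolation "$(iptables -S)" "$@"
}

# Demonstration on the two constructed samples (guarded so set -e is safe).
if check_isolation "$HEALTHY_RULES" docker0 br-e02e6fc654c6; then
  echo "healthy sample: isolation rules complete"
fi
if check_isolation "$BROKEN_RULES" docker0 br-e02e6fc654c6; then
  echo "broken sample: isolation rules complete"
else
  echo "broken sample: containers on different bridges can talk to each other"
fi
```

Run it as root with `check_live_host docker0 br-<id>` on both machines and
diff the MISSING lines; that tells you whether the difference is in the
packet filter rather than in Docker's network objects, which `docker network
inspect` alone cannot reveal.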