docker / cli

The Docker CLI
Apache License 2.0

docker-cli network_mode should default to host if bridge does not exist #1114

Open kostapsimoulis opened 6 years ago

kostapsimoulis commented 6 years ago

Description

There are a few enterprises that do not allow ip_forward or bridge networking. On dockerd the default bridge network can be disabled by setting it to none: --bridge=none. When bridge networking is not present, the CLI should use the host network by default. The only workaround right now is to pass --net=host every time you run the client, but unfortunately there is no way to enforce this globally, and there is no solution to make the net=host option work with a multi-stage build compose file.

Steps to reproduce the issue:

  1. docker run -it alpine ash

Describe the results you received:

WARNING: IPv4 forwarding is disabled. Networking will not work.
/ #

Describe the results you expected: No warning and using net=host

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:      1.13.1-cs9
 API version:  1.27
 Go version:   go1.7.5
 Git commit:   1bc62a2
 Built:        Wed Dec 13 20:56:37 2017
 OS/Arch:      linux/amd64

Server:
 Version:      1.13.1-cs9
 API version:  1.27 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   1bc62a2
 Built:        Wed Dec 13 20:56:37 2017
 OS/Arch:      linux/amd64
 Experimental: false

Output of docker info:

Containers: 28
 Running: 1
 Paused: 0
 Stopped: 27
Images: 10
Server Version: 1.13.1-cs9
Storage Driver: overlay
 Backing Filesystem: xfs
 Supports d_type: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 6c463891b1ad274d505ae3bb738e530d1df2b3c7
runc version: 54296cf40ad8143b62dbcaa1d90e520a2136ddfe
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-693.21.1.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.4 (Maipo)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.51 GiB
Name: xxx-XXXXX.xxxx.xxx
ID: 2AWA:IH6P:DNWO:GWJD:273C:CEXN:KHYH:SZS7:E4NK:HBOP:W5QA:LBUY
Docker Root Dir: /app/var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Http Proxy: http://XXXXX:XXXX@XXXX.XXXX.XXXX:8080
Https Proxy: http://XXXXX:XXXX@XXXX.XXXX.XXXX:8080
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: IPv4 forwarding is disabled

Additional environment details (AWS, VirtualBox, physical, etc.):

There is no docker0 network:

docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
f13483c9bbb4        host                host                local
fa5836204847        none                null                local

jaswdr commented 6 years ago

The side effects of what you are proposing are some security problems. I think it is not a good one to let the containers see the host network interfaces as a fallback of bridge; someone with malicious intention can use this to get access to the host machine, something that does not happen if you have none.

thaJeztah commented 6 years ago

I don't think the client itself has this information (I should check, but I think the default is set by the daemon)

kostapsimoulis commented 6 years ago

Can the client do a "docker network ls" or an API call to the daemon to check whether or not there is bridge networking? If that is not possible, then another solution would be to specify in the client.json file that we want the "host" networking to be the default. Is that possible?

This would solve the other issue with the docker-compose and multi-stage builds. It looks like the networking option in the compose file is applied to the final container but it ignores it as an option for the build process. I understand that this might be a bug on the docker-compose side but I also believe that it's important to be able to change the default network for the client with a configuration file.
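
The check discussed in this thread can be done outside the CLI with a small wrapper. The following is an added example, not part of the original thread and not Docker's own code: it parses the `docker network ls` table shown in the issue and picks a network mode, treating the host fallback as an explicit opt-in because of the exposure concern raised above. The names `pick_network_mode`, `drun` and `ALLOW_HOST_FALLBACK`, and the sample bridge row, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function and variable names are hypothetical.

# Constructed sample: the `docker network ls` table from the issue (no bridge).
SAMPLE_NO_BRIDGE='NETWORK ID          NAME                DRIVER              SCOPE
f13483c9bbb4        host                host                local
fa5836204847        none                null                local'

# Constructed sample: the same table plus a made-up default bridge row.
SAMPLE_WITH_BRIDGE="$SAMPLE_NO_BRIDGE
0123456789ab        bridge              bridge              local"

# Read `docker network ls` output on stdin and print the mode to use.
# Policy: "bridge" when the default bridge network exists; otherwise "host"
# only if the operator set ALLOW_HOST_FALLBACK=1; otherwise "none", so a
# container never silently gains access to the host's network interfaces.
pick_network_mode() {
    # NR > 1 skips the header row; $2 is NAME and $3 is DRIVER.
    if awk 'NR > 1 && $2 == "bridge" && $3 == "bridge" { found = 1 }
            END { exit !found }'; then
        echo bridge
    elif [ "${ALLOW_HOST_FALLBACK:-0}" = "1" ]; then
        echo host
    else
        echo none
    fi
}

# Wrapper around `docker run`: an explicit --net/--network from the caller
# always wins; otherwise the mode chosen above is injected.
# Limitation: the scan also matches these flags if they appear in the
# container's own command line.
drun() {
    for arg in "$@"; do
        case "$arg" in
            --net|--net=*|--network|--network=*)
                docker run "$@"
                return ;;
        esac
    done
    mode=$(docker network ls | pick_network_mode) || return 1
    docker run --network "$mode" "$@"
}
```

With the daemon from the issue, `drun -it alpine ash` runs with `--network none` unless `ALLOW_HOST_FALLBACK=1` is exported, in which case it uses `--network host`.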