
Merge pull request #19276 from calavera/internal

[Carry 18926] Add network internal mode
David Calavera 9 years ago
parent
commit
0ee64127ae

+ 3 - 0
api/client/network.go

@@ -47,6 +47,8 @@ func (cli *DockerCli) CmdNetworkCreate(args ...string) error {
 	cmd.Var(flIpamAux, []string{"-aux-address"}, "auxiliary ipv4 or ipv6 addresses used by Network driver")
 	cmd.Var(flOpts, []string{"o", "-opt"}, "set driver specific options")
 
+	flInternal := cmd.Bool([]string{"-internal"}, false, "restricts external access to the network")
+
 	cmd.Require(flag.Exact, 1)
 	err := cmd.ParseFlags(args, true)
 	if err != nil {
@@ -72,6 +74,7 @@ func (cli *DockerCli) CmdNetworkCreate(args ...string) error {
 		IPAM:           network.IPAM{Driver: *flIpamDriver, Config: ipamCfg},
 		Options:        flOpts.GetAll(),
 		CheckDuplicate: true,
+		Internal:       *flInternal,
 	}
 
 	resp, err := cli.client.NetworkCreate(nc)
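Review bot: The help text for the new `--internal` flag describes the effect generically ("restricts external access to the network"), while the command reference added in this same PR (docs/reference/commandline/network_create.md) documents the mode only for `overlay` networks; one of the two should be adjusted so operators do not assume isolation on drivers where it may not apply. If the behaviour is driver-dependent, a help string such as `"restricts external access to the network (support depends on the network driver)"` would be more accurate; if it is not, the docs should say so instead. CmdNetworkCreate starts and ends outside the hunks shown here.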

+ 1 - 1
api/server/router/network/backend.go

@@ -13,7 +13,7 @@ type Backend interface {
 	GetNetworksByID(partialID string) []libnetwork.Network
 	GetAllNetworks() []libnetwork.Network
 	CreateNetwork(name, driver string, ipam network.IPAM,
-		options map[string]string) (libnetwork.Network, error)
+		options map[string]string, internal bool) (libnetwork.Network, error)
 	ConnectContainerToNetwork(containerName, networkName string, endpointConfig *network.EndpointSettings) error
 	DisconnectContainerFromNetwork(containerName string,
 		network libnetwork.Network) error
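Review bot: `CreateNetwork` now takes a trailing positional `internal bool`, which reads as a bare true/false at every call site (see `n.backend.CreateNetwork(..., create.Options, create.Internal)` in network_routes.go) and will keep growing as further network options land. A cleaner shape is to pass the request struct the router already has (it appears to be the `create` value in postNetworkCreate) or a small options struct, so new fields do not require touching the interface and every implementation again. The `Backend` interface continues outside the hunk, so this is a style point on the changed signature only.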

+ 1 - 1
api/server/router/network/network_routes.go

@@ -92,7 +92,7 @@ func (n *networkRouter) postNetworkCreate(ctx context.Context, w http.ResponseWr
 		warning = fmt.Sprintf("Network with name %s (id : %s) already exists", nw.Name(), nw.ID())
 	}
 
-	nw, err = n.backend.CreateNetwork(create.Name, create.Driver, create.IPAM, create.Options)
+	nw, err = n.backend.CreateNetwork(create.Name, create.Driver, create.IPAM, create.Options, create.Internal)
 	if err != nil {
 		return err
 	}

+ 4 - 1
daemon/network.go

@@ -101,7 +101,7 @@ func (daemon *Daemon) GetAllNetworks() []libnetwork.Network {
 }
 
 // CreateNetwork creates a network with the given name, driver and other optional parameters
-func (daemon *Daemon) CreateNetwork(name, driver string, ipam network.IPAM, options map[string]string) (libnetwork.Network, error) {
+func (daemon *Daemon) CreateNetwork(name, driver string, ipam network.IPAM, options map[string]string, internal bool) (libnetwork.Network, error) {
 	c := daemon.netController
 	if driver == "" {
 		driver = c.Config().Daemon.DefaultDriver
@@ -116,6 +116,9 @@ func (daemon *Daemon) CreateNetwork(name, driver string, ipam network.IPAM, opti
 
 	nwOptions = append(nwOptions, libnetwork.NetworkOptionIpam(ipam.Driver, "", v4Conf, v6Conf, nil))
 	nwOptions = append(nwOptions, libnetwork.NetworkOptionDriverOpts(options))
+	if internal {
+		nwOptions = append(nwOptions, libnetwork.NetworkOptionInternalNetwork())
+	}
 	n, err := c.NewNetwork(driver, name, nwOptions...)
 	if err != nil {
 		return nil, err
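Review bot: The doc comment on `CreateNetwork` (first hunk of this section) was not updated for the new `internal` parameter, even though the signature on the following line now carries it; suggested wording: `// CreateNetwork creates a network with the given name, driver and other optional parameters. When internal is true the network is created with libnetwork.NetworkOptionInternalNetwork, which restricts external access to it.` In the second hunk the option is appended regardless of the selected driver, and nothing visible here checks whether that driver honours it; if libnetwork silently ignores the option for a driver, a caller who asked for an isolated network gets a connected one with no error, which is the outcome an isolation feature should fail loudly on rather than degrade to — worth confirming against libnetwork and, if so, rejecting unsupported driver/internal combinations here. The function body continues past the end of the hunk.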

+ 1 - 0
docs/reference/api/docker_remote_api.md

@@ -114,6 +114,7 @@ This section lists each version from latest to oldest.  Each listing includes a
 * `POST /containers/create` now allows you to set the static IPv4 and/or IPv6 address for the container.
 * `POST /networks/(id)/connect` now allows you to set the static IPv4 and/or IPv6 address for the container.
 * `GET /info` now includes the number of containers running, stopped, and paused.
+* `POST /networks/create` now supports restricting external access to the network by setting the `internal` field.
 
 ### v1.21 API changes
 

+ 3 - 1
docs/reference/api/docker_remote_api_v1.22.md

@@ -2985,13 +2985,15 @@ Content-Type: application/json
 
 {
   "Name":"isolated_nw",
-  "Driver":"bridge"
+  "Driver":"bridge",
   "IPAM":{
     "Config":[{
       "Subnet":"172.20.0.0/16",
       "IPRange":"172.20.10.0/24",
       "Gateway":"172.20.10.11"
     }]
+  },
+  "Internal":true
 }
 ```
 

+ 6 - 0
docs/reference/commandline/network_create.md

@@ -18,6 +18,7 @@ parent = "smn_cli"
     -d --driver=DRIVER       Driver to manage the Network bridge or overlay. The default is bridge.
     --gateway=[]             ipv4 or ipv6 Gateway for the master subnet
     --help                   Print usage
+    --internal               Restricts external access to the network
     --ip-range=[]            Allocate container ip from a sub-range
     --ipam-driver=default    IP Address Management Driver
     -o --opt=map[]           Set custom network plugin options
@@ -120,6 +121,11 @@ docker network create -d overlay
 ```
 Be sure that your subnetworks do not overlap. If they do, the network create fails and Engine returns an error.
 
+### Network internal mode
+
+By default, when you connect a container to an `overlay` network, Docker also connects a bridge network to it to provide external connectivity.
+If you want to create an externally isolated `overlay` network, you can specify the `--internal` option.
+
 ## Related information
 
 * [network inspect](network_inspect.md)

+ 9 - 0
man/docker-network-create.1.md

@@ -10,6 +10,7 @@ docker-network-create - create a new network
 [**-d**|**--driver**=*DRIVER*]
 [**--gateway**=*[]*]
 [**--help**]
+[**--internal**]
 [**--ip-range**=*[]*]
 [**--ipam-driver**=*default*]
 [**-o**|**--opt**=*map[]*]
@@ -120,6 +121,11 @@ docker network create -d overlay
 ```
 Be sure that your subnetworks do not overlap. If they do, the network create fails and Engine returns an error.
 
+### Network internal mode
+
+By default, when you connect a container to an `overlay` network, Docker also connects a bridge network to it to provide external connectivity.
+If you want to create an externally isolated `overlay` network, you can specify the `--internal` option.
+
 # OPTIONS
 **--aux-address**=map[]
   Auxiliary ipv4 or ipv6 addresses used by network driver
@@ -133,6 +139,9 @@ Be sure that your subnetworks do not overlap. If they do, the network create fai
 **--help**
   Print usage
 
+**--internal**
+  Restricts external access to the network
+
 **--ip-range**=[]
   Allocate container ip from a sub-range