Holepunching failing with linux iptables - docker

I am trying to test a custom made hole punching library. I want to setup a simulator using Docker. There are 3 subnets:
2 nated ones (172.30.0.0/16 and 172.31.0.0/16), with one Debian machine each playing the role of NAT instances. They are running the following iptable config.
1 other "public" subnet (172.29.0.0/16) where both NAT instances have an IP (172.29.0.3 and 172.29.0.4).
A node in one NATed subnet (172.30.0.10) is trying to communicate with one in the other one (172.31.0.10)
The iptables rules for the subnets are are defined by the following script:
#!/bin/bash
# Required env:
# NATED_SUBNET the source subnet
# OUTPUT_IP the ip of the output ("public" network) interface
# INPUT_IP the ip of the input (NATed network) interface
# OUTPUT_GATEWAY_IP the ip of the gateway in the output network
set -e -o xtrace
OUTPUT_IFNAME=$(ip -br addr show | grep $OUTPUT_IP | cut -d "#" -f 1)
# enable access to public internet
ip route replace default via $OUTPUT_GATEWAY_IP dev $OUTPUT_IFNAME
# setup syslogs
iptables -I FORWARD -s $NATED_SUBNET -d 0/0 -j NFLOG --nflog-prefix "[nated|FORWARD|OUT]:" --nflog-group 1
iptables -I FORWARD -s 0/0 -d $NATED_SUBNET -j NFLOG --nflog-prefix "[nated|FORWARD|IN]:" --nflog-group 1
iptables -N LOG_DROP
iptables -A LOG_DROP -j NFLOG --nflog-prefix "[nated|DROP]:" --nflog-group 1
iptables -A LOG_DROP -j DROP
iptables -t nat -A POSTROUTING -s $NATED_SUBNET -o $OUTPUT_IFNAME -j MASQUERADE
iptables -A INPUT -j LOG_DROP
I get the following logs
docker-router2-1 | Feb 5 18:21:11 69e0e4683741 [nated|FORWARD|OUT]: IN=eth0 OUT=eth1 MAC=02:42:ac:1f:00:03:02:42:ac:1f:00:0a:08:00 SRC=172.31.0.10 DST=172.29.0.3 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=35566 DF PROTO=TCP SPT=8080 DPT=56943 SEQ=3939548479 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0
docker-router1-1 | Feb 5 18:21:11 86ed5150c6b9 [nated|DROP]: IN=eth1 OUT= MAC=02:42:ac:1d:00:03:02:42:ac:1d:00:04:08:00 SRC=172.29.0.4 DST=172.29.0.3 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=35566 DF PROTO=TCP SPT=8080 DPT=56943 SEQ=3939548479 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0
docker-router1-1 | Feb 5 18:21:12 86ed5150c6b9 [nated|FORWARD|OUT]: IN=eth0 OUT=eth1 MAC=02:42:ac:1e:00:03:02:42:ac:1e:00:0a:08:00 SRC=172.30.0.10 DST=172.29.0.4 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=7623 DF PROTO=TCP SPT=56943 DPT=8080 SEQ=491450156 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0
docker-router1-1 | Feb 5 18:21:12 86ed5150c6b9 [nated|DROP]: IN=eth1 OUT= MAC=02:42:ac:1d:00:03:02:42:ac:1d:00:04:08:00 SRC=172.31.0.10 DST=172.29.0.3 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=56943 SEQ=3955213225 ACK=491450157 WINDOW=65160 ACK SYN URGP=0 MARK=0
docker-router2-1 | Feb 5 18:21:12 69e0e4683741 [nated|FORWARD|IN]: IN=eth1 OUT=eth0 MAC=02:42:ac:1d:00:04:02:42:ac:1d:00:03:08:00 SRC=172.29.0.3 DST=172.31.0.10 LEN=60 TOS=00 PREC=0x00 TTL=62 ID=7623 DF PROTO=TCP SPT=56943 DPT=8080 SEQ=491450156 ACK=0 WINDOW=64240 SYN URGP=0 MARK=0
docker-router2-1 | Feb 5 18:21:12 69e0e4683741 [nated|FORWARD|OUT]: IN=eth0 OUT=eth1 MAC=02:42:ac:1f:00:03:02:42:ac:1f:00:0a:08:00 SRC=172.31.0.10 DST=172.29.0.3 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=56943 SEQ=3955213225 ACK=491450157 WINDOW=65160 ACK SYN URGP=0 MARK=0
Note: The order of logs is not perfect because logs from different hosts are gathered by Docker Compose in a somewhat arbitrary order.
What we can see though is that:
the first SYN that is supposed to do the punching of docker-router2-1 goes through it and is dropped by docker-router1-1 as expected
the connection from the client behind docker-router1-1 then seems to go through docker-router2-1 thanks to the punching
the server behind docker-router2-1 returns SYN-ACK, still as expected
but docker-router2-1 does not seem to replace the source IP of the SYN-ACK properly -> docker-router1-1 receives it with SRC=172.31.0.10 instead of SRC=172.29.0.4 and hence drops it
What is wrong with the setup?
Edit: I recorded the conntrack output on the routers:
simulator-router2-1 | tcp 6 118 SYN_SENT2 src=172.31.0.10 dst=172.29.0.3 sport=8080 dport=42773 src=172.29.0.3 dst=172.29.0.4 sport=42773 dport=8080 mark=0 use=1
simulator-router1-1 | tcp 6 110 SYN_SENT src=172.30.0.10 dst=172.29.0.4 sport=42773 dport=8080 [UNREPLIED] src=172.29.0.4 dst=172.29.0.3 sport=8080 dport=42773 mark=0 use=1

Related

Docker rootless

I want to launch a Docker container in a host from a rootless container.
Example:
I have an Ubuntu VM running: gcr.io/news-ml-257304/mycontainer:latest which is rootless.
From this container I want to be able to execute this command:
docker run --network=host -v {connection_file}:/connection-spec gcr.io/news-ml-257304/mycontainer2
and mycontainer2 should start in Ubuntu VM . (Outside mycontainer). Is it possible?
I installed Docker rootless successfully. I can run a rootless container mycontainer successfully.
I'm currently following this guide:
https://docs.docker.com/engine/security/rootless/#prerequisites
docker -v
Docker version 20.10.12, build e91ed57
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
In Host machine:
echo $DOCKER_HOST
unix:///run/user/1000/docker.sock
systemctl --user status docker
● docker.service - Docker Application Container Engine (Rootless)
Loaded: loaded (/home/gogasca/.config/systemd/user/docker.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2022-02-13 01:16:14 UTC; 9min ago
Docs: https://docs.docker.com/go/rootless/
Main PID: 28166 (rootlesskit)
CGroup: /user.slice/user-1000.slice/user#1000.service/docker.service
├─28166 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propaga
├─28177 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --prop
├─28195 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 28177 tap0
├─28202 dockerd
├─28217 containerd --config /run/user/1000/docker/containerd/containerd.toml --log-level info
├─29019 fuse-overlayfs -o lowerdir=/home/gogasca/.local/share/docker/fuse-overlayfs/l/QJ2Y7NAKB4N3ABA4CVINPOT64L:/home/gogasca/.local/share/docker/fuse-overlayfs/l/ZDXAGGP2VO2K7FWWEZYSJ2FK5
├─29026 /usr/bin/rootlesskit-docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8080 -container-ip 172.17.0.2 -container-port 8080
├─29031 docker-proxy -container-ip 172.17.0.2 -container-port 8080 -host-ip 127.0.0.1 -host-port 8080 -proto tcp
├─29047 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 624b2dbfc5f54272ef8fdf8a5a59da9d3be0d1292e2fdd2f2b22bd0ac0aee21b -address /run/user/1000/docker/containerd/containerd.sock
└─29068 /opt/conda/bin/python3.7 /opt/conda/bin/jupyter-lab --ip=0.0.0.0 --port=8080 --no-browser --allow-root --NotebookApp.token= --NotebookApp.password= --ServerApp.allow_origin=*
Feb 13 01:16:14 a-experiment-debian dockerd-rootless.sh[28166]: time="2022-02-13T01:16:14.516248592Z" level=info msg="Loading containers: start."
Feb 13 01:16:14 a-experiment-debian dockerd-rootless.sh[28166]: time="2022-02-13T01:16:14.889430212Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon opti
Feb 13 01:16:14 a-experiment-debian dockerd-rootless.sh[28166]: time="2022-02-13T01:16:14.977066622Z" level=info msg="Loading containers: done."
Feb 13 01:16:14 a-experiment-debian dockerd-rootless.sh[28166]: time="2022-02-13T01:16:14.992309698Z" level=info msg="Docker daemon" commit=459d0df graphdriver(s)=fuse-overlayfs version=20.10.12
Feb 13 01:16:14 a-experiment-debian dockerd-rootless.sh[28166]: time="2022-02-13T01:16:14.992798123Z" level=info msg="Daemon has completed initialization"
Feb 13 01:16:15 a-experiment-debian dockerd-rootless.sh[28166]: time="2022-02-13T01:16:15.023274713Z" level=info msg="API listen on /run/user/1000/docker.sock"
Feb 13 01:19:20 a-experiment-debian dockerd-rootless.sh[28166]: time="2022-02-13T01:19:20.515794206Z" level=info msg="starting signal loop" namespace=moby path=/run/.ro729122400/user/1000/docker/conta
This is how I start mycontainer
docker run -d -p 127.0.0.1:8080:8080/tcp gcr.io/news-ml-257304/mycontainer:latest -v /home/gogasca/local/:/home/jupyter -e DOCKER_HOST=$DOCKER_HOST
When I access mycontainer and check docker I get:
docker exec -it 624b2dbfc5f5 /bin/bash
docker ps
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
In Host:
echo $DOCKER_HOST
unix:///run/user/1000/docker.sock
In mycontainer DOCKER_HOST shows empty
echo $DOCKER_HOST

This post is five months old, so you've probably already figured this out, but:
Try adding
-v /run/user/1000/docker.sock:/var/run/docker.sock

I got [Errno 13] Permission denied: './docker-compose.yml' running docker

I installed docker on kubuntu 18 , but I got error
$ docker-compose up -d --build
ERROR: .PermissionError: [Errno 13] Permission denied: './docker-compose.yml'
Reading branch
docker error: .IOError: [Errno 13] Permission denied: "./docker-compose.yml"
I tried to salve it :
username#ubuntuOS:/ProjectPath/DOCKER$ sudo groupadd docker
[sudo] password for username:
groupadd: group 'docker' already exists
username#ubuntuOS:/ProjectPath/DOCKER$ sudo gpasswd -a $USER docker
Adding user username to group docker
username#ubuntuOS:/ProjectPath/DOCKER$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
username#ubuntuOS:/ProjectPath/DOCKER$ docker-compose logs -f
ERROR: .PermissionError: [Errno 13] Permission denied: './docker-compose.yml'
username#ubuntuOS:/ProjectPath/DOCKER$ sudo dpkg-reconfigure apparmor
Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
username#ubuntuOS:/ProjectPath/DOCKER$ docker-compose up -d --build
ERROR: .PermissionError: [Errno 13] Permission denied: './docker-compose.yml'
username#ubuntuOS:/ProjectPath/DOCKER$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.docker.compose
username#ubuntuOS:/ProjectPath/DOCKER$ docker-compose up -d --build
ERROR: .PermissionError: [Errno 13] Permission denied: './docker-compose.yml'
But Failed.
My docker-compose.yml :
version: '3.3'
services:
web:
build:
context: ./ # directory of web/Dockerfile.yml
dockerfile: Dockerfile.yml
container_name: lar_nginx_web
# restart: always
working_dir: /var/www/
volumes:
- ../:/var/www
nginx:
image: nginx:1.19-alpine
container_name: lar_nginx_nginx
# restart: always
ports:
- '8084:80'
# http://127.0.0.1:8000
volumes:
- ../:/var/www
- ./nginx:/etc/nginx/conf.d
db:
container_name: lar_nginx_db
image: mysql:5.7.28
# image: mysql:8.0.21
# restart: always
environment:
- MYSQL_DATABASE=DockerLarNginx
- MYSQL_USER=docker_user
- MYSQL_PASSWORD=4321
- MYSQL_ALLOW_EMPTY_PASSWORD=false
- MYSQL_ROOT_PASSWORD=321
- TZ=Europe/Kiev
volumes:
- /var/lib/mysql
phpmyadmin:
container_name: lar_nginx_phpmyadmin
depends_on:
- db
image: phpmyadmin/phpmyadmin
# restart: always
ports:
- 8085:80
environment:
PMA_HOST: db
MYSQL_ROOT_PASSWORD: 1
composer:
image: composer:2.1
container_name: lar_nginx_composer
volumes:
- ./:/var/www
working_dir: /var/www
command: composer install --ignore-platform-reqs
Project directory :
$ ls -l
total 16
-rwxrwxrwx 1 root root 940 Sep 5 16:39 BySteps.txt
-rwxrwxrwx 1 root root 1561 Sep 5 16:56 docker-compose.yml
-rwxrwxrwx 1 root root 1094 Sep 5 09:15 Dockerfile.yml
drwxrwxrwx 1 root root 0 Sep 2 08:21 nginx
-rwxrwxrwx 1 root root 805 Oct 20 2019 virtualhost.conf
How can it be fixed ?
Modified Block:
Searching for decision I found a hints
I might want to turn off apparmor and check if it works without
But Stopping apparmor I got errors:
username#ubuntuOS:ProjectPath$ sudo systemctl stop apparmor
username#ubuntuOS:ProjectPath$ sudo systemctl enable docker
Synchronizing state of docker.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable docker
Failed to enable unit: Unit file /etc/systemd/system/docker.service is masked.
username#ubuntuOS:ProjectPath$ sudo systemctl start docker
Failed to start docker.service: Unit docker.service is masked.
username#ubuntuOS:ProjectPath$ sudo systemctl start apparmor
If my Docker installation is from Snap?
I installed with command :
sudo apt-get install docker-ce
Is it snap installation?
docker info
Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
Server:
ERROR: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
errors pretty printing info
In which way have I to check is it snap installation and how my errors depends on it ?
I failed to run docker :
$ sudo systemctl enable docker
Synchronizing state of docker.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable docker
Failed to enable unit: Unit file /etc/systemd/system/docker.service is masked.
$ sudo systemctl start docker
Failed to start docker.service: Unit docker.service is masked.
In my Synaptic I found installed packages:
snap
location of genes from DNA sequence with hidden markov model
and
apparmor
user-space parser utility for AppArmor
I have some prior docker expierence, but I did not have such problems.
How these can be fixed?
Modified Block # 2:
username#ubuntuOS:/ProjectPath//DOCKER$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
username#ubuntuOS:/ProjectPath//DOCKER$ sudo systemctl unmask docker && sudo systemctl start docker
Removed /etc/systemd/system/docker.service.
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xe" for details.
username#ubuntuOS:/ProjectPath//DOCKER$ docker-compose
Define and run multi-container applications with Docker.
Usage:
docker-compose [-f <arg>...] [options] [COMMAND] [ARGS...]
docker-compose -h|--help
Options:
-f, --file FILE Specify an alternate compose file
(default: docker-compose.yml)
-p, --project-name NAME Specify an alternate project name
(default: directory name)
--verbose Show more output
--log-level LEVEL Set log level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
--no-ansi Do not print ANSI control characters
-v, --version Print version and exit
-H, --host HOST Daemon socket to connect to
--tls Use TLS; implied by --tlsverify
--tlscacert CA_PATH Trust certs signed only by this CA
--tlscert CLIENT_CERT_PATH Path to TLS certificate file
--tlskey TLS_KEY_PATH Path to TLS key file
--tlsverify Use TLS and verify the remote
--skip-hostname-check Don't check the daemon's hostname against the
name specified in the client certificate
--project-directory PATH Specify an alternate working directory
(default: the path of the Compose file)
--compatibility If set, Compose will attempt to convert keys
in v3 files to their non-Swarm equivalent
--env-file PATH Specify an alternate environment file
Commands:
build Build or rebuild services
config Validate and view the Compose file
create Create services
down Stop and remove containers, networks, images, and volumes
events Receive real time events from containers
exec Execute a command in a running container
help Get help on a command
images List images
kill Kill containers
logs View output from containers
pause Pause services
port Print the public port for a port binding
ps List containers
pull Pull service images
push Push service images
restart Restart services
rm Remove stopped containers
run Run a one-off command
scale Set number of containers for a service
start Start services
stop Stop services
top Display the running processes
unpause Unpause services
up Create and start containers
version Show the Docker-Compose version information
username#ubuntuOS:/ProjectPath//DOCKER$ sudo tail -f /var/log/syslog
Sep 15 06:40:28 ubuntuOS systemd[3516]: Failed to start snap.docker.compose.2c72d705-91cd-406c-a3eb-bcbdbcfed2d5.scope.
Sep 15 06:40:30 ubuntuOS kernel: [ 1169.609359] audit: type=1400 audit(1631677230.198:65): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/proc/14125/mounts" pid=14125 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 15 06:40:30 ubuntuOS kernel: [ 1169.738542] audit: type=1400 audit(1631677230.330:66): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/ProjectPath//DOCKER/docker-compose.yml" pid=14125 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 15 06:40:30 ubuntuOS kernel: [ 1169.738565] audit: type=1400 audit(1631677230.330:67): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/ProjectPath//DOCKER/docker-compose.yml" pid=14125 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 15 06:40:39 ubuntuOS kernel: [ 1178.543524] [UFW BLOCK] IN=enp4s0 OUT= MAC=44:8a:5b:ee:2a:dd:c8:e7:f0:6e:fc:29:08:00 SRC=176.10.192.176 DST=213.109.234.130 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=40086 DF PROTO=TCP SPT=44902 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 15 06:41:06 ubuntuOS systemd[3516]: snap.docker.compose.009e07fe-8e69-4d56-a1ad-be6649422dc1.scope: Failed to add PIDs to scope's control group: Permission denied
Sep 15 06:41:06 ubuntuOS systemd[3516]: snap.docker.compose.009e07fe-8e69-4d56-a1ad-be6649422dc1.scope: Failed with result 'resources'.
Sep 15 06:41:06 ubuntuOS systemd[3516]: Failed to start snap.docker.compose.009e07fe-8e69-4d56-a1ad-be6649422dc1.scope.
Sep 15 06:41:07 ubuntuOS kernel: [ 1206.991294] audit: type=1400 audit(1631677267.581:68): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/proc/14166/mounts" pid=14166 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 15 06:41:08 ubuntuOS kernel: [ 1208.265731] [UFW BLOCK] IN=enp4s0 OUT= MAC=44:8a:5b:ee:2a:dd:c8:e7:f0:6e:fc:29:08:00 SRC=104.140.188.18 DST=213.109.234.130 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=50654 PROTO=TCP SPT=56649 DPT=8888 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 15 06:41:24 ubuntuOS kernel: [ 1223.876776] [UFW BLOCK] IN=enp4s0 OUT= MAC=44:8a:5b:ee:2a:dd:c8:e7:f0:6e:fc:29:08:00 SRC=176.67.84.17 DST=213.109.234.130 LEN=58 TOS=0x00 PREC=0x00 TTL=122 ID=7917 PROTO=UDP SPT=61585 DPT=6881 LEN=38
Sep 15 06:41:37 ubuntuOS kernel: [ 1237.119996] [UFW BLOCK] IN=enp4s0 OUT= MAC=44:8a:5b:ee:2a:dd:c8:e7:f0:6e:fc:29:08:00 SRC=185.76.147.123 DST=213.109.234.130 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=61449 PROTO=TCP SPT=41688 DPT=3556 WINDOW=1024 RES=0x00 SYN URGP=0
Modified Block # 3:
username#ubuntuOS:/ProjectPath/DOCKER$ sudo systemctl start docker
[sudo] password for username:
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xe" for details.
username#ubuntuOS:/ProjectPath/DOCKER$ sudo journalctl -xe
Sep 16 06:31:15 ubuntuOS kernel: [UFW BLOCK] IN=enp4s0 OUT= MAC=44:8a:5b:ee:2a:dd:c8:e7:f0:6e:fc:29:08:00 SRC=125.64.94.144 DST=213.109.234.130 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=54321 PROTO=TCP SPT=48901 DPT=17988 WINDOW=65535 RES=0x00
Sep 16 06:31:23 ubuntuOS kernel: [UFW BLOCK] IN=enp4s0 OUT= MAC=44:8a:5b:ee:2a:dd:c8:e7:f0:6e:fc:29:08:00 SRC=193.27.229.54 DST=213.109.234.130 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54084 PROTO=TCP SPT=55154 DPT=47319 WINDOW=1024 RES=0x00 S
Sep 16 06:31:42 ubuntuOS kernel: [UFW BLOCK] IN=enp4s0 OUT= MAC=44:8a:5b:ee:2a:dd:c8:e7:f0:6e:fc:29:08:00 SRC=192.241.220.215 DST=213.109.234.130 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=51354 DPT=443 WINDOW=65535 RES=0x00
Sep 16 06:32:08 ubuntuOS kernel: [UFW BLOCK] IN=enp4s0 OUT= MAC=44:8a:5b:ee:2a:dd:c8:e7:f0:6e:fc:29:08:00 SRC=193.27.229.54 DST=213.109.234.130 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=55215 PROTO=TCP SPT=55154 DPT=30869 WINDOW=1024 RES=0x00 S
Sep 16 06:32:09 ubuntuOS sudo[12849]: username : TTY=pts/5 ; PWD=/ProjectPath/DOCKER ; USER=root ; COMMAND=/bin/systemctl start docker
Sep 16 06:32:09 ubuntuOS sudo[12849]: pam_unix(sudo:session): session opened for user root by username(uid=0)
Sep 16 06:32:09 ubuntuOS systemd[1]: Starting LSB: Create lightweight, portable, self-sufficient containers....
-- Subject: Unit docker.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit docker.service has begun starting up.
Sep 16 06:32:09 ubuntuOS docker[12852]: * /usr/bin/dockerd not present or not executable
Sep 16 06:32:09 ubuntuOS sudo[12849]: pam_unix(sudo:session): session closed for user root
Sep 16 06:32:09 ubuntuOS systemd[1]: docker.service: Control process exited, code=exited status=1
Sep 16 06:32:09 ubuntuOS systemd[1]: docker.service: Failed with result 'exit-code'.
Sep 16 06:32:09 ubuntuOS systemd[1]: Failed to start LSB: Create lightweight, portable, self-sufficient containers..
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit docker.service has failed.
--
-- The result is RESULT.
Sep 16 06:32:28 ubuntuOS kernel: [UFW BLOCK] IN=enp4s0 OUT= MAC=44:8a:5b:ee:2a:dd:c8:e7:f0:6e:fc:29:08:00 SRC=40.124.92.24 DST=213.109.234.130 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=52505 PROTO=TCP SPT=53846 DPT=2375 WINDOW=1024 RES=0x00 SYN
Sep 16 06:32:29 ubuntuOS sudo[12904]: username : TTY=pts/5 ; PWD=/ProjectPath/DOCKER ; USER=root ; COMMAND=/bin/journalctl -xe
Sep 16 06:32:29 ubuntuOS sudo[12904]: pam_unix(sudo:session): session opened for user root by username(uid=0)
-- Reboot --
Jan 25 17:55:16 ubuntuOS systemd-timedated[13988]: Changed local time to Wed Jan 25 17:55:16 2023
-- Subject: Time change
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The system clock has been changed to 1674662116924753 microseconds after January 1st, 1970.
Jan 25 17:55:16 ubuntuOS anacron[14008]: Anacron 2.3 started on 2023-01-25
Jan 25 17:55:16 ubuntuOS systemd[1]: Starting Daily apt download activities...
-- Subject: Unit apt-daily.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit apt-daily.service has begun starting up.
Jan 25 17:55:16 ubuntuOS anacron[14008]: Will run job `cron.daily' in 5 min.
Jan 25 17:55:16 ubuntuOS systemd[1]: Starting Message of the Day...
-- Subject: Unit motd-news.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit motd-news.service has begun starting up.
Jan 25 17:55:16 ubuntuOS anacron[14008]: Will run job `cron.weekly' in 10 min.
Jan 25 17:55:16 ubuntuOS systemd[1]: Starting Clean php session files...
-- Subject: Unit phpsessionclean.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit phpsessionclean.service has begun starting up.
--
-- The result is RESULT.
Sep 16 06:32:28 ubuntuOS kernel: [UFW BLOCK] IN=enp4s0 OUT= MAC=44:8a:5b:ee:2a:dd:c8:e7:f0:6e:fc:29:08:00 SRC=40.124.92.24 DST=213.109.234.130 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=52505 PROTO=TCP SPT=53846 DPT=2375 WINDOW=1024 RES=0x00 SYN
Sep 16 06:32:29 ubuntuOS sudo[12904]: username : TTY=pts/5 ; PWD=/ProjectPath/DOCKER ; USER=root ; COMMAND=/bin/journalctl -xe
Sep 16 06:32:29 ubuntuOS sudo[12904]: pam_unix(sudo:session): session opened for user root by username(uid=0)
-- Reboot --
Jan 25 17:55:16 ubuntuOS systemd-timedated[13988]: Changed local time to Wed Jan 25 17:55:16 2023
-- Subject: Time change
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The system clock has been changed to 1674662116924753 microseconds after January 1st, 1970.
Jan 25 17:55:16 ubuntuOS anacron[14008]: Anacron 2.3 started on 2023-01-25
Jan 25 17:55:16 ubuntuOS systemd[1]: Starting Daily apt download activities...
-- Subject: Unit apt-daily.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit apt-daily.service has begun starting up.
Jan 25 17:55:16 ubuntuOS anacron[14008]: Will run job `cron.daily' in 5 min.
Jan 25 17:55:16 ubuntuOS systemd[1]: Starting Message of the Day...
-- Subject: Unit motd-news.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit motd-news.service has begun starting up.
Jan 25 17:55:16 ubuntuOS anacron[14008]: Will run job `cron.weekly' in 10 min.
Jan 25 17:55:16 ubuntuOS systemd[1]: Starting Clean php session files...
-- Subject: Unit phpsessionclean.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit phpsessionclean.service has begun starting up.
Jan 25 17:55:16 ubuntuOS anacron[14008]: Will run job `cron.monthly' in 15 min.
Jan 25 17:55:16 ubuntuOS systemd[1]: Starting Discard unused blocks...
-- Subject: Unit fstrim.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit fstrim.service has begun starting up.
Jan 25 17:55:16 ubuntuOS anacron[14008]: Jobs will be executed sequentially
Jan 25 17:55:16 ubuntuOS systemd[1]: Started Run anacron jobs.
-- Subject: Unit anacron.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit anacron.service has finished starting up.
--
-- The start-up result is RESULT.
Jan 25 17:55:16 ubuntuOS systemd[1]: Started Message of the Day.
-- Subject: Unit motd-news.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit motd-news.service has finished starting up.
Thanks!

It is the permissions to this file: docker-compose.yml?
ERROR: .PermissionError: [Errno 13] Permission denied: './docker-compose.yml'
I had an error similar with MySQL server and simply allowing permission to write to this file solved the issue.
Good luck!

Access the port mapped by the docker container :curl: (56) Recv failure: Connection reset by peer

Use host and br to start two containers
docker run -d --name="nginx_host" --net="host" nginx
docker run -d --name nginx_br -p 8000:80 nginx
View the container list
[root#docker_base ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2754b6f0d93e nginx "/docker-entrypoint.…" 2 hours ago Up 2 hours 0.0.0.0:8000->80/tcp nginx_br
cb73872caa94 nginx "/docker-entrypoint.…" 2 hours ago Up 2 hours nginx_host
Show the problem
[root#docker_base ~]# curl localhost:8000
curl: (56) Recv failure: Connection reset by peer
[root#docker_base ~]# curl localhost:80
<!DOCTYPE html>
<html>
<head>
Why nginx_br can not be accessed?
========================
Some information
[root#docker_base ~]# systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
Active: active (running) since 二 2021-03-16 17:12:51 CST; 1h 49min ago
Docs: https://docs.docker.com
Main PID: 2278 (dockerd)
CGroup: /system.slice/docker.service
├─2278 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
└─2975 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8000 -container-ip 172.17.0.2 -container-port 80
3月 16 17:12:50 docker_base dockerd[2278]: time="2021-03-16T17:12:50.364215347+08:00" level=warning msg="[graphdriver] WARNING: the devicemapper storage-dr...e release"
3月 16 17:12:51 docker_base dockerd[2278]: time="2021-03-16T17:12:50.999168695+08:00" level=warning msg="Unable to find pids cgroup in mounts"
3月 16 17:12:51 docker_base dockerd[2278]: time="2021-03-16T17:12:51.000925360+08:00" level=info msg="Loading containers: start."
3月 16 17:12:51 docker_base dockerd[2278]: time="2021-03-16T17:12:51.298066663+08:00" level=info msg="Loading containers: done."
3月 16 17:12:51 docker_base dockerd[2278]: time="2021-03-16T17:12:51.754027070+08:00" level=info msg="Docker daemon" commit=363e9a8 graphdriver(s)=devicema...on=20.10.4
3月 16 17:12:51 docker_base dockerd[2278]: time="2021-03-16T17:12:51.754707862+08:00" level=info msg="Daemon has completed initialization"
3月 16 17:12:51 docker_base systemd[1]: Started Docker Application Container Engine.
3月 16 17:12:51 docker_base dockerd[2278]: time="2021-03-16T17:12:51.869090242+08:00" level=info msg="API listen on /var/run/docker.sock"
3月 16 17:19:45 docker_base dockerd[2278]: time="2021-03-16T17:19:45.903746502+08:00" level=info msg="ignoring event" container=3edc61d736b71ba79f5ed3b09fe...askDelete"
3月 16 18:51:45 docker_base dockerd[2278]: time="2021-03-16T18:51:45.978054059+08:00" level=info msg="ignoring event" container=c5959e50dfa8524bfefe60f8a01...askDelete"
Hint: Some lines were ellipsized, use -l to show in full.
[root#docker_base ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.000000000000 no vetha8d3493
[root#docker_base ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Here are some environment and network details

I could not solve it by restarting docker.
but,I set docker0 to promiscuous mode.This problem is solved
ifconfig docker0 promisc

Try to run the server in your Docker Container with ip 0.0.0.0 instead of localhost

Can't start docker service after updating to 1.12.6-176.1 in OpenSUSE:

I have updated docker in my OpenSUSE 13.2.
After some tests I see that -H flag in /etc/sysconfig/docker is causing dockerd not to start, but I need it to enable port 2375 or 2376 (as it has been working OK for months). With it, TSL or not TSL, all or any port, docker will not start. I have tried binding to 0.0.0.0, localhost, ...
-- Logs begin at Tue 2016-10-25 12:48:00 CEST, end at Thu 2017-02-02 23:02:35 CET. --
Feb 02 23:01:35 ezequiel dockerd[22661]: time="2017-02-02T23:01:35.134216922+01:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Feb 02 23:01:35 ezequiel dockerd[22661]: time="2017-02-02T23:01:35.247510727+01:00" level=info msg="Loading containers: done."
Feb 02 23:01:35 ezequiel dockerd[22661]: time="2017-02-02T23:01:35.247659069+01:00" level=info msg="Daemon has completed initialization"
Feb 02 23:01:35 ezequiel dockerd[22661]: time="2017-02-02T23:01:35.247709386+01:00" level=info msg="Docker daemon" commit=78d1802 graphdriver=btrfs version=1.12.6
Feb 02 23:01:35 ezequiel dockerd[22661]: time="2017-02-02T23:01:35.267370317+01:00" level=info msg="API listen on 192.168.100.1:2375"
Feb 02 23:02:35 ezequiel docker_service_helper.sh[22662]: Docker is dead
Feb 02 23:02:35 ezequiel systemd[1]: docker.service: control process exited, code=exited status=1
Feb 02 23:02:35 ezequiel dockerd[22661]: time="2017-02-02T23:02:35.810756005+01:00" level=info msg="Processing signal 'terminated'"
Feb 02 23:02:35 ezequiel systemd[1]: Failed to start Docker Application Container Engine.
-- Subject: Unit docker.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit docker.service has failed.
--
-- The result is failed.
Feb 02 23:02:35 ezequiel systemd[1]: Unit docker.service entered failed state.
If I remove it, docker starts, but I can't access it from outside the host (I used to use TSL through port 2376)
I have tried dockerd directly and it binds to tcp port:
# /usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/bin/docker-runc --label provider=generic -g /optLVM/varLibDocker -H tcp://127.0.0.1:2375
WARN[0000] [!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting -tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]
INFO[0000] [graphdriver] using prior storage driver "btrfs"
INFO[0000] Graph migration to content-addressability took 0.00 seconds
WARN[0000] Your kernel does not support swap memory limit.
WARN[0000] Your kernel does not support kernel memory limit.
WARN[0000] mountpoint for pids not found
INFO[0000] Loading containers: start.
.................INFO[0000] Firewalld running: false
INFO[0000] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address
INFO[0000] Loading containers: done.
INFO[0000] Daemon has completed initialization
INFO[0000] Docker daemon commit=78d1802 graphdriver=btrfs version=1.12.6
INFO[0000] API listen on 127.0.0.1:2375
So it seems something has changed in the configuration.
My old version was:
docker-1.12.1-152.3.x86_64
And new one:
docker-1.12.6-176.1.x86_64
Thanks for any help... I do need TCP, with or without TSL, to access docker remotely.

I got the same Problem after updating.
From 1.12.1 to 1.12.6 they changed somthing with the "fd://". For me it did not work anymore. I'm using tcp with tls.
In my config file (/etc/docker/daemon.json)
{
"tls" : true,
"tlsverify": true,
"tlscacert": "/etc/docker/ca.pem",
"tlscert" : "/etc/docker/server/server-cert.pem",
"tlskey" : "/etc/docker/server/server-key.pem",
"hosts" : ["unix:///var/run/docker.sock", "tcp://10.10.1.1:2376"]
}
I am adding the "host": unix:///var/run/docker.sock
I think the local communication is handled via the unix socket and remote connection runs over tcp.
You can find the Infos here ...

Docker overrides the IP address of my own manually created bridge

I am trying to set docker up to connect all containers to my own manually created bridge (br0), I don't want docker to create or edit anything in my bridge, because I have other services which uses and depends on my bridge (like OpenVPN) therefore I prefer to create the bridge using my own bash script.
The problem comes when I start docker service, docker changes my bridge IP address from what I want (192.168.1.10) to something else address(169.254.x.x)!!!
My Docker version 1.12.1, build 23cf638
The steps I did
Bridge creation:
sudo brctl addbr br0
sudo brctl addif br0 eth0
sudo ip addr del 192.168.1.10/24 dev eth0
sudo ip addr add 192.168.1.10/24 dev br0
sudo ip route add default via 192.168.1.1 dev br0
I also deleted the default docker0 brdige.
Tell docker to use my br0 instead of the default docker0:
Passing -b br0 parameter to dockerd.service starting script to tell docker that I want him to use my br0:
sudo vi /etc/systemd/system/docker.service.d/overlay.conf
I edited ExecStart to be like this:
ExecStart=/usr/bin/dockerd --storage-driver=overlay -H fd:// -b=br0
and then:
sudo systemctl daemon-reload
sudo systemctl restart docker
And now when I check my br0 IP, it is NOT 192.168.1.10 any more, it is back to 172.17.x.x, and when I try to change it now manually back to 192.168.1.10, the interfaces in containers keeps using 169.254.x.x instead of the IP I want.
P.s. when I check where are the interfaces of my containers: brctl show, they are really in my br0 (that means docker accepted -b br0 paramter, but it just ignores or override my intended IP address).
Could some one help me please to over come that problem? it looks for me like a bug maybe. I just want docker to use my br0 with the intended IP address 192.168.1.10.
My need is that all my containers get and IP address in the range I want.
Thanks in advance.
Edited:
My /var/log/daemon.log
Oct 10 20:41:12 raspberrypi systemd[1]: Stopping Docker Application Container Engine...
Oct 10 20:41:12 raspberrypi dockerd[976]: time="2016-10-10T20:41:12.067551389Z" level=info msg="Processing signal 'terminated'"
Oct 10 20:41:12 raspberrypi dockerd[976]: time="2016-10-10T20:41:12.128388194Z" level=info msg="stopping containerd after receiving terminated"
Oct 10 20:41:13 raspberrypi systemd[1]: Stopped Docker Application Container Engine.
Oct 10 20:41:13 raspberrypi systemd[1]: Stopping Docker Socket for the API.
Oct 10 20:41:13 raspberrypi systemd[1]: Closed Docker Socket for the API.
Oct 10 20:41:13 raspberrypi systemd[1]: Stopped Docker Application Container Engine.
Oct 10 20:41:50 raspberrypi avahi-daemon[440]: Withdrawing address record for 169.254.124.135 on br0.
Oct 10 20:41:50 raspberrypi dhcpcd[698]: br0: removing IP address 169.254.124.135/16
Oct 10 20:41:50 raspberrypi avahi-daemon[440]: Leaving mDNS multicast group on interface br0.IPv4 with address 169.254.124.135.
Oct 10 20:41:50 raspberrypi avahi-daemon[440]: Interface br0.IPv4 no longer relevant for mDNS.
Oct 10 20:41:50 raspberrypi dhcpcd[698]: br0: deleting route to 169.254.0.0/16
Oct 10 20:41:52 raspberrypi ntpd[723]: Deleting interface #7 br0, 169.254.124.135#123, interface stats: received=0, sent=0, dropped=0, active_time=516 secs
Oct 10 20:41:52 raspberrypi ntpd[723]: peers refreshed
Oct 10 20:42:58 raspberrypi avahi-daemon[440]: Joining mDNS multicast group on interface br0.IPv4 with address 192.168.1.19.
Oct 10 20:42:58 raspberrypi avahi-daemon[440]: New relevant interface br0.IPv4 for mDNS.
Oct 10 20:42:58 raspberrypi avahi-daemon[440]: Registering new address record for 192.168.1.19 on br0.IPv4.
Oct 10 20:43:00 raspberrypi ntpd[723]: Listen normally on 8 br0 192.168.1.19 UDP 123
Oct 10 20:43:00 raspberrypi ntpd[723]: peers refreshed
Oct 10 20:43:15 raspberrypi systemd[1]: getty#tty1.service has no holdoff time, scheduling restart.
Oct 10 20:43:15 raspberrypi systemd[1]: Stopping Getty on tty1...
Oct 10 20:43:15 raspberrypi systemd[1]: Starting Getty on tty1...
Oct 10 20:43:15 raspberrypi systemd[1]: Started Getty on tty1.
Oct 10 20:43:21 raspberrypi systemd[1]: getty#tty1.service has no holdoff time, scheduling restart.
Oct 10 20:43:21 raspberrypi systemd[1]: Stopping Getty on tty1...
Oct 10 20:43:21 raspberrypi systemd[1]: Starting Getty on tty1...
Oct 10 20:43:21 raspberrypi systemd[1]: Started Getty on tty1.
Oct 10 20:44:31 raspberrypi systemd[1]: Starting Docker Socket for the API.
Oct 10 20:44:31 raspberrypi systemd[1]: Listening on Docker Socket for the API.
Oct 10 20:44:31 raspberrypi systemd[1]: Starting Docker Application Container Engine...
Oct 10 20:44:31 raspberrypi dockerd[1536]: time="2016-10-10T20:44:31.887581128Z" level=info msg="libcontainerd: new containerd process, pid: 1543"
Oct 10 20:44:32 raspberrypi dockerd[1536]: time="2016-10-10T20:44:32.903109872Z" level=info msg="[graphdriver] using prior storage driver \"overlay\""
Oct 10 20:44:32 raspberrypi dockerd[1536]: time="2016-10-10T20:44:32.950908429Z" level=info msg="Graph migration to content-addressability took 0.00 seconds"
Oct 10 20:44:32 raspberrypi dockerd[1536]: time="2016-10-10T20:44:32.951611338Z" level=warning msg="Your kernel does not support swap memory limit."
Oct 10 20:44:32 raspberrypi dockerd[1536]: time="2016-10-10T20:44:32.951800086Z" level=warning msg="Your kernel does not support kernel memory limit."
Oct 10 20:44:32 raspberrypi dockerd[1536]: time="2016-10-10T20:44:32.951906179Z" level=warning msg="Your kernel does not support cgroup cfs period"
Oct 10 20:44:32 raspberrypi dockerd[1536]: time="2016-10-10T20:44:32.951993522Z" level=warning msg="Your kernel does not support cgroup cfs quotas"
Oct 10 20:44:32 raspberrypi dockerd[1536]: time="2016-10-10T20:44:32.952173520Z" level=warning msg="Unable to find cpuset cgroup in mounts"
Oct 10 20:44:32 raspberrypi dockerd[1536]: time="2016-10-10T20:44:32.952372059Z" level=warning msg="mountpoint for pids not found"
Oct 10 20:44:32 raspberrypi dockerd[1536]: time="2016-10-10T20:44:32.953406319Z" level=info msg="Loading containers: start."
Oct 10 20:44:32 raspberrypi dockerd[1536]: time="2016-10-10T20:44:32.970612440Z" level=info msg="Firewalld running: false"
Oct 10 20:44:32 raspberrypi dockerd[1536]: time="2016-10-10T20:44:32.953406319Z" level=info msg="Loading containers: start."
Oct 10 20:44:32 raspberrypi dockerd[1536]: time="2016-10-10T20:44:32.970612440Z" level=info msg="Firewalld running: false"
Oct 10 20:44:33 raspberrypi avahi-daemon[440]: Withdrawing address record for 192.168.1.19 on br0.
Oct 10 20:44:33 raspberrypi avahi-daemon[440]: Leaving mDNS multicast group on interface br0.IPv4 with address 192.168.1.19.
Oct 10 20:44:33 raspberrypi avahi-daemon[440]: Interface br0.IPv4 no longer relevant for mDNS.
Oct 10 20:44:33 raspberrypi avahi-daemon[440]: Joining mDNS multicast group on interface br0.IPv4 with address 169.254.124.135.
Oct 10 20:44:33 raspberrypi avahi-daemon[440]: New relevant interface br0.IPv4 for mDNS.
Oct 10 20:44:33 raspberrypi avahi-daemon[440]: Registering new address record for 169.254.124.135 on br0.IPv4.
Oct 10 20:44:33 raspberrypi dockerd[1536]: time="2016-10-10T20:44:33.715576231Z" level=info msg="Loading containers: done."
Oct 10 20:44:33 raspberrypi dockerd[1536]: time="2016-10-10T20:44:33.715837582Z" level=info msg="Daemon has completed initialization"
Oct 10 20:44:33 raspberrypi dockerd[1536]: time="2016-10-10T20:44:33.715921435Z" level=info msg="Docker daemon" commit=23cf638 graphdriver=overlay version=1.12.1
Oct 10 20:44:33 raspberrypi systemd[1]: Started Docker Application Container Engine.
Oct 10 20:44:33 raspberrypi dockerd[1536]: time="2016-10-10T20:44:33.754984356Z" level=info msg="API listen on /var/run/docker.sock"
Oct 10 20:44:34 raspberrypi ntpd[723]: Listen normally on 9 br0 169.254.124.135 UDP 123
Oct 10 20:44:34 raspberrypi ntpd[723]: Deleting interface #8 br0, 192.168.1.19#123, interface stats: received=0, sent=0, dropped=0, active_time=94 secs
Oct 10 20:44:34 raspberrypi ntpd[723]: peers refreshed
The interesting part is the last part (I recopied it here bellow):
Oct 10 20:44:33 raspberrypi avahi-daemon[440]: Withdrawing address record for 192.168.1.19 on br0.
Oct 10 20:44:33 raspberrypi avahi-daemon[440]: Leaving mDNS multicast group on interface br0.IPv4 with address 192.168.1.19.
Oct 10 20:44:33 raspberrypi avahi-daemon[440]: Interface br0.IPv4 no longer relevant for mDNS.
Oct 10 20:44:33 raspberrypi avahi-daemon[440]: Joining mDNS multicast group on interface br0.IPv4 with address 169.254.124.135.
Oct 10 20:44:33 raspberrypi avahi-daemon[440]: New relevant interface br0.IPv4 for mDNS.
Oct 10 20:44:33 raspberrypi avahi-daemon[440]: Registering new address record for 169.254.124.135 on br0.IPv4.
Oct 10 20:44:33 raspberrypi dockerd[1536]: time="2016-10-10T20:44:33.715576231Z" level=info msg="Loading containers: done."
Oct 10 20:44:33 raspberrypi dockerd[1536]: time="2016-10-10T20:44:33.715837582Z" level=info msg="Daemon has completed initialization"
Oct 10 20:44:33 raspberrypi dockerd[1536]: time="2016-10-10T20:44:33.715921435Z" level=info msg="Docker daemon" commit=23cf638 graphdriver=overlay version=1.12.1
Oct 10 20:44:33 raspberrypi systemd[1]: Started Docker Application Container Engine.
Oct 10 20:44:33 raspberrypi dockerd[1536]: time="2016-10-10T20:44:33.754984356Z" level=info msg="API listen on /var/run/docker.sock"
Oct 10 20:44:34 raspberrypi ntpd[723]: Listen normally on 9 br0 169.254.124.135 UDP 123
Oct 10 20:44:34 raspberrypi ntpd[723]: Deleting interface #8 br0, 192.168.1.19#123, interface stats: received=0, sent=0, dropped=0, active_time=94

Once the docker container is running the network configuration is not editable. Try running your docker container with --bip=CIDR and set your bridge ip manually. For more info follow here.

Resources