Docker and Management VRF

March 13, 2020

Running docker service over management VRF requires the service to be started bound to the VRF. Since docker and systemd do not natively understand VRF, the vrf exec helper in iproute2 can be used.

This series of steps worked for me on Ubuntu 19.10 and should work on 18.04 as well:

Configure mgmt VRF and disable systemd-resolved as noted in a previous post about management vrf and DNS
Install docker-ce

Edit /lib/systemd/system/docker.service and add /usr/sbin/ip vrf exec mgmt to the Exec lines like this:

ExecStart=/usr/sbin/ip vrf exec mgmt /usr/bin/dockerd -H fd://
--containerd=/run/containerd/containerd.sock

Tell systemd about the change and restart docker

systemctl daemon-reload
systemctl restart docker

With that, docker pull should work fine – in mgmt vrf or default vrf.