
nerdctl requires CNI to be installed when running containers with network_mode host

Open vosdev opened this issue 4 months ago • 1 comments

Description

Running containers with network_mode: host, nerdctl still tries to create a default network even when no containers require one.

Steps to reproduce the issue

  1. Do not have a CNI installed on your host
  2. Try to start a container with network_mode: host (nerdctl run --rm -it --network host alpine sh or nerdctl compose up -d with a compose file with network_mode: host)

FATA[0000] failed to create default network: needs CNI plugin "bridge" to be installed in CNI_PATH ("/opt/cni/bin"), see https://github.com/containernetworking/plugins/releases: exec: "/opt/cni/bin/bridge": stat /opt/cni/bin/bridge: no such file or directory

Describe the results you received and expected

I expected nerdctl to not try to create a default network when none of my containers need one.

Docker is able to start these containers without creating a docker bridge/network

What version of nerdctl are you using?

v2.1.3 (latest)

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

Client:
 Namespace: default
 Debug Mode: false

Server:
 Server Version: 1.7.27
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Log: fluentd journald json-file none syslog
  Storage: native overlayfs
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.14.0-27-generic
 Operating System: Ubuntu 25.04
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 3GiB
 Name: grafana
 ID: 6890ed18-5623-4145-9125-84c57aaed5ae

vosdev avatar Aug 14 '25 15:08 vosdev

It's not just host -- it looks like the bridge network is always getting created, even with none. This appears specific to v2.2.0, as v2.1.6 behaves correctly. In both cases, I'm using containerd v2.1.5.

My specifics: I'm running a Kubernetes node with Cilium which also (don't ask why) needs to run nerdctl. What happens is:

  1. nerdctl run --net none hello-world
  2. nerdctl creates the bridge network anyway
  3. cilium deletes it
  4. containerd calls runc
  5. runc can't find the "bridge" network:
nerdctl run hello-world --net none

FATA[0000] failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running createRuntime hook #0: exit status 1, stdout: , stderr: time="2025-12-07T06:51:51Z" level=fatal msg="no such network: \"bridge\""

mwinters0 avatar Dec 07 '25 07:12 mwinters0