Docker Community Forums

Macvlan, cannot reach container from other host when there is only one container attached to


(Noodle05) #1

I’m trying to use macvlan on one of my hosts, but I’m facing some issues:

  • The Docker host cannot reach any container that is attached to the macvlan network.
  • When there is only one active container attached to the macvlan network, it is not reachable from the local network.
  • When there is more than one active container attached to the macvlan network, all of them are reachable from the local network.

Is this expected behavior?

Please see the following for detailed information:

$> docker info
Containers: 5
 Running: 5
 Paused: 0
 Stopped: 0
Images: 25
Server Version: 18.09.0
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: fec3683
Security Options:
 seccomp
Profile: default
Kernel Version: 4.4.156-rockchip64
Operating System: Ubuntu 18.04.1 LTS
OSType: linux
Architecture: aarch64
CPUs: 4
Total Memory: 1.883GiB
Name: xxx
ID: XXX:XXX
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: xxx
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

Create a macvlan network:

$> docker network create -d macvlan --subnet=192.168.1.0/24 --gateway=192.168.1.1 --ip-range 192.168.1.64/28 -o parent=eth0 public

Start one container:

$> docker run -d --name test1 --network public alpine:3.8 ping 8.8.8.8

Get the container's IP address:

$> docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' test1
192.168.1.64

Ping the container's IP address from another machine (not the Docker host):

$> ping 192.168.1.64
PING 192.168.1.64 (192.168.1.64): 56 data bytes
Request timeout for icmp_seq 0

Now, create another container and attach it to the macvlan network:

$> docker run -d --name test2 --network public alpine:3.8 ping 8.8.8.8

Get the second container's IP address:

$> docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' test2
192.168.1.65

Ping the first container from another machine:

$> ping 192.168.1.64
PING 192.168.1.64 (192.168.1.64): 56 data bytes
64 bytes from 192.168.1.64: icmp_seq=0 ttl=64 time=0.843 ms

Pinging the second container also succeeds:

$> ping 192.168.1.65
PING 192.168.1.65 (192.168.1.65): 56 data bytes
64 bytes from 192.168.1.65: icmp_seq=0 ttl=64 time=1.660 ms

Now if I stop either one of these two containers, the other becomes unreachable.

Pinging a container from the Docker host never succeeds, no matter how many containers are attached to the macvlan network.