Hi,

I’m wrestling with having a container on a macvlan network and still being able to talk to the host.

General setup
Host OS Ubuntu 16.04
Docker version 17.09.1-ce, build 19e2cf6
LAN 192.168.47.0/24
Host IP 192.168.47.250 (standard Ubuntu br0 bridge)
Container IP 192.168.47.34

Docker network setup

docker network create -d macvlan --subnet 192.168.47.0/24 --gateway 192.168.47.201 -o parent=br0 -o macvlan_mode=bridge physical

Bridging another macvlan link to allow container host connectivity

ip link add mac0 link br0 type macvlan mode bridge
ip addr add 192.168.47.250/24 dev mac0
ip link set mac0 up

Testing connectivity to LAN server (not host)

docker run --network physical -it --rm busybox ping 192.168.47.252
PING 192.168.47.252 (192.168.47.252): 56 data bytes
64 bytes from 192.168.47.252: seq=0 ttl=64 time=0.498 ms
64 bytes from 192.168.47.252: seq=1 ttl=64 time=0.323 ms
64 bytes from 192.168.47.252: seq=2 ttl=64 time=0.394 ms
^C
--- 192.168.47.252 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.323/0.405/0.498 ms

Testing with host (not working)

docker run --network physical -it --rm busybox ping 192.168.47.250
PING 192.168.47.250 (192.168.47.250): 56 data bytes
^C
--- 192.168.47.250 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Any ideas?

Did you ever figure this out? I am trying to run a docker registry with macvlan, but my host can’t pull from it

https://sreeninet.wordpress.com/2016/05/29/docker-macvlan-and-ipvlan-network-plugins/ has the same steps as the official docs. I think maybe a kernel setting or something is in the way. I’m running Ubuntu with kernel 4.4.0

I found https://www.furorteutonicus.eu/2013/08/04/enabling-host-guest-networking-with-kvm-macvlan-and-macvtap/ which has some addition ip commands that I think are what we are missing, but running ip route flush dev has ended poorly for me in the past, so I’d like some more guidance.

Older versions of the docker documentation for mavlan networks included following note:

When using macvlan, you cannot ping or communicate with the default namespace IP address. For example, if you create a container and try to ping the Docker host’s eth0, it will not work. That traffic is explicitly filtered by the kernel modules themselves to offer additional provider isolation and security.

A macvlan subinterface can be added to the Docker host, to allow traffic between the Docker host and containers. The IP address needs to be set on this subinterface and removed from the parent address. ip link add mac0 link $PARENTDEV type macvlan mode bridge

Your networking equipment needs to be able to handle “promiscuous mode”, where one physical interface can be assigned multiple MAC addresses.

Especially if you use a vm, you need to make sure to enable promiscous mode. Some hypervisors provide the settings on VM level, some on vSwitch level.

I made it work using the info from @meyay.

Here’s what I used. It is definitely not a good practice but it can solve issues in some cases.

ip link add mac0 link enoX type macvlan mode bridge
ip addr add 192.168.X.X/24 dev mac0
ip link set mac0 up
ip route add 192.168.X.0/24 dev mac0
ip route delete 192.168.X.0/24 dev enoX