Macvlan swarm replicas get duplicate mac and wrong IP

Open Source Projects Swarm
1

I have been following this article and modifying it to run 2 replicas of the same container in a 3 swarm node.
Docker Swarm + MACVLAN (jpft.win)

I set the IP range to 192.168.1.248 /30 (rather than /32 in the example)

Both containers startup ok, both containers can ping the outside world.

  1. both containers get the same IP and the same MAC while running at the same time
  2. oddly ping works from both
  3. the IP is 192.168.1.248 when i was expecting the two nodes to get 192.168.1.249 and 250 (as no node should ever be issued the network address or the broadcast address)

Am i doing something wrong or are my expectations wrong?

(note i actually made the macvlan-config on all 3 nodes from portainer and i made the macvlan from portainer).

2

Regardings the blog-post: it creates a macvlan config with an ip range of a single ip on each of the three nodes and then creates a swarm scoped network that uses these configs.

Since the mvl network is swarm scoped, it should have only be able to deploy a single replica and denied all others due to an exhausted ip pool. Strange it didn’t.

Regarding your problem:
If the config is created indivdualy on each node and then a swarm scoped macvlan using these configs is created, it should keep track of used ip addresses and assign each container a new ip from the pool.

That’s odd and looks like a configuration issue. I am surprised your switch does not get crazy due to duplicate mac. At least a duplicate ip “just” creates flaky behavior, which will mess up traffic send to the containers.

The test is only valid if executed in parallel at the same time.

Why would you expect that? The --ip-range parameter does specify a range, not a subnet. There is no ip reservation for the network or broadcast. You have 4 Ip’s in the range. You need to use --ip-range 192.168.1.249/31 to get the two ip range you expected.

N.B.: it is not possible to create more than a single macvlan network that uses the same gateway.

3

Thanks for the detailed answer.

yes i was very surprised my switch didn’t freak and its why i was surprised that ping worked from both i know exactly what real dupe MACs looks like on physical hardware :slight_smile:

On IP expectation, got it To get what I would want I assume I would have to set the subnet to 192.168.1.248/30 and define a gateway in that subnet for the IPAM to know to exclude the broadcast and network addresses (aka treat it as proper subnetting). Then I would, i assume, need to set bunch of static routes on my main router and intermediate nodes as normal.

I just discovered the gateway issue - interestingly that worked as a placement constraint, one container started - hit that issue was rejected and moved swarm node where it worked just fine on the second node.

The approach i ended up with was to define the service twice in the stack and created two macvlans and two sets of macvlan configs where the IP range is 192.168.1.x/32 - this seems to work (modulo the dupe gateway issue - which oddly worked to my advantage).

I have a way to force this to work, so I think my issue is closed. thanks for the help.