Docker Community Forums


Unable to attach to macvlan net

Hi,

I am trying to move my docker services into a VLAN as a DMZ. For this I set up a VLAN network. Since libvirt is running on the same host, I’m using a network bridge, all configured as:

br0.netdev

    [NetDev]
    Name=br0
    Kind=bridge

br0.network

    [Match]
    Name=br0
    [Network]
    Address=192.168.1.11/24
    Gateway=192.168.1.1
    DNS=192.168.1.1

10-uplink.network

    [Match]
    Name=enp3s0
    [Network]
    Bridge=br0
    VLAN=dmz

and

dmz.netdev

    [NetDev]
    Name=dmz
    Kind=vlan
    [VLAN]
    Id=90

dmz.network

    [Match]
    Name=dmz
    [Network]
    Bridge=br0
    Address=192.168.90.11/24
    Gateway=192.168.90.1

Finally, I created the docker network in 802.1q trunk bridge mode:

    $ docker network create -d macvlan \
        --subnet=192.168.90.0/24 --gateway=192.168.90.1 \
        --aux-address="dmz-docker-host=192.168.90.11" \
        -o parent=dmz \
        dmz_net

    $ docker network inspect dmz_net
    [
        {
            "Name": "dmz_net",
            "Id": "0bb6b1d5787ed2d8f85f5f93d79786c61ad3ffc189d58697f3aff96e54ffd24c",
            "Created": "2020-05-18T20:29:49.11435881+02:00",
            "Scope": "local",
            "Driver": "macvlan",
            "EnableIPv6": false,
            "IPAM": {
                "Driver": "default",
                "Options": {},
                "Config": [
                    {
                        "Subnet": "192.168.90.0/24",
                        "Gateway": "192.168.90.1",
                        "AuxiliaryAddresses": {
                            "dmz-docker-host": "192.168.90.11"
                        }
                    }
                ]
            },
            "Internal": false,
            "Attachable": false,
            "Ingress": false,
            "ConfigFrom": {
                "Network": ""
            },
            "ConfigOnly": false,
            "Containers": {},
            "Options": {
                "parent": "dmz"
            },
            "Labels": {}
        }
    ]

Now, creating a container attached to this network with a given IP:

    $ docker run \
      --name='dmz-host' \
      --hostname='dmz-host' \
      --net=dmz_net \
      --ip=192.168.90.101 \
      --rm -ti \
      alpine:latest ash

failed with:

    docker: Error response from daemon: failed to create the macvlan port: device or resource busy.

So, what went wrong here? Is it the right approach? How do I fix it?

Also of interest: I’m using Clear Linux with

    $ docker info
    Client:
     Debug Mode: false

    Server:
     Containers: 1
      Running: 1
      Paused: 0
      Stopped: 0
     Images: 83
     Server Version: 19.03.8
     Storage Driver: overlay2
      Backing Filesystem: <unknown>
      Supports d_type: true
      Native Overlay Diff: true
     Logging Driver: json-file
     Cgroup Driver: systemd
     Plugins:
      Volume: local
      Network: bridge host ipvlan macvlan null overlay
      Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
     Swarm: inactive
     Runtimes: runc
     Default Runtime: runc
     Init Binary: docker-init
     containerd version: 
     runc version: 
    WARNING: bridge-nf-call-iptables is disabled
    WARNING: bridge-nf-call-ip6tables is disabled
     init version: 
     Security Options:
      seccomp
       Profile: default
     Kernel Version: 5.6.13-952.native
     Operating System: Clear Linux OS
     OSType: linux
     Architecture: x86_64
     CPUs: 4
     Total Memory: 15.12GiB
     Name: clr1
     ID: HNJ5:IFAK:XMTT:2IIM:LVFV:63ZR:QNFO:SFDS:BF4T:7EUQ:O4TC:PV7S
     Docker Root Dir: /var/lib/docker
     Debug Mode: false
     Registry: https://index.docker.io/v1/
     Labels:
     Experimental: false
     Insecure Registries:
      127.0.0.0/8
     Live Restore Enabled: false

Thanks

As usual, the examples work as expected:

    ip link add link eth0 name eth0.40 type vlan id 40
    ip link set eth0.40 up

    docker network  create  -d ipvlan \
       --subnet=192.168.40.0/24 \
       --gateway=192.168.40.1 \
       -o parent=eth0.40 ipvlan40

    # in two separate terminals
    docker run --net=ipvlan40 -it --name ivlan_test5 --rm alpine /bin/sh
    docker run --net=ipvlan40 -it --name ivlan_test6 --rm alpine /bin/sh

So, what is the difference? Since the device is created beforehand, the eth0.VLAN naming convention doesn’t apply here …
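A small pre-flight check for a macvlan parent interface, added here as an example and not part of the post: it reads the standard /sys/class/net layout (SYSFS_NET can be pointed at a constructed tree for offline testing) and reports whether the parent exists, is up, and has no master. It is relevant to the setup above because dmz.network enslaves dmz to br0 with Bridge=br0, and a bridge port's receive handler belongs to the bridge, which is exactly the condition under which the kernel refuses to create a macvlan on that device with EBUSY ("device or resource busy").

```shell
#!/bin/sh
# Pre-flight check for a macvlan parent interface (added example, not from
# the forum post). Assumes the standard /sys/class/net layout; SYSFS_NET can
# be pointed at a constructed directory tree for offline testing.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Prints one line describing the parent's state and returns:
#   0 usable, 1 no such device, 2 enslaved to a bridge/bond, 3 link not up
macvlan_parent_check() {
    dev="$1"
    d="$SYSFS_NET/$dev"
    if [ ! -d "$d" ]; then
        echo "missing: $dev does not exist"
        return 1
    fi
    # A bridge (or bond) port exposes a 'master' symlink. The master owns the
    # device's rx_handler, and macvlan needs that handler itself, so the
    # kernel refuses with EBUSY ("device or resource busy").
    if [ -L "$d/master" ]; then
        master=$(basename "$(readlink "$d/master")")
        echo "busy: $dev is enslaved to $master; detach it or use another parent"
        return 2
    fi
    # macvlan ports come up only if the lower device is up.
    state=$(cat "$d/operstate" 2>/dev/null || echo unknown)
    if [ "$state" != "up" ]; then
        echo "down: $dev operstate is $state; bring the link up first"
        return 3
    fi
    echo "ok: $dev is a standalone, up interface"
    return 0
}

# Stand-alone use: ./check.sh dmz
if [ -n "${1:-}" ]; then macvlan_parent_check "$1"; fi
```

Run it against the intended parent before `docker network create -d macvlan -o parent=...`; a non-zero exit explains the refusal without having to read the daemon's error message.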