Docker - Container with MACVLAN

I have recently heard from Peter Mckee from Docker, on the Talk Python To Me podcast episode 308, that we should not assign IP addresses to our containers.

He compared containers to food that we should cook, consume and, when hungry, cook another meal, leaving the host to handle the networking.

Although not recommended, I have decided to set up a pihole container. This application requires an IP address, and we are going to put it on a different network than its host. Since my network is using VLANs and my container is going to sit in a specific VLAN, it will need to be configured with Docker's MACVLAN network driver.

That decision had some implications for my network: the switch port our host is connected to had to be changed from untagged to tagged, and the host NIC set with a VLAN.

5: enp0s10.10@enp0s10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether f8:0f:41:21:3f:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.10/24 brd 192.168.10.255 scope global enp0s10.10
       valid_lft forever preferred_lft forever
    inet6 fe80::fa0f:41ff:fe21:3f02/64 scope link 
       valid_lft forever preferred_lft forever
Docker Host NIC Configuration

Let's create the new VLAN that the docker container is going to use.

Router1 - Switch Configuration
Router 2 - Switch Configuration

The OpenWRT switch configuration is a bit confusing, but to create a new VLAN the order is as follows:

1) Add the VLAN to the switch configuration and set it as tagged on the trunk and on the physical port it is connecting to, or according to your network parameters.

2) Add a new sub-interface and name it, then set the DNS and DHCP settings.

We have now created VLAN6 for our pihole and a few other servers that will be added to our network in the future, like NTP.

My pihole is currently using VLAN10, which was set up for testing purposes. Now we are going to move it to our newly created VLAN6. First, let's inspect our docker networks:

docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
95bc94a1e0e7        bridge              bridge              local
351c7ea05fa7        host                host                local
fdfa287915ea        macvlan10           macvlan             local
d35120bf0522        none                null                local

Since we already have a working network, it could have been cloned with the create command and the option:

--config-from string   The network from which copying the configuration

But, to have an example for future reference, we are going to create a new one from scratch as explained in Docker's documentation.

docker network create -d macvlan \
  --subnet=192.168.6.0/24 \
  --gateway=192.168.6.1 \
  --opt parent=enp0s10.6 \
  macvlan6
root@home-svr1:~# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
95bc94a1e0e7        bridge              bridge              local
351c7ea05fa7        host                host                local
cb20a724db68        macvlan6            macvlan             local
fdfa287915ea        macvlan10           macvlan             local
d35120bf0522        none                null                local

root@home-svr1:~# ip -c addr show dev enp0s10.6
144: enp0s10.6@enp0s10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether f8:0f:41:21:3f:02 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fa0f:41ff:fe21:3f02/64 scope link 
       valid_lft forever preferred_lft forever
Docker will automatically create the new interface for the macvlan network if not already present on the host.
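
Because the VLAN a container lands in is decided entirely by the `parent` option, it is worth checking the created network before attaching the pihole to it. The following is an added example, not part of the original post: it audits `docker network inspect` JSON for a VLAN-tagged parent, a gateway inside the subnet and a usable static container address. The sample JSON, the `macvlan-flat` network and the address 192.168.6.2 are constructed for illustration.

```python
import ipaddress
import json
import re

# Constructed sample shaped like `docker network inspect` output. The first entry
# uses the values from this post; the second is a hypothetical misconfiguration.
SAMPLE_INSPECT = json.dumps([
    {"Name": "macvlan6", "Driver": "macvlan",
     "IPAM": {"Config": [{"Subnet": "192.168.6.0/24", "Gateway": "192.168.6.1"}]},
     "Options": {"parent": "enp0s10.6"}},
    {"Name": "macvlan-flat", "Driver": "macvlan",
     "IPAM": {"Config": [{"Subnet": "192.168.6.0/24", "Gateway": "192.168.10.1"}]},
     "Options": {"parent": "enp0s10"}},
])

# A tagged parent looks like <nic>.<vlan-id>, e.g. enp0s10.6
VLAN_PARENT = re.compile(r"^(?P<nic>[^.]+)\.(?P<vid>\d+)$")

def audit_macvlan(net, expected_vlan, container_ip=None):
    """Return a list of findings for one network object; an empty list means clean."""
    if net.get("Driver") != "macvlan":
        return [f"driver is {net.get('Driver')!r}, not macvlan"]
    findings = []
    parent = (net.get("Options") or {}).get("parent", "")
    match = VLAN_PARENT.match(parent)
    if not match:
        findings.append(f"parent {parent!r} is not a VLAN sub-interface (untagged traffic)")
    elif int(match["vid"]) != expected_vlan:
        findings.append(f"parent {parent!r} is on VLAN {match['vid']}, expected {expected_vlan}")
    for cfg in (net.get("IPAM") or {}).get("Config") or []:
        subnet = ipaddress.ip_network(cfg["Subnet"])
        gateway = cfg.get("Gateway")
        if gateway and ipaddress.ip_address(gateway) not in subnet:
            findings.append(f"gateway {gateway} is outside {subnet}")
        if container_ip:
            ip = ipaddress.ip_address(container_ip)
            reserved = (subnet.network_address, subnet.broadcast_address)
            if ip not in subnet:
                findings.append(f"container IP {ip} is outside {subnet}")
            elif ip in reserved or str(ip) == gateway:
                findings.append(f"container IP {ip} collides with a reserved address")
    return findings

def audit_all(inspect_json, expected_vlan, container_ip=None):
    """Audit every network in a `docker network inspect` JSON array."""
    return {net["Name"]: audit_macvlan(net, expected_vlan, container_ip)
            for net in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, issues in audit_all(SAMPLE_INSPECT, 6, "192.168.6.2").items():
        print(name, "OK" if not issues else issues)
```

On the host, the same functions can be fed the real output, for example by passing the result of `docker network inspect macvlan6` to `audit_all`.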

Now that our network has been created, we can create our container following the guide below.


Docker - Pihole Container
This blog post will detail how to create a custom pihole [https://hub.docker.com/r/pihole/pihole/] container with a pre-loaded script to update our block and allow lists automatically. To have this custom container we will have to create our own custom docker image. First let’s create our custom D…

Our pihole has been deployed, and we can now work towards creating a script for our OpenWRT dnsmasq instances to use pihole as the DNS server for some of our networks.
