Docker public IP allocation "addon"

nicjo814 · 26. November 2015

Some time ago I had an issue with a Docker container that didn't really like to run behind NAT, which is what happens when a container is started in "bridged" mode in docker. I did some digging around and found a potential solution in something called "macvlan bridging" which could give the container an IP in the same "network" as the host machine and also let the container communicate on network layer 2 (MAC address layer). This approach is quite different than adding an IP and binding the container to that IP (which will still result in NAT and runs in network layer 3, IP layer). However there were quite a lot of manual steps that had to be completed in order to configure "macvlan bridging" on both the host and in the container and I wanted something that could configure all of this both at host server restart and individual container restart. For this purpose I've created a few scripts available here: https://github.com/nicjo814/openmediavault-docker-br .
The benefits of all of this is that a container will "behave" more like a real server, networking wise, in that when you open a network port for some service (like http) that service can immediately be accessed on e.g. http://your-ip and this also lets you run multiple containers listening on the same port (as long as you give them different IP's) without having to do any port forwarding when booting up the container with docker run.

For 99% of the containers out there I would guess that this is totally unnecessary, but then there are a few which really needs this

Please note that I've only run the scripts on my own server so they are not exceptionally well tested yet...

subzero79 · 26. November 2015

I think this is necessary for example for plex running in bridge. The webui works, but devices have no access. Even forwarding all ports of plex, tcp and udp. I'll give it a try.

nicjo814 · 26. November 2015

I should mention that the "addon" properly configures everything when the host is itself a virtual machine inside Virtualbox, but it's not possible to reach the containers on their new IP's... Which makes it a bit difficult to test You can check that the bridges are created properly with ifconfig, but that's about it.

DaddyMacCadillac · 14. Dezember 2015

So I have a unique situation I think maybe these scripts will help me with but I want to clarify with you your thoughts. My home router is a DHCP server for ip range of 192.168.0.2 - 192.168.0.199. The router istelf is 192.168.0.1 and should be the default gateway for all other addresses. My OMV host is running on a static ip of 192.168.0.200. I have configured my router to force all ip addresses 192.168.0.250 and higher (up to 192.168.0.254) to connect to a VPN using OpenVPN on a DD-WRT configuration. Now when setting up the rtorrent Docker, I would like to force it to use a static ip of 192.168.0.250 for obvious reasons. So far I haven't found a way to do this. I spent hours last night trying to create my own network bridge (docker network create --driver=bridge --ip-range=xxx.xxx.xxx.xxx ...) but I had no success doing this. Will these scripts accomplish what I am trying to do? Basically I need my docker container to be on the same subnet as my OMV host with the same gateway of 192.168.0.1 but with an ip of 192.168.0.250. Thanks in advance.

nicjo814 · 14. Dezember 2015

That's exactly what it does.

subzero79 · 14. Dezember 2015

In normal circumstances there is only one gateway in omv. Also you can think about deleting the masquerade rules and add a global static route to 172.17.x.x, then in the router you can add also src address of 172 to exit through the vpn gateway. Just a suggestion

DaddyMacCadillac · 14. Dezember 2015

Zitat von subzero79

In normal circumstances there is only one gateway in omv. Also you can think about deleting the masquerade rules and add a global static route to 172.17.x.x, then in the router you can add also src address of 172 to exit through the vpn gateway. Just a…

Thank you subzero79. I am by no means a network guru so I'm not sure what you mean by deleting the masquerade rules or adding a global static route to 172.17.x.x. But thank you for trying to help.

subzero79 · 14. Dezember 2015

MASQUERADE means all packets leaving OMV from docker will be exiting with a IP source address of omv (192.168.x.x), so for the router is impossible to re-route using rules, because you'll have to fwd all OMV traffic through the vpn (if using only ip was the case, using ports would be different)

As it is right now, in your own lan, you cannot reach 172.17.0.x docker subnet, because all lan clients have no idea where is this subnet located. If you put network 172.17.0.0/24 with GW IP_OF_OMV in the router static route entries, you should be able to reach all docker instances by 172.17.0.x ip's from the lan 1982.168.x.x sunet.

Hope is more clear.

nicjo814 · 16. Dezember 2015

@DaddyMacCadillac Did you get the scripts to work?

Jetzt mitmachen!