Docker – how to associate a Docker network interface to a Linux network interface (eth5) on Linux host

Tags: bridge, docker, ip, networking, route

My Linux host has 8 Ethernet interfaces, eth0 – eth7. I'm running three Docker 1.9 containers on this Linux host.
How can I associate a network interface inside one Docker container to a specific Linux physical network interface (say eth5) on the host, at Layer 3 (IP layer)?

The reasons for connecting at Layer 3 are:
1. to be able to configure the Docker network interface using DHCP, and
2. for ALL incoming IP traffic on the host physical interface (eth5) to be forwarded to the associated Docker interface (I don't want to do port-mapping using NAT, which will direct traffic ONLY for a particular TCP/UDP port to the Docker interface).

Basically, how do I connect a Docker network interface to a specific Linux (host) network device (say eth5) at Layer 3/Layer 2?

Best Answer

There are multiple ways to do this:

  1. Using Linux bridges (brctl)

  2. Using Open vSwitch (ovs-vsctl)

  3. Using MACVLAN

  4. Using IPVLAN (introduced in 3.19 kernel, but not stable until 4.2 or later)

MACVLAN and IPVLAN are both supported as Linux kernel modules

MACVLAN: This makes it possible to create virtual network interfaces that "cling on" to a physical network interface (eth5 in the question above). Each virtual interface has its own MAC address, distinct from the physical interface's MAC address. Frames sent to or from the virtual interfaces are mapped to the physical interface.

While under Linux an interface can already have multiple addresses, a MACVLAN allows further isolation on what traffic can be seen on such an interface. A MACVLAN will only be able to see traffic that has a MAC address that matches that interface, preventing processes / containers on other interfaces from listening in on traffic destined for another MACVLAN.

IPVLAN: Conceptually very similar to the macvlan driver, with one major exception: it uses L3 for muxing/demuxing among slaves. The master device shares its L2 MAC with its slave devices. This allows creation of virtual devices off a main interface, and packets are delivered based on the destination L3 IP address of the packets. All interfaces (including the main interface) share L2, making it transparent to a connected L2 switch.

For IPVLAN, the canonical documentation is: https://github.com/torvalds/linux/blob/master/Documentation/networking/ipvlan.txt

Currently Docker supports both MACVLAN and IPVLAN in the experimental release; they are coming into GA soon.

For more on MACVLAN and IPVLAN (including specific commands) see Brent Salisbury's excellent blogpost: http://networkstatic.net/configuring-macvlan-ipvlan-linux-networking/
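As an added example, not part of the original answer or of Docker's own tooling: the shell script below does by hand what the answer describes for option 3 (MACVLAN) and option 4 (IPVLAN). It creates a child interface of the host NIC, moves it into a running container's network namespace, and then runs a DHCP client inside that namespace so the container's address comes from the LAN rather than from NAT port-mapping. The container name `app1`, the child interface name `mv5`, the use of `dhclient` and the `/var/run/netns` symlink trick are all assumptions for the sake of the example; the commands must be run as root on the host. Setting `DRY_RUN=1` prints the privileged commands instead of executing them, which is also how the example can be checked without touching a real NIC.

```shell
#!/bin/sh
# Attach a MACVLAN (or IPVLAN) child of a host NIC to a Docker container's
# network namespace and obtain an address via DHCP inside that namespace.
# Assumptions (not from the original answer): eth5 is the parent NIC, the
# container is named app1, the child interface is named mv5, dhclient is
# installed on the host. Run as root. DRY_RUN=1 prints instead of executing.

PARENT="${PARENT:-eth5}"
CONTAINER="${CONTAINER:-app1}"
CHILD_IF="${CHILD_IF:-mv5}"
KIND="${KIND:-macvlan}"          # macvlan or ipvlan
DRY_RUN="${DRY_RUN:-0}"

# Run a privileged command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Docker does not register the container's netns with iproute2, so resolve
# the container's init PID and expose /proc/<pid>/ns/net under /var/run/netns.
container_pid() {
    docker inspect -f '{{.State.Pid}}' "$1"
}

# attach_child <parent> <container> <child_if> <pid> <kind>
# kind=macvlan: child gets its own MAC; the kernel muxes on destination MAC,
#   so the container sees only frames for its MAC (plus broadcast/multicast).
# kind=ipvlan:  child shares the parent's MAC; the kernel muxes on the
#   destination IP instead, so the switch sees a single MAC for all children.
attach_child() {
    parent="$1"; container="$2"; child="$3"; pid="$4"; kind="${5:-macvlan}"
    tmp="tmp_$child"

    run mkdir -p /var/run/netns
    run ln -sf "/proc/$pid/ns/net" "/var/run/netns/$container"

    case "$kind" in
        macvlan) run ip link add "$tmp" link "$parent" type macvlan mode bridge ;;
        ipvlan)  run ip link add "$tmp" link "$parent" type ipvlan mode l2 ;;
        *) echo "unknown kind: $kind" >&2; return 1 ;;
    esac

    # Move the child into the container netns and give it its final name.
    run ip link set "$tmp" netns "$container"
    run ip netns exec "$container" ip link set "$tmp" name "$child"
    run ip netns exec "$container" ip link set "$child" up

    # DHCP from inside the container's namespace. With macvlan the lease is
    # keyed on the child's unique MAC. With ipvlan all children share the
    # parent's MAC, so the DHCP server must key on a client identifier instead;
    # dhclient sends one when the client config sets send dhcp-client-identifier.
    run ip netns exec "$container" dhclient -v "$child"
}

# Caveat the answer does not spell out: with macvlan in bridge mode, the host
# itself cannot reach the child through the parent NIC. If host<->container
# traffic is needed, give the host its own macvlan child on the same parent.
main() {
    pid="$(container_pid "$CONTAINER")"
    attach_child "$PARENT" "$CONTAINER" "$CHILD_IF" "$pid" "$KIND"
}

# Only run main when executed directly, not when sourced for testing.
[ "${0##*/}" = "attach_child.sh" ] && main
```

Once the child is up, every IP packet arriving on eth5 for the container's DHCP-assigned address is delivered to the container directly, with no iptables DNAT rule and no per-port mapping, which is what the question asks for. Removing the interface is simply `ip netns exec app1 ip link del mv5` (the container netns symlink can then be unlinked).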
