vhost0@eth0 is using the same IP as eth0 -> this is an IP collision, how to do better?

murkus

By murkus
in Docker Engine

Go to solution Solved by murkus,

Recommended Posts

murkus Apprentice

murkus

Posted
Posted

arpwatch and truenas are complaining that the IP of my unraid server is flapping between the MAC of its eth0 (one of 4 interfaces, but eth1-3 are not used) and vhost0@eth0. And from all I know about IP networking having two interfaces with different MACs using the same IP is not a good condition.

 

I have investigated a little and it looks like vhost0@eth0 is there even if docker is off, but then it has no IP assigned. If I turn docker on, it gets the IP of eth0 assigned. (VM manager is using virbr0, which uses a different IP and also goes away when turnin VM manager off)

The curious thing is that vhost0 hast a routing metric of 0 and is thus preferred over eth0 (metric 1007).

 

Such a construct is unseen on all of my Debian docker hosts, so it is certainly possible to have docker working fine without such a unsane setup.

 

Is it possible to run unraid with docker in a way that each interface has an on IP (without assigning individual non-docker-network IPs to the containers), and how?

 

Link to comment
ich777 Grand Master

ich777

Posted
Posted
1 hour ago, murkus said:

Is it possible to run unraid with docker in a way that each interface has an on IP (without assigning individual non-docker-network IPs to the containers), and how?

You should really include your Diagnostics since no one knows how your Unraid server is configured in terms of network.

 

This would be also be better suited in the Bug Reports subforums however, I think you are the first that reports such an issue.

@JorgeB & @itimpi & @JonathanM did you hear about that before?

Link to comment
murkus Apprentice

murkus

Posted
  • Author
Posted

I am not the first, when I searched for the problem in the forum I found 5+ threads of people reporting this and asking for help and others commenting +1. Unfortunately none of the threads received any working help.

Link to comment
  • Solution
murkus Apprentice

murkus

Posted
  • Author
  • Solution
Posted

I investigated further wit different settings for Docker and I found that vhost0@eth0 will only then get an IP (and then it is the same IP as eth0) if both of these are enabled (if only one of these is enabled, vhost0 does not get an IP):

  • Host access to custom networks
  • IPv4 custom network on interface eth0 (optional)

I have no ides why both were enabled on my server (and it is quite possible I did this myself without knowing what I was doing).

 

Just to clarify whether I really need those, could someone confirm or correct my assumptions:

  • IPv4 custom network on interface eth0 (optional): I only need this, if I want to have a containter to use an IP from the subnet in which the IP of eth0 is located. Correct?
  • Host access to custom networks: I only need this if the unraid host should access a service provided by some of the containers running on the the unraid host. Example an agent running natively on the unraid host needs to connect to a service (like NMS or backup) in a container. Correct?

 

 

Link to comment
ljm42 Experienced

ljm42

Posted
Posted
11 minutes ago, murkus said:

And I thought I had enable ipvlan, but actually macvlan is enabled. ipvlan is shown as an option, but it is greyed out and cannot be selected. Why would that be the case?

 

Most likely, you disabled bridging in order to enable macvlan. If you want to switch to ipvlan you need to re-enable bridging first. For more info see:

https://docs.unraid.net/unraid-os/release-notes/6.12.4/#fix-for-macvlan-call-traces

 

Being able to enable macvlan without getting call traces/crashes was a big enhancement of 6.12.4. A side effect of the network changes is that your router may complain about duplicate IPs on different interfaces. Aside from the complaint from your router it should not cause any actual problems.

Link to comment
JorgeB Grand Master

JorgeB

Posted
Posted
15 minutes ago, murkus said:

ipvlan is shown as an option, but it is greyed

That will happen if bridging is disabled, enable bridging and you can use ipvlan, and with ipvlan you should no longer see the IP collision warning, I believe that only for users that really need to use macvlan, the IP collision can be an issue.

Link to comment
murkus Apprentice

murkus

Posted
  • Author
Posted

@ljm42 @JorgeB thanks I got that working now.

For the benefit of all people who had the same problem and posted to a bunch of other threads (which have been leinked to this thread now) here is my summary of what I have learnt:

 

  • to be able to use macvlan driver for docker: disable bridging in network settings; here eth0 and possibly vhost0@eth0 have the IP address of the unraid host
  • to be able to use ipvlan driver for docker: enable bridging in network settings; here eth0 has no IP address, but is connected to br0 which has the IP address of the unraid host
  • to avoid vhost0@eth0 to use the same IP as eth0 (will be alarmed by arpwatch, pfSense, TrueNAS, etc.): do no NOT enable BOTH of IPv4 custom network on interface eth0 (optional) (default is ON) and Host access to custom networks (default is OFF)

I am currently using these settings successfully:

  • in this setting eth0-eth3 have no IP address but are connected to the bridge br0, which has the IP address of the unraid host 
  • network settings: Bridging: yes
  • docker settings: Docker custom network type: ipvlan;  Host access to custom networks: disabled; IPv4 custom network on interface eth0 (optional): enabled
  • Like 1
Link to comment
aglyons Explorer

aglyons

Posted
Posted
On 3/7/2024 at 6:40 PM, murkus said:

to avoid vhost0@eth0 to use the same IP as eth0 (will be alarmed by arpwatch, pfSense, TrueNAS, etc.): do no NOT enable BOTH of IPv4 custom network on interface eth0 (optional) (default is ON) and Host access to custom networks (default is OFF)

 

Does this step not interfere with the new workaround to solve the MACVLAN call trace issues? In the config docs it states "Settings > Docker > Host access to custom networks = Enabled". If I recall correctly, this was required to allow the workaround to function properly as a custom network is created when docker is started.

 

Link to comment
murkus Apprentice

murkus

Posted
  • Author
Posted (edited)
On 3/9/2024 at 11:57 PM, aglyons said:

 

Does this step not interfere with the new workaround to solve the MACVLAN call trace issues? In the config docs it states "Settings > Docker > Host access to custom networks = Enabled". If I recall correctly, this was required to allow the workaround to function properly as a custom network is created when docker is started.

 

 

no problems here so far, but note that I have enabled bridging and I use ipvlan driver for Docker.
The recommendation you mentioned is for the case when people use macvlan driver for Docker and no bridging because they otherwise had problems with network equipement (Fritzbox, Unifi).
However, I do not experience problems with the Unifi network application and the IP-flapping issue with arpwatch and truenas is resolved now, although I am using ipvlan.
 

Edited by murkus
Link to comment
murkus Apprentice

murkus

Posted
  • Author
Posted
On 3/9/2024 at 11:57 PM, aglyons said:

 

Does this step not interfere with the new workaround to solve the MACVLAN call trace issues? In the config docs it states "Settings > Docker > Host access to custom networks = Enabled". If I recall correctly, this was required to allow the workaround to function properly as a custom network is created when docker is started.

 

maybe @ljm42 or @JorgeB have some comment about your concern

Link to comment
aglyons Explorer

aglyons

Posted
Posted
On 3/7/2024 at 12:03 PM, ljm42 said:

 

Most likely, you disabled bridging in order to enable macvlan. If you want to switch to ipvlan you need to re-enable bridging first. For more info see:

https://docs.unraid.net/unraid-os/release-notes/6.12.4/#fix-for-macvlan-call-traces

 

Being able to enable macvlan without getting call traces/crashes was a big enhancement of 6.12.4. A side effect of the network changes is that your router may complain about duplicate IPs on different interfaces. Aside from the complaint from your router it should not cause any actual problems.

 

I think this may be causing problems when it comes to VM's going through the MACVTAP. I posted a new thread as it's similar but not the same.

 

 

What do you think @JorgeB ?

 

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing