No Connectivity to unRAID from Docker Containers


Hello,

 

I have all my dockers on Br0.  unRAID is set to a static IP.  Only one NIC. When I "docker exec -it <DOCKERNAME> /bin/bash" I can ping any other container and get a response, but I do not get a response from unRAID.  They are all on the same subnet.  

 

Thoughts?

Edited by smdion

On 6/13/2017 at 0:26 AM, smdion said:

Hello,

 

I have all my dockers on Br0.  unRAID is set to a static IP.  Only one NIC. When I "docker exec -it <DOCKERNAME> /bin/bash" I can ping any other container and get a response, but I do not get a response from unRAID.  They are all on the same subnet.  

 

Thoughts?

This is by design of macvlan used in Docker. The note below is from the Docker documentation:

  • Note: In Macvlan you are not able to ping or communicate with the default namespace IP address. For example, if you create a container and try to ping the Docker host’s eth0 it will not work. That traffic is explicitly filtered by the kernel modules themselves to offer additional provider isolation and security.

Yes, you need to give it an IP address and it will be automatically available as a network choice for the docker containers.

Edited by bonienl

16 minutes ago, zin105 said:

I haven't tried 6.4 yet but is there a big warning that unraid won't be able to talk to the container? I feel like that's a pretty big downside that people need to know about 

 

Only if you're using macvlan.  If you don't change the setup config it'll work the same as always

43 minutes ago, zin105 said:

I haven't tried 6.4 yet but is there a big warning that unraid won't be able to talk to the container? I feel like that's a pretty big downside that people need to know about 

This is a big misconception.

First, you can access containers as before. No change.

Second, when intercontainer communication is required, make sure they are all in the same custom network, e.g. br0.

Third, access to unRAID is still possible thru folder mappings.

In short there are no show stoppers.

 

 

5 minutes ago, zin105 said:

Pi-hole container and using that as the DNS on my unRAID box does not work on 6.3.5 when using macvlan, can you confirm that works in 6.4? If not then I think that's a show stopper.

I am not using Pi-hole container myself, what is the reason you want to run that on a custom network (macvlan) and not as host network?

For me the word "show stopper" means there is something seriously wrong. In this case there isn't. Docker implementation with macvlan prevents a Docker container from talking to its own host, since this is considered a security breach. Remember that containers are closed environments.

 

Let me give an example to explain the security aspect.

 

Say your unRAID server is 192.168.1.100

You create a container, e.g. webserver with address 192.168.1.200 and open your firewall for outside sources to reach this address.

 

Now if somebody is able to compromise your container at address 192.168.1.200 he won't be able to access your unRAID server (host) on address 192.168.1.100.

 

Edited by bonienl
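The isolation described in the post above can be audited from `docker network inspect` output. The following is an added example, not part of the original thread or of unRAID: the sample JSON is constructed from the addresses in the post, and the container names, function names and the "reachable" default for non-macvlan drivers are assumptions.

```python
import ipaddress
import json

# Constructed sample shaped like `docker network inspect br0 bridge` output,
# using the addresses from the post above. Not captured from a real server.
SAMPLE_INSPECT = json.dumps([
    {"Name": "br0", "Driver": "macvlan", "Options": {"parent": "br0"},
     "IPAM": {"Config": [{"Subnet": "192.168.1.0/24", "Gateway": "192.168.1.1"}]},
     "Containers": {"c1": {"Name": "webserver", "IPv4Address": "192.168.1.200/24"}}},
    {"Name": "bridge", "Driver": "bridge", "Options": {},
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
     "Containers": {"c2": {"Name": "grafana", "IPv4Address": "172.17.0.2/16"}}},
])

def host_access(driver):
    """Classify whether a container on this network driver can reach its host."""
    if driver == "macvlan":
        return "filtered"      # kernel drops container <-> host traffic
    if driver == "null":
        return "no-network"    # the `none` network has no interfaces at all
    return "reachable"         # assumption: bridge/host style networking

def audit_host_reachability(inspect_json, host_ip):
    """Return one row per attached container with its host-access class."""
    host = ipaddress.ip_address(host_ip)
    rows = []
    for net in json.loads(inspect_json):
        configs = (net.get("IPAM") or {}).get("Config") or []
        subnets = [ipaddress.ip_network(c["Subnet"]) for c in configs if c.get("Subnet")]
        for info in (net.get("Containers") or {}).values():
            rows.append({
                "container": info.get("Name"),
                "network": net.get("Name"),
                "address": info.get("IPv4Address", "").split("/")[0],
                # Same subnet does NOT imply reachability on macvlan.
                "shares_host_subnet": any(host in s for s in subnets),
                "host_access": host_access(net.get("Driver", "")),
            })
    return rows

def can_reach_host(rows):
    """Containers whose compromise would give a network path to the host."""
    return sorted(r["container"] for r in rows if r["host_access"] == "reachable")

if __name__ == "__main__":
    for row in audit_host_reachability(SAMPLE_INSPECT, "192.168.1.100"):
        print(row)
```

On a live system the input would come from `docker network inspect` run over every network; containers listed by `can_reach_host` are the ones to review before exposing them through the firewall.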

I read somewhere that you could configure the host to communicate via the macvlan.  Maybe this is a request for enhancement. 

57 minutes ago, aim60 said:

I read somewhere that you could configure the host to communicate via the macvlan.  Maybe this is a request for enhancement. 

 

Do you have a reference?

 

Not sure if it is possible, but if it is, then it can be added.

  • Author

I would agree that it's not a showstopper of core unRAID features, but a warning or FYI would be nice for those of us that tinker and go above and beyond core functionality. 

Edited by smdion

  • Author

So, the workaround is to install eth1, have it on the same subnet as br0 and have the containers talk to the eth1 address of unRAID?

6 hours ago, smdion said:

but a warning or FYI would be nice for those of us that tinker

 

I would consider this topic itself to be the "warning" in this case.  It's very hard to know all the ways someone might be experimenting and how our changes might affect that.

7 hours ago, bonienl said:

 

Do you have a reference?

 

Not sure if it is possible, but if it is, then it can be added.

Don't know enough to know if these are kluges or solutions good enough for a production system.

 

This is one example:

https://www.furorteutonicus.eu/2013/08/04/enabling-host-guest-networking-with-kvm-macvlan-and-macvtap/

A Google search of "assign macvlan to host" comes up with several hits.

 

Hopefully, a solution can be implemented so that dockers with their own IPs, VMs, and the host can all talk.

  • Author
On 6/14/2017 at 3:44 AM, bonienl said:

Yes, you need to give it an IP address and it will be automatically available as a network choice for the docker containers.

Is it possible to set unRAID's emhttp/nginx to only listen on one IP?

  • Author
10 minutes ago, jonathanm said:

Not if you want both http and https.

What if I'm okay with just HTTP

On 6/14/2017 at 3:10 AM, bonienl said:

Docker implementation with macvlan prevents a Docker container from talking to its own host, since this is considered a security breach. Remember that containers are closed environments.

 

I think I'm looking for pretty much the same thing as @smdion, so hopefully he won't mind if I jump in...

Here's what I'm looking for:

  • I want the unRAID gui to run on port 443 on the main IP
  • I want my LetsEncrypt container to run on port 443 on a different IP
  • I want the LetsEncrypt container to be able to reverse proxy the unRAID gui

My motherboard does have 2 NICs, but I currently only have one plugged in.  I have no VLANs or other complications.  Is there a way (perhaps via the second nic?)  to allow my LetsEncrypt container to access the webgui?

  • Author
14 hours ago, ljm42 said:

 

I think I'm looking for pretty much the same thing as @smdion, so hopefully he won't mind if I jump in...

Here's what I'm looking for:

  • I want the unRAID gui to run on port 443 on the main IP
  • I want my LetsEncrypt container to run on port 443 on a different IP
  • I want the LetsEncrypt container to be able to reverse proxy the unRAID gui

My motherboard does have 2 NICs, but I currently only have one plugged in.  I have no VLANs or other complications.  Is there a way (perhaps via the second nic?)  to allow my LetsEncrypt container to access the webgui?

 

 

Yep... that's what I'm doing, but using vhosts to only allow access from known/internal IPs.  I also have a few scripts that update InfluxDB for my Grafana dashboard.

 

I can also confirm that adding a 2nd NIC on a different VLAN does not resolve the issue.  The containers running on eth1 still do not have access to the host via either IP set to unRAID.

Edited by smdion

4 hours ago, smdion said:

I can also confirm that adding a 2nd NIC on a different VLAN does not resolve the issue.  The containers running on eth1 still do not have access to the host via either IP set to unRAID.

 

That is expected behavior of Docker.

Archived

This topic is now archived and is closed to further replies.
