June 12, 2017 Hello, I have all my dockers on Br0. unRAID is set to a static IP. Only one NIC. When I "docker exec -it <DOCKERNAME> /bin/bash" I can ping any other container and get a response, but I do not get a response from unRAID. They are all on the same subnet. Thoughts? Edited June 12, 2017 by smdion
June 14, 2017 On 6/13/2017 at 0:26 AM, smdion said: Hello, I have all my dockers on Br0. unRAID is set to a static IP. Only one NIC. When I "docker exec -it <DOCKERNAME> /bin/bash" I can ping any other container and get a response, but I do not get a response from unRAID. They are all on the same subnet. Thoughts?
This is by design of macvlan used in Docker. The note below is from the Docker documentation: Note: In Macvlan you are not able to ping or communicate with the default namespace IP address. For example, if you create a container and try to ping the Docker host's eth0 it will not work. That traffic is explicitly filtered by the kernel modules themselves to offer additional provider isolation and security.
June 14, 2017 Yes, you need to give it an IP address and it will be automatically available as a network choice for the docker containers. Edited June 14, 2017 by bonienl
June 14, 2017 16 minutes ago, zin105 said: I haven't tried 6.4 yet but is there a big warning that unraid won't be able to talk to the container? I feel like that's a pretty big downside that people need to know about
Only if you're using macvlan. If you don't change the setup config it'll work the same as always.
June 14, 2017 43 minutes ago, zin105 said: I haven't tried 6.4 yet but is there a big warning that unraid won't be able to talk to the container? I feel like that's a pretty big downside that people need to know about
This is a big misconception. First, you can access containers as before. No change. Second, when inter-container communication is required, make sure they are all in the same custom network, e.g. br0. Third, access to unRAID is still possible through folder mappings. In short, there are no show stoppers.
June 14, 2017 5 minutes ago, zin105 said: Pi-hole container and using that as the DNS on my unRAID box does not work on 6.3.5 when using macvlan, can you confirm that works in 6.4? If not then I think that's a show stopper.
I am not using the Pi-hole container myself; what is the reason you want to run that on a custom network (macvlan) and not as host network?
June 14, 2017 For me the words "show stopper" mean there is something seriously wrong. In this case there isn't. The Docker implementation with macvlan prevents a Docker container from talking to its own host, since this is considered a security breach. Remember that containers are closed environments. Let me give an example to explain the security aspect. Say your unRAID server is 192.168.1.100. You create a container, e.g. a webserver with address 192.168.1.200, and open your firewall for outside sources to reach this address. Now if somebody is able to compromise your container at address 192.168.1.200 he won't be able to access your unRAID server (host) on address 192.168.1.100. Edited June 14, 2017 by bonienl
June 14, 2017 I read somewhere that you could configure the host to communicate via the macvlan. Maybe this is a request for enhancement.
June 14, 2017 57 minutes ago, aim60 said: I read somewhere that you could configure the host to communicate via the macvlan. Maybe this is a request for enhancement.
Do you have a reference? Not sure if it is possible, but if it is, then it can be added.
June 14, 2017 Author I would agree that it's not a showstopper of core unRAID features, but a warning or FYI would be nice for those of us that tinker and go above and beyond core functionality. Edited June 14, 2017 by smdion
June 14, 2017 Author So, the workaround is to install eth1, have it on the same subnet as br0 and have the containers talk to the eth1 address of unRAID?
June 14, 2017 6 hours ago, smdion said: but a warning or FYI would be nice for those of us that tinker
I would consider this topic itself to be the "warning" in this case. It's very hard to know all the ways someone might be experimenting and how our changes might affect that.
June 14, 2017 7 hours ago, bonienl said: Do you have a reference? Not sure if it is possible, but if it is, then it can be added.
Don't know enough to know if these are kludges or solutions good enough for a production system. This is one example: https://www.furorteutonicus.eu/2013/08/04/enabling-host-guest-networking-with-kvm-macvlan-and-macvtap/ A Google search of "assign macvlan to host" comes up with several hits. Hopefully, a solution can be implemented so that dockers with their own IPs, VMs, and the host can all talk.
June 15, 2017 7 hours ago, aim60 said: This is one example: https://www.furorteutonicus.eu/2013/08/04/enabling-host-guest-networking-with-kvm-macvlan-and-macvtap/
This example is for VMs but doesn't work for Dockers.
June 17, 2017 Author On 6/14/2017 at 3:44 AM, bonienl said: Yes, you need to give it an IP address and it will be automatically available as a network choice for the docker containers.
Is it possible to set unRAID's emhttp/nginx to only listen on one IP?
June 17, 2017 Author 10 minutes ago, jonathanm said: Not if you want both http and https.
What if I'm okay with just HTTP?
June 19, 2017 On 6/14/2017 at 3:10 AM, bonienl said: The Docker implementation with macvlan prevents a Docker container from talking to its own host, since this is considered a security breach. Remember that containers are closed environments.
I think I'm looking for pretty much the same thing as @smdion, so hopefully he won't mind if I jump in... Here's what I'm looking for:
I want the unRAID gui to run on port 443 on the main IP
I want my LetsEncrypt container to run on port 443 on a different IP
I want the LetsEncrypt container to be able to reverse proxy the unRAID gui
My motherboard does have 2 NICs, but I currently only have one plugged in. I have no VLANs or other complications. Is there a way (perhaps via the second NIC?) to allow my LetsEncrypt container to access the webgui?
June 19, 2017 This article: http://hicu.be/docker-networking-macvlan-bridge-mode-configuration offers a hint: If you need direct connectivity between the container and the docker host, configure a macvlan subinterface on the host.
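The "macvlan subinterface on the host" hint above is the usual workaround for the host/container isolation discussed earlier in this thread. The script below is an added example, not from the thread, unRAID or Docker, that sets up such a shim; the parent NIC eth0, the shim address 192.168.1.250 and the container range 192.168.1.192/27 are constructed values you would replace with your own.

```shell
#!/bin/sh
# Added example, not from the thread or from unRAID/Docker: give the Docker
# host a macvlan "shim" sub-interface so it can reach containers on the
# macvlan network, which the kernel otherwise blocks from the parent NIC.
# Assumed/constructed values: parent eth0, shim IP 192.168.1.250, container
# range 192.168.1.192/27. Needs root to apply; DRY_RUN=1 only prints commands.
PARENT="${PARENT:-eth0}"
SHIM="${SHIM:-macvlan-shim}"
SHIM_IP="${SHIM_IP:-192.168.1.250}"
CONTAINER_RANGE="${CONTAINER_RANGE:-192.168.1.192/27}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a dotted quad with each octet in 0..255 (POSIX sh, no regex).
valid_ipv4() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Create the shim, give it a /32 so it never claims the parent's subnet,
# and route only the container range through it: the host gets a path to
# its containers without re-exposing the whole LAN segment via the shim.
macvlan_shim_up() {
  valid_ipv4 "$SHIM_IP" || { echo "invalid SHIM_IP: $SHIM_IP" >&2; return 1; }
  run ip link add "$SHIM" link "$PARENT" type macvlan mode bridge
  run ip addr add "$SHIM_IP/32" dev "$SHIM"
  run ip link set "$SHIM" up
  run ip route add "$CONTAINER_RANGE" dev "$SHIM"
}

# Undo: deleting the link also drops its address and the route through it.
macvlan_shim_down() {
  run ip link del "$SHIM"
}

case "${1:-}" in
  up) macvlan_shim_up ;;
  down) macvlan_shim_down ;;
esac
```

Routing only the container range through the shim keeps the isolation bonienl describes for the rest of the segment; note the shim is not persistent and has to be recreated at boot (for example from a go/startup script).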
June 19, 2017 Author 14 hours ago, ljm42 said: I think I'm looking for pretty much the same thing as @smdion, so hopefully he won't mind if I jump in... Here's what I'm looking for: I want the unRAID gui to run on port 443 on the main IP. I want my LetsEncrypt container to run on port 443 on a different IP. I want the LetsEncrypt container to be able to reverse proxy the unRAID gui. My motherboard does have 2 NICs, but I currently only have one plugged in. I have no VLANs or other complications. Is there a way (perhaps via the second NIC?) to allow my LetsEncrypt container to access the webgui?
Yep, that's what I'm doing, but using vhosts to only allow access from known/internal IPs. I also have a few scripts that update InfluxDB for my Grafana dashboard. I can also confirm that adding a 2nd NIC on a different VLAN does not resolve the issue. The containers running on eth1 still do not have access to the host via either IP set to unRAID. Edited June 19, 2017 by smdion
June 19, 2017 4 hours ago, smdion said: I can also confirm that adding a 2nd NIC on a different VLAN does not resolve the issue. The containers running on eth1 still do not have access to the host via either IP set to unRAID.
That is expected behavior of Docker.