ken-ji

[6.3.0+] How to setup Dockers without sharing unRAID IP address

49 posts in this topic

1 minute ago, CHBMB said:

Errr, I've kinda changed my approach now, doing it all at the firewall level.  But I did enjoy messing around with the macvlan stuff and I can definitely see how it would be very useful for others.

 

Your firewall solution is good, but with macvlan support you can do more... :)

 

E.g. it allows you to give individual dockers their own IP address (either dynamically or statically).

Say you want to run two web servers and both use port 80, this becomes a very easy task.

Docker isolation is also made very easy, e.g. run a docker within its own (local) network segment

14 minutes ago, CHBMB said:

 

Thanks but I had it setup already since I found the guide over at Reddit a few days ago. Thanks though!

13 minutes ago, bonienl said:

Perhaps you would be interested to know that macvlan support is added in the upcoming version of unRAID, it allows you to select additional 'custom' networks from the GUI.

 

 

When is this coming?? I'm excited now :D


Yeah, that's where I started but it didn't work until I figured out the aliases.

Sent from my LG-H815 using Tapatalk


2 minutes ago, jrdnlc said:

 

When is this coming?? I'm excited now :D

 

Soon™ :)

 

Remember we are talking Release Candidate (RC) here, in other words for testing purposes and feedback!

Edited by bonienl

This all sounds very interesting but I'm afraid I'm a little short on the background to understand most of this. Could someone point me to a good vlan for dummies guide.

1 minute ago, wgstarks said:

This all sounds very interesting but I'm afraid I'm a little short on the background to understand most of this. Could someone point me to a good vlan for dummies guide.

 

Actually macvlan is the solution used by Docker, but from a GUI perspective this is hidden and the user is just presented with some additional network choices and doesn't need to worry about the underlying translation.

 

 
Your firewall solution is good, but with macvlan support you can do more...
 
E.g. it allows you to give individual dockers their own IP address (either dynamically or statically).
Say you want to run two web servers and both use port 80, this becomes a very easy task.
Docker isolation is also made very easy, e.g. run a docker within its own (local) network segment

Oh yeah, absolutely, I just don't need to.... yet. Never say never.

Sent from my LG-H815 using Tapatalk

1 minute ago, CHBMB said:


Oh yeah, absolutely, I just don't need to.... yet. Never say never.
 

 

Yeah right... you don't have two or more dockers claiming the same TCP port :) 


I do, but atm it's as easy to change port as it is to change the ip. What macvlan will help me out with is testing. Currently got 4 instances of MariaDB and 3 instances of Nextcloud.

Sent from my LG-H815 using Tapatalk


You know what they say about Rome... there are several ways to go there!

 

Not sure if that is true after Brexit ;)

 

18 hours ago, bonienl said:

 

Your firewall solution is good, but with macvlan support you can do more... :)

 

E.g. it allows you to give individual dockers their own IP address (either dynamically or statically).

Say you want to run two web servers and both use port 80, this becomes a very easy task.

Docker isolation is also made very easy, e.g. run a docker within its own (local) network segment

 

The only thing needed is fitting this nicely in the interface, now if we could find someone who would be amazing at that....

1 hour ago, Helmonder said:

 

The only thing needed is fitting this nicely in the interface, now if we could find someone who would be amazing at that....

 

Just a little more patience...


I just can't get this to work. When I try to access the WebUI of my container it times out. 

 

Here's a link to my network page; Picture

 

The IP address details are:
unRAID = 192.168.1.216
Gateway/router = 192.168.1.1
Subnet = 192.168.1.0/24

 

The command I wrote;

docker network create \
-o parent=br1 \
--driver macvlan \
--subnet 192.168.1.0/24 \
--ip-range 192.168.1.128/25 \
--gateway 192.168.1.1 \
docker1

 

Here's a link to the docker settings in question; Picture

 

Update; Here's the output of the commands listed in the OP. And yes, the container is started fully (green play button).

 

root@HTPC:~# docker inspect duplicati | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "",
                    "IPAddress": "192.168.1.213",
root@HTPC:~# docker exec duplicati ping www.google.com
rpc error: code = 2 desc = containerd: container not started

 

This is the output of a different container I tried it on. Gives a different result.

 

root@HTPC:~# docker exec observium ping www.google.com
ping: unknown host www.google.com
root@HTPC:~# docker exec observium ping 8.8.8.8
connect: Network is unreachable

 

Edited by zin105
11 hours ago, zin105 said:

I just can't get this to work. When I try to access the WebUI of my container it times out. 

 

Here's a link to my network page; Picture

 

The IP address details are:
unRAID = 192.168.1.216
Gateway/router = 192.168.1.1
Subnet = 192.168.1.0/24

 

The command I wrote;

docker network create \
-o parent=br1 \
--driver macvlan \
--subnet 192.168.1.0/24 \
--ip-range 192.168.1.128/25 \
--gateway 192.168.1.1 \
docker1

 

Here's a link to the docker settings in question; Picture

 

Update; Here's the output of the commands listed in the OP. And yes, the container is started fully (green play button).

 


root@HTPC:~# docker inspect duplicati | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "",
                    "IPAddress": "192.168.1.213",
root@HTPC:~# docker exec duplicati ping www.google.com
rpc error: code = 2 desc = containerd: container not started

 

This is the output of a different container I tried it on. Gives a different result.

 


root@HTPC:~# docker exec observium ping www.google.com
ping: unknown host www.google.com
root@HTPC:~# docker exec observium ping 8.8.8.8
connect: Network is unreachable

Do it like this instead FPA0ZpW.png

 

11 hours ago, zin105 said:

I just can't get this to work. When I try to access the WebUI of my container it times out. 

 

Here's a link to my network page; Picture

 

The IP address details are:
unRAID = 192.168.1.216
Gateway/router = 192.168.1.1
Subnet = 192.168.1.0/24

 

The command I wrote;

docker network create \
-o parent=br1 \
--driver macvlan \
--subnet 192.168.1.0/24 \
--ip-range 192.168.1.128/25 \
--gateway 192.168.1.1 \
docker1

 

Here's a link to the docker settings in question; Picture

 

Update; Here's the output of the commands listed in the OP. And yes, the container is started fully (green play button).

 


root@HTPC:~# docker inspect duplicati | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "",
                    "IPAddress": "192.168.1.213",
root@HTPC:~# docker exec duplicati ping www.google.com
rpc error: code = 2 desc = containerd: container not started

 

This is the output of a different container I tried it on. Gives a different result.

 


root@HTPC:~# docker exec observium ping www.google.com
ping: unknown host www.google.com
root@HTPC:~# docker exec observium ping 8.8.8.8
connect: Network is unreachable

 

Can you also show the outputs of

docker ps -a

and

docker exec [container] ip route

 

The errors seem to be related to something else.

 

Also, your unraid server is in the same group of addresses you told docker to use.

This is not a problem yet, but could be when something decides to use the same address by chance (unless all your dockers will have static ips)

Edited by ken-ji
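The overlap raised in the post above, checked in code. This is an added example, not part of the original posts: it validates a macvlan address plan using the subnet, ip-range, gateway and unRAID address posted in the thread. The function names and the `LAN_HOSTS` mapping are assumptions made for illustration.

```python
import ipaddress

def check_macvlan_plan(subnet, ip_range, gateway, lan_hosts, static_ips):
    """Findings for a macvlan plan. lan_hosts: name -> address in use on the
    LAN outside Docker; static_ips: container -> address passed with --ip."""
    net = ipaddress.ip_network(subnet)
    pool = ipaddress.ip_network(ip_range)
    gw = ipaddress.ip_address(gateway)
    hosts = {n: ipaddress.ip_address(a) for n, a in lan_hosts.items()}
    findings = []
    if not pool.subnet_of(net):
        findings.append(f"ip-range {pool} is not inside subnet {net}")
    if gw not in net:
        findings.append(f"gateway {gw} is not inside subnet {net}")
    # Docker's IPAM only tracks its own allocations, so a LAN host that sits
    # inside the pool can later be handed to a container as a dynamic address.
    for name, ip in hosts.items():
        if ip in pool:
            findings.append(f"{name} {ip} is inside ip-range {pool}")
    for ctr, addr in static_ips.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            findings.append(f"{ctr} {ip} is outside subnet {net}")
        for name, host_ip in hosts.items():
            if ip == host_ip:
                findings.append(f"{ctr} {ip} duplicates {name}")
    return findings

def clean_pools(ip_range, lan_hosts, new_prefix):
    """Blocks of size /new_prefix inside ip_range that contain no LAN host."""
    pool = ipaddress.ip_network(ip_range)
    used = [ipaddress.ip_address(a) for a in lan_hosts.values()]
    return [str(block) for block in pool.subnets(new_prefix=new_prefix)
            if not any(ip in block for ip in used)]

# Values posted in the thread; "router" is the gateway listed again as a host.
LAN_HOSTS = {"unRAID": "192.168.1.216", "router": "192.168.1.1"}
PLAN = dict(subnet="192.168.1.0/24", ip_range="192.168.1.128/25",
            gateway="192.168.1.1")

if __name__ == "__main__":
    for line in check_macvlan_plan(**PLAN, lan_hosts=LAN_HOSTS,
                                   static_ips={"duplicati": "192.168.1.213"}):
        print("finding:", line)
    print("host-free /27 pools:", clean_pools(PLAN["ip_range"], LAN_HOSTS, 27))
```

Any of the returned /27 blocks can be passed as `--ip-range` in place of 192.168.1.128/25 to keep dynamic assignments away from the server's own address.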
9 hours ago, ken-ji said:

Can you also show the outputs of

docker ps -a

and

docker exec [container] ip route

 

The errors seem to be related to something else.

 

Also, your unraid server is in the same group of addresses you told docker to use.

This is not a problem yet, but could be when something decides to use the same address by chance (unless all your dockers will have static ips)

 

Here you go; https://pastebin.com/eH0a3wi9

It's the HandBrake-container I'm doing my testing on atm, just to see if it works.

 

Ip-route shows eth0 which is strange since docker network inspect docker1 shows me "parent": "br1"

 

And yes I will use static IPs for everything.

10 hours ago, Porkie said:

 

The only things I see in that screenshot is that you have a manual WebUI address and --restart on-failure?

1 hour ago, zin105 said:

The only things I see in that screenshot is that you have a manual WebUI address and --restart on-failure?

Yes and look at your web ui link, it will not work with the [port] part, it needs a real link like mine. So just remove the brackets and the word port.

Edited by Porkie
3 hours ago, Porkie said:

Yes and look at your web ui link, it will not work with the [port] part, it needs a real link like mine. So just remove the brackets and the word port.

 

I wrote the webui manually when I tried. Anyways I changed it to a real link but made no difference. When I try to ping websites through the container it doesn't work so the problem is earlier than that.

Edited by zin105

Did you add the mac address and ip of the container as a static ip in your router? I'm using PFSense and I had to manually add them for them to show up in the dhcp leases. It might not even be that but worth a try.

1 hour ago, Porkie said:

Did you add the mac address and ip of the container as a static ip in your router? I'm using PFSense and I had to manually add them for them to show up in the dhcp leases. It might not even be that but worth a try.

It shouldn't show up in DHCP lease because if you're using a static IP you don't have a lease. I use multiple computers in my network static without a DHCP lease and it works fine.


SOLVED!

 

Thanks everyone for the help and sorry for taking your time, I should have mentioned I'm running unRAID under ESXi. This was the solution that I found;

 

If you use vCenter / VSphere / ESX / ESXi, set or ask your administrator to set Network Security Policies of the vSwitch as below:

  • Promiscuous mode: Accept
  • MAC address changes: Accept
  • Forged transmits: Accept
Edited by zin105

Hmm. Kinda assumed those were set since you were running a VM/container host under a hypervisor. But yeah, that's the last thing most people will think of.

Copyright © 2005-2017 Lime Technology, Inc. unRAID® is a registered trademark of Lime Technology, Inc.