将LAN IP地址分配给Docker容器，与主机的IP地址不同

Question

Am not well versed with Unix networking, adding virtual interfaces etc, trying to learn it now. We are trying to dockerize our application.
My requirement is : To assign an ip to a docker container which is accessible from an external application/browser.

The container ip should be pingable from a different computer in the same network basically.I don't want to use port forwarding.

1. I want to access a docker container just like we access a VM using an ip address.[ Without the port mapping, -p flag. If i run any server like Apache or Tomcat inside the container, it should be accessible using the container ip and port. For example: http://container_ip:8443]
   Is this possible in docker?

2. Running ifconfig on my Unix box(RHEL 7.1) shows docker0, ens,lo and veth interfaces. There is no eth0. Kind of confused on this.

Answer 1

I struggled to get that functionality, and I will share my experience and what I did to get exactly what you need.

The short answer:

You need to create your own bridge , connect your host's physical network interface to that bridge, and as well connect the virtual interfaces of each container you want to behave like a normal bridged vritual machine in your network, and then make the container chooses its own IP address when it starts.

The detailed answer:

Creating Persistence Network Bridge

The Bridge , is a device (in our case virtual device), which behaves similar to network swiches (operates mainly on network layer 2), ie, it can connect two or more network interfaces to be on the same local area network (LAN) if they have the same subnet .

You are going to create new persistence bridge br0 (it will get started automatically on system boot), add your physical network interface into it (in my case it is eth0 ). Note that after you add your interface to the bridge, the interface doesn't need IP address anymore, because the bridge will get IP address and can be used instead of your interface, ie, you can communicate using the bridge as if it were your physical interface and it will forward the in/out data packets to the correct destination. You don't need to assign any hardware (MAC address) to the bridge, it will automatically take the MAC of the first added interface.

Warning: It is highly recommended not to do these steps remotely except you have a physical access to your server! You may lose your connection to your server if you were not careful.

Install bridges managing utility:

 sudo apt install bridge-utils 

The system will not be able to create the bridge without bridge-utils package.

To create persistence bridge, edit interfaces file:

auto br0
iface br0 inet static
    bridge_ports eth0
    address 192.168.1.10
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

Add the follwing configuration to the end of the file (adapt them to suit your needs):

sudo systemctl stop docker
sudo ip link set dev docker0 down
sudo brctl delbr docker0

Now remove Docker's default bridge docker0, as we don't need it:

 sudo systemctl stop docker sudo ip link set dev docker0 down sudo brctl delbr docker0 

Edit Docker's service-start script to use your bridge (br0) instead of Docker's default bridge (docker0), and pass some important bridge parameters:

Ubuntu:

[Service]

ExecStart=/usr/bin/dockerd -H fd:// --bridge=br0 --fixed-cidr=192.168.1.32/27 --default-gateway=192.168.1.1

Adapt the file to look like this:

sudo systemctl daemon-reload

Now tell the system about the changes on that file:

sudo reboot

Reboot the system:

ip addr

Now check your bridge, it should be there!

  docker run --name myContainer \
  -it --restart always --memory 100M \
  --network bridge --cap-add NET_ADMIN \
  --hostname client1.noureldin.local \
  --add-host "client1.noureldin.local client1":192.168.1.123 \
  mnoureldin/general-purpose:latest /bin/bash -c " \
  ip addr flush dev eth0; \
  ip addr add 192.168.1.123/24 brd + dev eth0; \
  ip route add default via 192.168.1.1 dev eth0; \
  /bin/bash"

Now create your container like bellow, this will lead to give your container a fix IP :

  --network bridge --cap-add NET_ADMIN \
  ip addr flush dev eth0; \
  ip addr add 192.168.1.123/24 brd + dev eth0; \
  ip route add default via 192.168.1.1 dev eth0; \

The important part related to your network requirements is:

  --network bridge --cap-add NET_ADMIN \\ ip addr flush dev eth0; \\ ip addr add 192.168.1.123/24 brd + dev eth0; \\ ip route add default via 192.168.1.1 dev eth0; \\ 

Of course be sure that you installed iproute2 net-tools iputils-ping packages in your container to be able to execute the common network commands (giving the fixed ip done by ip command).

For the first time you run the container, you may NOT notice any changes in IP address, because your conainer probably doesn't have iproute2 package (ie there is not ip command) , just intall the mentioned packages and then restart the container and everything should be exactly as you want!

Hope that helps.

Answer 2

My current preferred approach with this is to use either the macvlan or ipvlan Docker network driver. I prefer macvlan as each container can have its own MAC address but some things like VMware don't like having multiple Mac addresses for a single virtualized nic and won't route traffic properly.

Setup is pretty straight forward. First you need to determine a few things.

• Subnet of your main network. Using 10.0.0.0/24 for this example
• Gateway of your network. Using 10.0.0.1 for the example
• IP range to use for allocating the ips from (you can statically assign ips outside this range when doing a Docker run if need be). For this example I will use 10.0.0.128/25. You will need a chunk of ips to let Docker manage so you will need to ensure these ips are not in use on your network.
• The name of the device you want to use for the traffic. For the example I will use eth0
• The name of the new Docker network you are going to create. Using “my net” for the example.

Next you create a new Docker network like so:

docker network create -d macvlan —-subnet 10.0.0.0/24 --ip-range 10.0.0.128/25 —-gateway 10.0.0.1 -o parent=eth0 mynet

Now when you start containers use

docker run —-network mynet .....

For more information see the docker docs: https://docs.docker.com/engine/userguide/networking/get-started-macvlan

One caveat to this approach is that macvlan/ipvlan dont seem to work very well with Docker for Mac. The HyperKit vm it creates is a bit of a black box. The macvlan/ipvlan approach requires a more controlled network that Docker for Mac doesn't give you. If you are trying to do this with Docker for Mac then I would suggest setting up a Docker Machine. The docs for how to do that are here: https://docs.docker.com/machine/get-started/ .

In this scenario, unless you like setting up routing rules on your Mac, you should have the docker machine use a bridged interface that the macvlan/ipvlan network can then be attached to. In my experience the need for a second NIC that is NAT'ed through the MacOS host is unnecessary but you may find something otherwise.