Reputation: 1721
I have a question regarding docker networking over (host) VLAN interfaces.
I tried to ssh out of a docker container to a server over a VLAN network, but the connection could not be established (time-out).
I have two machines (let's call them server and laptop) connected by
I tried to connect from a container on the laptop to the server via SSH, using the private network
Wireshark (listening on the laptop's VLAN interface) told me that a [SRV] package was sent, and the server responded with a [SRV, ACK]. However, the container seems not to have received this, which led to a [SRV, ACK] retransmission from the server AND also to new [SRV] packages from the container.
I started an nginx container listening on 0.0.0.0 (on all interfaces) - it was reachable from the public network, but not from the private network.
I installed nginx natively on the laptop, again listening on all interfaces. It was reachable over both networks, private and public.
So the problem seems to be related to "Docker and VLANs": Wireshark moreover suggests that "outgoing" works, but "incoming" does not.
Any ideas?
Upvotes: 3
Views: 16328
Reputation: 3055
At the moment the best option to do that is using the (currently) experimental feature "Ipvlan Network".
The Linux implementations are extremely lightweight because rather than using the traditional Linux bridge for isolation, they are simply associated to a Linux Ethernet interface or sub-interface to enforce separation between networks and connectivity to the physical network.
The documentation is quite large and can't be copied here; however, once the experimental version is installed, to create the ipvlan network and run a container attached to it you should run:
Ipvlan
    docker network create -d ipvlan \
        --subnet=192.168.1.0/24 \
        --gateway=192.168.1.1 \
        -o ipvlan_mode=l2 \
        -o parent=eth0 db_net
Start a container on the db_net network
    docker run --net=db_net -it --rm alpine /bin/sh
On that page there is much more to read.
A few notes:
-o ipvlan_mode= defaults to L2 mode if not specified.
The containers cannot ping the underlying host interfaces as they are intentionally filtered by Linux for additional isolation.
Experimental means it's considered not ready for production and could have some bugs. The documentation states that it's "provided for test and evaluation in your sandbox environments."
Upvotes: 3
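The answer above uses the bare physical NIC as parent; the question was about a tagged VLAN. The script below (an added example, not code from the answer or from Docker's documentation) does the same with an 802.1Q sub-interface as the ipvlan parent. All values are assumed: NIC eth0, VLAN id 100, subnet 192.168.100.0/24, gateway 192.168.100.1, network name vlan_net, container IP 192.168.100.50.

```shell
#!/bin/sh
# Added example (not code from the original answer): put containers on a
# tagged VLAN by giving the ipvlan network an 802.1Q sub-interface as parent.
# Assumed values: physical NIC eth0, VLAN id 100, subnet 192.168.100.0/24,
# gateway 192.168.100.1, network name vlan_net, container IP 192.168.100.50.
set -eu

PARENT_NIC="${PARENT_NIC:-eth0}"
VLAN_ID="${VLAN_ID:-100}"
SUBNET="${SUBNET:-192.168.100.0/24}"
GATEWAY="${GATEWAY:-192.168.100.1}"

# Name of the 802.1Q sub-interface for a NIC and VLAN id, e.g. eth0.100
vlan_ifname() { printf '%s.%s\n' "$1" "$2"; }

# Print (rather than run) the docker command that creates an L2 ipvlan
# network on the given parent, so the plan can be reviewed before applying.
ipvlan_create_cmd() {
  printf 'docker network create -d ipvlan --subnet=%s --gateway=%s -o ipvlan_mode=l2 -o parent=%s %s\n' \
    "$1" "$2" "$3" "$4"
}

# Create the VLAN sub-interface on the host if it is not there yet and bring
# it up; the parent NIC must sit on a trunk port that carries this VLAN.
ensure_vlan_if() {
  ifname=$(vlan_ifname "$1" "$2")
  if ! ip link show "$ifname" >/dev/null 2>&1; then
    ip link add link "$1" name "$ifname" type vlan id "$2"
  fi
  ip link set "$ifname" up
}

apply() {
  ifname=$(vlan_ifname "$PARENT_NIC" "$VLAN_ID")
  ensure_vlan_if "$PARENT_NIC" "$VLAN_ID"
  # None of the values contain whitespace, so word splitting runs the command.
  $(ipvlan_create_cmd "$SUBNET" "$GATEWAY" "$ifname" vlan_net)
  # The container owns an address on the VLAN; what it serves is reachable
  # from other hosts on that VLAN, but not from this host (see the note above).
  docker run --net=vlan_net --ip=192.168.100.50 -d --name vlan_test nginx:alpine
}

# Only touch the host when invoked as "sh script.sh apply"; otherwise just
# print the network command that would be run.
case "${1:-}" in
  apply) apply ;;
  *) ipvlan_create_cmd "$SUBNET" "$GATEWAY" "$(vlan_ifname "$PARENT_NIC" "$VLAN_ID")" vlan_net ;;
esac
```

Run it without arguments to see the exact docker command first, then with apply as root on the laptop; verify from the server with a plain `curl http://192.168.100.50/`, since the host itself is filtered off by design.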