Reputation: 751
Is it possible to pass through eth(n) to a Docker container without additional plugin installation?
In LXC/LXD it is easy with this command:
lxc config device add CONTAINER-NAME eth2 nic nictype=physical parent=eth2 name=eth2
Upvotes: 7
Views: 29981
Reputation: 176
It is possible to move a network interface into the container's network namespace (example based on my experience moving SR-IOV VF interfaces to a container):
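HOST_IFACE=enp4s6f5
CONT_IFACE_NAME=eth255
CONTAINER=debian-test
NSPID=$(docker inspect --format='{{ .State.Pid }}' "$CONTAINER")
# `ip netns exec` only accepts named namespaces, so expose the container's one under its PID
mkdir -p /var/run/netns
ln -sf "/proc/$NSPID/ns/net" "/var/run/netns/$NSPID"
# Move the host interface into the container's network namespace
ip link set "$HOST_IFACE" netns "$NSPID"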
In case the interface name matters, it is possible to change it before setting it up:
ip netns exec "$NSPID" ip link set "$HOST_IFACE" name "$CONT_IFACE_NAME"
Bring it up:
ip netns exec "$NSPID" ip link set "$CONT_IFACE_NAME" up
Upvotes: 13
Reputation: 7822
As of now, there is no mode or mechanism to pass a network interface directly to a container. However, there are network plugins that give Docker containers direct/passthrough access to the Ethernet networking device.
Bridge mode has one interface to the host namespace, and all containers on the host are attached to docker0 via a veth pair. Here, docker0 is a Linux bridge created by the Docker daemon. Docker assigns private IPs to the containers.
In host mode, the networking namespace of the host shall be shared with the outside world. Here port mapping can be used to reach services. Here, the container shares the IP of the Docker host. Kindly refer to Networking using host network. Host mode networking can be useful in situations where a container needs to handle a large range of ports.
Here is a reference to a sample application based on macvlan which can be helpful as well. You can use the macvlan network driver to assign a MAC address to each container’s virtual network interface, making it appear to be a physical network interface directly connected to the physical network. This ensures that for the network devices on your network, your container appears to be physically attached to the network.
Upvotes: 2
Reputation: 2115
You can't directly attach a NIC to a container, but you can use a MACVLAN network and use the NIC as the parent interface.
Check your NIC subnet:
ip addr show eth2
Should return something like:
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 172.16.86.250/24 brd 172.16.86.255 scope global eth2
Now create a MACVLAN network in the same subnet. I'm using 172.16.86.1 as the network gateway/router:
docker network create -d macvlan \
--subnet=172.16.86.0/24 \
--gateway=172.16.86.1 \
-o parent=eth2 docker_macvlan
Then start a container and attach it to the MACVLAN network, and give it an IP address in the same subnet as your NIC, say 172.16.86.15
docker run -itd --net=docker_macvlan --name macv1 --ip=172.16.86.15 ubuntu /bin/bash
Upvotes: 7
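The subnet check from the MACVLAN answer above, as an added example that is not part of the original posts: it parses `ip addr show` output, derives the subnet, and rejects a container IP that lies outside it or collides with the host NIC, gateway, network or broadcast address before building the two docker commands. The function names and the embedded sample output are assumptions made for illustration.

```python
import ipaddress
import re
import shlex

# Constructed sample, modelled on the `ip addr show eth2` output quoted in the answer.
SAMPLE_IP_ADDR = """\
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 172.16.86.250/24 brd 172.16.86.255 scope global eth2
"""

def parse_ip_addr(output):
    """Return (interface name, IPv4Interface) from `ip addr show <dev>` output."""
    name = re.search(r"^\d+:\s+([^:@\s]+)", output, re.M)
    inet = re.search(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+/\d+)", output, re.M)
    if not name or not inet:
        raise ValueError("no interface name or IPv4 address found")
    return name.group(1), ipaddress.ip_interface(inet.group(1))

def plan_macvlan(output, gateway, container_ip,
                 network="docker_macvlan", name="macv1"):
    """Validate the addresses and return the two docker commands as argv lists."""
    parent, host = parse_ip_addr(output)
    subnet = host.network  # e.g. 172.16.86.0/24 derived from 172.16.86.250/24
    gw = ipaddress.ip_address(gateway)
    ip = ipaddress.ip_address(container_ip)
    for label, addr in (("gateway", gw), ("container IP", ip)):
        if addr not in subnet:
            raise ValueError(f"{label} {addr} is outside {subnet}")
    # Addresses the container must not take: network, broadcast, host NIC, gateway.
    reserved = {subnet.network_address, subnet.broadcast_address, host.ip, gw}
    if ip in reserved:
        raise ValueError(f"container IP {ip} collides with a reserved address")
    create = ["docker", "network", "create", "-d", "macvlan",
              f"--subnet={subnet}", f"--gateway={gw}",
              "-o", f"parent={parent}", network]
    run = ["docker", "run", "-itd", f"--net={network}", "--name", name,
           f"--ip={ip}", "ubuntu", "/bin/bash"]
    return create, run

if __name__ == "__main__":
    # Print the commands for review instead of executing them.
    for argv in plan_macvlan(SAMPLE_IP_ADDR, "172.16.86.1", "172.16.86.15"):
        print(shlex.join(argv))
```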
Reputation: 241
It is not possible to pass a network interface directly to a container. The Docker daemon has a number of networks which containers can be attached to. These are usually virtual networks called bridge networks. The daemon acts as a router to the outside world.
There is however a host network which can be specified with the --network host option to docker run. The host network allows the container to access the host networking. This only works on Docker for Linux and not for Docker for Mac or Windows.
The usual way of accessing a container from outside is to map a port from the container to a port on the host. Requests to the mapped host port are routed to the container port.
Upvotes: 1