bcleonard / proxmox-qdevice


Does this container have to lock up port 22? #3

Open alichaudry opened 6 months ago

alichaudry commented 6 months ago

Specifically, is there a way to bind the 22 inside the container to something else outside the container? The reason is that I don't want to lock away port 22 as that's (obviously) used for SSH, so if this service binds to it I imagine OpenSSH will stop working. 5403 is fine as I'm not really using that.

And for the network setup, does it have to be a macvlan? I ask because the device I'm going to run this on flips to wifi sometimes if the ethernet is disrupted, so I'd want to continue the service when that happens.

bcleonard commented 6 months ago

According to the docs (https://pve.proxmox.com/wiki/Cluster_Manager#_corosync_external_vote_support), during the qdevice setup, ssh communication is used (either SSH key or password) to communicate with the QDevice. That requires ssh (port 22).

I'm not sure how you would get around that.

Proxmox itself requires sshd running on port 22. See https://pve.proxmox.com/wiki/Cluster_Manager#_requirements

I'm using a macvlan because I needed to bind the container to an external IP that I could set on my proxmox nodes. During my initial testing, I couldn't bind corosync and sshd to the internal container networks. The only way I could get it to work was to set up its own ip address and bind the container to it (using macvlan).

My container is running on a virtual instance running on a separate physical server from my cluster and I'm not worried about running out of IP addresses.

alichaudry commented 6 months ago

Thank you for your response. This did provide some clarity, but I have some follow-up comments/questions:

  1. There's no way to get around using port 22, but that's probably okay as it sounds like it doesn't use or lock up the internal IP address/network, but rather a newly created IP address using the MACVLAN driver. Right?
  2. For the MACVLAN network, the MAC should be the MAC of the parent ethernet device? Or can I generate a new ethernet address such that my router will assign a fresh IP to the container, and perhaps I can reserve that MAC/IP combination in my router software?

bcleonard commented 6 months ago

That's correct, the newly created IP address is just used for the container. What I did is create a virtual instance that has two virtual Ethernet adapters. The first is bound to the base OS and the second was used by the container through MACVLAN.

Regarding the MAC/IP address, my network is set up so that portions of my address space are not part of the DHCP scope. The docker compose hard codes the IP address to the MACVLAN, which is bound to the 2nd Ethernet adapter. That's what's used by proxmox. I also have the IP address assigned a host name in my DNS server. It's not needed, but it registers its use so I don't reuse the IP address for something else.
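The setup described in the comment above (a macvlan network on a dedicated second adapter with a hard-coded container address outside the DHCP scope), as an added illustrative compose file that is not the repository's own; the parent interface `eth1`, the `192.168.10.0/24` subnet, the `192.168.10.250` address and the image name are assumptions.

```yaml
# Added example, not the project's compose file.
# Assumptions: eth1 is the second virtual Ethernet adapter reserved for the
# container, 192.168.10.0/24 is the LAN, and 192.168.10.248/29 lies outside
# the router's DHCP scope so the static address never collides with a lease.
services:
  qdevice:
    image: PLACEHOLDER/proxmox-qdevice   # replace with the image you build/pull
    container_name: proxmox-qdevice
    restart: unless-stopped
    networks:
      qdevice_net:
        ipv4_address: 192.168.10.250     # the container's own address; also registered in DNS
    # No "ports:" section: with macvlan the container owns its IP, so sshd (22)
    # and corosync-qnetd (5403) listen on 192.168.10.250 only, and the host's
    # sshd on its primary adapter keeps port 22 for itself.

networks:
  qdevice_net:
    driver: macvlan
    driver_opts:
      parent: eth1                       # adapter dedicated to the container
    ipam:
      config:
        - subnet: 192.168.10.0/24
          gateway: 192.168.10.1
          ip_range: 192.168.10.248/29    # keeps Docker's own allocations out of the DHCP scope
```

Note that a macvlan parent cannot be a Wi-Fi adapter on most drivers, which is why the container stops being reachable when the host fails over from Ethernet to wireless, as the earlier question anticipated.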

alichaudry commented 6 months ago

I set myself up to test this over the weekend but ran into a hard block because apparently the MACVLAN driver does not work on Windows (item number two in prerequisites). The only always-on machine I have access to other than my two Proxmox nodes is a Windows machine, so after investing a lot of time trying to learn how to create virtual NICs in Windows and sharing the network with the host OS, it was all a bust as the macvlan driver couldn't be utilized, and I didn't want to lock away the host OS's ports. It's all a bit unfortunate. I'll have to find and spin up another machine to host this, or just use my proxmox cluster with the two nodes that it's currently on, and without HA. Maybe my old Raspberry Pi could be of assistance, but that's a project for another day.

Thank you for your help with this. And since I can't really test your docker-compose file, there's no point in keeping this issue open, and so we're probably good to close it. Cheers!