dockur / windows

Windows inside a Docker container.
MIT License

[Feature]: Separated/Dedicated interfaces for VNC & VM #531

Open EHRETic opened 3 months ago

EHRETic commented 3 months ago

Is there no existing feature request for this?

Is your proposal related to a problem?

Not a problem

Describe the solution you'd like.

Hi there,

First, lovely concept, I use it to test a few things and I find it amazing :-)

I have a question/probably a feature request for multiple interfaces: is it possible to have a macvlan IP in network macvlan_A and the Windows docker to have an interface (IP with DHCP or fixed) in a macvlan_B?

What I plan: secure the VNC on port 8006 behind a reverse proxy on a subnet dedicated to containers and have my Windows server on my normal LAN.

Both macvlan A & B are available on the host with multiple VLANs/docker networks.

Thanks in advance for your answer!

Describe alternatives you've considered.

For now, I use 2 different IPs in the same subnet, but I can't secure VNC on my LAN because it is not behind my firewall/reverse proxy.

Additional context

No response

kroese commented 3 months ago

This is already exactly how it works when you enable DHCP=Y. The VNC port will be reachable under the macvlan IP of the container, and Windows itself will only be reachable under another interface and IP. This is a macvtap interface. They do not have to be on the same subnet at all.

So instead of a macvlan A and macvlan B, it currently works as macvlan A and macvtap B.

That aside, if the only reason is that you want to secure the VNC port, it makes more sense to just add nginx authentication on port 8006 (see https://github.com/dockur/windows/issues/301#issuecomment-2018610554). That way it even works with bridge networking, without any need for macvlan or macvtap.
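
An added example, not taken from this thread or from the linked comment: a separate nginx reverse proxy that demands credentials over TLS before forwarding to the viewer on port 8006. The hostname, the container address `10.10.20.5`, the certificate paths and the htpasswd file are assumptions, as is the viewer's use of WebSockets.

```nginx
# Assumed values (not from the thread): vnc.example.internal, 10.10.20.5,
# the certificate paths and the htpasswd file location.

# Forward the WebSocket upgrade only when the client asks for one.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name vnc.example.internal;

    ssl_certificate     /etc/nginx/tls/vnc.crt;
    ssl_certificate_key /etc/nginx/tls/vnc.key;

    location / {
        # Require credentials before any request reaches the viewer.
        auth_basic           "Windows console";
        auth_basic_user_file /etc/nginx/htpasswd-vnc;

        # The container's own (macvlan) address on the container subnet.
        proxy_pass http://10.10.20.5:8006;

        # Assumption: the browser viewer talks to the container over a
        # WebSocket, so the upgrade headers must pass through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;

        # Keep idle console sessions from being cut after the 60 s default.
        proxy_read_timeout 1h;
    }
}
```

The proxy only protects the console if port 8006 on the container address cannot be reached directly from the LAN, so the firewall between the two subnets should allow that port from the proxy alone.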

EHRETic commented 3 months ago

> So instead of a macvlan A and macvlan B, it currently works as macvlan A and macvtap B.

This is what I'm using currently, but that would compare more to something like macvlan A & macvtap A, no? (as macvtap is bridged to macvlan, if I understood correctly)

What I would like to be able to do is:

2 completely different subnets linked to 2 different macvlan interfaces.

(don't worry, I can live without, but that could be a nice addition)

kroese commented 3 months ago

The macvlan and the macvtap are completely separated, as far as I remember. The macvtap is not bridged over macvlan, it becomes a new and directly attached client on the network.

The macvtap just asks the DHCP server for an IP and this can be on a totally different subnet than where the container itself (macvlan) is running, as far as I remember.

You can even set a static IP for your Windows VM inside the Control Panel, and do not use a DHCP server at all. Therefore the name DHCP is a bit misleading for this mode, because it can be used with a static configuration also.

Did you already try different subnets or did you just assume it wouldn't work?

To support multiple network interfaces would make the already complicated network code even more complicated. So unless it would provide a significant advantage in some way, I would rather not get myself into that :)

EHRETic commented 3 months ago

Hi,

I just tried, and as soon as I change my macvlan, the VM interface is also switched to the same subnet (confirmed by DHCP). This confirms my theory that macvtap is bridged to the macvlan interface (but remains a separate one).

Would be a nice addition, but if I'm the only one requesting it... well... 😊

kroese commented 3 months ago

Okay, I understand what you mean then and I agree it would be a nice addition.

I will see if I can add dual macvlan in the future, but it won't be anytime soon.

EHRETic commented 3 months ago

> I will see if I can add dual macvlan in the future, but it won't be anytime soon.

I would scale it straight to "multiple"! 😊