jpetazzo / pipework

Software-Defined Networking tools for LXC (LinuX Containers)
Apache License 2.0

Connect a container to a local physical interface doesn't work on Centos 6.6 even with iproute from OpenStack #130

Closed macrokernel closed 9 years ago

macrokernel commented 9 years ago

Hi Jérôme,

I am having trouble using pipework on CentOS 6.6. I have installed iproute from OpenStack and updated all packages.

When I start a container with the following command, it runs without any error, but it cannot access the network through eth0:

pipework eth0 $(docker run -d mycontainer /bin/bash) 10.4.1.121/24

Network settings inside the container:

13: eth0: mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.4/16 scope global eth0
inet6 fe80::42:acff:fe11:4/64 scope link
valid_lft forever preferred_lft forever
15: eth1@if2: mtu 1500 qdisc noqueue state UNKNOWN
link/ether 2a:4c:97:76:61:d6 brd ff:ff:ff:ff:ff:ff
inet 10.4.1.121/24 scope global eth1
inet6 fe80::284c:97ff:fe76:61d6/64 scope link
valid_lft forever preferred_lft forever

Routes:

Destination Gateway Genmask Flags Metric Ref Use Iface
10.4.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 172.17.42.1 0.0.0.0 UG 0 0 0 eth0

ping 10.4.1.120, ping 10.4.1.1 - Destination Host Unreachable.

When I run the following commands on the Docker host, the host loses network connection:

ip addr del 10.4.1.120/24 dev eth0
ip link add link eth0 dev eth0m type macvlan mode bridge
ip link set eth0m up
ip addr add 10.4.1.120/24 dev eth0m
route add default gw 10.4.1.1

The resulting interfaces:

2: eth0: mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:50:56:9d:12:3b brd ff:ff:ff:ff:ff:ff
inet6 fe80::250:56ff:fe9d:123b/64 scope link
valid_lft forever preferred_lft forever
4: docker0: mtu 1500 qdisc noqueue state UNKNOWN
link/ether ca:29:ac:2d:d3:47 brd ff:ff:ff:ff:ff:ff
inet 172.17.42.1/16 scope global docker0
inet6 fe80::c829:acff:fe2d:d347/64 scope link
valid_lft forever preferred_lft forever
5: eth0m@eth0: mtu 1500 qdisc noqueue state UNKNOWN
link/ether d2:1d:f8:4f:82:db brd ff:ff:ff:ff:ff:ff
inet 10.4.1.120/24 scope global eth0m
inet6 fe80::d01d:f8ff:fe4f:82db/64 scope link
valid_lft forever preferred_lft forever

Routes:

10.4.1.0/24 dev eth0m proto kernel scope link src 10.4.1.120
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.42.1
default via 10.4.1.1 dev eth0m

Can you please help?

jpetazzo commented 9 years ago

Oh, just to repeat what I said on the other issue... Are you trying to ping from the Docker host itself? Or from another machine?

macrokernel commented 9 years ago

Hi Jérôme,

I am trying to ping from the Docker container (10.4.1.121). The hosts I am trying to ping are:

10.4.1.121 - Docker host
10.4.1.1 - Router on the physical network

jpetazzo commented 9 years ago

OK!

"After adding a macvlan interface to the container, I cannot ping the container from the host, or the host from the container"

This is (unfortunately) normal. This is linked to how macvlan interfaces work. However, from the container, you should be able to ping other hosts on the network and vice versa.

If you can't ping from another host, then you have a problem. If your Docker host is a VM, you might have to enable switching of unknown addresses (see https://github.com/jpetazzo/pipework#notes).

"After creating a new macvlan interface on the host, and moving the host IP address to the macvlan interface, I lose connectivity"

You should see a short loss of connectivity (due to the MAC address change) but then everything should be back to normal.

Do you have details on your host?

macrokernel commented 9 years ago

Hi Jérôme,

My Docker host runs on an ESXi VM. Thanks for pointing at the promiscuous mode in virtualization host network configuration. It all works fine after I have enabled promiscuous mode on the virtual switch.

Best regards, Sergey

jpetazzo commented 9 years ago

Cool! I wish I knew an easy way to detect that :)
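
Added example, not part of the thread or of pipework: a heuristic preflight for the situation diagnosed above. A guest cannot read the virtual switch's policy, so the script only flags macvlan links on a host whose DMI vendor string names a hypervisor. The function names, the vendor list and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not pipework code): flag macvlan use on a virtualized host.
# Heuristic only: the guest cannot see the virtual switch's security policy.

# Succeeds if the DMI vendor file names a hypervisor (assumed, non-exhaustive list).
is_virtual_guest() {
    [ -r "$1" ] && grep -qiE 'vmware|qemu|xen|innotek' "$1"
}

# Prints "child parent" for each macvlan link in saved `ip -d -o link show` output.
macvlan_links() {
    awk '/ macvlan / { n = $2; sub(/:$/, "", n); split(n, p, "@"); print p[1], p[2] }' "$1"
}

# Returns 0 = nothing to flag, 2 = macvlan on a virtual guest (check the vSwitch).
preflight() {
    vendor_file=$1 link_dump=$2
    links=$(macvlan_links "$link_dump")
    [ -n "$links" ] || return 0
    is_virtual_guest "$vendor_file" || return 0
    echo "$links" | while read -r child parent; do
        echo "WARN: $child (macvlan on $parent) uses its own MAC address;" \
             "the hypervisor's virtual switch may drop its frames" >&2
    done
    return 2
}

# Constructed sample input, modelled on the host interfaces quoted in the thread.
write_samples() {
    printf 'VMware, Inc.\n' > "$1/sys_vendor"
    cat > "$1/links" <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP \    link/ether 00:50:56:9d:12:3b brd ff:ff:ff:ff:ff:ff promiscuity 0
5: eth0m@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN \    link/ether d2:1d:f8:4f:82:db brd ff:ff:ff:ff:ff:ff promiscuity 0 \    macvlan mode bridge
EOF
}

# Demo on the constructed samples. On a real host, pass
# /sys/class/dmi/id/sys_vendor and a file written by: ip -d -o link show > links
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
preflight "$demo_dir/sys_vendor" "$demo_dir/links" || echo "preflight exit code: $?"
rm -rf "$demo_dir"
```

Promiscuous mode on an ESXi port group lets the attached guest receive frames addressed to other machines on that port group, so it is best enabled on a port group dedicated to the Docker host.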