oofnikj / docker-openwrt

OpenWrt running in Docker
GNU General Public License v2.0

Creating v-interfaces for use as part of docker-compose networking #10

Closed hllhll closed 3 years ago

hllhll commented 4 years ago

Hi,

My personal holy grail is to make OpenWrt a router+fw, where I can place different docker containers behind it and configure routes and fw via OpenWrt. I wouldn't like the containers to be exposed to the "default" docker/compose stack, but rather be a sort of "virtual" interface that OpenWrt would see as a real one, hence it can route and fw each independently. In your make run script you're doing all sorts of magic in the networking that works awesome! How do you think I could go about combining similar functionality of the make run script, with more containers, running as a docker-compose suite that would tie the interfaces the way described above? (+also allow raw wifi access as make run does now)

oofnikj commented 4 years ago

Hi @hllhll, you can define your docker-compose network like the following:

services:
  some-service:
    ...
    networks:
      openwrt-lan:
        ipv4_address: '192.168.whatever.some_valid_address'
networks:
  openwrt-lan:
    external: true

This will connect some-service to your pre-existing openwrt-lan network, and it will be visible to any hosts, containerized or physical, that are on the same network.

As for raw wifi access, assuming you mean access to the physical wifi interface, that interface (and all associated virtual interfaces) can only be present in one network namespace at a time, meaning it can only be accessed by one container (or the actual host) at a time. But as long as your wifi interface is bridged to the OpenWrt LAN bridge (true by default), all resources that are accessible over the wifi network should be available to containers attached to the openwrt-lan Docker network.

hllhll commented 4 years ago

Hi, thank you very much,

Can I do everything in compose and not have to do things "externally"? In other words, what I'm trying to say is that the run.sh script performs a lot of things I don't really understand how to simulate in compose:

  1. Creates LAN network (macvlan? bridge?)
  2. Creates WAN network
  3. Connects WAN and LAN network to the container
  4. Sets up some command-line parameters for the container here
  5. Moves wifi phy into the container (that is what I was referring to as "raw wifi access")
  6. Sets hairpin mode
  7. More?

I would like to simulate the entire script in docker-compose (as make run works perfectly the way I would like it to). And I guess for 5 and 6 I could add shell commands as part of the service; however, the other docker parts I'm not so sure how to configure in compose. Is this even possible?

In addition, the configuration you added seems to add containerized hosts to existing OpenWrt interfaces (hence networks). What I want to do is add additional networks that would look like additional interfaces to OpenWrt, while the members of these networks are such "some services". (For example: a DMZ network with some services etc.)

If you could point me in the proper direction that would be great, thanks! :)

oofnikj commented 4 years ago

I don't think you can implement all of the networking functionality in docker-compose. There are a couple of steps that need to be performed on the host networking stack that Docker can't handle, like changing the network namespace of existing network interfaces.

It might be possible to wrap this script into its own Docker container, and run it in privileged + host network mode with docker-compose. I haven't tried that, but it might be over-complicating things.

You could always create a new Docker network and attach it to a running container as is done in the script. This will create a new bridge in the host's network namespace, and an additional veth pair of interfaces connecting the host and the container. Then, in OpenWrt, you can add these additional interfaces to the relevant firewall groups.
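An added example of the approach described in this comment, not the project's own run script: it creates a second Docker network, connects it to the running OpenWrt container, and emits the UCI commands that make the new device a separate firewall zone. The container name `openwrt`, the network name `dmz`, the subnet, the addresses and the device name `eth2` are assumptions.

```shell
#!/bin/sh
# Added example, not the docker-openwrt run script: attach a second Docker network
# to the running OpenWrt container, then give the new device its own firewall zone.
# Container name, network name, subnet and addresses are assumptions.
set -eu
NET_NAME="${NET_NAME:-dmz}"
SUBNET="${SUBNET:-172.20.0.0/24}"
NETMASK="${NETMASK:-255.255.255.0}"
OPENWRT_IP="${OPENWRT_IP:-172.20.0.2}"   # OpenWrt's address on the new network
CONTAINER="${CONTAINER:-openwrt}"        # assumed name of the OpenWrt container
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print host commands, do not run

run() {  # print instead of execute when DRY_RUN=1, so changes can be reviewed first
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Host side: new bridge network plus a veth pair into the container. OpenWrt then
# sees one more ethN device; compose services join via `external: true`.
create_and_attach() {
  run docker network create --driver bridge --subnet "$SUBNET" "$NET_NAME"
  run docker network connect --ip "$OPENWRT_IP" "$NET_NAME" "$CONTAINER"
}

# UCI commands that bind that device to an interface and put it in its own zone.
# forward=REJECT keeps DMZ members off the LAN unless a forwarding rule allows
# it; only dmz -> wan is opened. Apply with: uci_script eth2 | docker exec -i $CONTAINER sh
uci_script() {
  dev="$1"   # device name inside the container, e.g. eth2 (check `ip link`)
  # (OpenWrt 21.02+ uses 'device'; older releases use 'ifname' instead)
  cat <<EOF
uci set network.$NET_NAME=interface
uci set network.$NET_NAME.device='$dev'
uci set network.$NET_NAME.proto='static'
uci set network.$NET_NAME.ipaddr='$OPENWRT_IP'
uci set network.$NET_NAME.netmask='$NETMASK'
uci add firewall zone
uci set firewall.@zone[-1].name='$NET_NAME'
uci set firewall.@zone[-1].network='$NET_NAME'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='$NET_NAME'
uci set firewall.@forwarding[-1].dest='wan'
uci commit
/etc/init.d/network reload
/etc/init.d/firewall reload
EOF
}
```

Run `DRY_RUN=1 sh -c '. ./attach-dmz.sh; create_and_attach'` first to see the exact host commands; the zone's `forward='REJECT'` is what keeps the DMZ segmented from the LAN.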

hllhll commented 3 years ago

I'm trying to connect another network "DMZ" (overlay driver?) to the container as part of the run script and set up the service, as you mentioned, that would also participate in that network.

Thanks for the references!