
swarm + macvlan + port publish mode=host is not working

Open blop opened this issue 7 years ago • 4 comments

Trying to publish ports using the "host" mode on my swarm service, but it seems it's not supported when using a macvlan network driver. We get logs like "macvlan driver does not support port mappings".

I need this to work around this issue: https://github.com/moby/moby/issues/25526

This is not working if "mynetwork" is macvlan-based: docker service create --network mynetwork --publish mode=host,target=80,published=80,protocol=tcp --name=web --mode=global nginx:alpine

blop avatar Jan 10 '18 18:01 blop

In case of macvlan, the container IPs are directly accessible from outside the host (without having to go through NAT). So publishing ports in macvlan is not necessary and we report an error when you try to publish.

ddebroy avatar Jan 10 '18 21:01 ddebroy

Indeed, the service ports are already accessible directly through its IP inside the macvlan network. However, in this case I'd like to have incoming connections from another network through a mapping on the host. I understand it's not a popular use case, but I don't see why Docker should not support it.

blop avatar Jan 11 '18 07:01 blop

More details: this would be useful when you want high-performance networking between your containers (by using macvlan on a dedicated network for clustering instead of the slower overlay network) and high-performance ingest (by using simple iptables rules that DNAT the traffic on each node the service is running on, instead of the slower standard swarm ingress), also working around moby/moby#25526.

For now I need to script the iptables DNAT rule creation outside of Docker, with a lookup of the local container IP (which is dynamic).

Currently, as soon as the container is present in at least 1 macvlan network, no port mapping is performed, even if you put that container in multiple networks and in the default network too.

blop avatar Apr 09 '18 14:04 blop
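The workaround blop describes above (a per-node iptables DNAT rule built from a lookup of the dynamic local container IP) as an added example; this is not code from the issue thread or from libnetwork. It assumes the macvlan network is named "mynetwork", the service is "web" in global mode so each node runs exactly one task, and ingress traffic for the published port arrives on host interface "eth0". The rule text is built in a separate function that refuses to emit anything when the IP lookup came back empty or malformed, so a node without a running task never gets a broken DNAT rule installed.

```shell
#!/bin/sh
# Added example (not from the issue thread): script the per-node DNAT rule that
# stands in for --publish mode=host on a macvlan-attached swarm service.
# Assumed names: network "mynetwork", service "web", ingress interface "eth0".

# Print the IP a local container holds on one network (empty if not attached).
container_ip_on_network() {
  docker inspect \
    -f "{{ with index .NetworkSettings.Networks \"$2\" }}{{ .IPAddress }}{{ end }}" \
    "$1" 2>/dev/null
}

# Find the locally running task of a swarm service via the label Docker sets
# on every task container (global mode: at most one per node).
local_task_of_service() {
  docker ps -q --filter "label=com.docker.swarm.service.name=$1" | head -n 1
}

# Build (do not apply) the iptables DNAT rule text.
# Returns non-zero instead of printing a rule when the target IP is empty or
# contains anything other than digits and dots, so a failed lookup is caught.
dnat_rule() {
  iface="$1"; proto="$2"; published="$3"; target_ip="$4"; target_port="$5"
  case "$target_ip" in
    ""|*[!0-9.]*) return 1 ;;
  esac
  printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$iface" "$proto" "$published" "$target_ip" "$target_port"
}

# Glue: resolve the local task, look up its macvlan IP, build and apply the rule.
publish_via_dnat() {
  service="$1"; network="$2"; iface="$3"; proto="$4"; published="$5"; target_port="$6"
  task=$(local_task_of_service "$service")
  ip=$(container_ip_on_network "$task" "$network")
  rule=$(dnat_rule "$iface" "$proto" "$published" "$ip" "$target_port") || {
    echo "no local task of '$service' on '$network'; no rule applied" >&2
    return 1
  }
  echo "applying: $rule" >&2
  sh -c "$rule"
}

# Usage on a swarm node (needs root, docker and iptables):
#   publish_via_dnat web mynetwork eth0 tcp 80 80
```

Two things the rule alone does not cover: net.ipv4.ip_forward must be enabled for the DNATed packets to be forwarded, and because a Linux macvlan parent interface cannot talk to its own macvlan children, the host needs its own macvlan sub-interface on that parent (with a route to the container subnet) for the forwarded traffic to reach the container. Since the container IP changes on every task restart, the script has to be re-run (and the previous rule removed) whenever the task is rescheduled; a docker events listener on the node is one place to hook that in.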

I encountered two variants of this problem (just using Docker Engine, not Swarm); I would be greatly appreciative if this could be resolved:

  1. I want to have a macvlan network to keep a collection of containers firewalled off, and use an Nginx Proxy attached to both the default and the macvlan networks to expose selected containers for access. As soon as I attach the macvlan network, the Nginx Proxy removes its published port on the default bridge and becomes inaccessible.

  2. Containers in the macvlan network, while they are indeed natively accessible, do not populate the published NetworkSettings.Ports map, which is required so that Nginx Proxy can find them and create links to them.

hufman avatar May 07 '20 18:05 hufman