MacVLAN Docker Configuration and Virtual Switch Setup in VMware ESXi
If you are working with Docker containers, one of the skills you need to effectively spin up containerized workloads is understanding Docker networking. Docker has a neat network configuration that allows you to connect containers to VLAN networks you have already configured in your environment: the Docker macvlan configuration. Let’s understand the macvlan network configuration better, what it is, how you configure it, and how you connect containers to it for efficient network communications.
Table of contents
- A brief introduction to the Docker macvlan network
- How do Docker macvlan networks work?
- Docker macvlan network driver prerequisites
- Create a Docker macvlan network
- Modes of macvlan network driver
- Managing macvlan networks
- Connecting a container to a macvlan network
- Advanced Macvlan Network Configuration
- DHCP
- VMware ESXi virtual switch configuration
- Troubleshooting
- Wrapping up
A brief introduction to the Docker macvlan network
First, let’s understand the Docker macvlan network better. The docker macvlan network configuration is a type of network that allows you to connect containers and their network interfaces directly with Docker host interfaces.
This type of Docker network configuration means you don’t have to worry about Linux bridging or mapping ports as part of your container configuration. Instead, your containers are assigned their own IP addresses on the subnet you have configured on the external network.
It means they have their own IP address like any other host, client, or resource on the network. There are some advantages to setting up your Docker containers this way. One of the advantages is reduced latency as your containers have a direct communication path between themselves and the host interface.
How do Docker macvlan networks work?
You may wonder how the macvlan network configuration works. The macvlan driver assigns the Docker containers a MAC address on the container’s virtual network interface. This configuration makes it look like it has a physical network interface directly connected to the physical network.
The way you do this is when the macvlan is configured, you specify the physical network interface on the Docker host you want to use for the macvlan. You also configure the subnet and gateway of the network. The macvlan network driver takes care of handling the traffic between the container and the Docker container host.
Docker macvlan network driver prerequisites
There are a few requirements and prerequisites to be aware of with Docker macvlan networks. These include the following:
- When you work with Docker in cloud provider networks, most providers don’t allow you to use macvlan, since it requires control of the physical networking stack, such as the physical network interfaces
- You can only use the macvlan network driver on Linux hosts. You can’t use it in Docker Desktop for Mac or Windows, or in Docker EE for Windows Server
- You need version 3.9 and higher of the Linux kernel, with 4.0+ recommended
- It isn’t supported in rootless mode for Docker containers
Create a Docker macvlan network
Let’s look at the steps to create a Docker macvlan network. These aren’t difficult to spin up. You just have to know the command’s requirements. Note the command below, and we will look at the requirements.
docker network create -d macvlan --subnet=10.3.33.0/24 --gateway=10.3.33.1 -o parent=ens192.333 Mgmt
In the command, we tell Docker to create the new network using the -d macvlan option (short for --driver macvlan). You have to specify the subnet and gateway along with the parent interface (the physical interface). The parent interface on my Ubuntu Server host is ens192. By giving the parent as ens192.333, I am telling it we want 802.1q trunk mode, since we are adding VLAN tag 333 as a sub-interface of ens192. Finally, you tell it the name of the new macvlan network. Here I am naming it Mgmt.
Modes of macvlan network driver
There are two modes you can configure for the macvlan network driver. You can configure it in bridge mode and 802.1q trunk bridge mode. When you configure the bridge mode for macvlan, it allows your containers to communicate directly with the physical network.
The 802.1q trunk bridge mode creates a VLAN-tagged sub-interface of the parent (such as ens192.333) and attaches the containers to it. Both modes use the --driver macvlan (-d macvlan) option with the docker network create command; the mode is selected by whether the -o parent value is a plain interface or a VLAN sub-interface.
Managing macvlan networks
You can use the docker network ls command to list all available networks in Docker. It will list your networks, including macvlan networks.
You can use the docker network inspect command to inspect the configuration of a macvlan network.
Monitor network traffic using tools such as tcpdump or Wireshark. Troubleshoot common issues such as IP address conflicts and network connectivity problems.
Connecting a container to a macvlan network
You can easily connect a container to a Docker macvlan network, using the docker run command and specifying the network you want to use:
docker run -d --name nginx \
--network Mgmt \
--ip 10.3.33.10 \
nginx
The --network Mgmt option attaches the new container to the macvlan network we created, and --ip pins it to a static address, which must fall within the subnet you gave the macvlan network.
Advanced Macvlan Network Configuration
There are several advanced macvlan network configurations you can use, such as using multiple MAC addresses to assign multiple IP addresses to a single container. You can also set up the host interface to allow traffic from the host to containers and vice versa.
You can use the --ip-range option to restrict the range of IP addresses Docker hands out on the macvlan network. You can also give the macvlan driver specific routes for container traffic.
DHCP
Note there are conflicting reports and documentation about getting macvlan networks to work with DHCP servers. In a lab environment, I didn’t have success getting the DHCP server to hand out an IP address to my container spun up on a macvlan network that was operating in trunked mode.
From what I can tell, Docker hands out an IP from the network range found within the subnet you configure on the macvlan network. For instance, I had a range set up as:
- 10.3.33.200-250 on my firewall
- Docker handed my container a 10.3.33.2 address that isn’t found in the DHCP range
- It didn’t hand out .1 since this is configured as the gateway
VMware ESXi virtual switch configuration
When you use macvlan network driver configuration in a Docker host running inside a virtual machine, there is additional configuration you need to make to the virtual switch. You must enable promiscuous mode and forged transmits in your vSwitch to allow the macvlan configuration to work for your attached containers.
Troubleshooting
The Docker macvlan networking driver is a more complicated setup than the default networking driver used in Docker when you don’t specify a network for your Docker containers. Note the following when troubleshooting:
- Make sure if you are using trunked mode with macvlan that you have switch ports tagged with the appropriate VLANs you are trying to use
- If your Docker container host itself already uses a tagged interface for a VLAN, you can’t spin up a macvlan network tagged with the same VLAN; you will get an error that the “file already exists”
- DHCP is not really supported from my testing
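The network definition above, the DHCP overlap described in the DHCP section and the “file already exists” case in this list are all things you can check before running docker network create. The following preflight script is an added example, not Docker’s code or the author’s; the function name check_macvlan_spec and its arguments are assumed names, and the DHCP pool and interface list are constructed inputs that mirror the post’s Mgmt network.

```python
import ipaddress
import os
import re

# Added preflight check for a "docker network create -d macvlan" definition (constructed
# example). It validates only what the post discusses: subnet, gateway, parent, --ip, --ip-range.

def check_macvlan_spec(subnet, gateway, parent, container_ips=(),
                       ip_range=None, dhcp_pool=None, existing_ifaces=()):
    """Return the problems the definition would hit; [] means it is consistent."""
    problems = []
    net = ipaddress.ip_network(subnet, strict=False)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    # A dotted parent such as ens192.333 selects 802.1q trunk mode: Docker creates
    # the VLAN sub-interface itself and fails with "file exists" if it already exists.
    m = re.fullmatch(r"[A-Za-z0-9_-]+\.(\d+)", parent)
    if m:
        vlan = int(m.group(1))
        if not 1 <= vlan <= 4094:
            problems.append(f"VLAN id {vlan} is not in 1-4094")
        if parent in existing_ifaces:
            problems.append(f"sub-interface {parent} already exists on the host")
    # A static --ip must belong to the network's subnet and must not be the gateway.
    for ip in container_ips:
        a = ipaddress.ip_address(ip)
        if a not in net:
            problems.append(f"--ip {a} does not belong to {net}")
        elif a == gw:
            problems.append(f"--ip {a} is the gateway address")
    # Without --ip-range Docker's IPAM hands out addresses from the whole subnet
    # (starting at .2), so it can overlap an external DHCP pool on the same VLAN.
    pool = ipaddress.ip_network(ip_range, strict=False) if ip_range else net
    if ip_range and not pool.subnet_of(net):
        problems.append(f"--ip-range {pool} is not inside {net}")
    if dhcp_pool:
        lo, hi = (ipaddress.ip_address(x) for x in dhcp_pool)
        if pool.network_address <= hi and lo <= pool.broadcast_address:
            problems.append(f"Docker pool {pool} overlaps DHCP pool {lo}-{hi}")
    return problems

if __name__ == "__main__":
    # The post's Mgmt network checked against its firewall DHCP range of 10.3.33.200-250.
    ifaces = set(os.listdir("/sys/class/net")) if os.path.isdir("/sys/class/net") else set()
    for p in check_macvlan_spec("10.3.33.0/24", "10.3.33.1", "ens192.333",
                                dhcp_pool=("10.3.33.200", "10.3.33.250"), existing_ifaces=ifaces):
        print("WARN:", p)
```

Passing ip_range="10.3.33.128/26" clears the DHCP warning, because Docker then only allocates .128-.191 while the firewall keeps .200-.250.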
Wrapping up
Docker networking is extremely powerful, and there are many different configurations you can use to connect your containers to your virtual and physical networks. The Docker macvlan network configuration allows you to connect your containers to a physical network interface in either bridge mode or 802.1q trunk bridge mode, which lets you use VLANs effectively with your other networking equipment.