Docker Macvlan network inside a container does not reach its own host

Reposted. Author: 行者123. Updated: 2023-12-05 00:48:22

I have set up a Macvlan network between 2 Docker hosts as follows:

Host setup: HOST_1 ens192: 172.18.0.21

Create the macvlan bridge interface

docker network create -d macvlan \
--subnet=172.18.0.0/22 \
--gateway=172.18.0.1 \
--ip-range=172.18.1.0/28 \
-o macvlan_mode=bridge \
-o parent=ens192 macvlan

Create the macvlan interface on HOST_1

ip link add ens192.br link ens192 type macvlan mode bridge
ip addr add 172.18.1.0/28 dev ens192.br
ip link set dev ens192.br up

Host setup: HOST_2 ens192: 172.18.0.23

Create the macvlan bridge interface

docker network create -d macvlan \
--subnet=172.18.0.0/22 \
--gateway=172.18.0.1 \
--ip-range=172.18.1.16/28 \
-o macvlan_mode=bridge \
-o parent=ens192 macvlan

Create the macvlan interface on HOST_2

ip link add ens192.br link ens192 type macvlan mode bridge
ip addr add 172.18.1.16/28 dev ens192.br
ip link set dev ens192.br up

Container setup

Create a container on each host

HOST_1# docker run --net=macvlan -it --name macvlan_1 --rm alpine /bin/sh
HOST_2# docker run --net=macvlan -it --name macvlan_1 --rm alpine /bin/sh

CONTAINER_1 on HOST_1

24: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 02:42:ac:12:01:00 brd ff:ff:ff:ff:ff:ff
    inet 172.18.1.0/22 brd 172.18.3.255 scope global eth0
       valid_lft forever preferred_lft forever

CONTAINER_2 on HOST_2

21: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 02:42:ac:12:01:10 brd ff:ff:ff:ff:ff:ff
    inet 172.18.1.16/22 brd 172.18.3.255 scope global eth0
       valid_lft forever preferred_lft forever

Routing table in CONTAINER_1 and CONTAINER_2

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.18.0.1      0.0.0.0         UG    0      0        0 eth0
172.18.0.0      0.0.0.0         255.255.252.0   U     0      0        0 eth0

Scenario

HOST_1 (172.18.0.21) <-> HOST_2 (172.18.0.23) = OK (and vice versa)
HOST_1 (172.18.0.21) -> CONTAINER_1 (172.18.1.0) and CONTAINER_2 (172.18.1.16) = OK
HOST_2 (172.18.0.23) -> CONTAINER_1 (172.18.1.0) and CONTAINER_2 (172.18.1.16) = OK
CONTAINER_1 (172.18.1.0) -> HOST_2 (172.18.0.23) = OK
CONTAINER_2 (172.18.1.16) -> HOST_1 (172.18.0.21) = OK
CONTAINER_1 (172.18.1.0) <-> CONTAINER_2 (172.18.1.16) = OK (and vice versa)
CONTAINER_1 (172.18.1.0) -> HOST_1 (172.18.0.21) = FAIL
CONTAINER_2 (172.18.1.16) -> HOST_2 (172.18.0.23) = FAIL

Question

Apart from this one problem, I am very close to the solution I want to achieve. How can I make a container connect to its own host? If there is a solution, I would like to know how to configure it from an ESXi virtualization perspective, and also on bare metal if there is any difference.

Best answer

This question is "a bit old", but others may find it useful. A workaround is described in the Host access section of USING DOCKER MACVLAN NETWORKS BY LARS KELLOGG-STEDMAN. I can confirm it is working.

Host access

With a container attached to a macvlan network, you will find that while it can contact other systems on your local network without a problem, the container will not be able to connect to your host (and your host will not be able to connect to your container). This is a limitation of macvlan interfaces: without special support from a network switch, your host is unable to send packets to its own macvlan interfaces.

Fortunately, there is a workaround for this problem: you can create another macvlan interface on your host, and use that to communicate with containers on the macvlan network.

First, I'm going to reserve an address from our network range for use by the host interface by using the --aux-address option to docker network create. That makes our final command line look like:

docker network create -d macvlan -o parent=eno1 \
--subnet 192.168.1.0/24 \
--gateway 192.168.1.1 \
--ip-range 192.168.1.192/27 \
--aux-address 'host=192.168.1.223' \
mynet

This will prevent Docker from assigning that address to a container.

Next, we create a new macvlan interface on the host. You can call it whatever you want, but I'm calling this one mynet-shim:

ip link add mynet-shim link eno1 type macvlan mode bridge

Now we need to configure the interface with the address we reserved and bring it up:

ip addr add 192.168.1.223/32 dev mynet-shim
ip link set mynet-shim up

The last thing we need to do is to tell our host to use that interface when communicating with the containers. This is relatively easy because we have restricted our containers to a particular CIDR subset of the local network; we just add a route to that range like this:

ip route add 192.168.1.192/27 dev mynet-shim

With that route in place, your host will automatically use this mynet-shim interface when communicating with containers on the mynet network.

Note that the interface and routing configuration presented here is not persistent: you will lose it if you were to reboot your host. How to make it persistent is distribution dependent.
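As an added example (not part of the question, the answer, or Lars Kellogg-Stedman's post), the Python below generalizes the workaround above to arbitrary parameters: it checks that the subnet, gateway, ip-range and reserved host address are consistent with each other before emitting the docker and ip commands, since the host's shim address must lie in the macvlan subnet and be kept out of Docker's allocation pool. The function names, the default shim interface name and the reserved address 172.18.1.15 used in the demo are assumptions, not values from the page.

```python
import ipaddress


def check_macvlan_params(subnet, gateway, ip_range, host_addr):
    """Return a list of problems (empty when the parameters are consistent)."""
    net = ipaddress.ip_network(subnet)       # whole L2 segment, e.g. 172.18.0.0/22
    pool = ipaddress.ip_network(ip_range)    # slice Docker allocates container IPs from
    gw = ipaddress.ip_address(gateway)
    host = ipaddress.ip_address(host_addr)   # address reserved for the host shim
    problems = []
    if not pool.subnet_of(net):
        problems.append(f"ip-range {pool} is not inside subnet {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is not inside subnet {net}")
    if host not in net:
        problems.append(f"host address {host} is not inside subnet {net}")
    if host in (gw, net.network_address, net.broadcast_address):
        problems.append(f"host address {host} collides with gateway/network/broadcast")
    return problems


def plan_macvlan_host_access(parent, subnet, gateway, ip_range, host_addr,
                             net_name="mynet", shim=None):
    """Return the commands implementing the workaround as strings (nothing runs)."""
    problems = check_macvlan_params(subnet, gateway, ip_range, host_addr)
    if problems:
        raise ValueError("; ".join(problems))
    shim = shim or f"{net_name}-shim"        # assumed default interface name
    # Docker hands out pool addresses starting at the first one (the question's
    # container received 172.18.1.0, the first address of its /28 pool), so the
    # host address is passed as --aux-address to keep it out of the allocator.
    return [
        f"docker network create -d macvlan -o parent={parent} "
        f"--subnet {subnet} --gateway {gateway} --ip-range {ip_range} "
        f"--aux-address 'host={host_addr}' {net_name}",
        f"ip link add {shim} link {parent} type macvlan mode bridge",
        f"ip addr add {host_addr}/32 dev {shim}",   # /32: no second connected route
        f"ip link set {shim} up",
        f"ip route add {ip_range} dev {shim}",      # container traffic leaves via shim
    ]


if __name__ == "__main__":
    # Constructed values matching HOST_1 in the question; 172.18.1.15 is an
    # assumed reserved address (the last one of that host's /28 pool).
    for cmd in plan_macvlan_host_access("ens192", "172.18.0.0/22", "172.18.0.1",
                                        "172.18.1.0/28", "172.18.1.15",
                                        net_name="macvlan"):
        print(cmd)
```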

Regarding a Docker Macvlan network inside a container not reaching its own host, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/49600665/
