modzilla
Posts: 4
Joined: Wed Feb 26, 2020 10:39 am

Macvlan + Docker + Raspbian

Wed Feb 26, 2020 11:02 am

Hey,

I've got a problem with macvlan IPv4 and 6 on docker. After some time the connection will just drop and the container isn't available on my local net anymore. Rebooting solves the problem for a few seconds/minutes. The only thing that works is chrooting into the container and pinging the computer that needs access to pihole (the container in question).

The network and container are created like this:

Code:

docker network create --subnet 10.0.1.0/24 --gateway 10.0.1.1 --ipv6 --subnet "fd00::/64" --gateway fd00::de39:6fff:fedb:cc2e --driver macvlan -o parent=eth0 -o macvlan_mode=bridge homenet

Code:

docker create --name pihole --hostname=pihole --restart=unless-stopped --dns=127.0.0.1 --dns=1.1.1.1 --ip 10.0.1.2 --ip6 'fd00::de39:6fff:fedb:cc2f' --net homenet -e "TZ=Europe/Berlin" -e "VIRTUAL_HOST=pihole.mydomain.com" -e "ServerIP=10.0.1.2" -e "ServerIPv6=fd00::de39:6fff:fedb:cc2f" -e "IPv6=True" -v /data/Pihole1/conf:/etc/pihole -v /data/Pihole1/dnsmasq:/etc/dnsmasq.d/ pihole/pihole:latest

I'm not sure but when the container is running I'm unable to see the macvlan device in ip a:

Code:

[email protected]:~# docker ps
CONTAINER ID        IMAGE                  COMMAND             CREATED             STATUS                PORTS               NAMES
17342755b122        pihole/pihole:latest   "/s6-init"          9 days ago          Up 7 days (healthy)                       pihole
[email protected]:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether dc:a7:32:3c:44:e8 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.5/24 brd 10.0.1.255 scope global dynamic noprefixroute eth0
       valid_lft 642910sec preferred_lft 534910sec
    inet6 fd00::5be2:2327:8f80:aeaf/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 6803sec preferred_lft 3203sec
    inet6 2003:d0:c724:8a00:245b:1a7b:8fa4:2e21/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 6803sec preferred_lft 1403sec
    inet6 fe80::ceb0:4333:727a:bb8d/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether dc:a3:72:3c:21:ea brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:41:5f:5f:53:6f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::1/64 scope global tentative 
       valid_lft forever preferred_lft forever
    inet6 fe80::1/64 scope link tentative 
       valid_lft forever preferred_lft forever

Am I missing sth? Because when running a VM on my server the macvlantap shows up in ip a:

Code:

[[email protected] ~]$ ip a | grep macv
55: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 500

My docker daemon.json:

Code:

{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:1::/64"
}

Dmesg:

Code:

[   14.488649] bcmgenet fd580000.genet eth0: Link is Up - 1Gbps/Full - flow control off
[   14.488671] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   16.491189] ICMPv6: process `dhcpcd' is using deprecated sysctl (syscall) net.ipv6.neigh.eth0.retrans_time - use net.ipv6.neigh.eth0.retrans_time_ms instead
[   22.600113] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[   22.604209] Bridge firewalling registered
[   23.511893] IPv6: ADDRCONF(NETDEV_UP): docker0: link is not ready
[   24.782786] device eth0 entered promiscuous mode
[   25.716738] device eth0 left promiscuous mode
[   25.879936] eth0: renamed from vethcbd174e
[   26.132578] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[   26.138144] device eth0 entered promiscuous mode

epoch1970
Posts: 4478
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Macvlan + Docker + Raspbian

Wed Feb 26, 2020 11:59 am

I haven’t used Raspbian in a while but if you’re looking in the host, you should see the macvlan interface with “ip link” (not ip address)
In the container, “ip a” should return something useful.

Is it possible that Docker does not load the macvlan module for you?
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

modzilla
Posts: 4
Joined: Wed Feb 26, 2020 10:39 am

Re: Macvlan + Docker + Raspbian

Thu Feb 27, 2020 3:33 pm

Thanks! But that's what I meant! The ip a command on raspbian says that there is no macvlan interface but the connection from inside the container kinda "works".

The mod is loaded:

Code:

lsmod | grep macv
macvlan                24576  0

ip a inside the container:

Code:

docker exec pihole ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
6: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:0a:00:01:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.1.2/24 brd 10.0.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd00::de39:6fff:fedb:cc2f/64 scope global nodad 
       valid_lft forever preferred_lft forever
    inet6 fe80::42:aff:fe00:102/64 scope link 
       valid_lft forever preferred_lft forever

twentythreeandyou
Posts: 1
Joined: Sun Mar 01, 2020 1:16 am

Re: Macvlan + Docker + Raspbian

Sun Mar 01, 2020 1:20 am

I've got the same issue with the (almost) exact same use case. Have a Pihole container on my RPi 4 using a macvlan docker network. It's been working great until today when I updated the container image and docker engine, now LAN devices can't resolve the container's MAC unless it pings them first. Rolling back the container image to v4.3 didn't help so I'm assuming it's something about the updated docker engine or something else I've missed.

Hoping someone is able to find the cause, I'll update if I do as well.
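
Added example, not part of any post in this thread: a check to run on another LAN host that classifies the neighbour-table entry it holds for the container's IPv4 address, which is where the symptom described above shows up. The function names and sample lines are constructed for illustration, and the expected MAC assumes the pattern visible in the thread's output (10.0.1.2 -> 02:42:0a:00:01:02).

```sh
#!/bin/sh
# Added example (not from the thread). Classifies the neighbour entry a LAN
# host holds for a macvlan container. Live use on that host:
#   ip -4 neigh show | neigh_status 10.0.1.2

# expected_mac IPV4 -> prints 02:42 followed by the four address bytes in hex.
# Assumption: the container MAC follows the pattern seen in the thread.
expected_mac() {
    echo "$1" | awk -F. '{ printf "02:42:%02x:%02x:%02x:%02x\n", $1, $2, $3, $4 }'
}

# neigh_status IPV4 -> reads `ip neigh show` output on stdin and prints one of:
#   resolved      entry has the expected MAC and a usable state
#   unresolved    entry is FAILED/INCOMPLETE or carries no lladdr
#   mac-mismatch  a different MAC is recorded for that address
#   absent        no entry for that address at all
neigh_status() {
    want=$(expected_mac "$1")
    awk -v ip="$1" -v want="$want" '
        $1 == ip {
            seen = 1
            mac = ""
            for (i = 2; i < NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
            state = $NF                      # state is the last field
            if (mac == "" || state == "FAILED" || state == "INCOMPLETE") r = "unresolved"
            else if (mac != want) r = "mac-mismatch"
            else r = "resolved"
        }
        END { print (seen ? r : "absent") }
    '
}

# Constructed sample neighbour tables (not captured from a real host).
SAMPLE_OK='10.0.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
10.0.1.2 dev eth0 lladdr 02:42:0a:00:01:02 STALE'
SAMPLE_BAD='10.0.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
10.0.1.2 dev eth0 FAILED'

printf '%s\n' "$SAMPLE_OK"  | neigh_status 10.0.1.2
printf '%s\n' "$SAMPLE_BAD" | neigh_status 10.0.1.2
```

An "unresolved" result that flips to "resolved" right after the container pings the host matches the behaviour reported in this thread.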

modzilla
Posts: 4
Joined: Wed Feb 26, 2020 10:39 am

Re: Macvlan + Docker + Raspbian

Mon Mar 02, 2020 8:49 pm

The issue seems to be a kernel bug, which is apparently already fixed upstream, but I don't know if it's in the rpi kernel yet. I can't find it on the bugtracker right now, tho…

I actually tried the same on my Fedora server with the latest 5.5.6-201.fc31 kernel. It's working just fine there. The docker version is the same also.

Maybe compiling an older kernel should work. There was a commit to macvlan in January: https://github.com/raspberrypi/linux/co ... 44879f6687

modzilla
Posts: 4
Joined: Wed Feb 26, 2020 10:39 am

Re: Macvlan + Docker + Raspbian

Mon Mar 02, 2020 8:57 pm

Nice, just found that GitHub issue: https://github.com/raspberrypi/linux/issues/3470

EDIT: can't say for sure, but seems to work now, just run rpi-update and reboot, that's it. It's pre-release, but I don't care if it works.

EDIT2: Yay it works! :D
