I'm trying to set up docker macvlan on a Hyper-V Linux host and it's not working. Do you know of any issues with that? Do you need physical interfaces?
I think the explanation can be improved by adding more on what's happening on the container's host OS. I will take an example. Let's suppose I have a container running named `minikube`. To find out the IP of the container, I can issue the following command:

```
docker inspect minikube --format="{{.NetworkSettings.Networks.minikube.IPAMConfig.IPv4Address}}"
```

and the output is: `192.168.49.2`

To find out what ports it has published via DNAT, I can issue the following command: `docker port minikube`, and the output is:

```
22/tcp -> 127.0.0.1:32772
2376/tcp -> 127.0.0.1:32771
5000/tcp -> 127.0.0.1:32770
8443/tcp -> 127.0.0.1:32769
32443/tcp -> 127.0.0.1:32768
```

The ports on the left are the ports running inside the container, the ports on the right are the ports on the host. But which process is responsible for creating the iptables rules? That one is called docker-proxy, and we can see it by issuing the following command: `ps auxf | egrep -i docker-proxy | egrep -iv grep`, and the output is:

```
root 8530 0.0 0.0 1230004 3128 ? Sl Feb26 0:00 \_ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 32768 -container-ip 192.168.49.2 -container-port 32443
root 8544 0.0 0.0 1303480 3332 ? Sl Feb26 0:00 \_ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 32769 -container-ip 192.168.49.2 -container-port 8443
root 8559 0.0 0.0 1303480 3244 ? Sl Feb26 0:00 \_ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 32770 -container-ip 192.168.49.2 -container-port 5000
root 8574 0.0 0.0 1156272 3476 ? Sl Feb26 0:00 \_ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 32771 -container-ip 192.168.49.2 -container-port 2376
root 8589 0.0 0.0 1230004 3324 ? Sl Feb26 0:00 \_ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 32772 -container-ip 192.168.49.2 -container-port 22
```

As we can see, we have a perfect match between the 5 container exposed ports and the 5 docker-proxy commands that are generating the iptables rules.

This will solidify your explanation, if you accept it.
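The two views in the comment above (what `docker port` reports and which docker-proxy processes dockerd has started) can be reconciled automatically. The script below is an added example, not the commenter's code and not part of Docker: it normalises both outputs to `proto host_ip host_port container_port` lines, checks that they match one-to-one, and counts proxies bound to `0.0.0.0` or `::`, because a port published on the wildcard address is reachable from every interface rather than only from loopback, which is what the comment's `127.0.0.1` bindings limit it to. Both inputs are constructed from the values quoted in the comment; the `PS_OUT_WILDCARD` variant is a constructed case with one binding changed.

```shell
#!/bin/sh
# Added example (not from the comment above, not part of Docker): cross-check
# `docker port <container>` against the docker-proxy command lines from `ps auxf`
# and flag proxies listening on all interfaces.

# Constructed from the values quoted in the comment.
DOCKER_PORT_OUT='22/tcp -> 127.0.0.1:32772
2376/tcp -> 127.0.0.1:32771
5000/tcp -> 127.0.0.1:32770
8443/tcp -> 127.0.0.1:32769
32443/tcp -> 127.0.0.1:32768'

PS_OUT='root 8530 0.0 0.0 1230004 3128 ? Sl Feb26 0:00 \_ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 32768 -container-ip 192.168.49.2 -container-port 32443
root 8544 0.0 0.0 1303480 3332 ? Sl Feb26 0:00 \_ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 32769 -container-ip 192.168.49.2 -container-port 8443
root 8559 0.0 0.0 1303480 3244 ? Sl Feb26 0:00 \_ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 32770 -container-ip 192.168.49.2 -container-port 5000
root 8574 0.0 0.0 1156272 3476 ? Sl Feb26 0:00 \_ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 32771 -container-ip 192.168.49.2 -container-port 2376
root 8589 0.0 0.0 1230004 3324 ? Sl Feb26 0:00 \_ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 32772 -container-ip 192.168.49.2 -container-port 22'

# Constructed variant: the ssh port proxy bound to 0.0.0.0 instead of 127.0.0.1.
PS_OUT_WILDCARD=$(printf '%s\n' "$PS_OUT" | sed 's/-host-ip 127\.0\.0\.1 -host-port 32772/-host-ip 0.0.0.0 -host-port 32772/')

# `docker port` output -> "proto host_ip host_port container_port", sorted.
docker_port_mappings() {
  printf '%s\n' "$1" | awk '
    NF >= 3 {
      split($1, c, "/")                 # "22/tcp" -> c[1]=22, c[2]=tcp
      n = split($3, h, ":")             # last ":" separates host ip from port ([::]:p too)
      hport = h[n]
      hip = substr($3, 1, length($3) - length(hport) - 1)
      print c[2], hip, hport, c[1]
    }' | sort
}

# docker-proxy command lines from `ps` -> the same shape, sorted.
# (Run against live `ps auxf`, exclude the awk/grep line itself as the comment does.)
proxy_mappings() {
  printf '%s\n' "$1" | awk '
    /docker-proxy/ {
      proto = hip = hport = cport = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-proto") { proto = $(i + 1) }
        else if ($i == "-host-ip") { hip = $(i + 1) }
        else if ($i == "-host-port") { hport = $(i + 1) }
        else if ($i == "-container-port") { cport = $(i + 1) }
      }
      if (proto != "") print proto, hip, hport, cport
    }' | sort
}

# Succeeds only when every published port has exactly one proxy and vice versa.
check_proxies() {
  [ "$(docker_port_mappings "$1")" = "$(proxy_mappings "$2")" ]
}

# Number of proxies bound to every interface instead of a specific address.
wildcard_binds() {
  proxy_mappings "$1" | awk '$2 == "0.0.0.0" || $2 == "::" || $2 == "[::]" { n++ } END { print n + 0 }'
}

if check_proxies "$DOCKER_PORT_OUT" "$PS_OUT"; then
  echo "docker port and docker-proxy agree: $(proxy_mappings "$PS_OUT" | wc -l | tr -d ' ') mappings"
else
  echo "MISMATCH between docker port and docker-proxy processes"
fi
echo "proxies bound to all interfaces in constructed variant: $(wildcard_binds "$PS_OUT_WILDCARD")"
```

On a live host, feed `docker_port_mappings "$(docker port minikube)"` and `proxy_mappings "$(ps auxf)"` instead of the constructed strings; a mismatch means a published port has no proxy (or a stale proxy survived a container restart), and a non-zero `wildcard_binds` count means a port was published without an explicit `127.0.0.1:` prefix in `-p`.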
Hello, really good presentation, even after I had almost read papers on this I then managed to stumble upon your video... Thumbs up! I'm still uncertain about that self vs master, as even the manpage is not very descriptive about this, but now it's not an obstacle for me to use VLANs. Regarding the homework, I truly don't have a clue for the use case you questioned :)
Thanks. I don't have time for postproduction with these videos, so I try to deal right away with small issues that might arise. And on another note, I thought a couple of times that people would be more interested in seeing a troubleshooting session, and I am thinking of a format where I should pick a use case from the viewers and treat it in a lab session.
This may sound silly but for a long time I thought of "br0" as being some kind of "bridge interface". And that always confused me and made no sense - for example why would a bridge port have MAC and IP address? Physical bridges don't. And then the lightning struck - "br0" is not a "bridge interface" - it is a *host interface* through which the host is connected to the bridge. It belongs to the host, not to the bridge (but, somewhat confusingly, it is also used to represent and control the bridge).
@PouriyaJamshidi Yes, you can think of br0 as an SVI, but an even closer analogy would be with the irb interface, also from Cisco, where you take a couple of routing interfaces and make them bridge interfaces, but you still need an IP routed interface into that bridge, so that would be the irb interface.
Hello again. For me it is too much information in a video. Of course I have to watch it again and again because I am only a simple Linux user, but a user who loves GNU Linux very much and, for some months now, Tiny Core. Thanks
@routerologyblog1111 I have worked with it since 1997. When I found your channel I can say you have the right DNA to teach. Hope whatever you are doing is better than all the positive messages you receive when you are teaching here for us. Enjoy life! ✨❤️
When a packet of 5000 bytes is tagged with a VLAN id, will the packet be fragmented when pushed to the bridge interface? (In our case this generates a bug because on the bridge interface we have a Hetzner vSwitch which must have MTU = 1400.) Do you know how we could instruct veth to fragment the packets? (I've already set MTU 1400 on veth but it's not working..)
The thing with fragmentation is that it happens at multiple layers, but the one that can become problematic is IP or Layer 3; that's why it is also called packet fragmentation, and usually it is better not to have excessive packet fragmentation, especially with VoIP and realtime streaming protocols. There are two ways to control this. Either you increase the MTU to allow bigger packets without fragmentation, or you decrease the MSS, which will segment the data in smaller chunks at the TCP level, so when it is encapsulated in IP it is under the MTU size. To answer your question on point: yes, you can set the MTU for a veth interface. Here is an example using the ip link command:

```
ip link set dev my_veth mtu 1501
```
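The arithmetic behind the MTU-versus-MSS advice above, as an added example that is not part of the reply or the video: `max_mss` gives the largest TCP payload per segment that still fits a link MTU without IP fragmentation, `ipv4_fragments` shows how many pieces a packet is cut into if it is fragmented instead (using the 8-byte fragment-offset granularity of IPv4), and `mss_clamp_rule` prints the iptables `TCPMSS` rule that rewrites the MSS on forwarded SYNs for a given outgoing interface. Header sizes are the minimum fixed headers (IPv4 20, IPv6 40, TCP 20); the 802.1Q tag adds 4 bytes at layer 2 and is not counted against the IP MTU, so it is not subtracted. The interface name `br0` and the MTU values used in the demo lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the reply above): MTU, MSS and IPv4 fragmentation arithmetic,
# plus the iptables rule that clamps MSS on forwarded SYN packets.

# max_mss MTU [4|6] -> largest TCP payload per segment that fits the MTU.
max_mss() {
  mtu=$1
  case ${2:-4} in
    6) echo $((mtu - 40 - 20)) ;;   # IPv6 header 40 + TCP header 20
    *) echo $((mtu - 20 - 20)) ;;   # IPv4 header 20 + TCP header 20
  esac
}

# ipv4_fragments PACKET_LEN MTU -> number of fragments (0 = fits, no fragmentation).
# Every fragment but the last carries a multiple of 8 payload bytes, because the
# fragment offset field counts 8-byte units, so the usable payload per fragment is
# (MTU - 20) rounded down to a multiple of 8.
ipv4_fragments() {
  len=$1; mtu=$2
  if [ "$len" -le "$mtu" ]; then echo 0; return 0; fi
  payload=$((len - 20))
  per=$(( (mtu - 20) / 8 * 8 ))
  echo $(( (payload + per - 1) / per ))   # ceiling division
}

# mss_clamp_rule OUT_IFACE MTU -> iptables rule capping the MSS of forwarded SYNs
# leaving OUT_IFACE (TCPMSS target; --clamp-mss-to-pmtu is the path-MTU alternative).
mss_clamp_rule() {
  echo "iptables -t mangle -A FORWARD -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(max_mss "$2")"
}

# Demo with the 5000-byte packet and 1400-byte MTU from the question (br0 assumed).
echo "MSS for MTU 1400: $(max_mss 1400) (IPv4), $(max_mss 1400 6) (IPv6)"
echo "5000-byte IPv4 packet on MTU 1400 -> $(ipv4_fragments 5000 1400) fragments"
mss_clamp_rule br0 1400
```

Clamping the MSS only helps TCP; UDP flows such as VoIP media still need the MTU itself raised on the path, or the application to send smaller datagrams, because there is no MSS to negotiate and a fragmented or dropped datagram is simply lost.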
I am running ubuntu-VM on MacHost in bridge adapter mode. On ubuntu VM, I am running docker containers using macvlan network. I have enabled promisc mode on parent interface of VM. The containers are reachable from macHost, but not from ubuntu-VM. How ? Also containers can ping machost, but cannot ping Ubuntu-VM. How is this possible ?
Hi, thank you for this video. I have a question: For example I create Ipvlan L3 network on my enp6s0 with external ip address, and start nginx container, how to map port 80 from external IP to nginx container?
All is perfectly clear. Thanks! In my view, ip a add # would be very much acceptable, according to the target audience. I understand that is your (perfect) way to nail things, but it takes a long time, and I'm waiting for a word from you about macvlan, let's say. It would be admirable. Thanks again, Daniel(?)
Much clearer video than others I've found so far. And I see ipvlan is tricky stuff. Would like to see 'under the hood' ipvlan L2 802.1q tagged from you.
Hello, this is a very nice tutorial. Really appreciate it. Would it be possible to also do one tutorial on a L3 network with IPV6? More specifically I am interested in how to make the containers be able to reach the outside from such a network over ipv6.
What is veth? ... Is this different from when I use virsh attach-interface ...? I'm having a really hard time understanding what this KVM, QEMU stuff is ... Is this veth you created the same thing created in a VM by virsh when setting a bridge interface? Are the namespaces the same as a LAN? Is that what they're for ... creating a LAN and adding domains to it?
Hi, thanks for your video, it was very helpful for me. A question: do you know how to configure the screen resolution in the command line only? I installed Tiny Core with no GUI, only CLI, and, like you, I use VirtualBox, but the screen is very small, just like the one you were working in in the video.
I don't remember well how I recorded this, but I am pretty sure the CLI is a normal terminal window that I had on my Debian host, and in that terminal window I did ssh into the tinybox host, so this way I can have good control over the font size. If you want to change the resolution of the console window right from the VM, I think you have to look at kernel support for different console resolutions. I haven't done that in years, but there were some options that you could compile in the kernel (some VESA drivers and stuff) that you can call with Linux boot parameters. I wouldn't go this route, but if you want to, have a look at the following boot line from grub:

```
linux /boot/vmlinuz-xxx root=/dev/sda1 ro quiet vga=791
```

Mode codes:

```
+--------------+---------+---------+----------+-----------+-----------+
| Colour depth | 640x480 | 800x600 | 1024x768 | 1280x1024 | 1600x1200 |
+--------------+---------+---------+----------+-----------+-----------+
| 8 bit        |   769   |   771   |   773    |    775    |    796    |
| 15 bit       |   784   |   787   |   790    |    793    |    797    |
| 16 bit       |   785   |   788   |   791    |    794    |    798    |
| 24 bit       |   786   |   789   |   792    |    795    |    799    |
+--------------+---------+---------+----------+-----------+-----------+
```
For me, container to container is pingable, but I can't ping from a container to the physical network even though I have enabled promiscuous mode. How to solve this? Need your help.
Hello, I am using CentOS 7 in vmbox. I turned promisc mode on in vmbox with bridge mode, and in CentOS I followed the commands that you used, but it didn't work for me when I ping the host: it can ping the colleague container but it cannot ping the host. Could you please help me!
Thanks a lot for this informative vid! Can you tell me how to set up the ipvlan L3 mode in docker-compose? E.g. what do the commands at 3:14 and 4:06 look like in the .yaml file? Would be AWESOME!
Hey man, great video. One question: are you doing this on WSL2, and if not, is it possible to create an ipvlan on Docker under the WSL2 engine? Thank you in advance!
Sorry, I'm a bit new to this. When you specify what gateway to use, are you specifying the host machine or are you specifying the actual, physical gateway on the LAN?
I wish I had seen this video 2 days ago; I have been struggling to add a docker container to a specific network to deploy DVWA and play around with Kali as a suspicious machine. Thanks for the video, keep it rocking!!