#Any docker experts out there?

17 messages · Page 1 of 1 (latest)

earnest grotto
#

This is a question about Docker networking where I've come to a halt.
Not specifically HA related, but kinda

Scenario: HA running in docker in a macvlan so all devices can contact it through its own unique IP

A network monitoring tool runs on the docker host which is checking for uptime availability of devices and locations. It can see other containers on the same host network, LAN devices like the router, cloudflare etc, but it can't see the HA container running in the macvlan network.

Anyone know how to allow the host to access and see the containers in the macvlan?
Or even vice versa - macvlan can't see the docker gateway 172.17.0.1?

minor path
#

@lusty pendant perhaps!

lusty pendant
#

I'm guessing the host is technically in a different subnet to the containers in the macvlan, so this might be a job for adding some routing in the host's iptables

```sh
# create a macvlan "shim" interface on the physical adapter (bridge mode so it can talk to the containers)
ip link add foobar link enp7s0 type macvlan mode bridge
# give the shim its own spare IP on the LAN
ip addr add 192.168.9.252/32 dev foobar
ip link set foobar up
# host route: reach the macvlan container via the shim instead of the parent adapter
ip route add 192.168.9.228/32 dev foobar
```

type thing
#

Where:

enp7s0 - Name of your physical adapter

192.168.9.252/32 - Genuine new IP on your network

192.168.9.228/32 - IP of the container using macvlan

#

but it won't survive a reboot

#

a firewall rule on to connect them would work tho

#

I have docker HA running on host lan, that'd fix it too 😄

earnest grotto
#

Ta. Funny enough, I tried that all except the last line
Taken from this example: https://collabnix.com/2-minutes-to-docker-macvlan-networking-a-beginners-guide/

In my case the docker host is my Synology NAS. I bonded the ethernet ports so it uses ovs_bond0 rather than eth0 (or enp7s0)

I did suspect that it would be lost after a reboot although easy enough to script to run as a scheduled task after boot-up.

I'll have another poke at it and see if it works.
Cheers for your help

earnest grotto
# lusty pendant i have docker HA running on host lan, that'd fix it too 😄

That's kinda the way this all ended up.

Rather than setting up my NAS Network Interface to use a VPN (which interferes with port forwarding and is overkill) I was doing a funky thing with docker and gluetun as a dedicated VPN container (macvlan IP) and attached a series of other containers to it using --network=container:gluetun
They all shared the same IP/subnet with individual ports being the separator, but it meant that other containers running on host/bridge like the monitoring container couldn't access that macvlan subnet.

In the end I moved gluetun to the host and it still works fine as before 🤦‍♂️

Thanks for your help and inspiration.
It was useful to see I was on the right path, but simplifying the topology did the trick 👌

onyx jackal
#

Did you try to run both on the same host?

#

If that's the case then both containers won't see each other.

#

A child interface cannot communicate with its parent interface

normal shoal
#

Covers the use of a shim to allow access between a macvlan container and the host

#

It's not a subnet issue, and the shim technique works whether the host and container are on the same or different subnets

#

I've used it a couple of times, all of my docker containers (there are 14 of them currently) use macvlan and are spread across three subnets. A couple do need to access the host or vice-versa and this technique works well.
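The shim technique from the `ip link`/`ip addr`/`ip route` commands earlier in the thread and from the last post, written up as a boot-time script so it survives the reboot problem mentioned above. This is an added example, not code from any poster; the interface name `macvlan-shim`, the adapter `enp7s0` and the 192.168.9.x addresses are placeholders to adjust, and `DRY_RUN=1` only prints the commands instead of running them (which needs root).

```shell
#!/bin/sh
# Host-side macvlan "shim": lets the Docker host reach containers on a
# macvlan network (and vice versa). Intended for a scheduled task at boot.
# Assumed values (placeholders, override via environment):
PARENT="${PARENT:-enp7s0}"                       # physical adapter behind the macvlan
SHIM="${SHIM:-macvlan-shim}"                     # host-side shim interface name
SHIM_IP="${SHIM_IP:-192.168.9.252}"              # spare LAN IP for the host side
CONTAINER_IPS="${CONTAINER_IPS:-192.168.9.228}"  # space-separated macvlan container IPs

# Reject anything that is not a dotted-quad IPv4 with octets 0-255.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# DRY_RUN=1 prints the command; otherwise it is executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

shim_up() {
  valid_ipv4 "$SHIM_IP" || { echo "bad SHIM_IP: $SHIM_IP" >&2; return 1; }
  # Idempotent: only create the shim if it is not already there.
  if [ "${DRY_RUN:-0}" = 1 ] || ! ip link show "$SHIM" >/dev/null 2>&1; then
    run ip link add "$SHIM" link "$PARENT" type macvlan mode bridge
    run ip addr add "$SHIM_IP/32" dev "$SHIM"
    run ip link set "$SHIM" up
  fi
  # One /32 host route per container: only the listed IPs go via the shim,
  # everything else keeps using the parent adapter. "replace" makes re-runs safe.
  for c in $CONTAINER_IPS; do
    valid_ipv4 "$c" || { echo "bad container IP: $c" >&2; return 1; }
    run ip route replace "$c/32" dev "$SHIM"
  done
}

# Deleting the interface also drops the routes that point at it.
shim_down() { run ip link del "$SHIM"; }

case "${1:-}" in
  up)   shim_up ;;
  down) shim_down ;;
esac
```

Run it as `sh shim.sh up` from your boot task (on a Synology NAS, a Task Scheduler "boot-up" task run as root); set `PARENT` to the bonded interface, e.g. `ovs_bond0`, if that is what the macvlan uses.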