Docker reverse proxy container on bridged network

Published 2019-08-21 09:46

first of all: I'm aware of this: Unable to access docker containers from host over macvlan network

I'm using a single docker host setup (unraid, but that's irrelevant).

For various reasons, I'm using a mailserver container (poste) on a macvlan network, as I need to have an ip within the LAN (firewall, spamfiltering, experimenting). The mailserver container also contains a webserver & webui. I also want my reverse proxy container (on the docker0 network) to point to my mailserver's webui.

Is there any workaround for this that does not add 2 networks to my mailserver container? By adding a route, for example? Currently, I'm using a second network as a solution for my situation, i.e. by running # docker network connect docker0 containername after the container has started, where docker0 is the internal docker network 172.17.0.0/16.

However, this poses some security issues, imho. Although I could probably limit access over the bridge network to the mail container to just the reverse-proxy container?

I have another path to explore, when I use the second eth adapter on the host.

host network adapters:

  • eth0: 10.10.0.16/16
  • eth1: 10.10.0.17/16

When I do a # docker network inspect br0, this is the result. br0 is the name of the macvlan network.

[
    {
        "Name": "br0",
        "Id": "beb3548b7a4a4fdaba6c3fa2771ea7a8511d44b0e2545abc9b2f7d8ed922",
        "Created": "2018-03-09T17:48:09.444567623+01:00",
        "Scope": "local",
        "Driver": "macvlan",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "10.10.0.0/16",
                    "Gateway": "10.10.0.99",
                    "AuxiliaryAddresses": {
                        "server": "10.10.0.16"
                    }
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "1c215b70764d198ce95b702f49b1f263a7a68a308f13db2907921d8bd4d9": {
                "Name": "poste",
                "EndpointID": "7d560d531e4f88472b7cbf96b5f460964bf12bdd478f88840475732215ff",
                "MacAddress": "02:42:0a:0a:20:f2",
                "IPv4Address": "10.10.32.242/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "parent": "br0"
        },
        "Labels": {}
    }
]

And then I can use

# ip link add link eth1 dev eth1m type macvlan mode bridge
# ip link set eth1m up
# ip route add 10.10.32.242 dev eth1m

Now I can ping / communicate with the container (even when only a macvlan network is attached) from the host. The problem is I still cannot reach 10.10.32.242 from my reverse-proxy container (which is, as said, on the docker0 network).
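As an added example (not code from the question or from unraid/poste), the following Python script parses the docker network inspect output shown above, flags the containers the host cannot reach directly over the macvlan parent, and derives the host-side macvlan shim commands that the question applies by hand. The sample JSON is a trimmed copy of the inspect output above, and all function names are my own.

```python
# Added example (not from the original post): parse `docker network inspect`
# output for a macvlan network and derive the host-side shim commands.
import ipaddress
import json
from typing import Optional

# Constructed sample: the `docker network inspect br0` output from the question,
# trimmed to the fields read here (Id/EndpointID values omitted).
SAMPLE_INSPECT = """
[
  {
    "Name": "br0",
    "Driver": "macvlan",
    "IPAM": {
      "Config": [
        {"Subnet": "10.10.0.0/16", "Gateway": "10.10.0.99",
         "AuxiliaryAddresses": {"server": "10.10.0.16"}}
      ]
    },
    "Containers": {
      "1c215b70764d": {"Name": "poste", "IPv4Address": "10.10.32.242/16"}
    },
    "Options": {"parent": "br0"}
  }
]
"""


def parse_macvlan_network(inspect_json: str) -> dict:
    """Return name, parent interface, subnets and container IPs of a macvlan network."""
    networks = json.loads(inspect_json)
    if len(networks) != 1:
        raise ValueError("expected exactly one network in the inspect output")
    net = networks[0]
    if net.get("Driver") != "macvlan":
        raise ValueError(f"{net.get('Name')} uses driver {net.get('Driver')}, not macvlan")
    subnets = [ipaddress.ip_network(cfg["Subnet"]) for cfg in net["IPAM"]["Config"]]
    # Docker reports "IPv4Address" as address/prefix; keep only the address.
    containers = {
        c["Name"]: ipaddress.ip_interface(c["IPv4Address"]).ip
        for c in net["Containers"].values()
    }
    return {
        "name": net["Name"],
        "parent": net["Options"]["parent"],
        "subnets": subnets,
        "containers": containers,
    }


def containers_unreachable_from_host(net: dict, host_addr: str) -> list:
    """Names of containers the host cannot reach directly over the macvlan parent.

    A macvlan parent interface never hands frames to its own child interfaces.
    When the host address and the container share a subnet, the kernel treats
    the container as on-link and sends the frame straight out of the parent,
    where it is dropped. Those containers need a host-side shim (shim_commands).
    """
    host_ip = ipaddress.ip_address(host_addr)
    return sorted(
        name for name, ip in net["containers"].items()
        if any(host_ip in s and ip in s for s in net["subnets"])
    )


def shim_commands(net: dict, host_iface: str, shim: Optional[str] = None) -> list:
    """Host commands: one macvlan shim on host_iface plus a /32 route per container."""
    shim = shim or f"{host_iface}m"
    cmds = [
        f"ip link add link {host_iface} dev {shim} type macvlan mode bridge",
        f"ip link set {shim} up",
    ]
    for _name, ip in sorted(net["containers"].items()):
        # /32 is what `ip route add <addr> dev ...` with a bare address means.
        cmds.append(f"ip route add {ip}/32 dev {shim}")
    return cmds


if __name__ == "__main__":
    net = parse_macvlan_network(SAMPLE_INSPECT)
    print("needs shim:", containers_unreachable_from_host(net, "10.10.0.16"))
    print("\n".join(shim_commands(net, "eth1")))
```

Run against the inspect output above with the host address 10.10.0.16, the script reports poste as unreachable without a shim and emits the same three commands the question runs (with the /32 written out). One thing worth checking for the remaining docker0 problem: the shim in the question carries no IP address. Host-originated traffic still works (consistent with the ping from the host), but forwarded traffic from the docker0 subnet is masqueraded by Docker's default rule for the bridge network, and that needs a usable address on the outgoing interface.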

0 answers