
I've got a docker host with an interface on network 10.0.1.0/24 and IP address 10.0.1.9. I created a docker network as follows:

docker network create -d ipvlan \
--subnet=10.0.2.0/24 \
-o host_iface=ens3 \
-o ipvlan_mode=l3 \
ipvlan_net

I then create a container as follows:

docker run -itd --rm --network ipvlan_net --ip 10.0.2.10 --name test busybox

If I create multiple containers, each container can ping the others, but no container can ping the host at 10.0.1.9, nor can the host ping the containers. I've searched online, but none of the (what little) instructions I found were helpful.


1 Answer

You can't ping the host because of a security feature present on both macvlan and ipvlan networks. Traffic originating from the host to containers (and vice versa) is filtered to enforce strong network isolation.

If you want host-to-container connectivity (and vice versa), you must manually create an ipvlan subinterface in the default namespace on the host. Try this:

ip link add ipvl0 link ens3 type ipvlan mode l3   # host-side ipvlan slave, same mode as the docker network
ip link set ipvl0 up
ip addr add 10.0.250.0/24 dev ipvl0               # host address on its own subnet, outside 10.0.2.0/24
ip route add 10.0.2.0/24 dev ipvl0                # send container traffic through the subinterface

See this https://github.com/moby/moby/issues/21735#issuecomment-205904902.
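The same setup as a reusable script, added here as an example; it is not the answer's own code and not anything shipped with Docker. It assumes the parent interface ens3 and the 10.0.2.0/24 container subnet from the question, uses 10.0.250.1/24 as a made-up host-side address, and defaults to l3 mode. The mode has to equal the docker network's ipvlan_mode, because the kernel refuses ipvlan slaves of different modes on one parent. "plan" validates the inputs and prints the ip commands without touching anything, "apply" runs them (needs root, idempotent), "check" pings a container, and "teardown" deletes the subinterface together with its address and route.

```shell
#!/bin/sh
# Added example (not the answer's own code): manage the host-side ipvlan
# subinterface that lets the Docker host and its ipvlan containers reach
# each other. Assumed values, override via the environment:
#   PARENT=ens3                    parent NIC from the question
#   CONTAINER_SUBNET=10.0.2.0/24   the docker network's --subnet
#   HOST_CIDR=10.0.250.1/24        hypothetical host-side address; must lie
#                                  OUTSIDE the container subnet in l3 mode
#   MODE=l3                        must equal the docker network's ipvlan_mode
set -eu

PARENT=${PARENT:-ens3}
SUBIF=${SUBIF:-ipvl0}
MODE=${MODE:-l3}
HOST_CIDR=${HOST_CIDR:-10.0.250.1/24}
CONTAINER_SUBNET=${CONTAINER_SUBNET:-10.0.2.0/24}

# Dotted quad -> 32-bit integer using only POSIX arithmetic.
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/PLEN: succeeds if ADDR falls inside NET/PLEN.
in_subnet() {
  addr=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  plen=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Validate the inputs and print the exact ip(8) commands, one per line,
# without touching the system. Fails on an unknown mode, a malformed CIDR,
# or a host address inside the container subnet (the kernel would then add
# a connected route itself and the explicit "ip route add" would fail).
ipvlan_plan() {
  parent=$1 subif=$2 mode=$3 host_cidr=$4 subnet=$5
  case "$mode" in
    l2|l3|l3s) ;;
    *) echo "unsupported ipvlan mode: $mode" >&2; return 1 ;;
  esac
  for c in "$host_cidr" "$subnet"; do
    echo "$c" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
      || { echo "malformed CIDR: $c" >&2; return 1; }
  done
  if in_subnet "${host_cidr%/*}" "$subnet"; then
    echo "host address $host_cidr lies inside $subnet; pick one outside it" >&2
    return 1
  fi
  printf '%s\n' \
    "ip link add $subif link $parent type ipvlan mode $mode" \
    "ip link set $subif up" \
    "ip addr add $host_cidr dev $subif" \
    "ip route add $subnet dev $subif"
}

# Apply the plan. Needs CAP_NET_ADMIN; idempotent (skips if SUBIF exists).
# Nothing here persists across a reboot: redo it at boot or put it in your
# network manager's config, or host<->container reachability disappears.
ipvlan_apply() {
  if ip link show "$SUBIF" >/dev/null 2>&1; then
    echo "$SUBIF already exists, nothing to do" >&2
    return 0
  fi
  cmds=$(ipvlan_plan "$PARENT" "$SUBIF" "$MODE" "$HOST_CIDR" "$CONTAINER_SUBNET") || return 1
  printf '%s\n' "$cmds" | while IFS= read -r cmd; do
    echo "+ $cmd" >&2
    $cmd
  done
}

case "${1:-plan}" in
  plan)     ipvlan_plan "$PARENT" "$SUBIF" "$MODE" "$HOST_CIDR" "$CONTAINER_SUBNET" ;;
  apply)    ipvlan_apply ;;
  check)    ping -c 1 -W 1 "${2:?container IP to ping}" ;;   # e.g. check 10.0.2.10
  teardown) ip link del "$SUBIF" ;;   # removes its address and route as well
  *) echo "usage: $0 plan|apply|check IP|teardown" >&2; exit 2 ;;
esac
```

Keep in mind that the subinterface is exactly what re-opens the host-to-container path the driver blocks on purpose. If the host only needs to reach a handful of containers, narrow the route to those addresses (a /32 per container) instead of routing the whole /24 through ipvl0.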
