Connecting VM guest with Docker containers running on the same host

Question

Summary

I'm a backend developer with a limited networks knowledge. I'm in a situation where I need to test a SIP system consisting of several components (various SIP and media elements, SIP UAs) locally on my machine (Linux host). The challenge is that some of the system elements are accessible to me as VirtualBox VMs (Windows and Linux guests) while others as Docker containers (running via Docker Engine). What I'm trying to achieve is a configuration of my local host (not the local network router) and/or VM and Docker guests (if needed) to ensure that VMs can talk to the Docker containers and vice-versa. I don't have any strong requirements for whether all system components must reside in the same subnet or several different ones as long as:

each system component can be accessible using it's own IP address (many SIP components rely on the default 5060 port)
- ideally (not mandatory, but will simplify the setup greatly) IP addresses can be specified upfront (like with Docker custom bridges) since many SIP servers must be configured upfront with IP address on which they shall listen
cross-communication without NAT is possible (NAT makes things especially difficult when dealing with media protocols).

Details

What I have so far:

Linux host (PopOS 22.04)

Local network IP: 192.168.200.232

$ netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.200.1   0.0.0.0         UG        0 0          0 wlp1s0
link-local      0.0.0.0         255.255.0.0     U         0 0          0 wlp1s0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.200.0   0.0.0.0         255.255.255.0   U         0 0          0 wlp1s0

VirtualBox 6.1
- Windows 11 guest
- Firewall: disabled
- Network settings: Bridge Adapter, wlp1s0, Intel PRO/1000 MT Server, Promiscuous mode enabled
- IP address: 192.168.200.88

Docker 24.0.2

Linux container
Network settings: using default Docker bridge network
IP address: 172.17.0.4

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0

I am able to ping VM from the Docker container:

# ping 192.168.200.88
PING 192.168.200.88 (192.168.200.88) 56(84) bytes of data.
64 bytes from 192.168.200.88: icmp_seq=1 ttl=127 time=0.476 ms
64 bytes from 192.168.200.88: icmp_seq=2 ttl=127 time=0.677 ms

but not the other way around:

> ping 172.17.0.4

Pinging 172.17.0.4 with 32 bytes of data:
Request timed out.

I tried adding a static route to the Windows guest like this (here 192.168.200.232 is my host machine IP):

route add 172.17.0.0 MASK 255.255.0.0 192.168.200.232

which led to the following Windows guest netstat -r output:

PS C:\Users\User> netstat -r
===========================================================================
Interface List
 15...08 00 27 7c 0c be ......Intel(R) PRO/1000 MT Network Connection
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.200.1   192.168.200.88     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
       172.17.0.0      255.255.0.0  192.168.200.232   192.168.200.88     26
    192.168.200.0    255.255.255.0         On-link    192.168.200.88    281
   192.168.200.88  255.255.255.255         On-link    192.168.200.88    281
  192.168.200.255  255.255.255.255         On-link    192.168.200.88    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    192.168.200.88    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    192.168.200.88    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 15    281 fe80::/64                On-link
 15    281 fe80::b2b0:9f8f:be31:e695/128
                                    On-link
  1    331 ff00::/8                 On-link
 15    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

but it does not work (possibly because I'm missing additional static routes on my home router but I want to avoid making any changes at the router level as I'll need to replicate this solution in different environments and I want to contain all changes to the host machine alone)

Summary

Here is the diagram of the configuration that I am trying to achieve:

Is what I'm trying to achieve doable using VMs and Docker containers running directly in the host machine? If so, any pointers would be greatly appreciated!

Could you please add the output of netstat -r of your Windows host ? - As your docker containers are not in the same subnet of your host machine, you should have NAT rules in iptables on your PopOS host. — hidigoudi, Commented Jan 13 at 11:38
@hidigoudi I assume you meant the output of netstat -r from the Linux (PopOS) host? Added above. — IvanR, Commented Jan 13 at 14:47
No I mean netstat -r inside your Windows guest, but all information are good to know. — hidigoudi, Commented Jan 13 at 14:50
Ok thank you, could you please add also the routes with ip route or netstat -r of your docker container ? — hidigoudi, Commented Jan 13 at 15:01

bbaassssiiee · Accepted Answer · 2024-01-15 11:01:35Z

0

Run all containers with --net=host network host driver That way all of your components will be on the same network, and will be able to communicate

edited Jan 15 at 11:01

bbaassssiiee

1,4851 gold badge12 silver badges17 bronze badges

answered Jan 11 at 16:45

ofirule

1691 silver badge8 bronze badges

1

From the question: "each system component can be accessible using it's own IP address (many SIP components rely on the default 5060 port)", in the description of the host-only network driver: "container doesn't get its own IP-address allocated" - something doesn't add up...
– IvanR
Commented Jan 11 at 16:59
You can probably do it with --net=ipvlan See: docs.docker.com/network/drivers/ipvlan I will try to play with it a little later to give a fuller answer
– ofirule
Commented Jan 15 at 11:26

Add a comment |

Netan · Accepted Answer · 2024-01-20 20:30:34Z

EDIT: Totally missed that you need it locally. You can probably achive the exact same with VMWare networking.

Create a new "Host Only" network in VMWare network editor
- There, disable the DHCP server
Set the VMs NIC to that network. Assign IP addresses manually
Create a new docker network ( macVLAN or ipVLAN ) within the same network
Assign IP addresses manually to deployed containers

Here's a network creation-command example:

docker network create --driver ipvlan --subnet 192.168.0.1/24 --gateway 192.168.0.254 --ip-range 192.168.0.254/28 --attachable --opt mode=l2 --opt parent=eth0 externalNetwork

Allowing me to use 192.168.0.254/28 ( which means 192.168.0.240 to 192.168.0.253 ) with my dockers. I reserved this segment in my router, so it wont allocate this segment.

Here's a command my Unraid ( virtualizaiton and hosting server ) runs for a DNS-resolver docker. Said docker should be accessed by the rest of the physical devices in my home, on the network of 192.168.0.1-192.168.0.254

docker run
  -d
  --name='piholedocker'
  --net='externalNetwork'
  --ip='192.168.0.250'
  -e TZ="TIMEZONE"
  -e HOST_OS="Unraid"
  -e HOST_CONTAINERNAME="piholedocker"
  -e 'TCP_PORT_53'='53'
  -e 'UDP_PORT_53'='53'
  -e 'UDP_PORT_67'='67'
  -e 'TCP_PORT_80'='80'
  -e 'TCP_PORT_443'='443'

I'll leave my initial comment here for reference:

You can set "External" networking for VMs and use ipVLAN ( or macVLAN ) for the containers. This is what I'm doing in my home, so I can contact Vaultwarden and pihole dockers from all the devices within the network.

You can either:

Limit your router DHCP server segment to something like 100 hosts, leaving 50 for VMs and another 100 for containers ( numbers are just for example )
YOLO by running everything on the usual segment ( recommended for lazy home-users )
Create a whole new segment in the router. Then, assign it to VMs/Containers based on their MAC address ( or just assign it manually )

Anyhow, in an office network environment, contact the IT beforehand. Worest case scenerio, the'll buy a cheap TP-Link router, plug it within their network, then give you your whole segment there ( something like, if your work is using 192.168.x.x/24, then you'll get something like 172.16.x.x/24 ).

Off-topic: Allways try to consult with IT about this stuff! They are mostly good people, with very good understanding of networking ( and many other things ).

Thanks for sharing your experience in the matter. I realize now I might have not been very clear when phrasing the question, but I really don't want to mess with local network. Why? Because I change offices/locations often, do demos on client sites and I'm looking for a setup that can work 100% locally, with no Internet access or local network admin rights. I tried to cover this with this sentece "What I'm trying to achieve is a configuration of my local host (not the local network router) and/or VM and Docker guests (if needed)" but I appreciate that it might not have been clear enough... — IvanR, Commented Jan 13 at 23:12
> Create a new docker network ( macVLAN or ipVLAN ) within the same network @Netan is this referring to the "parent" option? docs.docker.com/network/drivers/macvlan/#options — IvanR, Commented Jan 18 at 9:25
> Assign IP addresses manually to deployed containers Does this mean the "--ip" flag passed to "docker run" won't have any effect? If so, it's going to be an issue since App starts running as soon as contain is running and if IP is not configured, the app will probably fail to start as it won't be able to listen on the configured IP (app's configured IP, not container's). — IvanR, Commented Jan 18 at 9:27
@IvanR Sorry about the delay, haven't had internet connection lately ( don't even ask hahaha ) ; 1. Yes, "parent" is the parent interface. 2. "--ip" will work. IP Assignment is different than the phisycal NIC which will be used. — Netan, Commented Jan 20 at 20:10

Stack Exchange Network

Connecting VM guest with Docker containers running on the same host

Summary

Details

Summary

2 Answers 2

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
networking
virtualbox
docker
sip
.

Hot Network Questions

Connecting VM guest with Docker containers running on the same host

Summary

Details

Summary

2 Answers 2

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged networkingvirtualboxdockersip.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
networking
virtualbox
docker
sip
.