macvlan and ipvlan at Docker Bangalore July 2016 meetup

Transcript

1. macvlan and ipvlan - Suraj Deshmukh @surajd_

2. Introduction • macvlan and ipvlan exposes the underlying host's interfaces

   directly to VMs or Containers. • Both do not use bridge. • Both are implicitly namespace aware. • Traditionally we have been using Linux Bridge to get VM access to the outside network or default gateway, now you don't need that extra NATing overhead. • Lightweight and Fast.

3. • There are two ways normally to connect VMs or

   Containers to external network overlay and underlay: ◦ Overlay is using VXLAN or NVGRE, etc., with extra encapsulation. ◦ Underlay is using Linux Bridge, ipvlan or macvlan by directly exposing it to host's external network. ◦ These implementations are extremely lightweight than the traditional linux bridge.

4. Linux Bridge • Acts similar to the physical layer 2

   switch. • It has learning capabilities. • All the VMs or containers connect to this bridge/switch. • For external connectivity all these are NATed.

5. macvlan • macvlan allows a single interface to have multiple

   MAC and IP addresses using macvlan sub-interfaces. • This is different from creating sub-interfaces on a physical interface using VLAN, here every sub-interface belongs to different Layer-2 domain and all sub-interfaces have different MAC address.

6. • macvlan has been in use with lxc containers before

   docker support was introduced. • Each interface will have different MAC address and will be exposed directly in the underlay network. • This will help people who wanna use the existing network infrastructure with Containers and VMs.

7. • macvlan will only see traffic that has MAC address

   that matches interface’s MAC address. • macvlan has 4 types (private, bridge, passthrough, VEPA(Virtual Ethernet Port Aggregator)) ◦ Commonly used is a macvlan bridge because it allows the Container or VMs on the same host to talk to each other without packet leaving the host. ◦ Bridge mode works like traditional bridge and removes the requirement of learning and STP, learning not needed because it already knows what MAC addresses.

8. ipvlan • Conceptually similar to macvlan but uses layer 3.

   • Unlike macvlan no unique MAC addresses. • Can be used in scenarios where MAC addresses per port are restricted. • Right now supported modes are l2 and l3.

9. When to use ipvlan over macvlan? • These two are

   very similar in many regards and the specific use case could very well define which device to choose. ◦ The Linux host that is connected to the external switch / router has policy configured that allows only one mac per port. ◦ No of virtual devices created on a master exceed the MAC capacity and puts the NIC in promiscuous mode and degraded performance is a concern. ◦ If the slave device is to be put into the hostile / untrusted network namespace where l2 on the slave could be changed / misused.

10. When to use macvlan over ipvlan? • When you have

    a common DHCP server, then macvlan should be used, because DHCP would need unique MAC address for each IP address.

11. Demo Steps a.k.a. Cheatsheet: https://github. com/surajssd/blog_post/tree/master/talks2/20160708DockerBangalore

12. Ref: • Macvlan and IPvlan basics https://sreeninet.wordpress.com/2016/05/29/macvlan-and-ipvlan/ • Macvlan and

    Ipvlan Network Drivers https://github.com/docker/docker/blob/master/experimental/vlan-networks.md • Experimental Docker https://sreeninet.wordpress.com/2016/05/29/experimental-docker-with-docker-machine/ and https: //github.com/docker/docker/tree/master/experimental • Some notes on macvlan/macvtap http://backreference.org/2014/03/20/some-notes-on-macvlanmacvtap/ • Configuring Macvlan and Ipvlan Linux Networking http://networkstatic.net/configuring-macvlan-ipvlan-linux-networking/ • About Veth and Macvlan https://docs.oracle.com/cd/E37670_01/E37355/html/ol_mcvnbr_lxc.html • LXC Macvlan networking https://www.flockport.com/lxc-macvlan-networking/ • MacVTap http://virt.kernelnewbies.org/MacVTap • IPVLAN Driver HOWTO https://www.kernel.org/doc/Documentation/networking/ipvlan.txt • Linux Networking: MAC VLANs and Virtual Ethernets http://www.pocketnix.org/posts/Linux%20Networking:%20MAC% 20VLANs%20and%20Virtual%20Ethernets • macvlan: implement bridge, VEPA and private mode https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/? id=618e1b7482f7a8a4c6c6e8ccbe140e4c331df4e9 • IPVLAN – The beginning http://people.netfilter.org/pablo/netdev0.1/papers/IPVLAN-The-beginning.pdf • Integrating Overlay Networking and the Physical Network http://etherealmind.com/integrating-overlay-networking-and-the- physical-network/