macvlan接口類型簡單說類似于子接口，但相比子接口來說，macvlan接口擁有自己獨立的mac地址，因此使用macvlan接口可以允許更多的二層操作。macvlan有四種模式：VEPA，bridge，Private和Passthru

macvlan接口會監聽并接收鏈路上到達本mac地址的報文，因此macvlan（除bridge外）僅能向外部網絡發送報文，并接受目的為本機mac的報文。

+---------------+| network stack |+---------------+| | | |+---------+ | | +------------------+| | +------------------+ || +------------------+ | || | | || aa +----------+ | | || eth0 +-----| macvlan0 |---+ | || / +----------+ | |Wire +------+ +---------------+ bb +----------+ | | --------| eth0 |------/ if dst mac is /--------| macvlan1 |------+ |+------+ +---------------+ \ +----------+ |\ cc +----------+ |+-----| macvlan2 |---------++----------+

模擬環境：windows主機上安裝vmware centos虛擬機作為host主機，centos上安裝docker

VEPA模式：在這種模式下，macvlan設備不能直接接收在同一個物理網卡的其他macvlan設備的數據包，但是其他macvlan設備可以將數據包通過物理網卡發送出去，然后通過hairpin設備返回的給其他macvlan設備，用于管理內部vm直接的流量，并且需要特殊設備支持。

使用如下命令創建一個容器的vepa模式的macvlan，名稱為vepamv,其中192.168.128.0和192.168.128.2分別為docker所在的host主機eth0的網段和網關。

docker network create -d macvlan --subnet=192.168.128.0/24 --gateway=192.168.128.2 -o parent=eth0 -o macvlan_mode=vepa vepamv

使用上述網絡運行2個容器

docker run -itd --net=vepamv--ip=192.168.128.222 --name=centos1-2 f322035379ab /bin/bash docker run -itd --net=vepamv --ip=192.168.128.233 --name=centos1-3 f322035379ab /bin/bash

查看網絡信息，可以看到驅動類型為macvlan，macvlan模型為vepa，兩個網卡有獨立的mac地址，底層物理網卡為eth0

[root@localhost ~]# docker network inspect evapmv [{"Name": "vepamv","Id": "84af6a040cf1e1063c122ed9b80b421ef2896d31100c87bec9cde7a0e8690833","Created": "2018-09-16T22:16:23.938521926+08:00","Scope": "local","Driver": "macvlan","EnableIPv6": false,"IPAM": {"Driver": "default","Options": {},"Config": [{"Subnet": "192.168.128.0/24","Gateway": "192.168.128.2"}]},"Internal": false,"Attachable": false,"Containers": {"49eb565de8f9ec41ba69285c6ced2971a861a104247dc10c257ce3dd7a74d006": {"Name": "centos1-3","EndpointID": "adc576f3cfa1c5b6649f3d322ba11487e8ef3eadebeed72eb830f55a8a5768f6","MacAddress": "02:42:c0:a8:80:e9","IPv4Address": "192.168.128.233/24","IPv6Address": ""},"5f0fe3a769ca17717afea9f1d444b00a4380289b2744d02d5ade260e7e687868": {"Name": "centos1-2","EndpointID": "caa0766bb243e43986c1ee435b9d2666c615b92c06964c749d5e93ba7ef8849f","MacAddress": "02:42:c0:a8:80:de","IPv4Address": "192.168.128.222/24","IPv6Address": ""}},"Options": {"macvlan_mode": "vepa","parent": "eth0"},"Labels": {}} ]

在centos1-2中ping centos1-3發現無法ping通，因為本地環境上并沒有開啟hairpin模式的交換機或路由器，報文發送到鏈路上之后無法返回來。即無法在internal內部進行報文傳輸

[root@0dd61dcf26f3 /]# ping 192.168.128.222 PING 192.168.128.222 (192.168.128.222) 56(84) bytes of data. From 192.168.128.233 icmp_seq=1 Destination Host Unreachable From 192.168.128.233 icmp_seq=2 Destination Host Unreachable

但在external network的機器（192.168.128.1）是可以直接訪問該容器的（首先該容器的IP屬于external network）

D:/> ping 192.168.128.222 PING 192.168.128.222 (192.168.128.222) 56(84) bytes of data. 64 bytes from 192.168.128.222: icmp_seq=1 ttl=64 time=0.080 ms 64 bytes from 192.168.128.222: icmp_seq=1 ttl=64 time=0.080 ms

抓包如下，可以看到centos1-2的源mac地址與上述的mac地址是一致的。

?

使用IPOP構包模擬hairpin的交換機，模擬從192.168.128.233 發送arp請求192.168.128.222，報文如下：

使用抓包工具可以看到192.168.128.222回復了來自192.168.128.223的arp請求

?

private模式：該模式類似于VEPA，但在VEPA基礎上添加了新的特性，即如果兩個macvlan在同一個網卡上，這兩個macvlan接口無法通信，即使使用啟用hairpin的交換機或路由器。仍然使用上述條件構造從192.168.128.222到192.168.128.233的arp請求報文，可以看到192.168.128.222并沒有回復192.168.128.233的arp請求。但是從windows機器直接ping 192.168.128.222是可以ping通的。private模式下隔離了來自同網卡的macvlan的廣播報文。

?

passthru模式：該模式僅允許一塊網卡上面部署一個macvlan接口，其他使用macvlan的容器將啟動失敗，但只要不使用macvlan，該容器還是可以正常啟動。如果需要在單個物理網卡上啟動多個macvlan_mode=passthru的容器，可以使用子接口方式，參見 https://blog.csdn.net/daye5465/article/details/77412619。

[root@localhost home]# docker run -itd --net=passmv f322 /bin/bash 17b0f2c446671f716bcf136e9c9d8c781ec84901c87e1d4ae0a20aa98e5fb710 /usr/bin/docker-current: Error response from daemon: failed to create the macvlan port: invalid argument. [root@localhost home]# docker run -itd f322 /bin/bash 6aac5b6a284b1d5c2294936d7943007947a602fc7cdcc133c32b5e861ed17865

　

bridge 模式（docker默認模式）：在這種模式下，寄生在同一個物理設備的macvlan設備可以直接通訊，不需要外接的hairpin設備幫助，使用如下的命令創建一個bridge的macvlan網絡

docker network create -d macvlan --subnet=192.168.226.0/24 --gateway=192.168.226.2 -o parent=eth0 -o macvlan_mode=bridge bridmv

使用bridge可以保證在不使用hairpin設備的前提下實現inter-network和external-network的連通，查看docker的bridge信息如下

[root@localhost netns]# docker network inspect bridmv [{"Name": "bridmv","Id": "b2920c8721701d47ac891aa8528d95f60e6a71a1a7485d0e2f21bae30f8604bf","Created": "2018-09-18T09:16:34.549499448+08:00","Scope": "local","Driver": "macvlan","EnableIPv6": false,"IPAM": {"Driver": "default","Options": {},"Config": [{"Subnet": "192.168.226.0/24","Gateway": "192.168.226.2"}]},"Internal": false,"Attachable": false,"Containers": {"031e1de7ed2cf13c25083e98d9cee131ea00a466fd169a0531c70818a25c7a7f": {"Name": "centos2","EndpointID": "b95efe7ddb8d2c4ce9228c06f019601c18daedbf7fc79462939efba128e84936","MacAddress": "02:42:c0:a8:80:e9","IPv4Address": "192.168.128.233/24","IPv6Address": ""},"8e23e7011f7cbc0962ba975974ae313dd4dab10a4114775b689ba70ae88dac72": {"Name": "centos1","EndpointID": "d2fb36b842f89128e3a862fc70624d4946b703bf0bb921fd11839d7f775fa8e0","MacAddress": "02:42:c0:a8:80:de","IPv4Address": "192.168.128.222/24","IPv6Address": ""}},"Options": {"macvlan_mode": "bridge","parent": "eth0"},"Labels": {}} ]

查看/var/run/docker/netns，有2個ns，這兩個就是192.168.128.222和192.168.128.233的容器網絡空間

[root@localhost netns]# ll /var/run/docker/netns/ total 0 -r--r--r--. 1 root root 0 Sep 18 09:18 59b305d0d01e -r--r--r--. 1 root root 0 Sep 18 09:18 a41362fa7ed2

macvlan的bridge無法使用brctl show獲得相關信息。查看容器網卡信息如下，可以看到Ip地址是與兩個容器對應的，在容器的eth后面有一個@if2，表示有一個接口與該接口對應，根據macvlan的原理，該接口為macvlan所在的host主機的eth0接口

[root@localhost netns]# ip netns exec 59b305d0d01e ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever 18: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether 02:42:c0:a8:80:e9 brd ff:ff:ff:ff:ff:ff link-netnsid 0inet 192.168.226.233/24 scope global eth0valid_lft forever preferred_lft foreverinet6 fe80::42:c0ff:fea8:e2e9/64 scope link valid_lft forever preferred_lft forever [root@localhost netns]# ip netns exec a41362fa7ed2 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever 19: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether 02:42:c0:a8:80:de brd ff:ff:ff:ff:ff:ff link-netnsid 0inet 192.168.226.222/24 scope global eth0valid_lft forever preferred_lft foreverinet6 fe80::42:c0ff:fea8:e2de/64 scope link valid_lft forever preferred_lft forever

在host主機上查看，網卡序號為2的正是macvlan接口所在的網卡eth0，即使用host的eth0作為了bridge(--parent指定)

[root@localhost netns]# ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000link/ether 00:0c:29:f1:38:bf brd ff:ff:ff:ff:ff:ff 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000link/ether 52:54:00:51:d1:17 brd ff:ff:ff:ff:ff:ff 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT group default qlen 1000link/ether 52:54:00:51:d1:17 brd ff:ff:ff:ff:ff:ff 5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default link/ether 02:42:71:8b:5a:6e brd ff:ff:ff:ff:ff:ff

相比與docker 的bridge，macvlan類型的bridge下，只要多個容器在同一個子網IP范圍內就可以通信，而無需在同一個bridge下，也即macvlan模擬真實物理網卡的功能。macvlan同bridge一樣，都是linux原生支持的，可以手動實現自己的macvlan通信，具體配置操作參見：linux 網絡虛擬化：macvlan

?

總結：通過以上示例可以看出，macvlan類型的接口可以當作正常的host接口使用，如果要組建跨網絡訪問，則需要路由器或交換機的支持，如hairpin，以及路由等。

參考：

https://blog.csdn.net/daye5465/article/details/77412619

https://blog.csdn.net/dog250/article/details/45788279

https://backreference.org/2014/03/20/some-notes-on-macvlanmacvtap/

https://superuser.com/questions/1205346/macvtap-interface-created-on-top-of-macvlan-interface-of-a-docker-container-cann

https://docs.docker.com/network/macvlan/#8021q-trunk-bridge-mode

https://docs.docker.com/v17.09/engine/userguide/networking/get-started-macvlan/#macvlan-bridge-mode-example-usage

https://hicu.be/bridge-vs-macvlan

轉載于:https://www.cnblogs.com/charlieroro/p/9656769.html

總結

以上是生活随笔為你收集整理的docker网络之macvlan的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。