Containers in docker swarm with IPvLan network are not accessible from the swarm host itself #1959
Description
I am using docker swarm and have created a network by using IPvLan driver, as folllows:
# docker network create --config-only --subnet=172.23.0.0/16 --gateway=172.23.15.254 --ip-range=172.23.0.0/20 -o parent=ens224 --opt encrypted ipvlan-network-config
# docker network create --driver ipvlan --scope=swarm --config-from ipvlan-network-config --attachable ipvlan-network
# docker network ls
NETWORK ID NAME DRIVER SCOPE
06486bbedf0b bridge bridge local
1f662d4166d1 docker_gwbridge bridge local
12b2109fd427 host host local
vm71lx9ocu73 ingress overlay swarm
apfyfvnbadqc ipvlan-network ipvlan swarm
885ca9ba5c54 ipvlan-network-config null local
b196b9f16a01 none null local
As you can see, in the following, when I create a service by using ipvlan network, It creates it for me and assign the tasks the IP address that we expect:
# docker service create --replicas 3 --name test-ipvlan --network ipvlan-network -td alpine sh
# docker network inspect ipvlan-network
[
{
"Name": "ipvlan-network",
"Id": "apfyfvnbadqc5dijcbctqqs2b",
"Created": "2017-09-29T17:10:29.420836854-05:00",
"Scope": "swarm",
"Driver": "ipvlan",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.23.0.0/16",
"IPRange": "172.23.0.0/20",
"Gateway": "172.23.15.254"
}
]
},
"Internal": false,
"Attachable": true,
"Ingress": false,
"ConfigFrom": {
"Network": "ipvlan-network-config"
},
"ConfigOnly": false,
"Containers": {
"19d854cbfc478425f105f7c39200ce2b2a737f0a7d3b3308b91033e86e9b167b": {
"Name": "test-ipvlan.3.cbhbzcn9f71nj1o238orcbjn6",
"EndpointID": "4ea0a8badaa315caa8de846a5126780a3f2fdb5f09f4fd4f3927afc3e3a9a9d7",
"MacAddress": "",
"IPv4Address": "172.23.0.2/16",
"IPv6Address": ""
},
"929ce69ddcc49860cfd7f159d05c0b6fb6af5e713b93d96a7e42ec0e44276f2a": {
"Name": "test-ipvlan.2.hxm28m8bcl2mdjdpz3xsml645",
"EndpointID": "1df5cdc018d4b28f50c63a9e24ebf992b949edee9da71b13186128408a8779e6",
"MacAddress": "",
"IPv4Address": "172.23.0.1/16",
"IPv6Address": ""
},
"bd05b125f4fa2b758d4fb9ef4bce821f0e8f4fef0cf2222ab6b9e58e5a051a3c": {
"Name": "test-ipvlan.1.hrye687snc23yp4iuemh7esev",
"EndpointID": "c0332ee44c83683d160266a68fbaeb56e7b3d6a8e786a5bd17061e70d630c049",
"MacAddress": "",
"IPv4Address": "172.23.0.3/16",
"IPv6Address": ""
}
},
"Options": {
"encrypted": "",
"parent": "ens224"
},
"Labels": {},
"Peers": [
{
"Name": "DC-Simulation-32bac4e51cd1",
"IP": "127.0.0.1"
}
]
}
]
all the tasks (containers) in the swarm are accessible from different machines in the same network (172.23.0.0./16), But they are not accessible from the swarm host itself.
Other info:
docker version:
# docker version
Client:
Version: 17.06.0-ce
API version: 1.30
Go version: go1.8.3
Git commit: 02c1d87
Built: Fri Jun 23 21:20:36 2017
OS/Arch: linux/amd64
Server:
Version: 17.06.0-ce
API version: 1.30 (minimum version 1.12)
Go version: go1.8.3
Git commit: 02c1d87
Built: Fri Jun 23 21:21:56 2017
OS/Arch: linux/amd64
Experimental: true
kernel version:
# uname -r
4.4.82-1.el7.elrepo.x86_64
distro version:
cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)