docker swarm model networks support --network host or not?

[fanux]

First of all, the docker swarm model is very convenient for us, easy to use and deploy.
But our application need share host network witch swarm model is not support now.

The reason why we need share host network is:

• Our application is audio engine, each node only run one container, overlay or other network model drop down network speed and consume more CPU.
• There are two network interfaces on our machine，independence from each other, for example, eth0:172.0.0.3 for command transmission and eth1:192.168.0.4 for data transmission, both of then are physics network interface, and link to different switch. An application container will use then at a same time. How overlay network solve this problem, two overlay networks on same node?
• We don't have the load balance requirement.

We need the --network host model badly, it is the simplest way to solve all the problems of us，and the achieve best performance.

@thaJeztah

[discoverkl]

@thaJeztah
I have the same problem too.

# docker service create --name demo --network host alpine /bin/sh    
Error response from daemon: network host is not eligible for docker services

We REALLY need '--net host' in Docker Swarm, because iptables's NAT module is missing in out company, for security reasons.
Overlay network is not working due to similar restrictions. I got an error when starting service which has a overlay network:

 "Status": {
            "Timestamp": "2016-08-25T07:39:08.978136533Z",
            "State": "failed",
            "Message": "starting",
            "Err": "starting container failed: could not add veth pair inside the network sandbox: could not find an appropriate master \"ov-000101-8k36r\" for \"veth0b09909\"",
            "ContainerStatus": {
                "ContainerID": "d54432bb70d1651f017c3fc90b62ee346ed7cdf91ca8bd2587b8f6ec27288e31",
                "ExitCode": 128
            }
        },

So, '--net host' may be our only hope now. And we don't have the load balance requirement too.

[kyhavlov]

I'd find this useful as well, mostly for running high performance things. We use swarm to schedule one database container per host with --net=host and not having this option is holding us back from using 1.12's services (which we'd really like because of the update/rolling restart feature).

[jpetazzo]

The corresponding issue in SwarmKit is moby/swarmkit#989.

[xiaods]

please close it as the swarmkit moby/swarmkit#989 is created

[thaJeztah]

@xiaods I think it's ok to keep this open for the docker side

[rootsongjc]

@theJeztah Does docker has any road plan for swarm mode to support host network?

[thaJeztah]

@rootsongjc this is the issue tracking it, also see the swarm kit issue linked above (moby/swarmkit#989) that has more details on the current status

[sm0svx]

Already wrote this in #25303 but adding it here as well for easy reference.

+1 on network=host. The lack of this option is basically a showstopper for me since my application connect out to a specific hardware unit using TCP. The unit then send data back using UDP to the originating IP address for the TCP connection. This works well in docker run with net=host but of course fail using the docker0 bridge in swarm mode.

[wanghongfei]

+1 for the need of host mode. The overlay network of swarm mode has performance penalty

[OnlySlon]

+1 for host mode @swarm

[hkvemuri]

+1 for exposing host network namespace to a swarm service

[adventurer2008]

+1 for host mode @swarm

[m4r10k]

Yes we need this too, because without it it is not possible to dynamically add host network devices (VIP's) from inside a container through swarm service configuration.

[sulphur]

+1

[marcellodesales]

+1

[xiaods]

+1

[mavenugo]

#32981 is addressing this requirement.

[mmariani]

still not supported in yml files afaik - works in docker service create, not in docker stack deploy

[robbatt]

+1

[thaJeztah]

@mmariani @robbatt I think this will work with the upcoming 17.06.1 release (haven't tested on 17.06.0 yet), but this looks to work;

version: '3.3'

services:
  web:
    image: "nginx:alpine"
    networks:
      - outside

networks:
  outside:
    external:
      name: "host"

[mmariani]

@thaJeztah I already tried that, I got "container cannot be disconnected from host network or connected to host network"

[thaJeztah]

@mmariani are you trying to publish a port (does your service have the ports: option set)? If so, that's expected; when using "host" networking, the container's process runs directly in the host's network stack, thus all ports that the container listens on are accessible. (The error message could be improved 😄)

[mmariani]

@thaJeztah thanks, the ports: option was indeed the reason, now it works!

The similar pid: host option, by the way, is silently ignored for swarm services (works with docker-compose). It should be honored or forbidden, I guess

[rdxmb]

works for me with
Docker version 17.07.0-ce

Thanks to @thaJeztah

[realcbb]

@thaJeztah
I also got "container cannot be disconnected from host network or connected to host network".
docker 17.06.1-ee-2 on rhel 7.2

[thaJeztah]

I re-tested this on Docker 17.10, and this should now work (see my previous example in #25873 (comment))

@realcbb if the example I gave doesn't work on the latest 17.06.x EE release, please contact your support representative

[svscorp]

@thaJeztah in 17.11-ce deploying a Swarm Mode stack via docker-compose v3.3 I am getting this error. In my case I also have ports published in docker-compose. Any ideas? :)

Rejected less than a second ago   "container cannot be disconnected from host network or connected to host network"

[thaJeztah]

@svscorp can you check if you're publishing a port for a service connected to the host network? When using host networking, you can't publish ports (any port exposed by the service is accessible, because it's running directly on the host's network stack); that error message is printed in that case

[svscorp]

Hi @thaJeztah thank you for quick response. Okay, now I see - my mistake. You are right. May I ask one more question then, if I want to attach a service (nginx in my case) to two networks - host and a custom overlay (to have services talking to each other across the Swarm). Is my assumption correct - I should be able to access a service on exposed port(s) directly accessing the node AND other services can connect to this "host service" thru the overlay normally?

UPD: I got "container sharing network namespace with another container or host cannot be connected to any other network" :) Apparently my question above is obsolete.

What I am trying to achieve is to have 2-3 "frontend" nodes where I will spin open-source "nginx" image that will serve as a reverse-proxy for backend services. I ran into the routing mesh situation, when request comes to frontend-node-1 but then routes to nginx container running on frontend-node-2. I need to lock requests coming to node-1 to be served by nginx running on node-1, and same for node-2. Plus, I want other backend services to be able to reach nginx service via service-name.

[zsz1990ustc]

@thaJeztah Thank you for providing that way to use host network in docker compose file! But when I did docker stack deploy to swarm, only the master machine is good to run. Other machines on swarm will show the error "only one instance of "host" network is allowed".

So if host network is only allowed in one machine, the docker compose file for swarm will be useless, since I can do docker run on one machine.

[grigored]

spent a few hours on this, and it does not seem to work in docker for mac! Worked fine on linux though, after i removed the ports.

[thaJeztah]

host networking unfortunately cannot work on Docker for Mac, due to the way that Docker for Mac runs; on Docker for Mac, the docker daemon (and containers) run in a lightweight VM, and networking traffic from the Mac "host" network is proxied to the VM's network.

[grikdotnet]

Host network works in Mac.

Though, one has to set routing requests to the docker VM

[mohsenasm]

In swarm mode, you can also use networks like this:

version: '3.6' # not 3.4

services:
  a_service:
    image: "nginx:alpine"
    command: sleep 10000
    networks:
      - outside

networks:
  outside:
    name: host
    external: true

with docker stack deploy -c filename.yml temp_stack