IPvlan network driver Explain
Learn about Docker's IPvlan network driver: Customize container IPs directly from the host network, enhancing performance and network control.
Published Nov 2, 2024
The IPvlan network driver in Docker is a type of network driver that provides network isolation and allows containers to have their own MAC and IP addresses on a network. It operates at Layer 2 of the OSI model and enables containers to communicate directly with the physical network, bypassing the host’s networking stack.
The IPvlan network driver in Docker provides users with extensive control over IPv4 and IPv6 addressing within containers. It allows for the creation of isolated network segments with their own MAC and IP addresses, enhancing network security and segmentation capabilities.
The IPvlan driver gives users total control over both IPv4 and IPv6 addressing. The VLAN driver builds on top of that in giving operators complete control of layer 2 VLAN tagging and even IPvlan L3 routing for users interested in underlay network integration.
IPvlan is a new twist on the tried and true network virtualization technique. The Linux implementations are extremely lightweight because rather than using the traditional Linux bridge for isolation, they are associated to a Linux Ethernet interface or sub-interface to enforce separation between networks and connectivity to the physical network.
IPvlan offers a number of unique features and plenty of room for further innovations with the various modes. Two high level advantages of these approaches are, the positive performance implications of bypassing the Linux bridge and the simplicity of having fewer moving parts. Removing the bridge that traditionally resides in between the Docker host NIC and container interface leaves a simple setup consisting of container interfaces, attached directly to the Docker host interface. This result is easy to access for external facing services as there is no need for port mappings in these scenarios.
The following table describes the driver-specific options that you can pass to
--option when creating a network using the ipvlan driver.ipvlan_mode: Sets the IPvlan operating mode. Can be one of: l2, l3, l3sipvlan_flag: Sets the IPvlan mode flag. Can be one of: bridge, private, vepaparent: Specifies the parent interface to use.IPvlan Linux kernel v4.2+ (support for earlier kernels exists but is buggy). To check your current kernel version, use
uname -rThe driver is specified with
-d driver_name option. In this case -d ipvlan.
The parent interface in the next example
-o parent=eth0 is configured as follows:Use the network from the host's interface as the
--subnet in the docker network create. The container will be attached to the same network as the host interface as set via the -o parent= option.Create the IPvlan network and run a container attaching to it:
The default mode for IPvlan is
l2. If -o ipvlan_mode= is left unspecified, the default mode will be used. Similarly, if the --gateway is left empty, the first usable address on the network will be set as the gateway. For example, if the subnet provided in the network create is --subnet=192.168.1.0/24 then the gateway the container receives is 192.168.1.1.The following will create the exact same network as the network
db_net created earlier, with the driver defaults for --gateway=192.168.1.1 and -o ipvlan_mode=l2.The drivers also support the
--internal flag that will completely isolate containers on a network from any communications external to that network. Since network isolation is tightly coupled to the network's parent interface the result of leaving the -o parent= option off of a docker network create is the exact same as the --internal option. If the parent interface is not specified or the --internal flag is used, a netlink type dummy parent interface is created for the user and used as the parent interface effectively isolating the network completely.To create an IPvlan network in Docker, you can use the
docker network create command with the -d ipvlan option. Below is an example command to create an IPvlan network:Let’s break down the components of this command:
docker network create: This part of the command instructs Docker to create a new network.-d ipvlan: Specifies that the network driver to be used is IPvlan.--subnet=192.168.1.0/24: Defines the subnet range for the IPvlan network. You can adjust this subnet range as needed for your network configuration.--gateway=192.168.1.1: Specifies the gateway IP address for the IPvlan network. Replace192.168.1.1with your desired gateway IP.-o parent=eth0: Indicates the parent interface (physical interface) to which the IPvlan network will be attached. Replaceeth0with the appropriate interface name on your host machine.my_ipvlan_network: Assigns the namemy_ipvlan_networkto the IPvlan network. You can choose a different name if desired.
After running the above command, Docker will create an IPvlan network named
my_ipvlan_network with the specified subnet, gateway, and parent interface.If you want to run a container and attach it to the IPvlan network you created (
my_ipvlan_network), you can use the docker run command with the --network=my_ipvlan_network option:Let’s break down the components of this command:
docker run: This part of the command instructs Docker to run a new container.-d: Runs the container in detached mode (background).--network=my_ipvlan_network: Specifies that the container should be attached to themy_ipvlan_networkIPvlan network that you created.--name my_container: Assigns the namemy_containerto the Docker container. You can replacemy_containerwith your desired container name.nginx: Specifies the Docker image to use for the container, in this case
After running the above command, Docker will create a new container named
my_container and attach it to the my_ipvlan_network IPvlan network.To verify that the container is running and attached to the IPvlan network, you can use the
docker ps command to check the container's status and the network it's connected to.you should see it listed in the output of
docker ps: