Painless Docker - 2nd Edition

The Macvlan Network

Docker's Macvlan network lets a container have its own MAC address and IP on your Layer-2 network, so it appears as a separate physical device on the LAN. This is useful for legacy apps, appliances, or any service that must be reachable directly on the physical network.

Imagine you want to deploy a "Honeypot" container (a trap for hackers) that looks exactly like a real, physical server on your corporate network. To make it convincing, you want it to have its own MAC address and IP address, just like any other server on the network. Using Docker's Macvlan network, you can do just that. The honeypot container will appear as a separate device on the network, which makes it more believable to potential attackers.

Let's see an example. Start by identifying the physical network interface on your Docker host that will carry container traffic (often eth0; names vary by distribution).

ip addr show eth0

You might see output like this (your addresses will differ):

2: eth0:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 0e:b8:69:da:42:ae brd ff:ff:ff:ff:ff:ff
    inet 64.225.99.27/20 brd 64.225.111.255 scope global eth0
       valid_lft forever preferred_lft forever

Find the gateway for that interface:

ip route show dev eth0

Example:

default via 64.225.96.1 dev eth0

The three pieces of information you need are:

• Parent interface: eth0 (or whichever interface is correct on your host)
• Subnet CIDR: 64.225.96.0/20. You can use a tool like ipcalc to calculate this from your host's IP and netmask (ipcalc 64.225.96.0/20).
• Gateway: 64.225.96.1

Now create the macvlan network. Tip: reserve a subset of the subnet for containers, so you avoid IP conflicts with other devices on the network. Ensure the --ip-range you choose lies inside the --subnet.

docker network create -d macvlan \
  --subnet=64.225.96.0/20 \
  --gateway=64