Docker network + IP addr management + DNS = ideas?

What I have (relevant stuff):

  • NanoPi R5s with 4GiB RAM and 1TiB SSD (Samsung 980 NVME)
  • Running FriendlyWRT (23.03.3)
  • Docker(-compose) with its own network (10.70.70.0/24)
  • My own (fake) TLD populated with service names (e.g., traefik.bruc)
  • Traefik
  • AdGuard Home (port:54; redirects to port:53 for unknown addresses)

Each docker container has its own IP address, so I can avoid fiddling with port mappings. Since docker can't use my DHCP, once I create a container in docker-compose, I manually assign it an IP address.

Then I go to /etc/hosts and add it there (e.g., 10.70.70.200 traefik.bruc).

Then I go to Traefik/providers directory and clone a config for the new service (e.g., cp whois.yml newservice.yml, then edit it). So it's three places to maintain, which is tiresome.

I could write a script to monitor docker-compose, locate new IP-address lines, and export new data to hosts & providers, but maybe there's a cleaner/better way?

Ideas?

First, let me say that I find your question interesting from a technical/automation perspective. While I am not going to make the claim this is the wrong forum for it, I would humbly submit that it is not specifically OpenWrt related as I see it. OpenWrt in this case just happens to be the OS you're running on top of, whereas Docker + Traefik are really the target variables in your scenario, if I understand correctly. In other words, if you were running atop Ubuntu or Fedora, you would still be in the same situation solving for this, yes?

That said, I wonder if you might get more ideas from Docker/Traefik specific forums in this particular instance.

But, in the interest of automation... how are you creating the new container, adding its IP to hosts, etc. today? Is it all by hand? Do you have existing, but modular scripts for these steps?

Have you weighed the possibility and advantages of just setting up a macvlan to allow the containers to use DHCP from your host machine? This would reduce two points of contention from your scenario by eliminating the need for static IP assignment and the corresponding host entry creation for each.


I certainly agree. And will ask around other forums.

It is all by hand.

I am indeed using docker/macvlan, but since I have no control over IP assignment there, and no way of getting IP <=> hostname relation data outside of docker, I do it manually.

I considered doing docker network inspect <mynetworkname> and parsing the output, but for now, it's a static IP assignment. You're probably right that this way is easier.

In OpenWRT/FriendlyWRT, you could theoretically create a new VIF that doesn't correspond to a physical device interface, but could be set to allow dnsmasq to serve DHCP on it. Then base your Docker macvlan upon that VIF. Would that not allow you to utilize DHCP + DNS from your host?

Serving DHCP is not a problem - but docker cannot use an external DHCP for anything. One would have to hack & recompile docker itself, which is too much effort for this task :slight_smile:

I only use docker for containers I intend to export to share. All my personal container services are in my Proxmox LXC, because of the issues you are seeing, i.e., IP address from DHCP and DNS visibility. OpenWrt has no problems assigning a DHCP IP to my LXC and I have no problems accessing them via their hostname.

Like @_FailSafe said, your problem is not specific to OpenWrt but mostly to your container setup.


I beg to differ :slight_smile: There are solutions such as this that prove otherwise:

Ultimately, there are a number of ways to tackle this, and @genuser1 just provided another example. A lot depends on how deep you wish to go based on your use-case and comfort level.

Interesting! Thank you, I'll dig into it.


What is traefik doing in your current setup?

Reverse proxying externally and internally accessible services (depending on the middleware used).

Is it reverse proxying the docker containers you have running?

Yes, among other things. Some containers (critical infrastructure: traefik, lldap, node-red, etc.) are running on my WRT; other services (not all containerized) are running on other hosts (Synology: torrents, stats, jellyfin, etc.; r/pi-4: home assistant, z2m, etc.).

For now, following the path of least resistance, I made a node-red/JSONata flow that finds container IP addresses not present in /etc/hosts; this way I can stop assigning IP addresses manually, and just put container names as hostnames in /etc/hosts.

I will fiddle with it some more. The docker-net-dhcp driver is next on my list.
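The "find container IPs not present in /etc/hosts" step from the node-red flow above, and the "docker network inspect and parse the output" idea from earlier in the thread, written out as one stand-alone Python script. This is an added example, not code from the thread or from the node-red flow: it parses the JSON that docker network inspect prints, compares it against /etc/hosts, reports entries that are missing or stale for the .bruc names, and renders the minimal Traefik file-provider document that was otherwise cloned by hand. The network name, container names and IDs, the sample /etc/hosts contents and the backend port 80 are constructed assumptions.

```python
import ipaddress
import json
import subprocess

TLD = "bruc"  # the private TLD used in the thread

# Constructed sample in the shape of `docker network inspect <name>` output.
# Container names, IDs and addresses are made up for this example.
SAMPLE_INSPECT = json.dumps([{
    "Name": "mynetworkname",
    "IPAM": {"Config": [{"Subnet": "10.70.70.0/24"}]},
    "Containers": {
        "3f1c0000aaaa": {"Name": "traefik", "IPv4Address": "10.70.70.200/24", "IPv6Address": ""},
        "9ab20000bbbb": {"Name": "whois",   "IPv4Address": "10.70.70.201/24", "IPv6Address": ""},
        "c0de0000cccc": {"Name": "lldap",   "IPv4Address": "10.70.70.202/24", "IPv6Address": ""},
    },
}])

# Constructed /etc/hosts: traefik is current, lldap is stale (the container was
# re-created with a new address), whois is missing entirely.
SAMPLE_HOSTS = """127.0.0.1 localhost
10.70.70.200 traefik.bruc   # reverse proxy
10.70.70.199 lldap.bruc
"""


def fetch_inspect(network_name):
    """Run the real CLI; only used when a network name is passed on the command line."""
    return subprocess.run(["docker", "network", "inspect", network_name],
                          capture_output=True, text=True, check=True).stdout


def container_addresses(inspect_json):
    """Map container name -> IPv4 address, with the /prefix stripped."""
    result = {}
    for net in json.loads(inspect_json):
        for entry in net.get("Containers", {}).values():
            addr = entry.get("IPv4Address")
            if addr:
                result[entry["Name"]] = str(ipaddress.ip_interface(addr).ip)
    return result


def parse_hosts(hosts_text):
    """Map hostname -> IP for every non-comment /etc/hosts line."""
    mapping = {}
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name] = fields[0]
    return mapping


def reconcile(containers, hosts, tld=TLD):
    """Return (lines to append to hosts, stale hostnames) comparing docker against hosts."""
    to_add, stale = [], []
    for name, ip in sorted(containers.items()):
        fqdn = f"{name}.{tld}"
        current = hosts.get(fqdn)
        if current is None:
            to_add.append(f"{ip} {fqdn}")
        elif current != ip:
            stale.append(fqdn)  # never overwrite silently; report it for a human
    return to_add, stale


def traefik_provider(name, ip, tld=TLD, port=80):
    """Render a minimal Traefik v2 dynamic (file provider) document for one service."""
    fqdn = f"{name}.{tld}"
    return (
        "http:\n"
        "  routers:\n"
        f"    {name}:\n"
        f"      rule: \"Host(`{fqdn}`)\"\n"
        f"      service: {name}\n"
        "  services:\n"
        f"    {name}:\n"
        "      loadBalancer:\n"
        "        servers:\n"
        f"          - url: \"http://{ip}:{port}\"\n"
    )


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1
    raw = fetch_inspect(sys.argv[1]) if live else SAMPLE_INSPECT
    hosts_text = open("/etc/hosts").read() if live else SAMPLE_HOSTS
    add, stale = reconcile(container_addresses(raw), parse_hosts(hosts_text))
    print("# append to /etc/hosts:")
    print("\n".join(add))
    for fqdn in stale:
        print(f"# STALE: {fqdn} differs between /etc/hosts and docker; fix by hand")
    for line in add:
        ip, fqdn = line.split()
        print(f"--- {fqdn[:-len(TLD) - 1]}.yml ---\n{traefik_provider(fqdn[:-len(TLD) - 1], ip)}")
```

Run it with no arguments to see the output for the constructed sample, or with a real network name (python3 sync_hosts.py mynetworkname) to read the live docker output and the real /etc/hosts. It deliberately only prints what should be appended rather than editing /etc/hosts itself, and a hostname whose address differs between docker and hosts is reported as stale instead of being overwritten, since that is exactly the case where a re-created container would otherwise silently hijack a name.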


I'm a little confused as to why the docker containers need an IP address outside the docker network if they're being reverse proxied through traefik? Or why, it appears, you're manually creating service definitions in traefik for docker containers.

Could you expand on this?

Because they aren't used just through traefik, but directly from LAN as well. As I said, I have multiple services on multiple hosts.

Because I mostly use services/containers from different hosts through dynamic traefik configuration.