Understanding Recent Changes to TrueNAS Scale Apps & Viability of MACVLANs

Hi everyone,

I’m looking to better understand the recent changes to Apps in TrueNAS Scale and determine whether my desired setup is feasible. Currently, the apps can be assigned their IP, but due to a bug, ports aren’t allowed to overlap despite being on separate IPs, e.g. 80/443.

Goal: I’d like to have apps function similarly to jails in TrueNAS Core. I want all my apps to host their web interface on 80/443. Furthermore, I’d like to VPN traffic of that specific IP regardless of port at the router level.

Current Understanding: After researching, it seems that achieving this behaviour may require the use of MACVLANs. However, I’d appreciate further insights from the community regarding:

  • How MACVLANs work in the context of TrueNAS Scale. Will it be added to Scale in the future?
  • Whether they would provide the level of isolation and network control that jails offer in Core.

I’d really appreciate it if those who know better could explain things to me. Also, curiously, am I the only one who had this misconception about the new IPs for apps?

If anyone has experience with this approach or alternative solutions, I’d love to hear your thoughts. Thanks in advance!

1 Like

There’s a Feature Request you can vote for.

1 Like

Recently I tried a little something regarding MACVLAN; it could be interesting for you or someone else, so I’m posting it here. Most of the time I use Portainer and write my docker compose files myself to have full control over everything. With that, one can get around the TN GUI limitations/bugs.

  1. Create a macvlan interface (parent is the physical NIC the containers should appear on):
docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o parent=enp8s0 \
  macvlan_enp8s0
  2. docker compose file example:
services:
  pihole:
    image: pihole/pihole
    restart: unless-stopped
    networks:
      macvlan_enp8s0:
        # static LAN address for this container; no ports: mapping needed
        ipv4_address: 192.168.1.9

networks:
  macvlan_enp8s0:
    # the macvlan network created in step 1, not managed by compose
    external: true

And so the “pihole” container has its own LAN IP. Port mapping in the compose file is inherently irrelevant, because the container has its own IP. In this case, the pihole web GUI will be on 192.168.1.9:80.

2 Likes
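A planning check for the static addresses used in the post above, added here as an example (it is not code from the thread, TrueNAS or Docker). Docker's IPAM hands out macvlan addresses without asking the LAN's DHCP server, so the check assumes a router DHCP pool (the 192.168.1.100-199 range below is a constructed value) and flags addresses that collide with it, the gateway, each other, or the network/broadcast address before they go into a compose file.

```python
import ipaddress


def check_macvlan_plan(subnet, gateway, dhcp_pool, containers):
    """Return a list of problems with the planned static addresses.

    An empty list means the plan is safe to put into the compose file.
    subnet/gateway match the `docker network create` flags in the post;
    dhcp_pool=(first, last) is the router's DHCP range (an assumption:
    Docker's IPAM does not know about it, so collisions are on you).
    containers maps service name -> desired ipv4_address.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(gateway)
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_pool)
    problems = []
    if gw not in net:
        problems.append(f"gateway {gw} is not in {net}")
    owner = {}  # ip -> service name, to catch duplicate addresses
    for name, addr in containers.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {ip} is not a usable host address in {net}")
        elif ip == gw:
            problems.append(f"{name}: {ip} is the gateway address")
        elif lo <= ip <= hi:
            problems.append(f"{name}: {ip} is inside the DHCP pool {lo} to {hi}")
        elif ip in owner:
            problems.append(f"{name}: {ip} is already assigned to {owner[ip]}")
        owner.setdefault(ip, name)
    return problems


def render_compose(network, images, containers):
    """Render the compose file shape used in the post for several services."""
    lines = ["services:"]
    for name, addr in containers.items():
        lines += [f"  {name}:", f"    image: {images[name]}",
                  "    restart: unless-stopped", "    networks:",
                  f"      {network}:", f"        ipv4_address: {addr}", ""]
    lines += ["networks:", f"  {network}:", "    external: true"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    plan = {"pihole": "192.168.1.9", "nginx": "192.168.1.10"}  # constructed sample
    issues = check_macvlan_plan("192.168.1.0/24", "192.168.1.1",
                                ("192.168.1.100", "192.168.1.199"), plan)
    if issues:
        raise SystemExit("\n".join(issues))
    print(render_compose("macvlan_enp8s0",
                         {"pihole": "pihole/pihole", "nginx": "nginx"}, plan))
```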

Yes, this is similar to what stux and others posted in the previously linked Feature Request thread.

It works, but the hope is that iXsystems adds actual support for the infrastructure.

1 Like