diff --git a/client/driver/docker.go b/client/driver/docker.go
index eba137b5fe7..b8dac5e4e03 100644
--- a/client/driver/docker.go
+++ b/client/driver/docker.go
@@ -166,6 +166,7 @@ type DockerDriverConfig struct {
 	Volumes          []string            `mapstructure:"volumes"`            // Host-Volumes to mount in, syntax: /path/to/host/directory:/destination/path/in/container
 	VolumeDriver     string              `mapstructure:"volume_driver"`      // Docker volume driver used for the container's volumes
 	ForcePull        bool                `mapstructure:"force_pull"`         // Always force pull before running image, useful if your tags are mutable
+	MacAddress       string              `mapstructure:"mac_address"`        // Pin mac address to container
 	SecurityOpt      []string            `mapstructure:"security_opt"`       // Flags to pass directly to security-opt
 }
 
@@ -204,6 +205,7 @@ func NewDockerDriverConfig(task *structs.Task, env *env.TaskEnv) (*DockerDriverC
 	dconf.DNSServers = env.ParseAndReplace(dconf.DNSServers)
 	dconf.DNSSearchDomains = env.ParseAndReplace(dconf.DNSSearchDomains)
 	dconf.ExtraHosts = env.ParseAndReplace(dconf.ExtraHosts)
+	dconf.MacAddress = env.ReplaceEnv(dconf.MacAddress)
 	dconf.SecurityOpt = env.ParseAndReplace(dconf.SecurityOpt)
 
 	for _, m := range dconf.LabelsRaw {
@@ -367,6 +369,9 @@ func (d *DockerDriver) Validate(config map[string]interface{}) error {
 			"ipv6_address": &fields.FieldSchema{
 				Type: fields.TypeString,
 			},
+			"mac_address": &fields.FieldSchema{
+				Type: fields.TypeString,
+			},
 			"pid_mode": &fields.FieldSchema{
 				Type: fields.TypeString,
 			},
@@ -1033,6 +1038,11 @@ func (d *DockerDriver) createContainerConfig(ctx *ExecContext, task *structs.Tas
 			hostConfig.NetworkMode, driverConfig.IPv4Address, driverConfig.IPv6Address)
 	}
 
+	if driverConfig.MacAddress != "" {
+		config.MacAddress = driverConfig.MacAddress
+		d.logger.Printf("[DEBUG] driver.docker: using pinned mac address: %q", config.MacAddress)
+	}
+
 	return docker.CreateContainerOptions{
 		Name:             containerName,
 		Config:           config,
diff --git a/website/source/docs/drivers/docker.html.md b/website/source/docs/drivers/docker.html.md
index e60576a19d7..15579953d41 100644
--- a/website/source/docs/drivers/docker.html.md
+++ b/website/source/docs/drivers/docker.html.md
@@ -182,10 +182,17 @@ The `docker` driver supports the following configuration in the job spec.  Only
   nomad agent and docker daemon to be configured to allow privileged
   containers.
 
+* `mac_address` - (Optional) The mac address for the container to use
+  (e.g. "02:68:b3:29:da:98").
+
+* `dns_search_domains` - (Optional) A list of DNS search domains for the container
+  to use.
+
 * `security_opt` - (Optional) A list of string flags to pass directly to
   [`--security-opt`](https://docs.docker.com/engine/reference/run/#security-configuration).
   For example:
 
+
     ```hcl
     config {
       security_opt = [