[systemd-devel] systemd-nspawn: cannot join existing macvlan

Kai Krakow hurikhan77 at gmail.com
Sun May 3 10:16:24 PDT 2015


Kai Krakow <hurikhan77 at gmail.com> wrote:

Hello again!

Amended below...

> I'm not sure about this but I suspect that I cannot start a second nspawn
> container with --network-macvlan when another nspawn instance has created
> it before:
> 
> # systemd-nspawn -b --network-macvlan=enp4s0
> Spawning container gentoo-mysql-base on
> /var/lib/machines/gentoo-mysql-base. Press ^] three times within 1s to
> kill container. Failed to add new macvlan interfaces: File exists
> 
> To my surprise it works when adding machines to machines.target. While you
> cannot start them through means of systemd because of the same error, it
> works during boot of the whole system: All containers boot up properly -
> but stop one and you cannot restart it.
> 
> So it looks like there's an unintentional race condition during boot which
> allows this interface to be created, but when the system is up, it no longer
> works because the race condition is no longer present.
> 
> systemd-nspawn should probably just allow joining existing macvlan
> bridges. I would fix it in the code but I don't know the implications why
> this check is in there in the first place.
> 
> A second fix should maybe do something about such race conditions, if it is
> one. I suspect there are cases where the interface presence check
> actually makes sense.

I installed something which is called a stable v219 snapshot; I could not 
find out which changes are included, though:

*systemd-219_p112 (26 Apr 2015)

  26 Apr 2015; Mike Gilbert <floppym at gentoo.org> +systemd-219_p112.ebuild:
  Add a snapshot from the v219-stable branch upstream.

The behavior described above has changed with this snapshot: Machines using 
macvlan no longer start, not even at boot-up (which worked before).

The error is still the same:

# systemd-nspawn -b --link-journal=try-guest --network-macvlan=enp4s0 --bind=/usr/portage --bind-ro=/usr/src --machine=test
Spawning container test on /var/lib/machines/test.
Press ^] three times within 1s to kill container.
Failed to add new macvlan interfaces: File exists

I still don't think that systemd-nspawn should insist on creating the host-
side macvlan bridge and fail if it cannot. It should just accept that it is 
already there.

Actually I even created this device in the host with networkd because by 
design macvlan and parent device cannot communicate with each other without 
switch support and won't communicate directly locally either. Thus, you need 
to attach a host-side macvlan device to your physical parent device to 
communicate with the other virtual MAC addresses on the same host, and then 
set up your IP configuration on this device.

Of course one could argue that this is a security feature of nspawn to 
isolate containers and hosts from each other. So maybe, put an option to 
allow nspawn to join an existing macvlan, maybe "--network-join-macvlan".

-- 
Replies to list only preferred.
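As an added example (not part of the original post), the host-side macvlan setup described in the message, expressed as systemd-networkd units: enp4s0 is the parent device named in the post, while the device name macvlan0, the bridge mode, the file names and the address 192.0.2.10/24 are assumptions constructed for illustration.

```ini
# /etc/systemd/network/10-macvlan0.netdev  (assumed file name)
# Creates the host-side macvlan device that will sit on the parent.
[NetDev]
Name=macvlan0
Kind=macvlan

[MACVLAN]
# bridge mode (assumed): macvlan ports on the same parent can reach each
# other locally; the parent itself still cannot talk to its macvlan children
Mode=bridge

# /etc/systemd/network/20-enp4s0.network  (assumed file name)
# Parent device: attach the macvlan to it and keep no IP configuration here,
# since addresses on the parent are unreachable from the container side.
[Match]
Name=enp4s0

[Network]
MACVLAN=macvlan0

# /etc/systemd/network/30-macvlan0.network  (assumed file name)
# The host's IP configuration moves onto the macvlan device, so the host
# and the containers' macvlan interfaces share one L2 segment.
[Match]
Name=macvlan0

[Network]
Address=192.0.2.10/24
Gateway=192.0.2.1
```

After `systemctl restart systemd-networkd`, `networkctl status macvlan0` shows whether the device came up with the expected address.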
