[systemd-devel] Setting up network interfaces for containers with --private-network

Lennart Poettering lennart at poettering.net
Tue Apr 21 04:02:17 PDT 2015


On Mon, 20.04.15 22:50, Spencer Baugh (sbaugh at catern.com) wrote:

> Lennart Poettering <lennart at poettering.net> writes:
> > On Mon, 20.04.15 15:25, Spencer Baugh (sbaugh at catern.com) wrote:
> > So far I'd recommend running networkd on the host and in the
> > container. If you run it on the host, then it will automatically
> > configure the host side of each of nspawn's veth links with a new IP
> > range, and be a DHCP server on it, as well as do IP
> > masquerading. Connectivity will hence "just work", if you use networkd
> > in most cases.
> 
> This is in the case where I use --network-bridge, right? Because
> otherwise there is no veth to be automatically configured.

No, not with --network-bridge, but with --network-veth, i.e. -n or
what systemd-nspawn@.service uses by default.

> Yes, in that case, it is of course very simple, but it is not at all
> configurable. I have one thing and one thing only that I want to
> configure: The IP address that a given container receives. This seems
> like a reasonable thing to want to configure; ultimately there have to
> be fixed IP addresses somewhere, and I have a use for containers that
> would benefit from having fixed IP addresses.
> 
> The way I currently fix the IP address that the container receives is by
> fixing the MAC address of the veth; since I am using IPv6 and radvd, the
> IP address is deterministically generated from the MAC address. So it
> would be helpful if there was a way to fix the MAC address in
> nspawn. Would you accept a patch to add an option to nspawn to specify a
> MAC address for the veth? Or is there a better way to go about this?

The MAC address is currently generated as a hash value from the
container name; it hence should be completely stable already as long
as you keep using the same name for the container?

Maybe the ipvlan stuff could work for you?

> > Another option could be to write a service that sets up the
> > interface, uses PrivateNetwork= and then use JoinsNamespaceOf= on the
> > container service towards that service, and turn off nspawn's own
> > private networking switch. That way PID1 would already set up the
> > joint namespace for your container, and ensure it is set up properly
> > by your setup service. And as long as either the setup service or the
> > container is running the network namespace will stay referenced.
> 
> Hmm, that is an interesting approach... it would be nice to be able to
> have networkd be setting up the interface here, though.

Well, it can, but only if you run it inside of the container. I am
pretty sure the networkd of the host should not configure the
interfaces inside of it...

> I am interested in using networkd to do these things, but at the moment
> it doesn't seem to have the required level of power.

What do you mean precisely with this?

Lennart

-- 
Lennart Poettering, Red Hat
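As an added illustration of the PrivateNetwork= / JoinsNamespaceOf= arrangement described in the message above (this is not code from the thread or from systemd itself): two hypothetical template units, ctr-net@.service and ctr@.service, where the first builds the namespace and a veth pair with a fixed address on the container side, and the second starts nspawn inside that namespace without nspawn's own private-network switch. The unit names, the 2001:db8:1::/64 prefix, the host-side name ve-%i and the use of `netns 1` (PID 1 lives in the host's network namespace, assuming the service is not PID-namespaced, which is the default) are assumptions of this example.

```ini
# /etc/systemd/system/ctr-net@.service   (hypothetical unit name)
# Creates the network namespace the container will join. The veth is
# created inside the new namespace and the host end is pushed out via
# PID 1, which is in the host's network namespace. Host-side addressing
# of ve-%i is left to the host (e.g. its own networkd configuration).
[Unit]
Description=Network namespace and veth for container %i

[Service]
Type=oneshot
RemainAfterExit=yes
PrivateNetwork=yes
# Build the pair inside the fresh namespace, then move the host end out.
ExecStart=/usr/bin/ip link add ve-%i type veth peer name host0
ExecStart=/usr/bin/ip link set ve-%i netns 1
# Fixed address for the container side (constructed documentation prefix).
ExecStart=/usr/bin/ip addr add 2001:db8:1::10/64 dev host0
ExecStart=/usr/bin/ip link set lo up
ExecStart=/usr/bin/ip link set host0 up
ExecStart=/usr/bin/ip -6 route add default via 2001:db8:1::1 dev host0

# /etc/systemd/system/ctr@.service   (hypothetical unit name)
# JoinsNamespaceOf= only takes effect when PrivateNetwork= is enabled on
# both units, so this unit sets it as well. Because nspawn is started
# without --private-network / -n, it keeps the namespace it inherits,
# which is the one ctr-net@%i prepared.
[Unit]
Description=Container %i in a pre-built network namespace
Requires=ctr-net@%i.service
After=ctr-net@%i.service

[Service]
PrivateNetwork=yes
JoinsNamespaceOf=ctr-net@%i.service
ExecStart=/usr/bin/systemd-nspawn --boot --directory=/var/lib/machines/%i
KillMode=mixed
```

As long as either unit is running the namespace stays referenced, as the message notes; stopping both releases it, and a restart of ctr-net@%i rebuilds it from scratch.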

