[systemd-devel] Asking for advice - two network interfaces in a container

Richard Maw richard.maw at codethink.co.uk
Mon Jul 20 03:20:04 PDT 2015


On Tue, Jul 14, 2015 at 12:26:23PM +0300, Peter Lemenkov wrote:
> Hello All!
> 
> My system has two network planes - a control plane (several 10.0.0.0/8
> networks) and a data plane (non-RFC1918 network, visible to end-users).
> These two networks are separated by two different bridges and some
> iptables magic. All my business logic is handled using the control plane
> (using various network protocols).
> 
> So far all my containers are connected to the control plane only - I have a
> lot of them actually. They work fine, orchestrated properly (with high
> availability, load balancing etc).
> 
> Also I've got three VMs (KVM if it matters) which provide different
> services to the end-users. Thus they have to be connected to the data
> plane. So all of them have two separate NICs - one for end user
> interaction, and another one for the control plane. Although it's possible
> to handle all the business logic via the "data plane" I'd rather avoid
> that.
> 
> Could anyone give me some advice/a hint on how to design something like
> this properly? So far I don't see a standard method for systemd-nspawn
> to assign more than one NIC to the container.

There's --network-interface=INTERFACE, which can be specified multiple
times to *move* interfaces from your host network namespace into your
guest network namespaces.

So you could do this by setting up those interfaces externally and moving them
in, e.g. make some veth pairs and bridge them onto the data plane interface.

Alternatively if your networking is simple enough, you can use
--network-{mac,ip}vlan=$DATA_PLANE_INTERFACE to have systemd "bridge" the
container onto an existing device, similar to how KVM's macvtap works.
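As an added example (not code from this thread or from the systemd project), the shell script below wires up the two approaches Richard describes: it creates one veth pair per plane, enslaves the host end of each to the plane's bridge, and then builds the systemd-nspawn command line that moves the guest ends into the container with one --network-interface flag per NIC, plus the simpler --network-macvlan variant. The bridge names (br-ctl, br-data), the veth names and the container directory are constructed placeholders. The privileged ip commands are printed rather than run unless DRY_RUN=0, so the plumbing can be reviewed before it touches the host.

```shell
#!/bin/sh
# Added example: give an nspawn container one NIC on the control plane and
# one on the data plane. Interface, bridge and directory names are
# constructed placeholders, not values from the thread.
set -eu

# DRY_RUN=1 (default) prints privileged commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# make_veth_pair NAME BRIDGE
# Creates veth pair NAME-h / NAME-g. The host end (NAME-h) is enslaved to
# BRIDGE; the guest end (NAME-g) stays in the host namespace until nspawn
# moves it into the container. Each plane gets its own bridge, so traffic
# only crosses planes where the host's iptables rules allow it.
make_veth_pair() {
    name="$1"; bridge="$2"
    run ip link add "${name}-h" type veth peer name "${name}-g"
    run ip link set "${name}-h" master "$bridge"
    run ip link set "${name}-h" up
}

# nspawn_cmd DIRECTORY IFACE...
# Prints the systemd-nspawn invocation that moves every IFACE into the
# container: --network-interface= may be given once per interface.
nspawn_cmd() {
    dir="$1"; shift
    cmd="systemd-nspawn --boot --directory=$dir"
    for iface in "$@"; do
        cmd="$cmd --network-interface=$iface"
    done
    printf '%s\n' "$cmd"
}

# nspawn_macvlan_cmd DIRECTORY IFACE...
# The alternative for simple setups: nspawn creates a macvlan on each host
# IFACE and moves that into the container, no veth/bridge needed.
nspawn_macvlan_cmd() {
    dir="$1"; shift
    cmd="systemd-nspawn --boot --directory=$dir"
    for iface in "$@"; do
        cmd="$cmd --network-macvlan=$iface"
    done
    printf '%s\n' "$cmd"
}

# count_flags CMD FLAG
# Returns how many times FLAG (e.g. --network-interface) occurs in CMD,
# a quick check that every plane made it onto the command line.
count_flags() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -c "^$2="
}

main() {
    make_veth_pair ve-ctl  br-ctl    # control plane
    make_veth_pair ve-data br-data   # data plane
    nspawn_cmd /var/lib/machines/web ve-ctl-g ve-data-g
}

main
```

Run it as-is to see the commands it would issue; run with DRY_RUN=0 as root once the bridges exist. Because --network-interface moves the device, the guest end disappears from the host namespace while the container runs, which is the behaviour that keeps the container's data-plane traffic off the host's control-plane stack.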