
Network

arnaud gaboury edited this page Sep 6, 2018 · 4 revisions

Network

The whole setup is managed by systemd-networkd. A bridge (br0) is created on the host, and the container's virtual Ethernet (veth) pair is attached to it, so the container sits directly on the LAN with a fixed IP of its own; the host keeps a fixed IP on the bridge. Note what this means for isolation: the container shares the host's Layer-2 segment, sees its broadcast traffic, and keeps CAP_NET_ADMIN inside its own network namespace (systemd-networkd in the container needs it), so it can set whatever MAC or IP it likes. The bridge gives the container its own address; it is not a firewall.

Network on host

Create these files on the host. The physical NIC (matched by en*) is enslaved to br0 and carries no address of its own; address, gateway and DNS live on the bridge. On a host with several Ethernet interfaces, match the exact name instead of en*, otherwise every one of them is enslaved:

/etc/systemd/network/bridge.netdev

[NetDev]
Name=br0
Kind=bridge

/etc/systemd/network/eth.network

[Match]
Name=en*

[Network]
Bridge=br0

/etc/systemd/network/bridge.network

[Match]
Name=br0

[Network]
DNS=192.168.1.254

[Address]
Address=192.168.1.87/24

[Route]
Gateway=192.168.1.254

Verify:

$ ip a
2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 14:da:e9:b5:7a:88 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::16da:e9ff:feb5:7a88/64 scope link 
       valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether b6:0c:00:22:f1:4a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.87/24 brd 192.168.1.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::b40c:ff:fe22:f14a/64 scope link 
       valid_lft forever preferred_lft forever

When the container is booted, its veth peer vb-poppy appears on the host as a second port of br0 (brctl comes from the deprecated bridge-utils package; `bridge link show` from iproute2 gives the same information):

$ ip a
................
7: vb-poppy: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 0e:9a:d7:18:a3:59 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c9a:d7ff:fe18:a359/64 scope link 
       valid_lft forever preferred_lft forever
$ brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.b60c0022f14a	no		enp7s0
							vb-poppy

Network on container

  • Fedora's networking is managed by NetworkManager. Disable it in favour of systemd-networkd. In the container:
# systemctl disable NetworkManager
Removed symlink /etc/systemd/system/multi-user.target.wants/NetworkManager.service.
Removed symlink /etc/systemd/system/dbus-org.freedesktop.NetworkManager.service.
Removed symlink /etc/systemd/system/dbus-org.freedesktop.nm-dispatcher.service.
  • We enable systemd-networkd
# systemctl enable systemd-networkd
  • Create this file (the directory is /etc/systemd/network, the same one used for the mask below):
/etc/systemd/network/poppy.network
----------------------------------
[Match]
Name=host0

[Network]
DNS=192.168.1.254
Address=192.168.1.94/24
Gateway=192.168.1.254
  • Prevent the default 80-container-host0.network (shipped in /usr/lib/systemd/network; it matches host0 and enables DHCP) from being applied. networkd tries .network files in lexical order of their file name and the first whose [Match] fits wins, so 80-container-host0.network would beat poppy.network. Masking it with a symlink to /dev/null in /etc removes it from the candidate set:
# ln -sf /dev/null /etc/systemd/network/80-container-host0.network
  • Verify:
$ ip a
2: host0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0e:7f:c3:fb:25:b1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.94/24 brd 192.168.1.255 scope global host0
       valid_lft forever preferred_lft forever
    inet6 fe80::c7f:c3ff:fefb:25b1/64 scope link 
       valid_lft forever preferred_lft forever
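To see why the mask is needed, and what the alternative looks like, here is an added example (not from the wiki) that emulates the file-selection rules of systemd.network(5): the configuration directories are merged with /etc overriding /run overriding /usr/lib, a same-named file in a higher-priority directory replaces the lower one, a symlink to /dev/null masks it entirely, and the remaining files are tried in lexical order of their name, the first whose [Match] Name= glob fits the interface winning. It goes one step beyond the page by also showing that naming the file 10-poppy.network would win without any mask. The fixture files are constructed stand-ins (the shipped 80-container-host0.network is reduced to its Match section and DHCP=yes); ROOT/etc and ROOT/lib play the real directories.

```shell
#!/bin/sh
# Added example (not from the wiki): emulate systemd-networkd's choice of the
# .network file for an interface, to show why 80-container-host0.network must
# be masked (or out-sorted) for poppy.network to apply.
set -eu

# networkd_pick IFACE DIR...   (DIRs listed from highest to lowest priority)
# Prints the path of the winning .network file, or "none".
networkd_pick() {
    iface=$1; shift
    seen=" "; merged=""
    # merge directories: the first directory that provides a basename wins
    for d in "$@"; do
        for f in "$d"/*.network; do
            [ -e "$f" ] || [ -L "$f" ] || continue      # unexpanded glob
            b=${f##*/}
            case "$seen" in *" $b "*) continue ;; esac  # overridden
            seen="$seen$b "
            merged="$merged$b|$f
"
        done
    done
    # sort by basename, skip masked files, match Name= globs from [Match]
    winner=$(printf '%s' "$merged" | LC_ALL=C sort | while IFS='|' read -r b f; do
        [ "$(readlink -f "$f")" = /dev/null ] && continue
        globs=$(sed -n -e '/^\[Match\]/,/^\[/{' -e 's/^Name=//p' -e '}' "$f")
        for g in $globs; do
            case "$iface" in $g) printf '%s\n' "$f"; break 2 ;; esac
        done
    done)
    printf '%s\n' "${winner:-none}"
}

# make_fixture ROOT: constructed stand-ins for the files on this page.
# ROOT/lib plays /usr/lib/systemd/network, ROOT/etc plays /etc/systemd/network.
make_fixture() {
    mkdir -p "$1/lib" "$1/etc"
    printf '[Match]\nVirtualization=container\nName=host0\n\n[Network]\nDHCP=yes\n' \
        > "$1/lib/80-container-host0.network"
    printf '[Match]\nName=host0\n\n[Network]\nDNS=192.168.1.254\nAddress=192.168.1.94/24\nGateway=192.168.1.254\n' \
        > "$1/etc/poppy.network"
}

# demo: the pick before masking, after masking, and with the rename instead
demo() {
    T=$(mktemp -d)
    make_fixture "$T"
    echo "unmasked: $(networkd_pick host0 "$T/etc" "$T/lib")"
    ln -sf /dev/null "$T/etc/80-container-host0.network"
    echo "masked:   $(networkd_pick host0 "$T/etc" "$T/lib")"
    rm "$T/etc/80-container-host0.network"
    mv "$T/etc/poppy.network" "$T/etc/10-poppy.network"
    echo "renamed:  $(networkd_pick host0 "$T/etc" "$T/lib")"
    rm -rf "$T"
}

demo
```

Without the mask the shipped file wins because "8" sorts before "p"; with it, poppy.network is the only remaining match. Renaming the file to 10-poppy.network achieves the same result while leaving the shipped file in place for any other container on the host.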

hostname, domainname

Our computer is part of the DNS domain thetradinghall.com. The FQDN (Fully Qualified Domain Name) is the complete domain name of a specific host on the Internet; it consists of two parts, the hostname and the domain name.

In our case:

  • hostname = poppy
  • domain name = thetradinghall.com
  • fqdn = poppy.thetradinghall.com

Boot container with bridge

To make the container boot with --network-bridge=br0 permanently, override the stock unit by creating this file (a copy of /usr/lib/systemd/system/systemd-nspawn@.service with the --network-bridge option added to ExecStart). On systemd 226 or later the same can be done without touching the unit, by putting Bridge=br0 in the [Network] section of /etc/systemd/nspawn/poppy.nspawn:

/etc/systemd/system/systemd-nspawn@.service
-------------------------------------------
[Unit]
Description=Container %I
Documentation=man:systemd-nspawn(1)
PartOf=machines.target
Before=machines.target

[Service]
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-bridge=br0 --machine=%I
KillMode=mixed
Type=notify
RestartForceExitStatus=133
SuccessExitStatus=133
Delegate=yes

[Install]
WantedBy=machines.target

Then stop the service, reload the daemon so the new unit file is read, and start the service again:

# systemctl stop systemd-nspawn@poppy
# systemctl daemon-reload
# systemctl start systemd-nspawn@poppy

Start the bridge before the container

systemd starts the wanted services in parallel at boot. When one service must be up before another, the unit files express it with the Before= and After= options.

In our setup, the br0 bridge interface must exist before the container starts. Otherwise systemd-nspawn@poppy.service fails with this error:

$ systemctl status systemd-nspawn@poppy
● systemd-nspawn@poppy.service - Container poppy
   Loaded: loaded (/etc/systemd/system/systemd-nspawn@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2015-05-01 19:34:56 CEST; 50s ago
     Docs: man:systemd-nspawn(1)
  Process: 544 ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-bridge=br0 --machine=%I (code=exited, status=1/FAILURE)
 Main PID: 544 (code=exited, status=1/FAILURE)

May 01 19:34:55 hortensia systemd[1]: Starting Container poppy...
May 01 19:34:55 hortensia systemd-nspawn[544]: Failed to resolve interface br0: No such device
May 01 19:34:56 hortensia systemd[1]: systemd-nspawn@poppy.service: main process exited, code=exite...LURE
May 01 19:34:56 hortensia systemd[1]: Failed to start Container poppy.
May 01 19:34:56 hortensia systemd[1]: Unit systemd-nspawn@poppy.service entered failed state.
May 01 19:34:56 hortensia systemd[1]: systemd-nspawn@poppy.service failed.

This error is expected: systemd-nspawn has to attach the container's veth to br0, and br0 only exists once systemd-networkd has processed bridge.netdev, so the container must be ordered after networkd. The page solves it this way:

On host, create this file:

/etc/systemd/system/network.target
----------------------------------
[Unit]
Description=Network
Documentation=man:systemd.special(7)
Documentation=http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget
After=network-pre.target
RefuseManualStart=yes

[Install]
WantedBy=machines.target

Enable this target:

# systemctl enable machines.target

Then override systemd-networkd.service, adding machines.target to its Before= line. Custom unit files in /etc/systemd/system take precedence over the stock ones in /usr/lib/systemd/system. Copying the whole unit freezes it at this version; a drop-in /etc/systemd/system/systemd-networkd.service.d/override.conf containing only a [Unit] section with Before=machines.target has the same effect and lets the rest of the unit keep tracking the package.

/etc/systemd/system/systemd-networkd.service
---------------------------------------------
[Unit]
Description=Network Service
Documentation=man:systemd-networkd.service(8)
ConditionCapability=CAP_NET_ADMIN
DefaultDependencies=no
# dbus.service can be dropped once on kdbus, and systemd-udevd.service can be
# dropped once tuntap is moved to netlink
After=systemd-udevd.service dbus.service network-pre.target systemd-sysusers.service
Before=network.target multi-user.target shutdown.target machines.target
Conflicts=shutdown.target
Wants=network.target

[Service]
Type=notify
Restart=on-failure
RestartSec=0
ExecStart=/usr/lib/systemd/systemd-networkd
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
ProtectSystem=full
ProtectHome=yes
WatchdogSec=1min

[Install]
WantedBy=multi-user.target
Also=systemd-networkd.socket

Stop and disable the service, run systemctl daemon-reload, then enable and start it again (re-enabling matters: the symlinks in multi-user.target.wants point at the unit file's full path, and must now point at the copy in /etc/systemd/system).
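A narrower fix for the same ordering problem, as an added example that is not part of the wiki page: leave network.target and systemd-networkd.service alone and instead tie the container unit to the bridge device itself. systemd exposes every network interface udev has seen as a .device unit named after /sys/subsystem/net/devices/<ifname>, so a drop-in on systemd-nspawn@poppy.service can BindsTo= and After= that device; the container then waits until br0 actually exists, and is stopped if the bridge goes away. The helper names (net_device_unit, nspawn_bridge_dropin) and the drop-in file name bridge.conf are this example's own choices; the unit-name escaping reproduces systemd's rule for ASCII interface names (letters, digits, ":", "_" and "." are kept, everything else becomes \xHH).

```shell
#!/bin/sh
# Added example (not from the wiki): order the container after the bridge
# device with a drop-in instead of overriding whole stock units.
set -eu

# net_device_unit IFNAME -> the .device unit name for that interface.
# systemd unit-name escaping: [A-Za-z0-9:_.] are kept, every other byte
# becomes \xHH, so "br-lan" turns into "br\x2dlan".
net_device_unit() {
    s=$1; esc=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}            # peel off the first character
        case "$c" in
            [A-Za-z0-9:_.]) esc="$esc$c" ;;
            *) esc="$esc\\x$(printf '%02x' "'$c")" ;;
        esac
    done
    printf 'sys-subsystem-net-devices-%s.device\n' "$esc"
}

# nspawn_bridge_dropin ROOT MACHINE BRIDGE -> writes
# ROOT/etc/systemd/system/systemd-nspawn@MACHINE.service.d/bridge.conf and
# prints its path. ROOT is "/" on a real host; a temp dir for testing.
nspawn_bridge_dropin() {
    root=$1; machine=$2; bridge=$3
    dev=$(net_device_unit "$bridge")
    dir="$root/etc/systemd/system/systemd-nspawn@$machine.service.d"
    mkdir -p "$dir"
    cat > "$dir/bridge.conf" <<EOF
# Start the container only once $bridge exists (systemd-networkd creates it
# from bridge.netdev) and stop it again if the bridge disappears.
[Unit]
BindsTo=$dev
After=$dev systemd-networkd.service
EOF
    printf '%s\n' "$dir/bridge.conf"
}

# On the host, as root, then reload and restart the container:
#   nspawn_bridge_dropin / poppy br0
#   systemctl daemon-reload && systemctl restart systemd-nspawn@poppy
```

Cross-check the escaping on the host with `systemd-escape --path --suffix=device /sys/subsystem/net/devices/br0`, which prints the same unit name, and confirm the device unit is known with `systemctl status sys-subsystem-net-devices-br0.device` once br0 is up.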

Resources
