[arch-general] bridge with netctl
Dear list,

I am running a machine "hortensia" with a container "dahlia". As the container will be a server, I want to have one IP for hortensia and another one for dahlia.

On hortensia, with dhcpcd.service and systemd-networkd both disabled, I start at boot two netctl profiles.

/etc/netctl/bridge-hortensia
    Description="Bridge connection to container"
    Interface=br0
    Connection=bridge
    BindsToInterfaces=()
    IP=no

/etc/netctl/static-hortensia
    Description='hortensia static ethernet connection'
    Interface=enp7s0
    Connection=ethernet
    IP=static
    Address=('192.168.1.87/24')
    Gateway=('192.168.1.254')
    DNS=('192.168.1.254')

Then here is the result:

    $ ip addr
    2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 14:da:e9:b5:7a:88 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.87/24 brd 192.168.1.255 scope global enp7s0
           valid_lft forever preferred_lft forever
        inet6 fe80::16da:e9ff:feb5:7a88/64 scope link
           valid_lft forever preferred_lft forever
    3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
        link/ether 22:6d:8b:ac:6e:31 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::206d:8bff:feac:6e31/64 scope link
           valid_lft forever preferred_lft forever

Two questions:
- Is the command output correct for br0?
- All the wikis say to bind the bridge interface to my ethernet device (enp7s0). But if I modify /etc/netctl/bridge-hortensia this way:
      BindsToInterfaces=(enp7s0)
  I have no working network on machine hortensia. Is this behavior correct?
Now let's start the dahlia container:

    # systemd-nspawn --machine=dahlia --network-bridge=br0 -bD /dahlia

On hortensia, here is now the new ip addr output, as it is supposed to be (vb-dahlia):

    $ ip addr
    2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 14:da:e9:b5:7a:88 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.87/24 brd 192.168.1.255 scope global enp7s0
           valid_lft forever preferred_lft forever
        inet6 fe80::16da:e9ff:feb5:7a88/64 scope link
           valid_lft forever preferred_lft forever
    3: br0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
        link/ether 1a:2d:eb:58:8e:db brd ff:ff:ff:ff:ff:ff
        inet6 fe80::206d:8bff:feac:6e31/64 scope link
           valid_lft forever preferred_lft forever
    5: vb-dahlia: <BROADCAST,MULTICAST> mtu 1500 qdisc noop master br0 state DOWN group default qlen 1000
        link/ether 1a:2d:eb:58:8e:db brd ff:ff:ff:ff:ff:ff

My issue is that br0 is DOWN and I can't bring it up with this command:

    # ip link set dev br0 up

This has no effect. Then, I can see NO-CARRIER in the br0 status. Is it the expected output? Why is br0 DOWN? Why can't I bring it UP?

All this leaves me with a broken network on the container dahlia:

    $ ip addr
    2: host0: <NO-CARRIER,BROADCAST,MULTICAST,ALLMULTI,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
        link/ether b2:25:69:eb:ea:a9 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.94/24 brd 192.168.1.255 scope global host0
           valid_lft forever preferred_lft forever

host0 is DOWN, again with NO-CARRIER.

I have no idea what part of the setup is missing. I run a custom kernel, so is there any wrong configuration on it? The kernel is moderately customized, but maybe I disabled some needed flag?

Thank you for help.
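The NO-CARRIER state asked about above, as an added shell example that is not part of the thread: a Linux bridge only has carrier while at least one of its enslaved ports has LOWER_UP, so bringing br0 up by hand changes nothing until a live interface is made a port. The "ip -o link show" samples are constructed from the listings above; bridge_ports, bridge_has_live_port and bridge_report are names chosen here.

```shell
# Added example, not code from the thread. A Linux bridge has carrier only
# while at least one enslaved port has LOWER_UP; "ip link set br0 up" cannot
# change that, only adding a live port can. The functions read the output of
# "ip -o link show" (one interface per line) from the file named in $2.

# Print the interfaces enslaved to bridge $1.
bridge_ports() {
    awk -v br="$1" '$0 ~ ("master " br " ") { sub(/:$/, "", $2); print $2 }' "$2"
}

# Return 0 when at least one port of bridge $1 has LOWER_UP, else 1.
bridge_has_live_port() {
    awk -v br="$1" '
        $0 ~ ("master " br " ") && $3 ~ /LOWER_UP/ { found = 1 }
        END { if (found) exit 0; exit 1 }' "$2"
}

# One-line verdict for bridge $1, plus the port list when nothing is live.
bridge_report() {
    ports=$(bridge_ports "$1" "$2")
    if [ -z "$ports" ]; then
        echo "$1: no ports enslaved, so the bridge always reports NO-CARRIER"
    elif bridge_has_live_port "$1" "$2"; then
        echo "$1: at least one port is live, carrier is up"
    else
        echo "$1: ports present but none has LOWER_UP:"; echo "$ports"
    fi
}

# Constructed sample in "ip -o link show" form, mirroring the listing where
# vb-dahlia hangs off br0 but is DOWN and enp7s0 is not a port at all.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 14:da:e9:b5:7a:88 brd ff:ff:ff:ff:ff:ff
3: br0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default\    link/ether 1a:2d:eb:58:8e:db brd ff:ff:ff:ff:ff:ff
5: vb-dahlia: <BROADCAST,MULTICAST> mtu 1500 qdisc noop master br0 state DOWN mode DEFAULT group default qlen 1000\    link/ether 1a:2d:eb:58:8e:db brd ff:ff:ff:ff:ff:ff
EOF

# Same host after enp7s0 has been made a port of br0 (also constructed).
FIXED=$(mktemp)
cat > "$FIXED" <<'EOF'
2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 14:da:e9:b5:7a:88 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default\    link/ether 14:da:e9:b5:7a:88 brd ff:ff:ff:ff:ff:ff
EOF

bridge_report br0 "$SAMPLE"
bridge_report br0 "$FIXED"
```

On a live host, feed it with `ip -o link show > /tmp/links; bridge_report br0 /tmp/links`.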
On 06.03.2014 14:03, arnaud gaboury wrote:
Dear list,
I am running a machine "hortensia" with a container "dahlia". As the container will be a server, I want to have one IP for hortensia and another one for dahlia.
On hortensia, with dhcpcd.service and systemd-networkd both disabled, I start at boot two netctl profiles.
/etc/netctl/bridge-hortensia
    Description="Bridge connection to container"
    Interface=br0
    Connection=bridge
    BindsToInterfaces=()
    IP=no

/etc/netctl/static-hortensia
    Description='hortensia static ethernet connection'
    Interface=enp7s0
    Connection=ethernet
    IP=static
    Address=('192.168.1.87/24')
    Gateway=('192.168.1.254')
    DNS=('192.168.1.254')
This configuration makes no sense whatsoever.

1) You create a bridge with no ports. What purpose does it serve?

2) If you want to add enp7s0 as a port, why do you have a configuration for enp7s0? If an interface is a bridge port, it cannot be used for IP traffic, so assigning it an IP is pointless.
This configuration makes no sense whatsoever.

1) You create a bridge with no ports. What purpose does it serve?

2) If you want to add enp7s0 as a port, why do you have a configuration for enp7s0? If an interface is a bridge port, it cannot be used for IP traffic, so assigning it an IP is pointless.
If I understand correctly, in fact I took the set up upside down. I tried br0 ---> enp7s0 when in fact the scheme is

                               |-----> dev 1
    enp7s0 ----> bridge br0 ----|
                               |------> dev 2

Am I correct in this scheme?
On Thursday 06 Mar 2014 16:14:19 arnaud gaboury wrote:
This configuration makes no sense whatsoever.

1) You create a bridge with no ports. What purpose does it serve?

2) If you want to add enp7s0 as a port, why do you have a configuration for enp7s0? If an interface is a bridge port, it cannot be used for IP traffic, so assigning it an IP is pointless.
If I understand correctly, in fact I took the set up upside down. I tried br0 ---> enp7s0 when in fact the scheme is
                               |-----> dev 1
    enp7s0 ----> bridge br0 ----|
                               |------> dev 2
Am I correct in this scheme?
What do you mean by dev 1 and dev 2?

Paul
On 06.03.2014 16:19, Paul Gideon Dann wrote:
If I understand correctly, in fact I took the set up upside down. I tried br0 ---> enp7s0 when in fact the scheme is
                               |-----> dev 1
    enp7s0 ----> bridge br0 ----|
                               |------> dev 2
Am I correct in this scheme?
What do you mean by dev 1 and dev 2?
Independently of what dev1 and dev2 are, the answer is 'no'.
To say it out in a manner as straight as possible, you have to include every device that the bridge should have any effect on in your bridge. And if you still think a device doesn't go in there, I'd have to listen to your reason and read up if that is actually valid. No, include all those devices already and let us move on.
On 6 Mar 2014 14:15, "Thomas Bächler" <thomas@archlinux.org> wrote:
On 06.03.2014 14:03, arnaud gaboury wrote:
Dear list,
I am running a machine "hortensia" with a container "dahlia". As the container will be a server, I want to have one IP for hortensia and another one for dahlia.
On hortensia, with dhcpcd.service and systemd-networkd both disabled, I start at boot two netctl profiles.
[...]
1) You create a bridge with no ports. What purpose does it serve?

2) If you want to add enp7s0 as a port, why do you have a configuration for enp7s0? If an interface is a bridge port, it cannot be used for IP traffic, so assigning it an IP is pointless.
In fact: make enp7s0 a port of br0 and then you can use the bridge as the network interface for Hortensia. For either static or dhcp: use the bridge device.

IP forwarding: a bridge is an OSI layer 2 device, not a router, so IP forwarding can be turned off (IP is layer 3).

As for Dahlia; I don't know exactly how containers work in Linux, but I guess you'll need to configure some virtual network device and then add that to the bridge. My best guess would be to look up how this is done with LXC.

Kind regards,
Guus
2014-03-06 18:40 GMT+01:00 Guus Snijders <gsnijders@gmail.com>:
On 6 Mar 2014 14:15, "Thomas Bächler" <thomas@archlinux.org> wrote:
[...]
As for Dahlia; I don't know exactly how containers work in Linux, but I guess you'll need to configure some virtual network device and then add that to the bridge. My best guess would be to look up how this is done with LXC.
Actually, the man page for systemd-nspawn explains it nicely. Look for the options network-veth and network-bridge.

Kind regards,
Guus
On Thursday 06 Mar 2014 14:03:54 arnaud gaboury wrote:
I am running a machine "hortensia" with a container "dahlia". As the container will be a server, I want to have one IP for hortensia and another one for dahlia.
On hortensia, with dhcpcd.service and systemd-networkd both disabled, I start at boot two netctl profiles.
/etc/netctl/bridge-hortensia
    Description="Bridge connection to container"
    Interface=br0
    Connection=bridge
    BindsToInterfaces=()
    IP=no

/etc/netctl/static-hortensia
    Description='hortensia static ethernet connection'
    Interface=enp7s0
    Connection=ethernet
    IP=static
    Address=('192.168.1.87/24')
    Gateway=('192.168.1.254')
    DNS=('192.168.1.254')
Hi Arnaud. This doesn't seem right to me. The purpose of a bridge is to connect several interfaces together. Your bridge is not bound to any interfaces, so it's effectively useless, unless there's some special use of bridges I'm not familiar with.

Although I haven't played with containers much at all, I would expect it to work in one of 2 ways:

1) Two new virtual interfaces are created: one that is visible to the container, and one that is visible to the host. The host now has two interfaces, which may be bridged, or it may act as a NAT router on the interface that goes to the container. The container only sees the one interface, and uses perfectly normal means to obtain an IP address.

2) No new interfaces are defined, and the host's interface is shared with the container. In this case, you will need to add another IP to the interface so that it'll respond to both the host's IP and the container's IP, and then either perform some kind of packet filtering, or simply ensure that the services on host and client are each configured to respond only to the desired IP.

Paul
On 06-03-2014 13:23, Paul Gideon Dann wrote:
Hi Arnaud. This doesn't seem right to me. The purpose of a bridge is to connect several interfaces together. Your bridge is not bound to any interfaces, so it's effectively useless, unless there's some special use of bridges I'm not familiar with.
Although for a different use, I set up a bridge that doesn't bind to any interfaces; it is meant to be used by qemu later, where several tap interfaces will be connected. I suppose that now systemd-nspawn might also be able to make use of a similar setup, as it seems Arnaud is trying to use; I haven't tried it myself though (and it seems to be a recently added functionality).

-- 
Mauro Santos
1) Two new virtual interfaces are created: one that is visible to the container, and one that is visible to the host. The host now has two interfaces, which may be bridged, or it may act as a NAT router on the interface that goes to the container. The container only sees the one interface, and uses perfectly normal means to obtain an IP address.
That's correct. When I boot the container, a new interface "vb-dahlia" appears on the host, and on the container side, I have a "host0" interface.

So I guess I must have a netctl br0 profile with this line:

    BindsToInterfaces=(enp7s0 vb-dahlia)

-- 
google.com/+arnaudgabourygabx
On Thu, Mar 6, 2014 at 8:00 PM, arnaud gaboury <arnaud.gaboury@gmail.com> wrote:
1) Two new virtual interfaces are created: one that is visible to the container, and one that is visible to the host. The host now has two interfaces, which may be bridged, or it may act as a NAT router on the interface that goes to the container. The container only sees the one interface, and uses perfectly normal means to obtain an IP address.
That's correct. When I boot the container, a new interface "vb-dahlia" appears on the host, and on the container side, I have a "host0" interface.
So I guess I must have a netctl br0 profile with this line:
    BindsToInterfaces=(enp7s0 vb-dahlia)
It took me a while, but I now have a working bridge on the host machine, with a static IP, and a working ethernet connection on the container, with a static IP. Thank you for your help.
On Thursday 06 Mar 2014 23:01:30 arnaud gaboury wrote:
On Thu, Mar 6, 2014 at 8:00 PM, arnaud gaboury <arnaud.gaboury@gmail.com> wrote:
1) Two new virtual interfaces are created: one that is visible to the container, and one that is visible to the host. The host now has two interfaces, which may be bridged, or it may act as a NAT router on the interface that goes to the container. The container only sees the one interface, and uses perfectly normal means to obtain an IP address.
That's correct. When I boot the container, a new interface "vb-dahlia" appears on the host, and on the container side, I have a "host0" interface.
So I guess I must have a netctl br0 profile with this line:
    BindsToInterfaces=(enp7s0 vb-dahlia)
It took me a while, but I now have a working bridge on the host machine, with a static IP, and a working ethernet connection on the container, with a static IP.
Thank you for your help.
You're welcome, Arnaud. Glad you got it working in the end.

Paul
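The host-side layout the thread ends up with, as an added example (not Arnaud's actual files): the static address lives on br0, enp7s0 is only a port, and the vb-dahlia veth is enslaved by systemd-nspawn --network-bridge itself (the earlier listing already shows it with "master br0"), so it does not need to be in the profile. write_bridge_profile and check_profile are names chosen here; the output directory is a parameter so the block runs without touching /etc/netctl.

```shell
# Added example, not Arnaud's real files: the host-side netctl layout the
# thread converges on. enp7s0 becomes a port of br0 and carries no address,
# the static address moves to br0, and the vb-dahlia veth is enslaved by
# "systemd-nspawn --network-bridge=br0" itself, so it is not listed here.
# The target directory is a parameter (normally /etc/netctl) so this runs
# without touching the system; addresses are the ones from the thread.

write_bridge_profile() {
    cat > "$1/bridge-hortensia" <<'EOF'
Description='hortensia bridge: enp7s0 as port, static IP on br0'
Interface=br0
Connection=bridge
BindsToInterfaces=(enp7s0)
IP=static
Address=('192.168.1.87/24')
Gateway='192.168.1.254'
DNS=('192.168.1.254')
EOF
}

# Catch the two mistakes from the thread: a bridge with an empty port list,
# and IP settings on a profile that is not the bridge itself.
check_profile() {
    grep -q '^BindsToInterfaces=([^)]' "$1" || { echo "no ports bound"; return 1; }
    grep -q '^Interface=br0$' "$1" && grep -q '^IP=static$' "$1" \
        || { echo "IP settings are not on br0"; return 1; }
    echo "ok"
}

dir=$(mktemp -d)
write_bridge_profile "$dir"
check_profile "$dir/bridge-hortensia"

# On the real host the old static-hortensia profile must no longer start,
# because it would put an address on what is now a bridge port:
#   netctl disable static-hortensia && netctl enable bridge-hortensia
#   systemd-nspawn --machine=dahlia --network-bridge=br0 -bD /dahlia
# Inside dahlia, host0 then gets its own static address (192.168.1.94/24).
```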
On Thu, 6 Mar 2014 14:03:54 +0100 arnaud gaboury <arnaud.gaboury@gmail.com> wrote:
I have no idea what part of the setup is missing.
I run a custom kernel, so is there any wrong configuration on it ? The kernel is moderately customized, but maybe did I disabled some needed flag ?
I can't help you with your specific problem, but one thing that you need to do is to enable the machine to forward IP packets from one interface to another. Create something like a /etc/sysctl.d/99-sysctl.conf and add this:

    # Enable packet forwarding
    net.ipv4.ip_forward = 1
    net.ipv6.conf.all.forwarding = 1

If you run a firewall like iptables you'll also have to enable packet forwarding between the interfaces in the firewall.

-- 
Joakim
I can't help you with your specific problem, but one thing is that you need to do, is to enable the machine to forward ip packets from one interface to another. Create something like a /etc/sysctl.d/99-sysctl.conf and add this:
    # Enable packet forwarding
    net.ipv4.ip_forward = 1
    net.ipv6.conf.all.forwarding = 1
It is.

    gabx@hortensia ➤➤ ~ % cat /etc/sysctl.d/30-ipforward.conf
    net.ipv4.ip_forward=1
    net.ipv6.conf.default.forwarding=1
    net.ipv6.conf.all.forwarding=1
On 06-03-2014 13:03, arnaud gaboury wrote:
My issue is that br0 is DOWN and I can't bring it up with this command:
    # ip link set dev br0 up
This has no effect.
I use a systemd service file to set up a bridge for somewhat similar purposes; the sequence of commands I use is this:

    /usr/sbin/brctl addbr brkvm
    /usr/sbin/ip addr add 192.168.56.1/24 dev brkvm
    /usr/sbin/ip link set dev brkvm up

After that, ip a s brkvm shows:

    4: brkvm: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
        link/ether fe:83:79:56:a3:a2 brd ff:ff:ff:ff:ff:ff
        inet 192.168.56.1/24 scope global brkvm
           valid_lft forever preferred_lft forever

I have never used netctl so I can't help you there. In case you are wondering, the complete service file I use is:

    [Unit]
    Description=Sets up a bridge for use with virtual machines.

    [Service]
    Type=oneshot
    ExecStart=/usr/sbin/brctl addbr brkvm
    ExecStart=/usr/sbin/ip addr add 192.168.56.1/24 dev brkvm
    ExecStart=/usr/sbin/ip link set dev brkvm up
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target

-- 
Mauro Santos