Merge pull request #185 from Jip-Hop/veth-extra

Veth extra
This commit is contained in:
Jip-Hop 2024-05-25 23:31:40 +02:00 committed by GitHub
commit 4974cf8a9a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 64 additions and 3 deletions

View File

@ -42,6 +42,28 @@ systemctl status systemd-networkd
ifconfig ifconfig
``` ```
### Multiple Bridge Interfaces
[Systemd-nspawn](https://www.freedesktop.org/software/systemd/man/latest/systemd-nspawn.html), the technology on which jailmaker is built, [currently](https://github.com/systemd/systemd/issues/11087) only supports the definition and automatic configuration of a single bridge interface via the [`--network-bridge`](https://www.freedesktop.org/software/systemd/man/latest/systemd-nspawn.html#--network-bridge=) argument. In some cases however, for instance when trying to utilize different vlan interfaces, it can be useful to configure multiple bridge interfaces within a jail. It is possible to create extra interfaces and join them to host bridges manually with systemd-nspwan using a combination of the [`--network-veth-extra`](https://www.freedesktop.org/software/systemd/man/latest/systemd-nspawn.html#--network-veth-extra=) argument and a service config containing `ExecStartPost` commands as outlined [here](https://wiki.csclub.uwaterloo.ca/Systemd-nspawn#Multiple_network_interfaces).
The `--network-veth-extra` argument instructs system-nspawn to create an addition linked interface between the host and jail and uses a syntax of
```
--network-veth-extra=<host_interface_name>:<jail_interface_name>
```
The service config constaining `ExecStartPost` commands is then used to add the host side of the interface link to an existing host bridge and bring the interface up. Jailmaker has simplified this process by including a `post_start_hook` configuration parameter which can automate the creation of the service config by including the `ExecStartPost` commands as below.
```
post_start_hook=#!/usr/bin/bash
set -euo pipefail
echo 'POST_START_HOOK'
ip link set dev ve-docker-1 master br40
ip link set dev ve-docker-1 up
ip link set dev ve-docker-2 master br70
ip link set dev ve-docker-2 up
```
With the new `--network-veth-extra` interface link created and the host side added to an existing host bridge, the jail side of the link still needs to be configured. Jailmaker provides a network file in the form of `/etc/systemd/network/vee-dhcp.network` which will automatically perform this configuration. In order for `vee-dhcp.network` to successfully match and configure the link's jail side interface, the `<jail_interface_name>` must begin with a ***vee-*** prefix. An example jailmaker config with properly named `--network-veth-extra` interfaces and `post_start_hook` commands is available [here](https://github.com/Jip-Hop/jailmaker/discussions/179#discussioncomment-9499289).
## Macvlan Networking ## Macvlan Networking
Some services require the use of port 80 or 443, or would benefit from a separate IP. For these situations the easiest network configuration is the MAC VLAN configuration. This creates a virtual interface with its own separate randomly generated MAC address and IP. The default config uses DHCP by default, but can easily be set to a Static IP. Some services require the use of port 80 or 443, or would benefit from a separate IP. For these situations the easiest network configuration is the MAC VLAN configuration. This creates a virtual interface with its own separate randomly generated MAC address and IP. The default config uses DHCP by default, but can easily be set to a Static IP.
@ -91,4 +113,4 @@ apt update && apt -y install resolvconf
- [systemd-nspawn](https://manpages.debian.org/bullseye/systemd-container/systemd-nspawn.1.en.html)- [Setting up Systemd-nspawn](https://www.cocode.se/linux/systemd_nspawn.html#orge360318) - [systemd-nspawn](https://manpages.debian.org/bullseye/systemd-container/systemd-nspawn.1.en.html)- [Setting up Systemd-nspawn](https://www.cocode.se/linux/systemd_nspawn.html#orge360318)
- [Debian Reference - Chapter 5. Network setup](https://www.debian.org/doc/manuals/debian-reference/ch05.en.html#_the_hostname_resolution) - [Debian Reference - Chapter 5. Network setup](https://www.debian.org/doc/manuals/debian-reference/ch05.en.html#_the_hostname_resolution)
- [Disabling link-local addressing](https://jerrington.me/posts/2017-08-06-systemd-nspawn-disabling-link-local-addressing.html#disabling-link-local-addressing) - [Disabling link-local addressing](https://jerrington.me/posts/2017-08-06-systemd-nspawn-disabling-link-local-addressing.html#disabling-link-local-addressing)

View File

@ -4,7 +4,7 @@
with full access to all files via bind mounts, \ with full access to all files via bind mounts, \
thanks to systemd-nspawn!""" thanks to systemd-nspawn!"""
__version__ = "1.4.2" __version__ = "1.5.0"
__author__ = "Jip-Hop" __author__ = "Jip-Hop"
__disclaimer__ = """USE THIS SCRIPT AT YOUR OWN RISK! __disclaimer__ = """USE THIS SCRIPT AT YOUR OWN RISK!
IT COMES WITHOUT WARRANTY AND IS NOT SUPPORTED BY IXSYSTEMS.""" IT COMES WITHOUT WARRANTY AND IS NOT SUPPORTED BY IXSYSTEMS."""
@ -63,6 +63,16 @@ pre_start_hook=
# echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables # echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
# echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables # echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
# Specify command/script to run on the HOST after starting the jail
# For example to attach to multiple bridge interfaces
# when using --network-veth-extra=ve-myjail-1:veth1
post_start_hook=
# post_start_hook=#!/usr/bin/bash
# set -euo pipefail
# echo 'POST_START_HOOK_EXAMPLE'
# ip link set dev ve-myjail-1 master br2
# ip link set dev ve-myjail-1 up
# Specify a command/script to run on the HOST after stopping the jail # Specify a command/script to run on the HOST after stopping the jail
post_stop_hook= post_stop_hook=
# post_stop_hook=echo 'POST_STOP_HOOK_EXAMPLE' # post_stop_hook=echo 'POST_STOP_HOOK_EXAMPLE'
@ -633,7 +643,7 @@ def start_jail(jail_name):
"--capability=all", "--capability=all",
] ]
# Add hooks to execute commands on the host before starting and after stopping a jail # Add hooks to execute commands on the host before/after starting and after stopping a jail
add_hook( add_hook(
jail_path, jail_path,
systemd_run_additional_args, systemd_run_additional_args,
@ -641,6 +651,13 @@ def start_jail(jail_name):
"ExecStartPre", "ExecStartPre",
) )
add_hook(
jail_path,
systemd_run_additional_args,
config.my_get("post_start_hook"),
"ExecStartPost",
)
add_hook( add_hook(
jail_path, jail_path,
systemd_run_additional_args, systemd_run_additional_args,
@ -1499,6 +1516,28 @@ def create_jail(**kwargs):
file=open(os.path.join(network_dir_path, "mv-dhcp.network"), "w"), file=open(os.path.join(network_dir_path, "mv-dhcp.network"), "w"),
) )
# Setup DHCP for veth-extra network interfaces
# This config applies when using the --network-veth-extra option of systemd-nspawn
# https://www.debian.org/doc/manuals/debian-reference/ch05.en.html#_the_modern_network_configuration_without_gui
print(
cleandoc(
"""
[Match]
Virtualization=container
Name=vee-*
[Network]
DHCP=yes
LinkLocalAddressing=ipv6
[DHCPv4]
UseDNS=true
UseTimezone=true
"""
),
file=open(os.path.join(network_dir_path, "vee-dhcp.network"), "w"),
)
# Override preset which caused systemd-networkd to be disabled (e.g. fedora 39) # Override preset which caused systemd-networkd to be disabled (e.g. fedora 39)
# https://www.freedesktop.org/software/systemd/man/latest/systemd.preset.html # https://www.freedesktop.org/software/systemd/man/latest/systemd.preset.html
# https://github.com/lxc/lxc-ci/blob/f632823ecd9b258ed42df40449ec54ed7ef8e77d/images/fedora.yaml#L312C5-L312C38 # https://github.com/lxc/lxc-ci/blob/f632823ecd9b258ed42df40449ec54ed7ef8e77d/images/fedora.yaml#L312C5-L312C38