From 279cb15d6fa0f063f81479bbc85ea5b50823f5e9 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Tue, 29 Jun 2021 14:09:39 +0200
Subject: Merging upstream version 20210629.
Signed-off-by: Daniel Baumann
---
 CHANGELOG.txt | 20 ++++++
 VERSION.txt | 2 +-
 libexec/container/start | 68 +++++++++----------
 libexec/container/stop | 6 ++
 share/doc/HOST-SETUP.txt | 168 +++++++++++++++++++++--------------------------
 5 files changed, 133 insertions(+), 131 deletions(-)
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 963f218..0951cb4 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,23 @@
+2021-06-29 Daniel Baumann
+
+ * Releasing version 20210628.
+
+ * Backward incompatible changes:
+ - The networking integration on the container host depended on
+ ifupdown. Now, to support KVM as an additional backend
+ alongside systemd-nspawn in compute-tools, we're switching
+ in this version exclusively to openvswitch.
+ - Moving from ifupdown to openvswitch to manage the bridges
+ requires manual re-configuration of the networking stack on
+ the host, otherwise no container will continue to have network
+ access.
+ - Configuration examples for systemd-networkd (recommended) on the
+ host to use openvswitch are documented in HOST-SETUP.txt.
+
+ [ Simon Spöhel ]
+ * Using openvswitch instead of linux bridges.
+ * Updating documentation for openvswitch.
+
 2021-06-28 Daniel Baumann
 * Releasing version 20210628.
diff --git a/VERSION.txt b/VERSION.txt
index 47b060d..f814e09 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-20210628
+20210629
diff --git a/libexec/container/start b/libexec/container/start
index 08c3611..6b35ea8 100755
--- a/libexec/container/start
+++ b/libexec/container/start
@@ -367,42 +367,6 @@ then
 ;;
 esac
- NETWORK_BRIDGES="$(awk -Fcnt.network-bridge= '/^cnt.network-bridge=/ { print $2 }' ${CONFIG}/${NAME}.conf)"
-
- case "${NETWORK_BRIDGES}" in
- "")
- ;;
-
- *)
- for BRIDGE_DEFINITION in ${NETWORK_BRIDGES}
- do
- INTERFACE="$(echo ${BRIDGE_DEFINITION} | awk -F: '{ print $1 }')"
- BRIDGE="$(echo ${BRIDGE_DEFINITION} | awk -F: '{ print $2 }')"
-
- if [ "$(echo ${INTERFACE} | wc -c)" -gt 15 ]
- then
- echo "'${INTERFACE}': name exceeds maximum of 15 characters, network might be not working."
- fi
-
- if [ -n "${BRIDGE}" ] && [ -n "${INTERFACE}" ]
- then
-
-cat > "/etc/network/interfaces.d/${INTERFACE}" << EOF
-allow-hotplug ${INTERFACE}
-iface ${INTERFACE} inet manual
- pre-up ip link set ${INTERFACE} up
- post-up ip link set ${INTERFACE} master ${BRIDGE}
- pre-down ip link set ${INTERFACE} nomaster
- post-down ip link set ${INTERFACE} down
-EOF
-
- else
- echo "Warning bridge definition '${BRIDGE_DEFINITION}' not recognized (expected :): Ignoring"
- fi
- done
- ;;
- esac
-
 PRIVATE_USERS="$(awk -Fprivate-users= '/^private-users=/ { print $2 }' ${CONFIG}/${NAME}.conf || echo no)"
 case "${PRIVATE_USERS}" in
@@ -536,3 +500,35 @@ case "${START}" in
 esac
 ;;
 esac
+
+# waiting for systemd-nspawn to create the veth interfaces
+sleep 1
+NETWORK_BRIDGES="$(awk -Fcnt.network-bridge= '/^cnt.network-bridge=/ { print $2 }' ${CONFIG}/${NAME}.conf)"
+
+case "${NETWORK_BRIDGES}" in
+ "")
+ ;;
+
+ *)
+ for BRIDGE_DEFINITION in ${NETWORK_BRIDGES}
+ do
+ INTERFACE="$(echo ${BRIDGE_DEFINITION} | awk -F: '{ print $1 }')"
+ BRIDGE="$(echo ${BRIDGE_DEFINITION} | awk -F: '{ print $2 }')"
+
+ if [ "$(echo ${INTERFACE} | wc -c)" -gt 15 ]
+ then
+ echo "'${INTERFACE}': name exceeds maximum of 15 characters, network might be not working."
+ fi
+
+ if [ -n "${BRIDGE}" ] && [ -n "${INTERFACE}" ]
+ then
+
+ ip link set "${INTERFACE}" up
+ ovs-vsctl --may-exist add-port "${BRIDGE}" "${INTERFACE}"
+
+ else
+ echo "Warning bridge definition '${BRIDGE_DEFINITION}' not recognized (expected :): Ignoring"
+ fi
+ done
+ ;;
+esac
diff --git a/libexec/container/stop b/libexec/container/stop
index 58fc0e9..52b40d1 100755
--- a/libexec/container/stop
+++ b/libexec/container/stop
@@ -261,6 +261,12 @@ case "${VERBOSE}" in
 ;;
 esac
+VETHS="$(awk -Fnetwork-veth-extra= '/^network-veth-extra=/ { print $2 }' ${CONFIG}/${NAME}.conf | awk -F: '{ print $1 }')"
+for VETH in ${VETHS}
+do
+ ovs-vsctl --if-exist del-port "${VETH}"
+done
+
 machinectl ${MODE} ${NAME}
 case "${FORCE}" in
diff --git a/share/doc/HOST-SETUP.txt b/share/doc/HOST-SETUP.txt
index 6b368f0..8603a06 100644
--- a/share/doc/HOST-SETUP.txt
+++ b/share/doc/HOST-SETUP.txt
@@ -5,7 +5,7 @@ compute-tools: Host Setup
 1. Debian Packages
 -------------------
-apt install bridge-utils ifenslave vlan
+apt install openvswitch-switch
 2. Boot Parameters
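Review bot: The fixed `sleep 1` before the bridge loop is a timing guess: if systemd-nspawn has not created the host side of the veth within a second, `ip link set "${INTERFACE}" up` fails and the port is never added to the bridge, and whether that aborts the script or is silently skipped depends on a `set -e` that is outside this hunk. Poll for the interface with a bounded retry instead, so a slow start waits a little longer and a missing interface is reported rather than ignored. The name-length check also counts echo's trailing newline, so a valid 15-character name already trips the warning; `if [ "${#INTERFACE}" -gt 15 ]` measures the name itself. `${CONFIG}/${NAME}.conf` is still unquoted in the awk call.
```shell
# … unchanged: NETWORK_BRIDGES parsing, case/for loop header, name-length check …
			if [ -n "${BRIDGE}" ] && [ -n "${INTERFACE}" ]
			then
				# systemd-nspawn creates the host side of the veth asynchronously;
				# poll for it with a bound instead of sleeping a fixed second up front
				TRIES=0
				while ! ip link show "${INTERFACE}" > /dev/null 2>&1
				do
					TRIES=$((TRIES + 1))
					if [ "${TRIES}" -ge 10 ]
					then
						break
					fi
					sleep 1
				done

				if ip link show "${INTERFACE}" > /dev/null 2>&1
				then
					ip link set "${INTERFACE}" up
					ovs-vsctl --may-exist add-port "${BRIDGE}" "${INTERFACE}"
				else
					echo "'${INTERFACE}': interface did not appear, not attaching it to '${BRIDGE}'." >&2
				fi
			else
# … unchanged: "not recognized" warning, loop and case end …
```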
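Review bot: The `ovs-vsctl --if-exist del-port` loop runs before `machinectl ${MODE} ${NAME}`, so when machinectl fails, or `${MODE}` is one that does not actually stop the machine, the container keeps running with its veth already detached from the bridge; whether the script stops on that failure is not visible in the hunk. Move the five-line loop below the machinectl call, or run it only once the machine is confirmed gone. The documented spelling of the flag is `--if-exists`; `--if-exist` presumably only works as a getopt_long abbreviation, so prefer the full name. Note also that start attaches the interfaces listed in `cnt.network-bridge=` while stop detaches the host side of every `network-veth-extra=` entry; if those two lists ever differ, stale port records remain in the OVS database.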
@@ -53,128 +53,108 @@ sysctl -p
 3.2.1 Bridge: 1 Interface, standalone, DHCP
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-cat > /etc/network/interfaces << EOF
-# /etc/network/interfaces
+cat > /etc/systemd/network/eno1.network << EOF
+[Match]
+Name=eno1
-source /etc/network/interfaces.d/*
-
-auto lo
-iface lo inet loopback
+[Network]
+BindCarrier=bridge0
+LinkLocalAddressing=no
+EOF
-iface eno1 inet manual
+cat > /etc/systemd/network/bridge0.network << EOF
+[Match]
+Name=bridge0
-auto bridge0
-iface bridge0 inet dhcp
- bridge_ports eno1
- bridge_fd 0
- bridge_maxwait 0
- bridge_stp 0
+[Network]
+DHCP=ipv4
 EOF
+ovs-vsctl add-br bridge0
+ovs-vsctl add-port bridge0 eno1
+
 3.2.2 Bridge: 1 Interface, standalone, static
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-cat > /etc/network/interfaces << EOF
-# /etc/network/interfaces
-
-source /etc/network/interfaces.d/*
-
-auto lo
-iface lo inet loopback
-
-iface eno1 inet manual
+cat > /etc/systemd/network/eno1.network << EOF
+[Match]
+Name=eno1
-auto bridge0
-iface bridge0 inet static
- address 10.0.0.2
- gateway 10.0.0.1
- netmask 24
-
- pre-up ip link set eno1 down
- pre-up ip link set eno1 up
-
- bridge_ports eno1
- bridge_fd 0
- bridge_maxwait 0
- bridge_stp 0
+[Network]
+BindCarrier=bridge0
+LinkLocalAddressing=no
 EOF
+cat > /etc/systemd/network/bridge0.network << EOF
+[Match]
+Name=bridge0
-3.2.3 Bridge: 2 logical Interfaces, subnet, static
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-cat > /etc/network/interfaces << EOF
-# /etc/network/interfaces
-
-source /etc/network/interfaces.d/*
-
-auto lo
-iface lo inet loopback
-
-allow-hotplug eno1
-iface eno1 inet dhcp
-
-auto bridge0
-iface bridge0 inet static
- address 10.0.0.1
- netmask 24
-
- pre-up ip link add name bridge0 type bridge
- post-down ip link delete bridge0 type bridge
-
- bridge_fd 0
- bridge_maxwait 0
- bridge_stp 0
+[Network]
+DHCP=no
+Address=10.0.0.2/24
+Gateway=10.0.0.1
 EOF
+ovs-vsctl add-br bridge0
+ovs-vsctl add-port bridge0 eno1
-3.2.4 Bridge: 3 physical Interfaces, vlan, bonding, static
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-cat > /etc/network/interfaces << EOF
-# /etc/network/interfaces
-
-source /etc/network/interfaces.d/*
+3.2.3 Bridge: 3 physical Interfaces, vlan, bonding, static
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-auto lo
-iface lo inet loopback
+cat > /etc/systemd/network/eno1.network << EOF
+[Match]
+Name=eno1
-allow-hotplug eno1
-iface eno1 inet dhcp
+[Network]
+DHCP=ipv4
+EOF
-iface eno2 inet manual
+cat > /etc/systemd/network/eno2.network << EOF
+[Match]
+Name=eno2
-iface eno3 inet manual
+[Network]
+BindCarrier=bridge0
+LinkLocalAddressing=no
+EOF
-auto bond0
-iface bond0 inet manual
- up ip link set bond0 up
- down ip link set bond0 down
+cat > /etc/systemd/network/eno3.network << EOF
+[Match]
+Name=eno3
- slaves eno2 eno3
+[Network]
+BindCarrier=bridge0
+LinkLocalAddressing=no
+EOF
- bond-mode 4
- bond-miimon 100
- bond-downdelay 200
- bond-updelay 200
- bond-lacp-rate 1
- bond-xmit-hash-policy layer2+3
+cat > /etc/systemd/network/bridge0.network << EOF
+[Match]
+Name=bridge0
-iface bond0.100 inet manual
- vlan-raw-device bond0
+[Network]
+LinkLocalAddressing=no
+EOF
-auto bridge-100
-iface bridge-100 inet static
- address 10.100.0.2
- netmask 24
+cat > /etc/systemd/network/bridge-100.network << EOF
+[Match]
+Name=bridge-100
- bridge_ports bond0.100
- bridge_fd 0
- bridge_maxwait 0
- bridge_stp 0
+[Network]
+Address=10.100.0.2/24
 EOF
+ovs-vsctl add-br bridge0
+ovs-vsctl add-bond bridge0 bond0 eno2 eno3 \
+ bond_mode=balance-tcp \
+ lacp=active \
+ other_config:lacp-time=fast \
+ other_config:bond-detect-mode=miimon \
+ other_config:bond-miimon-interval=100 \
+ other_config:bond_updelay=200
+ trunks=100 \
+ovs-vsctl add-br bridge-100 bridge0 100
 4. Enabling user namespace for unprivileged containers
 ------------------------------------------------------
-- 
cgit v1.2.3