-
Notifications
You must be signed in to change notification settings - Fork 195
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for VETH interfaces #368
Conversation
d5c4a39
to
b2d5483
Compare
Schema wise, I like the proposal from the PR description. I think it makes sense to introduce a new interface type for @vorlonofportland What's your stance on this? network:
veths:
IFACE1:
peer: IFACE2
...
IFACE2:
peer: IFACE1
... The implementation details are a bit tricky on this one, due to the cross-linking of interfaces and the declarative vs imperative architectural differences with NetworkManager. I think it's an elegant solution to make the validation a bit less strict for the NM backed in order to support this. Will do a full review soon. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, this is looking very good implementation wise!
I added a few inline remarks, but no major changes required, IMO.
+1 (but let's block merging util we have the new YAML schema approved)
doc/netplan-yaml.md
Outdated
|
||
Virtual Ethernets acts as tunnels forwarding traffic from one interface to the other. | ||
They can be used to connect two separate virtual networks such as network namespaces and | ||
bridges. It's not possible to move `veths` to different namespaces through Netplan at the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thought (non-blocking): We could mention using hooks as described in https://netplan.io/faq#use-pre-up-post-up-etc-hook-scripts as a workaround for moving it into a namepsace.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hm I don't know how the backends would react after moving the interface to another namespace... we might want to investigate it before adding to the documentation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK.
What if they were just called |
Regarding the name, One argument against generalizing |
I'd also be fine with
Exactly. This is a problem Danilo and I discussed previously. So I'd suggest going with |
4f33530
to
9a684bc
Compare
Yes, +1 from me for |
The new function validate_veth_pair is intended to be used by the backend code to do the final validation as we might have missed something during parsing
When generating configuration for veth, only one .netdev file should be created for the pair. The logic used to select which netdef will be used to generate the file is simple: we sort the pair names and use the first one. If the veth's pair wasn't defined in the YAML file we don't hard fail, just skip it.
9a684bc
to
c313812
Compare
I replaced The
|
+1 Thanks for the renaming. I've adopted the PR description accordingly for LGTM. |
Design: Netplan support for VETH
Rationale
Veths are Virtual Ethernet interfaces that are commonly used to
connect bridges or network namespaces. They act like a link between
two networks, simply bypassing traffic from one veth peer to the other.
Veths work in peers, meaning that users will always create two of them.
This implementation allows users to create peers of veths, configure them with
IPs, routes and etc, change their MAC addresses and use them as member
interfaces for bridges and bonds for example. It doesn't support adding veths
to different network namespaces, although it could be done by an external tool.
Changes in the schema
As both peers are configurable with IPs and etc, they must be defined in
separate stanzas.
A new type of network called
virtual-ethernets
was created and one extra key calledpeer
was introduced.Even though
veth
only work in pairs, it's not mandatory to define the peerstanza (the
peer
key is mandatory) when using NetworkManager as renderer. Thepeer
interface is not requiredbecause Network Manager requires the creation of two connections, one for each
peer. As our keyfile parser maps a keyfile to a YAML file (a 1:1 mapping), if
we forced the creation of both peers, we'd had problems with the
Netplan-NetworkManager integration.
systemd-networkd backend
Networkd requires a single
.netdev
file to create both veths.So the configuration above will generate the
.netdev
file below:If further configuration is required, one
.network
file per veth peer must becreated.
As only one
.netdev
is needed, we sort both peer names and use the first one.If the peer stanza is not defined, it will not generate any files.
Network Manager backend
On Network Manager, one keyfile per peer is required. So, creating a
veth
pairrequires 2 connections.
veth-peer1.nmconnection
:veth-peer2.nmconnection
:Netplan Everywhere
One of the implications of these changes is that Network Manager will
create YAML files for
virtual-ethernets
automatically.veth
devices will be seen as unmanaged by Network Manager until the file/var/run/NetworkManager/conf.d/10-globally-managed-devices.conf
iscreated by the generator and Network Manager is restarted. The implication
is that,
veth
pairs created with NM on a system that is not alreadymanaged by NM will not come up online until the user either calls
netplan apply
or restart NM.Keyfile parser
The keyfile parser will create a 1:1 mapping between the keyfile
and the interface in the YAML file it generates. That's the main
reason why it's not mandatory to defined both peers at once.
That approach enable Netplan Everywhere to work out of the box
with
virtual-ethernets
.Alternative solution
with the integration with Network Manager, we used the approach described
above.
We could make it mandatory to define both peers at once. It makes sense
because
virtual-ethernets
only work in pairs.When creating the
veth
interface from the keyfile, a stanza for the peeris also created and linked to the
veth
. That basically means that a keyfilefor a
veth
interface will generate 2 interfaces in the YAML file, theinterface itself and its peer. The same will happen when the second
veth
(the peer) is created in a second API call to Network Manager. In the end,
2 Netplan YAML files will be created. When the generator is called, it will
merge both files, creating the full
veth
configuration.This approach will require some changes in the Network Manager integration with Netplan.
Currently, Network Manager assumes a single netdef is present in the
Netplan state, but now we will have 2 netdefs. Both netdefs must be part of
the same YAML file so, instead of writing the netdef to the file, we will
need to write the entire netplan state (which will contain 2 netdefs).
After some changes to the Network Manager's integration patch,
that's the results:
Adding the first
veth
interface:This will create the file
/etc/netplan/90-NM-d4afd034-9634-4a67-a3ee-0c52154eefa3.yaml
with thefollowing content:
Now, adding the
veth
peer with the following command:This will create the file
/etc/netplan/90-NM-505fc532-a910-4346-8bd8-19e849b696e6.yaml
with thefollowing content:
Network Manager now has both connections:
netplan get
will then produce the following result:Deleting connections
Netplan's
netplan_delete_connection()
will try to remove one of the peersfrom the Netplan's state. As a
veth
peer cannot exist without the other,netplan_delete_connection()
will need to remove both connections whenany one of them is deleted.
The problem with this approach is that, after deleting one of the veths,
both of them will disappear from the YAML files but one connection will be kept
in the Network Manager's state.
So, deleting an interface, would require the deletion of both of them. If
we delete a single interface, Netplan will fail to parse the one that's left.
If we delete both of them from netplan, after running
nmcli con del
, one wouldstill be in the Network Manager's state so it would be out of sync with netplan.
Checklist
make check
successfully.make check-coverage
).