New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Broken network support in systemd networkd+nspawn #404

Closed
LEW21 opened this Issue Jul 4, 2015 · 7 comments

Comments

Projects
None yet
4 participants
@LEW21

LEW21 commented Jul 4, 2015

Nspawn-based containers executed on CoreOS (with systemd-nspawn@.service) currently are unable to access the network. There are 2 reasons:

  1. /usr/lib/systemd/network/50-docker-veth.network has a higher priority than systemd's 80-container-ve.network - which means it's used instead of the systemd's one, and networkd does not try to setup the containers network.
    • This can be easily workarounded by symlinking 80-container-ve.network to /etc/systemd/network/40-container-ve.network, so it's not a big problem (but still probably should get fixed).
  2. systemd-networkd is built without iptables support ("nat" portage flag), which means it's unable to provide IP masquerading support for containers.
    • This is a deal breaker, as manually setting up masquerading is quite hard.
@mischief

This comment has been minimized.

mischief commented Jul 4, 2015

@LEW21 can you give a simple example to reproduce the problem?

@LEW21

This comment has been minimized.

LEW21 commented Jul 4, 2015

cd /var/lib/machines
mkdir archlinux
cd archlinux
wget http://lew21.net/archlinux.tar.xz
tar -xf archlinux.tar.xz

machinectl start archlinux
machinectl login archlinux
#archlinux login: root
#Password: a
ping 8.8.8.8

Without the first part, networkctl reports "degraded" status:

networkctl status -a # on host
# Output contains: State: degraded (configured)

networkctl status -a # on container
# Output contains: State: degraded (configuring)

Without the second part, networkd cries about IP masquerading:

journalctl -u systemd-networkd -b # on host
# Output contains: ve-archlinux: Could not enable IP masquerading: Operation not supported

Additional note: Container's networkd also complains that
host0: Cannot configure IPv4 forwarding for interface host0: Read-only file system
But this is not a problem, on my home Arch host I also get those warnings in containers - and everything works. So this can be ignored.

@mischief

This comment has been minimized.

mischief commented Mar 23, 2016

@LEW21 have you tried to reproduce this since nat flag was enabled?

@LEW21

This comment has been minimized.

LEW21 commented Mar 23, 2016

Flag fixed the 2nd problem, and I'm now constantly using nspawn containers on CoreOS.

However, the 1st problem still exists (and I'm using the symlink workaround).

@mischief

This comment has been minimized.

mischief commented Mar 23, 2016

do you know what (if anything) happens to docker containers launched when you make that symlink?

i'm worried that if it is changed, there will be unintended side effects for other folks.

@LEW21

This comment has been minimized.

LEW21 commented Mar 23, 2016

container-ve.network matches devices named "ve-", and docker calls them "veth" - so they never get matched, and those settings are not applied to them.

Therefore there should be no side effects.

@crawford

This comment has been minimized.

Member

crawford commented Mar 23, 2016

Yeah, let's move Docker to /usr/lib/systemd/network/81-docker-veth.network.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment