I have been messing around for many days now trying to do a clean setup of a bridge br0 for a Linux container managed with systemd-nspawn.
I run a custom kernel (as I need user space set) 3.13.5-1, systemd-git. The container boots fine. This container is a test server and so is aimed at various network services, basically http, ftp, ssh, smtp. This will then be bound to a domain name. Thus I need to "cleanly" separate the container network traffic from my host network traffic. My idea is then to give each one a specific static IP.
First question: is it correct to give two IPs on the same network, or shall I create a sub-network for the container? (I am looking for a simple configuration.)
I loaded the needed iptables modules as they are not loaded at boot.
$ lsmod
iptable_nat
ip_tables
iptable_filter
Now on the host, dhcpcd.service is disabled, iptables is enabled, and here is my netctl profile:
Description='hortensia static ethernet connection'
Interface=enp7s0
Connection=ethernet
IP=static
Address=('192.168.1.87/24')
Gateway='192.168.1.254'
DNS=('212.147.10.180' '212.147.10.162')
Network is OK. Below are some command outputs:
gabx@hortensia ➤➤ ~ % ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 14:da:e9:b5:7a:88 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.87/24 brd 192.168.1.255 scope global enp7s0
valid_lft forever preferred_lft forever
gabx@hortensia ➤➤ ~ % route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default dsldevice.lan 0.0.0.0 UG 202 0 0 enp7s0
192.168.1.0 * 255.255.255.0 U 202 0 0 enp7s0
hortensia.lan localhost.local 255.255.255.255 UGH 202 0 0 lo
gabx@hortensia ➤➤ ~ # iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 90 packets, 18862 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 91 packets, 18210 bytes)
num pkts bytes target prot opt in out source destination
Now things start to get messy when I want to start the bridge netctl profile:
Description="Bridge connection to container"
Interface=br0
Connection=bridge
BindsToInterfaces=(enp7s0)
IP=static
Adress=('192.168.1.94/24')
When I start this profile, it leaves me with a broken network and I cannot browse the web. Below are some command outputs:
gabx@hortensia ➤➤ ~ % ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: enp7s0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
link/ether 14:da:e9:b5:7a:88 brd ff:ff:ff:ff:ff:ff
8: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 14:da:e9:b5:7a:88 brd ff:ff:ff:ff:ff:ff
gabx@hortensia ➤➤ ~ % route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
Why can't I see the br0 and enp7s0 IPs in the $ ip addr command output?
I tried some other profiles, but it didn't change anything. I tried: BindsToInterface0(); adding Gateway and DNS.
Some user told me on the mailing list:
* Populate the iptables FORWARD chain to route traffic from your physical
interface to the bridge and back.
but I am not sure how to do this.
Thank you for some help, as I have already spent days and days on this issue.
Last edited by gabx (2014-02-28 18:26:07)
Hi,
For the bridge to work, the network interface needs to be bound to it. For that to happen/be successful you need to "stop" it (as in netctl stop enp7s0).
The DNS server should be added to the bridge profile in that case. One question: what do you need the iptables modules for? As far as I know a bridge is a network element on OSI layer 2, aka below the IP layer.
A note: use ip route (or short "ip r") instead of the route command, which has, like ifconfig and so on, been deprecated for a looong time.
I do not need any iptables, but as already mentioned, I was told to use it.
Thank you for your hint, I will try to bring down enp7s0 then.
As for the deprecated command, ty. I was reading an old reference: "TCP/IP Administration" in the O'Reilly collection, dated 1998!!
EDIT: I am not sure about what you suggest. Could you please write the netctl profile you would use for bridging? And how do I bring down enp7s0 in a persistent manner?
Last edited by gabx (2014-02-27 16:41:17)
After playing with many netctl profiles in many orders, I found that the bridge profile has to be started first and must not be bound to the Ethernet device.
The two following profiles do the job:
/etc/netctl/bridge-hortensia
Description="Bridge connection to container"
Interface=br0
Connection=bridge
BindsToInterfaces=()
IP=no
SkipNoCarrier=yes
/etc/netctl/static-hortensia
Description='hortensia static ethernet connection'
Interface=enp7s0
Connection=ethernet
After=(bridge-hortensia)
IP=static
Address=('192.168.1.87/24')
Gateway='192.168.1.254'
DNS=('212.147.10.180' '212.147.10.162')
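As an added example (not code from the thread or from netctl), a small linter for netctl profiles that checks the two pairs quoted above: the original bridge profile (which spells "Adress", so a static profile ends up with no Address, and binds enp7s0 while another active profile still puts an IP on it) and the working pair. The profile texts are constructed inline from the posts; the set of known keys is just the keys that appear in this thread.

```python
# Keys used by the netctl profiles quoted in this thread (not netctl's full list)
KNOWN_KEYS = {"Description", "Interface", "Connection", "BindsToInterfaces",
              "IP", "Address", "Gateway", "DNS", "SkipNoCarrier", "After",
              "ForceConnect"}

def parse_profile(text):
    """Parse KEY=value and KEY=(a b) lines into a dict; arrays become lists."""
    prof = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        if val.startswith("(") and val.endswith(")"):
            prof[key] = [v.strip("'\"") for v in val[1:-1].split()]
        else:
            prof[key] = val.strip("'\"")
    return prof

def lint_profiles(profiles):
    """Return findings for a set of profiles given as {name: profile_text}."""
    parsed = {n: parse_profile(t) for n, t in profiles.items()}
    # interface -> profile that puts an IP (static or dhcp) on it
    addressed = {p["Interface"]: n for n, p in parsed.items()
                 if p.get("IP") in ("static", "dhcp")}
    findings = []
    for name, p in parsed.items():
        for key in p:
            if key not in KNOWN_KEYS:
                findings.append(f"{name}: unknown key '{key}' (typo?)")
        if p.get("IP") == "static" and "Address" not in p:
            findings.append(f"{name}: IP=static but no Address")
        if p.get("Connection") == "bridge":
            for port in p.get("BindsToInterfaces", []):
                if port in addressed:  # a bridge port must not carry its own IP
                    findings.append(f"{name}: port {port} also gets an IP "
                                    f"from {addressed[port]}")
    return findings

# Constructed from the profiles quoted in the thread: the failing pair first
BROKEN = {
    "static-hortensia": "Interface=enp7s0\nConnection=ethernet\nIP=static\n"
                        "Address=('192.168.1.87/24')",
    "bridge-hortensia": "Interface=br0\nConnection=bridge\nIP=static\n"
                        "BindsToInterfaces=(enp7s0)\nAdress=('192.168.1.94/24')",
}
FIXED = {  # the pair that worked: bridge first, unbound, no IP of its own
    "bridge-hortensia": "Interface=br0\nConnection=bridge\nIP=no\n"
                        "BindsToInterfaces=()\nSkipNoCarrier=yes",
    "static-hortensia": "Interface=enp7s0\nConnection=ethernet\nIP=static\n"
                        "After=(bridge-hortensia)\nAddress=('192.168.1.87/24')",
}
print(lint_profiles(BROKEN), lint_profiles(FIXED))
```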
Interesting… I have one profile that looks like this:
Description="bridge@enp7s5"
Interface=br0
Connection=bridge
BindsToInterfaces=(enp7s5)
IP=static
Address=('10.0.0.1/24')
SkipNoCarrier=yes
This is a "secondary" interface on my machine, as in, I don't connect to the internet via this NIC.
I seem to have missed your edit yesterday, sorry for the late reply.
I am now trying to give an IP to the container using systemd-networkd.
The network is up in the container, but there is no IP.
gab@dahlia ➤➤ ~ % ip route
default via 192.168.1.254 dev enp7s0
192.168.1.0/24 dev enp7s0 proto kernel scope link src 192.168.1.87
I need to investigate this part now.
When I used a bridge for qemu VMs I had one profile:
ForceConnect=1
Description="LOLnet bridge"
Interface=net0b
Connection=bridge
BindsToInterfaces=(net0)
IP=dhcp
In which case, both the host and guest got an IP from the DHCP server and both were able to access the internet.
Interesting indeed. Only one netctl profile.
Nothing on the systemd-networkd side?