Macvlan bridge in Easy Containers
Yesterday I posted about experiments with a veth bridge:
http://bkhome.org/news/201810/containers-veth-bridge-getting-started.html
...afterward, I realised why there was an error when I tried to use
'veth1' and 'eth1' -- my midi-tower PC has two physical ethernet ports,
eth0 and eth1, so 'eth1' was already claimed -- I had forgotten about
that.
A note on the side: in EasyOS and Quirky, I have disabled udev renaming of interfaces. I am unimpressed with that and prefer to keep the original names, 'eth0', 'wlan0', etc. (at least in the host system; inside containers, though, I am using my own renaming, see below).
A reservation that I have with the veth bridge method is that the
active interface on the host changes from 'eth0' to 'br0', which might
have repercussions in some scripts.
With the macvlan method, I can keep 'eth0' as the active host
interface. My understanding of these bridging techniques is superficial,
I have just scanned through online documentation looking for something
simple that will work in Easy Containers. For macvlan, I found this page
useful:
https://sreeninet.wordpress.com/2016/05/29/macvlan-and-ipvlan/
Then I figured out something a bit different, and surprise, surprise,
it actually worked! The script /usr/local/easy_containers/ec-chroot is
where the action is. When the macvlan-bridge option is chosen, the code
looks something like this. Just the essential parts have been pulled out
of the script:
# Derive a unique interface name from the container name ($EXE): strip anything
# that is not a letter or digit, lower-case it, append "1". ex: seamonkey1
IFcont="$(echo -n "$EXE" | sed -e 's%[^a-zA-Z0-9]%%g' | tr '[A-Z]' '[a-z]')1"
# Prefix used to run a command inside the container's network namespace.
NETNSexe="ip netns exec ${IFcont}ns"
# Find the host's active interface. The veth tests created eth0.5 etc., screen those out.
IFIP="$(getlocalip | grep -v '^lo' | grep '^[a-z0-9]*: ' | tail -n 1)"
IFhost="${IFIP/:*/}" #ex: eth0
# Create the macvlan child of the host interface, in bridge mode.
ip link add ${IFcont} link ${IFhost} type macvlan mode bridge
# Create the network namespace and move the new interface into it;
# from here on the interface is only visible inside that namespace.
ip netns add ${IFcont}ns
ip link set ${IFcont} netns ${IFcont}ns
# Bring the interface up inside the namespace and get a DHCP lease there.
ip netns exec ${IFcont}ns ifconfig ${IFcont} up
ip netns exec ${IFcont}ns dhcpcd -b ${IFcont} #-b background immediately
The $EXE is the name of the container, for example "seamonkey", and I
used that to create a unique network interface name, $IFcont, for use
in the container, for example "seamonkey1" -- there is no law that
interface names have to be the conventional "eth0" etc! (The one rule
the kernel does enforce is length: an interface name can be at most 15
characters, so a long container name would have to be truncated before
the "1" is appended.)
'getlocalip' is a handy utility that I posted about a while back:
I also wanted to generate a unique name for the 'network namespace' in the host, that is ${IFcont}ns, so "seamonkey1ns".
The second-last line brings up the interface in the new network-namespace, and the last line runs dhcpcd to obtain a lease and assign an IP to the interface.
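The same sequence as a stand-alone script, written as an added example for this post (it is not the code from ec-chroot, and the function names ec_ifname, ec_macvlan_up, ec_macvlan_down and the EC_DRYRUN switch are my own inventions). It adds the two checks the excerpt above does not have: the derived interface name is cut to the kernel's 15-character limit, and each step is undone if a later one fails. The host interface is taken from the default route instead of from 'getlocalip', which is an assumption about what "active interface" means.

```sh
#!/bin/sh
# Added example: macvlan-in-bridge-mode setup for a container network namespace.
# Names (ec_ifname, ec_run, ec_host_if, ec_macvlan_up, ec_macvlan_down, EC_DRYRUN)
# are assumptions for this example, not EasyOS identifiers.

# Derive the container interface name: keep only letters and digits, lower-case,
# truncate to 14 characters and append "1" so the result fits the 15-character
# interface-name limit (IFNAMSIZ - 1). ex: seamonkey -> seamonkey1
ec_ifname() {
    _base=$(printf '%s' "$1" | sed -e 's/[^a-zA-Z0-9]//g' | tr '[:upper:]' '[:lower:]')
    [ -n "$_base" ] || { echo "ec_ifname: nothing left of '$1' after sanitising" >&2; return 1; }
    printf '%s1\n' "$(printf '%s' "$_base" | cut -c1-14)"
}

# Run a command, or only print it when EC_DRYRUN=1, so the exact ip/dhcpcd
# sequence can be inspected without root and without touching the host network.
ec_run() {
    if [ "${EC_DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The host's active interface: the one carrying the default route.
ec_host_if() {
    ip -o route show default 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Create <ifcont> as a macvlan child of <ifhost> in bridge mode, move it into
# namespace <ifcont>ns, bring it up there and obtain a lease with dhcpcd.
# Every step that fails removes what the earlier steps created.
ec_macvlan_up() {
    ifhost=$1
    ifcont=$2
    ns="${ifcont}ns"
    [ -n "$ifhost" ] || { echo "ec_macvlan_up: no host interface given" >&2; return 1; }
    if [ ${#ifcont} -gt 15 ]; then
        echo "ec_macvlan_up: '$ifcont' exceeds the 15-character interface name limit" >&2
        return 1
    fi
    ec_run ip link add "$ifcont" link "$ifhost" type macvlan mode bridge || return 1
    ec_run ip netns add "$ns" || { ec_run ip link del "$ifcont"; return 1; }
    ec_run ip link set "$ifcont" netns "$ns" ||
        { ec_run ip netns del "$ns"; ec_run ip link del "$ifcont"; return 1; }
    # From here on the link exists only inside the namespace, so work in there.
    ec_run ip netns exec "$ns" ip link set lo up || return 1
    ec_run ip netns exec "$ns" ip link set "$ifcont" up || return 1
    ec_run ip netns exec "$ns" dhcpcd -b "$ifcont" || return 1
}

# Tear down: release the lease (dhcpcd -k), then delete the namespace, which
# also destroys the macvlan link living inside it.
ec_macvlan_down() {
    ifcont=$1
    ns="${ifcont}ns"
    ec_run ip netns exec "$ns" dhcpcd -k "$ifcont"
    ec_run ip netns del "$ns"
}

# Usage: ec-macvlan.sh up <container-name> | down <container-name>
# e.g.  EC_DRYRUN=1 sh ec-macvlan.sh up seamonkey   (prints the commands)
#       sh ec-macvlan.sh up seamonkey              (as root, does the work)
case "${1:-}" in
    up)   ec_macvlan_up "$(ec_host_if)" "$(ec_ifname "$2")" ;;
    down) ec_macvlan_down "$(ec_ifname "$2")" ;;
esac
```

Two properties of macvlan in bridge mode are worth keeping in mind when using this. The container interface gets its own MAC address and its own lease, so the LAN (and the DHCP server) sees it as a separate host; and the parent interface does not forward frames between a macvlan child and the host's own eth0, so the container cannot reach the host through that path, only other macvlan children and the rest of the LAN. Because the container's traffic leaves via the parent without passing through the host's own network stack, host-side iptables rules on eth0 do not see it either.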
All ready to go... as per the veth example, I did not create a separate network-namespace with 'pflask' -- I tried, but couldn't get it to work. With a separate network-namespace by pflask, then 'dhcpcd' has to be run in the container, or the busybox 'udhcpc' -- but this requires removing some of the security, and I couldn't get it to work anyway (the interface showed up inside the container, and 'udhcpc' ran but was unable to obtain a lease).
So, 'ec-chroot' is running pflask with this prepended:
${NETNSexe} pflask ...
It's working. Now looking into some other improvements to Easy Containers, including the GUI.
Tags: easy