Linux-Networking
無法使用 networkd 將帶有網橋的容器連接到 Internet
我有一台執行 Ubuntu 20.04 LTS 的伺服器,通過一個物理乙太網介面連接到網際網路。我的供應商為我分配了一個靜態主 IP4(我將在這裡使用 AAAA 作為該 IP),所以我的 systemd-networkd 配置文件之前看起來像這樣(禁用 netplan 以直接與 systemd-networkd 一起使用):
# /etc/systemd/network/20-enp7s0.network [Match] Name=enp7s0 [Network] LinkLocalAddressing=ipv6 Address=A.A.A.A/32 Gateway=fe80::1 DNS=X.X.X.1 DNS=X.X.X.2 [Route] Destination=0.0.0.0/0 Gateway=Y.Y.Y.Y GatewayOnlink=true我的提供商向我的伺服器添加了一個額外的 IP 地址,該地址被路由到與主 IP 相同的介面。將第二個 IP 添加到我的介面時,我可以 ping 它。因為我使用的是 systemd-nspawn 容器,所以我正在考慮使用這個額外的 IP 來為我的一個容器提供一個專有的靜態 IP4(將在此處使用 BBBB)。將 DNS 條目直接映射到我的伺服器上的容器會很棒,而伺服器上的所有其他應用程序仍使用主 IP 地址。
所以我開始遵循 Arch wiki 關於systemd-nspawn和systemd -networkd 的良好說明。我配置了一個網橋並將所有地址從物理介面移到它:
/etc/systemd/network/br0.netdev
[NetDev] Name=br0 Kind=bridge MACAddress=xx:xx:xx:xx:xx:xx # same as my phys. interface/etc/systemd/network/20-br0.network
[Match] Name=br0 [Network] LinkLocalAddressing=ipv6 Address=A.A.A.A/32 Gateway=fe80::1 DNS=X.X.X.1 DNS=X.X.X.2 [Route] Destination=0.0.0.0/0 Gateway=Y.Y.Y.Y GatewayOnlink=true/etc/systemd/network/20-enp7s0.network
[Match] Name=enp7s0 [Network] Bridge=br0IP4 轉發已啟用:
$ sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1我使用以下配置啟動我的 nspawn 容器:
/etc/systemd/nspawn/mycontainer.nspawn
[Network] VirtualEthernet=yes Bridge=br0在容器內(Debian 11 Bullseye),我啟用了 systemd-networkd 並使用以下配置進行聯網:
# /etc/systemd/network/80-container-host0.network [Match] Name=host0 [Network] Address=B.B.B.B/32 DNS=X.X.X.1 DNS=X.X.X.2 [Route] Destination=0.0.0.0/0 Gateway=Y.Y.Y.Y GatewayOnlink=true這是此配置的結果。在主機上:
$ ip a 2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000 link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff 3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff inet A.A.A.A/32 scope global br0 valid_lft forever preferred_lft forever 6: vb-mycontainer@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000 link/ether yy:yy:yy:yy:yy:yy brd ff:ff:ff:ff:ff:ff link-netnsid 0 $ networkctl status -a ● 1: lo [...] ● 2: enp7s0 Link File: /usr/lib/systemd/network/99-default.link Network File: /etc/systemd/network/20-enp7s0.network Type: ether State: enslaved (configured) Path: pci-0000:07:00.0 Driver: igb Vendor: Intel Corporation Model: I210 Gigabit Network Connection HW Address: xx:xx:xx:xx:xx:xx MTU: 1500 (min: 68, max: 9216) Queue Length (Tx/Rx): 8/8 Auto negotiation: yes Speed: 1Gbps Duplex: full Port: tp Activation Policy: up Required For Online: yes ● 3: br0 Link File: /usr/lib/systemd/network/99-default.link Network File: /etc/systemd/network/20-br0.network Type: bridge State: routable (configured) Driver: bridge HW Address: xx:xx:xx:xx:xx:xx MTU: 1500 (min: 68, max: 65535) Forward Delay: 15s Hello Time: 2s Max Age: 20s Ageing Time: 5min Priority: 32768 STP: no Multicast IGMP Version: 2 Queue Length (Tx/Rx): 1/1 Address: A.A.A.A Gateway: Y.Y.Y.Y (Juniper Networks) fe80::1 (Juniper Networks) DNS: X.X.X.1 X.X.X.2 Activation Policy: up Required For Online: yes ● 6: vb-mycontainer Link File: /usr/lib/systemd/network/99-default.link Network File: n/a Type: ether State: degraded (unmanaged) Driver: veth HW Address: yy:yy:yy:yy:yy:yy MTU: 1500 (min: 68, max: 65535) Queue Length (Tx/Rx): 1/1 Auto negotiation: no Speed: 10Gbps Duplex: full Port: tp Address: fe80::xxxx:xxxx:xxxx:xxxx Activation Policy: up Required For Online: yes $ ip route default via Y.Y.Y.Y dev br0 proto static onlink在我的容器內:
# ip a 1: lo: [...] 2: host0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether yy:yy:yy:yy:yy:yy brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet B.B.B.B/32 scope global host0 valid_lft forever preferred_lft forever inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link valid_lft forever preferred_lft forever # networkctl status -a ● 1: lo [...] ● 2: host0 Link File: n/a Network File: /etc/systemd/network/80-container-host0.network Type: ether State: routable (configured) HW Address: zz:zz:zz:zz:zz:zz MTU: 1500 (min: 68, max: 65535) QDisc: noqueue IPv6 Address Generation Mode: eui64 Queue Length (Tx/Rx): 1/1 Auto negotiation: no Speed: 10Gbps Duplex: full Port: tp Address: B.B.B.B fe80::xxxx:xxxx:xxxx:xxxx Gateway: Y.Y.Y.Y DNS: X.X.X.1 X.X.X.2 DHCP6 Client DUID: DUID-EN/Vendor:0000ab117511f183668420370000 Feb 17 19:45:26 mycontainer systemd-networkd[25]: host0: Link UP Feb 17 19:45:26 mycontainer systemd-networkd[25]: host0: Gained carrier Feb 17 19:45:27 mycontainer systemd-networkd[25]: host0: Gained IPv6LL # ip route default via Y.Y.Y.Y dev host0 proto static onlink關於所有其他設置,我堅持系統預設設置。但它不起作用,我無法從主機 ping 到客人,也不能從客人 ping 到主機、網際網路或網關,只是得到Destination Host Unreachable。那麼我在這裡想念什麼嗎?我對網路的了解並不深入,並且已經在這方面花費了很多時間,但已經為我可能犯的一些愚蠢的錯誤道歉。歡迎每條線索。謝謝!
編輯:
我查看了鄰居表:
Host: $ ip neighbor Y.Y.Y.Y dev br0 lladdr 84:c1:c1:76:ae:9b REACHABLE <- gateway fe80::f80b:aff:fe80:d92 dev vb-mycontainer FAILED fe80::6c91:a7ff:fe1f:19a2 dev br0 FAILED fe80::1 dev br0 lladdr 84:c1:c1:76:ae:9b router STALE fe80::f80b:aff:fe80:d92 dev br0 lladdr fa:0b:0a:80:0d:92 STALE Guest: $ ip neighbor fe80::7e10:c9ff:fe21:ed87 dev host0 lladdr 7c:10:c9:21:ed:87 router STALE fe80::6c91:a7ff:fe1f:19a2 dev host0 FAILED fe80::1 dev host0 lladdr 84:c1:c1:76:ae:9b router STALEfe80::6c91:a7ff:fe1f:19a2 是主機上虛擬介面 vb-mycontainer 的連結區域設置地址。所以我假設的客人和主人之間似乎存在連接問題?
好的,我自己解決了這個問題。我錯過了將主機上的網橋配置中的 IP 路由添加到我的容器:
# /etc/systemd/network/20-br0.network [Match] Name=br0 [Network] LinkLocalAddressing=ipv6 Address=A.A.A.A/32 Gateway=fe80::1 DNS=X.X.X.1 DNS=X.X.X.2 [Route] Destination=0.0.0.0/0 Gateway=Y.Y.Y.Y GatewayOnlink=true [Route] Destination=B.B.B.B/32在來賓中,網關是主機的主要 IPv4 地址 (AAAA/32):
# /etc/systemd/network/80-container-host0.network [Match] Name=host0 [Network] Address=B.B.B.B/32 DNS=X.X.X.1 DNS=X.X.X.2 [Route] Destination=0.0.0.0/0 Gateway=A.A.A.A GatewayOnlink=true進一步啟用 systemd-resolved 是獲得 DNS 解析所必需的。