
Want to use the `Vlan` feature of `OpenVSwitch` with `LXD/LXC`


I want to use the Vlan feature of OpenVSwitch. This is what I have done so far:

hussain@hussain:~$ lxc list
+----------+---------+------+------+------------+-----------+
|   NAME   |  STATE  | IPV4 | IPV6 |    TYPE    | SNAPSHOTS |
+----------+---------+------+------+------------+-----------+
| trusty-1 | STOPPED |      |      | PERSISTENT | 0         |
+----------+---------+------+------+------------+-----------+
| trusty-2 | STOPPED |      |      | PERSISTENT | 0         |
+----------+---------+------+------+------------+-----------+
| trusty-3 | STOPPED |      |      | PERSISTENT | 0         |
+----------+---------+------+------+------------+-----------+

and this:

hussain@hussain:~$ sudo ovs-vsctl show
a8498c25-8432-4174-9869-6eae38044cfe
    Bridge "br0"
        Controller ptcp
        Port "vport1"
            Interface "vport1"
        Port "enp1s0"
            Interface "enp1s0"
        Port "br0"
            Interface "br0"
                type: internal
    ovs_version: "2.5.0"

In the trusty-1 container I have this:

root@trusty-1:~# cat /etc/network/interfaces.d/eth0.cfg 
#auto eth0
#iface eth0 inet static
#     address 172.16.3.250
#     netmask 255.255.254.0
#     gateway 172.16.2.1


auto eth0
iface eth0 inet static
        address 172.16.3.250
        network 172.16.0.0
        netmask 255.255.254.0
        gateway 172.16.2.1
        dns-nameservers 172.16.3.199 8.8.8.8
        dns-search google.com
        bridge_ports vport1
        bridge_stp off
        bridge_fd 0
        bridge_maxwait 0

What I want is for the trusty-1 container to use the vport1 bridge port, so that I can tag it and manipulate it for later use cases, but what happens instead is this:

hussain@hussain:~$ sudo ovs-vsctl show
a8498c25-8432-4174-9869-6eae38044cfe
    Bridge "br0"
        Controller ptcp
        Port "vport1"
            Interface "vport1"
        Port vethHBNLTA
            Interface vethHBNLTA
        Port "enp1s0"
            Interface "enp1s0"
        Port "br0"
            Interface "br0"
                type: internal
    ovs_version: "2.5.0"

Every time I bring up trusty-1, a temporary port (vethHBNLTA in this case) gets created.

How can I make sure that the container trusty-1 always uses vport1?

Thank you.

P.S.: So a God-sent angel on the LXC IRC told me to run

$ lxc config edit trusty-1

and add

  eth0:
    name: eth0
    nictype: physical
    parent: vport1
    type: nic

under devices:

So I did, but network connectivity went out. I couldn't ping either the host or Google from the container anymore.

So then I changed the container config to this:

devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: vport1
    type: nic

Now I can't even start my container. The error log shows this:

hussain@hussain:~$ lxc info --show-log trusty-1
Name: trusty-1
Architecture: x86_64
Created: 2016/08/10 06:48 UTC
Status: Stopped
Type: persistent
Profiles: default

Log:

            lxc 20160823145623.424 INFO     lxc_start - start.c:lxc_check_inherited:251 - closed inherited fd 3
            lxc 20160823145623.424 INFO     lxc_start - start.c:lxc_check_inherited:251 - closed inherited fd 8
            lxc 20160823145623.426 INFO     lxc_container - lxccontainer.c:do_lxcapi_start:797 - Attempting to set proc title to [lxc monitor] /var/lib/lxd/containers trusty-1
            lxc 20160823145623.427 INFO     lxc_start - start.c:lxc_check_inherited:251 - closed inherited fd 8
            lxc 20160823145623.428 INFO     lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .reject_force_umount  # comment this to allow umount -f;  not recommended.
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for reject_force_umount action 0
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:216 - Setting seccomp rule to reject force umounts

            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for reject_force_umount action 0
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:216 - Setting seccomp rule to reject force umounts

            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .[all].
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .kexec_load errno 1.
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for kexec_load action 327681
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for kexec_load action 327681
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .open_by_handle_at errno 1.
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for open_by_handle_at action 327681
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for open_by_handle_at action 327681
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .init_module errno 1.
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for init_module action 327681
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for init_module action 327681
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .finit_module errno 1.
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for finit_module action 327681
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for finit_module action 327681
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .delete_module errno 1.
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for delete_module action 327681
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for delete_module action 327681
            lxc 20160823145623.428 INFO     lxc_seccomp - seccomp.c:parse_config_v2:456 - Merging in the compat seccomp ctx into the main one
            lxc 20160823145623.428 INFO     lxc_conf - conf.c:run_script_argv:367 - Executing script '/usr/bin/lxd callhook /var/lib/lxd 1 start' for container 'trusty-1', config section 'lxc'
            lxc 20160823145623.429 INFO     lxc_start - start.c:lxc_check_inherited:251 - closed inherited fd 3
            lxc 20160823145623.429 INFO     lxc_start - start.c:lxc_check_inherited:251 - closed inherited fd 8
            lxc 20160823145623.431 INFO     lxc_monitor - monitor.c:lxc_monitor_sock_name:178 - using monitor sock name lxc/d78a9d7e97b4b375//var/lib/lxd/containers
            lxc 20160823145623.451 DEBUG    lxc_start - start.c:setup_signal_fd:289 - sigchild handler set
            lxc 20160823145623.451 DEBUG    lxc_console - console.c:lxc_console_peer_default:469 - no console peer
            lxc 20160823145623.451 INFO     lxc_start - start.c:lxc_init:488 - 'trusty-1' is initialized
            lxc 20160823145623.451 INFO     lxc_confile - confile.c:config_idmap:1500 - read uid map: type u nsid 0 hostid 165536 range 65536
            lxc 20160823145623.451 INFO     lxc_confile - confile.c:config_idmap:1500 - read uid map: type g nsid 0 hostid 165536 range 65536
            lxc 20160823145623.452 DEBUG    lxc_start - start.c:__lxc_start:1326 - Not dropping cap_sys_boot or watching utmp
            lxc 20160823145623.452 INFO     lxc_start - start.c:resolve_clone_flags:1013 - Cloning a new user namespace
            lxc 20160823145623.487 ERROR    lxc_conf - conf.c:instantiate_veth:2595 - failed to attach 'veth1SE4RV' to the bridge 'vport1': Operation not permitted
            lxc 20160823145623.512 ERROR    lxc_conf - conf.c:lxc_create_network:2872 - failed to create netdev
            lxc 20160823145623.512 ERROR    lxc_start - start.c:lxc_spawn:1080 - failed to create the network
            lxc 20160823145623.512 ERROR    lxc_start - start.c:__lxc_start:1353 - failed to spawn 'trusty-1'
            lxc 20160823145623.512 INFO     lxc_conf - conf.c:run_script_argv:367 - Executing script '/usr/share/lxcfs/lxc.reboot.hook' for container 'trusty-1', config section 'lxc'
            lxc 20160823145624.015 INFO     lxc_conf - conf.c:run_script_argv:367 - Executing script '/usr/bin/lxd callhook /var/lib/lxd 1 stop' for container 'trusty-1', config section 'lxc'
            lxc 20160823145624.087 WARN     lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_cgroup failed to receive response
            lxc 20160823145624.087 WARN     lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_cgroup failed to receive response
            lxc 20160823145624.093 INFO     lxc_confile - confile.c:config_idmap:1500 - read uid map: type u nsid 0 hostid 165536 range 65536
            lxc 20160823145624.093 INFO     lxc_confile - confile.c:config_idmap:1500 - read uid map: type g nsid 0 hostid 165536 range 65536
            lxc 20160823145635.567 INFO     lxc_confile - confile.c:config_idmap:1500 - read uid map: type u nsid 0 hostid 165536 range 65536
            lxc 20160823145635.567 INFO     lxc_confile - confile.c:config_idmap:1500 - read uid map: type g nsid 0 hostid 165536 range 65536
            lxc 20160823145635.575 INFO     lxc_confile - confile.c:config_idmap:1500 - read uid map: type u nsid 0 hostid 165536 range 65536
            lxc 20160823145635.575 INFO     lxc_confile - confile.c:config_idmap:1500 - read uid map: type g nsid 0 hostid 165536 range 65536

In the logs there is this line:

Failed to attach 'veth1SE4RV' to the bridge 'vport1': Operation not permitted

Does this have something to do with permissions of some sort?


Solution

    1. Set the vport1 type to internal; by doing so, ovs will create a virtual interface vport1. Please ensure you can see the interface by using ip link show before creating the lxc container.
    2. Set lxc.network.type to phys, so lxc will use the existing interface vport1 created by ovs instead of creating a new interface.
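The two steps of the answer, written out as an added example (not from the post or the answer) using the LXD equivalent of lxc.network.type=phys, which is nictype=physical. It assumes the names from the question (br0, vport1, trusty-1) and a VLAN tag of 10; with the default DRY_RUN=1 it only prints the commands, and running it for real needs root plus OVS and LXD on the host.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumed names: bridge br0,
# OVS port vport1, container trusty-1, VLAN tag 10. DRY_RUN=1 prints commands.
set -eu

BRIDGE="${BRIDGE:-br0}"
PORT="${PORT:-vport1}"
CONTAINER="${CONTAINER:-trusty-1}"
VLAN_TAG="${VLAN_TAG:-10}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: make vport1 an OVS *internal* interface carrying an access VLAN tag.
# OVS only creates a kernel netdev for internal interfaces; a plain port entry
# with no type=internal has no netdev for the container to take over.
ovs_internal_port() {
    run ovs-vsctl --may-exist add-port "$BRIDGE" "$PORT" tag="$VLAN_TAG" \
        -- set interface "$PORT" type=internal
}

# The answer's check: the netdev must be visible before the container starts.
port_exists() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ip link show %s\n' "$PORT"
        return 0
    fi
    ip link show "$PORT" >/dev/null 2>&1
}

# Step 2: hand the existing netdev to the container with nictype=physical.
# nictype=bridged would instead try to enslave a fresh veth to vport1 as if it
# were a Linux bridge, which is the "failed to attach ... Operation not
# permitted" line in the question's log.
lxd_physical_nic() {
    run lxc config device add "$CONTAINER" eth0 nic \
        nictype=physical parent="$PORT" name=eth0
}

main() {
    ovs_internal_port
    port_exists || { echo "$PORT not visible, not starting $CONTAINER" >&2; return 1; }
    lxd_physical_nic
    run lxc start "$CONTAINER"
}

main
```

Because the interface moves into the container's network namespace, it disappears from the host's ip link output while trusty-1 runs; the VLAN tag stays on the OVS Port record and can be changed with ovs-vsctl set port vport1 tag=N without touching the container config.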