Compare commits
No commits in common. "main" and "gh-pages" have entirely different histories.
62 changed files with 1468 additions and 1060 deletions
|
|
@ -1,37 +0,0 @@
|
|||
name: Deploy pages
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
deploy:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version: "1.22.x"
|
||||
- uses: https://code.icb4dc0.de/prskr/setup-hugo@main
|
||||
with:
|
||||
dart-sass: true
|
||||
extended: true
|
||||
- uses: actions/cache@v4
|
||||
with:
|
||||
path: /home/runner/.cache/hugo_cache
|
||||
key: ${{ runner.os }}-hugomod-${{ hashFiles('**/go.sum') }}
|
||||
restore-keys: |
|
||||
${{ runner.os }}-hugomod-
|
||||
- name: Build
|
||||
run: |
|
||||
hugo mod get
|
||||
hugo --minify --environment production
|
||||
|
||||
- name: Copy files to the s3 website content bucket
|
||||
run: aws s3 sync public s3://${{ secrets.HCLOUD_BUCKET }} --delete
|
||||
env:
|
||||
AWS_ACCESS_KEY_ID: ${{ secrets.HCLOUD_KEY_ID }}
|
||||
AWS_SECRET_ACCESS_KEY: ${{ secrets.HCLOUD_SECRET_KEY }}
|
||||
AWS_DEFAULT_REGION: fsn1
|
||||
AWS_ENDPOINT_URL: ${{ secrets.HCLOUD_ENDPOINT }}
|
||||
21
.gitignore
vendored
21
.gitignore
vendored
|
|
@ -1,21 +0,0 @@
|
|||
# Generated files by hugo
|
||||
/public/
|
||||
/resources/_gen/
|
||||
/assets/jsconfig.json
|
||||
hugo_stats.json
|
||||
|
||||
# Executable may be added to repository
|
||||
hugo.exe
|
||||
hugo.darwin
|
||||
hugo.linux
|
||||
|
||||
# Temporary lock file while building
|
||||
/.hugo_build.lock
|
||||
|
||||
# IntelliJ project files
|
||||
.idea/
|
||||
|
||||
*.o
|
||||
cmake-build-debug
|
||||
out/
|
||||
CMakeLists.txt
|
||||
0
.nojekyll
Normal file
0
.nojekyll
Normal file
5
.vscode/settings.json
vendored
5
.vscode/settings.json
vendored
|
|
@ -1,5 +0,0 @@
|
|||
{
|
||||
"yaml.schemas": {
|
||||
"https://json.schemastore.org/github-workflow.json": "file:///Users/baez/sources/code.icb4dc0.de/prskr/blog/.forgejo/workflows/deploy.yml"
|
||||
}
|
||||
}
|
||||
15
Dockerfile
15
Dockerfile
|
|
@ -1,15 +0,0 @@
|
|||
FROM docker.io/golang:1.19-alpine as builder
|
||||
|
||||
WORKDIR /tmp
|
||||
|
||||
RUN apk add -U --no-cache hugo git
|
||||
|
||||
WORKDIR /src
|
||||
|
||||
COPY . /src/
|
||||
|
||||
RUN hugo --minify --environment production --config config.toml
|
||||
|
||||
FROM code.icb4dc0.de/prskr/ci-images/caddy:latest as final
|
||||
|
||||
COPY --from=builder /src/public /usr/share/caddy
|
||||
11
about/index.html
Normal file
11
about/index.html
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
<!doctype html><html lang=en-us data-theme><head><meta charset=utf-8><meta name=HandheldFriendly content="True"><meta name=viewport content="width=device-width,initial-scale=1"><meta name=referrer content="no-referrer-when-downgrade"><title>About me - 1533B4dC0.de</title><meta name=description content="My name’s Peter. I’m a passionate software developer especially interested in all kind of networking stuff but also asynchronous data processing, software architecture, testing and automatic software quality analysis and many more.
|
||||
I’m the author of InetMock and Goveal (more on projects) but I’m also trying to contribute to other open source projects."><link rel=icon type=image/x-icon href=https://www.1533b4dc0.de/favicon.ico><link rel=apple-touch-icon-precomposed href=https://www.1533b4dc0.de/favicon.png><style>body{visibility:hidden;opacity:0}</style><noscript><style>body{visibility:visible;opacity:1}</style></noscript><link rel=stylesheet href=https://www.1533b4dc0.de/css/style.min.e4dd69a921886f06d1a0e2bf835aa4fdced2d03b6f83804e6ae146caac8882bb.css integrity="sha256-5N1pqSGIbwbRoOK/g1qk/c7S0Dtvg4BOauFGyqyIgrs="><script src=https://www.1533b4dc0.de/js/script.min.a65afe903825231554d9b55b073eb144da4ccf2d2823b216dcbc6cc656c9de76.js type=text/javascript integrity="sha256-plr+kDglIxVU2bVbBz6xRNpMzy0oI7IW3LxsxlbJ3nY="></script><meta property="og:title" content="About me"><meta property="og:description" content="My name’s Peter. I’m a passionate software developer especially interested in all kind of networking stuff but also asynchronous data processing, software architecture, testing and automatic software quality analysis and many more.
|
||||
I’m the author of InetMock and Goveal (more on projects) but I’m also trying to contribute to other open source projects."><meta property="og:type" content="article"><meta property="og:url" content="https://www.1533b4dc0.de/about/"><meta property="article:section" content><meta name=twitter:card content="summary"><meta name=twitter:title content="About me"><meta name=twitter:description content="My name’s Peter. I’m a passionate software developer especially interested in all kind of networking stuff but also asynchronous data processing, software architecture, testing and automatic software quality analysis and many more.
|
||||
I’m the author of InetMock and Goveal (more on projects) but I’m also trying to contribute to other open source projects."></head><body><a class=skip-main href=#main>Skip to main content</a><div class=container><header class=common-header><div class=header-top><h1 class=site-title><a href=/>1533B4dC0.de</a></h1><ul class=social-icons><li><a href=https://github.com/baez90 title=Github rel=me><span class=inline-svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><path fill="currentcolor" d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6.0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6.0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3.0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1.0-6.2-.3-40.4-.3-61.4.0.0-70 15-84.7-29.8.0.0-11.4-29.1-27.8-36.6.0.0-22.9-15.7 1.6-15.4.0.0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5.0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9.0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4.0 33.7-.3 75.4-.3 83.6.0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6.0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9.0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg></span></a></li><li><a href=https://www.linkedin.com/in/peter-s-kurfer title=Linkedin rel=me><span class=inline-svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path fill="currentcolor" d="M416 32H31.9C14.3 32 0 46.5.0 64.3v383.4C0 465.5 14.3 480 31.9 480H416c17.6.0 32-14.5 32-32.3V64.3c0-17.8-14.4-32.3-32-32.3zM135.4 416H69V202.2h66.5V416zm-33.2-243c-21.3.0-38.5-17.3-38.5-38.5S80.9 96 102.2 96c21.2.0 38.5 17.3 38.5 38.5.0 21.3-17.2 38.5-38.5 38.5zm282.1 243h-66.4V312c0-24.8-.5-56.7-34.5-56.7-34.6.0-39.9 27-39.9 54.9V416h-66.4V202.2h63.7v29.2h.9c8.9-16.8 30.6-34.5 62.9-34.5 67.2.0 79.7 44.3 79.7 101.9V416z"/></svg></span></a></li><li><a href=https://www.xing.com/profile/Sebastian_Kurfer title=Xing rel=me><span class=inline-svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512"><path fill="currentcolor" d="M162.7 210c-1.8 3.3-25.2 44.4-70.1 123.5-4.9 8.3-10.8 12.5-17.7 12.5H9.8c-7.7.0-12.1-7.5-8.5-14.4l69-121.3c.2.0.2-.1.0-.3l-43.9-75.6c-4.3-7.8.3-14.1 8.5-14.1H1e2c7.3.0 13.3 4.1 18 12.2l44.7 77.5zM382.6 46.1l-144 253v.3L330.2 466c3.9 7.1.2 14.1-8.5 14.1h-65.2c-7.6.0-13.6-4-18-12.2l-92.4-168.5c3.3-5.8 51.5-90.8 144.8-255.2 4.6-8.1 10.4-12.2 17.5-12.2h65.7c8 0 12.3 6.7 8.5 14.1z"/></svg></span></a></li><li><a href=https://www.1533b4dc0.de/index.xml title=RSS rel=me><span class=inline-svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path fill="currentcolor" d="M128.081 415.959c0 35.369-28.672 64.041-64.041 64.041S0 451.328.0 415.959s28.672-64.041 64.041-64.041 64.04 28.673 64.04 64.041zm175.66 47.25c-8.354-154.6-132.185-278.587-286.95-286.95C7.656 175.765.0 183.105.0 192.253v48.069c0 8.415 6.49 15.472 14.887 16.018 111.832 7.284 201.473 96.702 208.772 208.772.547 8.397 7.604 14.887 16.018 14.887h48.069c9.149.001 16.489-7.655 15.995-16.79zm144.249.288C439.596 229.677 251.465 40.445 16.503 32.01 7.473 31.686.0 38.981.0 48.016v48.068c0 8.625 6.835 15.645 15.453 15.999 191.179 7.839 344.627 161.316 352.465 352.465.353 8.618 7.373 15.453 15.999 15.453h48.068c9.034-.001 16.329-7.474 16.005-16.504z"/></svg></span></a></li></ul></div><nav><a href=https://www.1533b4dc0.de/about/ title>About</a>
|
||||
<a href=https://www.1533b4dc0.de/projects/ title>Projects</a>
|
||||
<a href=https://www.1533b4dc0.de/tags/ title>Tags</a>
|
||||
<a href=https://www.1533b4dc0.de/posts/ title>Archive</a></nav></header><main id=main tabindex=-1><article class="post h-entry"><div class=post-header><header><h1 class="p-name post-title">About me</h1></header></div><div class="content e-content"><p>My name’s Peter. I’m a passionate software developer especially interested in all kind of networking stuff but also asynchronous data processing, software architecture, testing and automatic software quality analysis and many more.</p><p>I’m the author of <a href=https://gitlab.com/inetmock/inetmock>InetMock</a> and <a href=https://github.com/baez90/goveal>Goveal</a> (more on <a href=/projects>projects</a>) but I’m also trying to contribute to other open source projects.</p></div><div class=post-info><a class="post-hidden-url u-url" href=https://www.1533b4dc0.de/about/>https://www.1533b4dc0.de/about/</a>
|
||||
<a href=https://www.1533b4dc0.de/ class="p-name p-author post-hidden-author h-card" rel=me>Peter Kurfer</a><div class=post-taxonomies></div></div></article></main><footer class=common-footer><div class=common-footer-bottom><div class=copyright><p>© Peter Kurfer, 2022<br>Powered by <a target=_blank rel="noopener noreferrer" href=https://gohugo.io/>Hugo</a>, theme <a target=_blank rel="noopener noreferrer" href=https://github.com/mitrichius/hugo-theme-anubis>Anubis</a>.<br><script src=https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js></script>
|
||||
<script>mermaid.initialize({startOnLoad:!0,securityLevel:"loose"})</script></p></div><button class=theme-switcher>
|
||||
Dark theme</button>
|
||||
<script>const STORAGE_KEY="user-color-scheme",defaultTheme="auto";let currentTheme,switchButton,autoDefinedScheme=window.matchMedia("(prefers-color-scheme: dark)");const autoChangeScheme=e=>{currentTheme=e.matches?"dark":"light",document.documentElement.setAttribute("data-theme",currentTheme),changeButtonText()};document.addEventListener("DOMContentLoaded",function(){switchButton=document.querySelector(".theme-switcher"),currentTheme=detectCurrentScheme(),currentTheme=="dark"&&document.documentElement.setAttribute("data-theme","dark"),currentTheme=="auto"&&(autoChangeScheme(autoDefinedScheme),autoDefinedScheme.addListener(autoChangeScheme)),switchButton&&(changeButtonText(),switchButton.addEventListener("click",switchTheme,!1)),showContent()});function detectCurrentScheme(){return localStorage.getItem(STORAGE_KEY)?localStorage.getItem(STORAGE_KEY):defaultTheme?defaultTheme:window.matchMedia?window.matchMedia("(prefers-color-scheme: dark)").matches?"dark":"light":"light"}function changeButtonText(e){e&&(e.textContent=currentTheme=="dark"?"Light theme":"Dark theme")}function switchTheme(){currentTheme=="dark"?(localStorage.setItem(STORAGE_KEY,"light"),document.documentElement.setAttribute("data-theme","light"),currentTheme="light"):(localStorage.setItem(STORAGE_KEY,"dark"),document.documentElement.setAttribute("data-theme","dark"),currentTheme="dark"),changeButtonText()}function showContent(){document.body.style.visibility="visible",document.body.style.opacity=1}</script></div><p class="h-card vcard"><a href=https://www.1533b4dc0.de/ class="p-name u-url url fn" rel=me>Peter Kurfer</a></p></footer></div></body></html>
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
title: "{{ replace .Name "-" " " | title }}"
|
||||
date: {{ .Date }}
|
||||
draft: true
|
||||
---
|
||||
|
||||
1
articles/index.html
Normal file
1
articles/index.html
Normal file
|
|
@ -0,0 +1 @@
|
|||
<!doctype html><html lang=en-us><head><title>https://www.1533b4dc0.de/post/</title><link rel=canonical href=https://www.1533b4dc0.de/post/><meta name=robots content="noindex"><meta charset=utf-8><meta http-equiv=refresh content="0; url=https://www.1533b4dc0.de/post/"></head></html>
|
||||
1
blog/index.html
Normal file
1
blog/index.html
Normal file
|
|
@ -0,0 +1 @@
|
|||
<!doctype html><html lang=en-us><head><title>https://www.1533b4dc0.de/post/</title><link rel=canonical href=https://www.1533b4dc0.de/post/><meta name=robots content="noindex"><meta charset=utf-8><meta http-equiv=refresh content="0; url=https://www.1533b4dc0.de/post/"></head></html>
|
||||
7
categories/index.html
Normal file
7
categories/index.html
Normal file
File diff suppressed because one or more lines are too long
1
categories/index.xml
Normal file
1
categories/index.xml
Normal file
|
|
@ -0,0 +1 @@
|
|||
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Categories on 1533B4dC0.de</title><link>https://www.1533b4dc0.de/categories/</link><description>1533B4dC0.de (Categories)</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><atom:link href="https://www.1533b4dc0.de/categories/index.xml" rel="self" type="application/rss+xml"/></channel></rss>
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
<network>
|
||||
<name>containers</name>
|
||||
<uuid>929b7b7d-bd82-452d-96b7-12f0cf1a4b17</uuid>
|
||||
<bridge name='conbr0' stp='on' delay='0'/>
|
||||
<mac address='af:af:13:ed:c6:41'/>
|
||||
<ip address='10.10.1.42' netmask='255.255.255.0'>
|
||||
<dhcp>
|
||||
<range start='10.10.1.100' end='10.10.1.150'/>
|
||||
</dhcp>
|
||||
</ip>
|
||||
</network>
|
||||
|
|
@ -1,43 +0,0 @@
|
|||
{
|
||||
"cniVersion": "0.4.0",
|
||||
"name": "libvirt",
|
||||
"plugins": [
|
||||
{
|
||||
"type": "bridge",
|
||||
"bridge": "conbr0",
|
||||
"isGateway": false,
|
||||
"hairpinMode": true,
|
||||
"ipam": {
|
||||
"type": "host-local",
|
||||
"routes": [
|
||||
{
|
||||
"dst": "0.0.0.0/0"
|
||||
}
|
||||
],
|
||||
"ranges": [
|
||||
[
|
||||
{
|
||||
"subnet": "10.10.1.0/24",
|
||||
"rangeStart": "10.10.1.151",
|
||||
"rangeEnd": "10.10.1.160",
|
||||
"gateway": "10.10.1.42"
|
||||
}
|
||||
]
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "portmap",
|
||||
"capabilities": {
|
||||
"portMappings": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "firewall",
|
||||
"backend": ""
|
||||
},
|
||||
{
|
||||
"type": "tuning"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -1,23 +0,0 @@
|
|||
{
|
||||
"name": "libvirt",
|
||||
"id": "0489e6e643b97003c47b27a9ce0a6f6a8dce7d5f08329603e79a0ba48ad5285f",
|
||||
"driver": "bridge",
|
||||
"network_interface": "conbr0",
|
||||
"created": "2022-04-05T09:18:48.198960971+01:00",
|
||||
"subnets": [
|
||||
{
|
||||
"subnet": "10.10.1.0/24",
|
||||
"gateway": "10.10.1.42",
|
||||
"lease_range": {
|
||||
"start_ip": "10.10.1.1",
|
||||
"end_ip": "10.10.1.10"
|
||||
}
|
||||
}
|
||||
],
|
||||
"ipv6_enabled": false,
|
||||
"internal": false,
|
||||
"dns_enabled": false,
|
||||
"ipam_options": {
|
||||
"driver": "host-local"
|
||||
}
|
||||
}
|
||||
67
config.toml
67
config.toml
|
|
@ -1,67 +0,0 @@
|
|||
baseURL = 'https://www.icb4dc0.de/'
|
||||
languageCode = 'en-us'
|
||||
title = 'icb4dc0.de'
|
||||
|
||||
[module]
|
||||
[[module.imports]]
|
||||
path = 'github.com/LordMathis/hugo-theme-nightfall'
|
||||
|
||||
[params]
|
||||
style= "auto"
|
||||
copyCodeButton = true
|
||||
rssAsSocialIcon = true
|
||||
readingTime = true
|
||||
published = true
|
||||
|
||||
[params.author]
|
||||
name = "Peter Kurfer"
|
||||
email = "peter.kurfer@gmail.com"
|
||||
|
||||
[menu]
|
||||
[[menu.header]]
|
||||
name = "blog"
|
||||
weight = 0
|
||||
url = "blog"
|
||||
[[menu.header]]
|
||||
name = "about"
|
||||
weight = 1
|
||||
url = "about"
|
||||
[[menu.header]]
|
||||
name = "projects"
|
||||
weight = 2
|
||||
url = "projects"
|
||||
[[menu.header]]
|
||||
name = "tags"
|
||||
weight = 3
|
||||
url = "tags"
|
||||
|
||||
[[params.social]]
|
||||
name = "forgejob"
|
||||
url = "https://code.icb4dc0.de"
|
||||
icon = "fa-brands fa-git"
|
||||
target = "_blank"
|
||||
aria = "Forgejo Instance"
|
||||
|
||||
[[params.social]]
|
||||
name = "github"
|
||||
url = "https://github.com/prskr"
|
||||
icon = "fa-brands fa-github"
|
||||
target = "_blank"
|
||||
aria = "GitHub Profile"
|
||||
|
||||
[[params.social]]
|
||||
name = "linkedin"
|
||||
url = "https://www.linkedin.com/in/peter-s-kurfer/"
|
||||
icon = "fa-brands fa-linkedin"
|
||||
target = "_blank"
|
||||
aria = "LinkedIn Profile"
|
||||
|
||||
[[params.social]]
|
||||
name = "xing"
|
||||
url = "https://www.xing.com/profile/Sebastian_Kurfer"
|
||||
icon = "fa-brands fa-xing"
|
||||
target = "_blank"
|
||||
aria = "Xing Profile"
|
||||
|
||||
[[deployment.targets]]
|
||||
URL = "s3://1661580-blog?endpoint=fsn1.your-objectstorage.com®ion=fsn1"
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
+++
|
||||
author = "Peter Kurfer"
|
||||
+++
|
||||
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
---
|
||||
title: 'About me'
|
||||
button: 'About me'
|
||||
weight: 1
|
||||
showMetadata: false
|
||||
---
|
||||
|
||||
My name's Peter. I'm a passionate software developer especially interested in all kind of networking stuff but also asynchronous data processing, software architecture, distributed computing, testing and automatic software quality analysis and many more.
|
||||
|
||||
I'm the author of [InetMock](https://gitlab.com/inetmock/inetmock) and [Goveal](https://github.com/baez90/goveal) (more on [projects](/projects)) but I'm also trying to contribute to other open source projects like [testcontainers-go](https://github.com/testcontainers/testcontainers-go)
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 105 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 101 KiB |
|
|
@ -1,110 +0,0 @@
|
|||
+++
|
||||
author = "Peter Kurfer"
|
||||
title = "Libvirt & Podman: follow up for Podman 4.0 and netavark"
|
||||
date = "2022-02-24"
|
||||
description = "Joining libvirt VMs and containers with Podman 4.0's new network stack netavark"
|
||||
tags = [
|
||||
"podman",
|
||||
"libvirt",
|
||||
"netavark"
|
||||
]
|
||||
+++
|
||||
|
||||
This is a follow up post to ["Joining libvirt {{<abbr short="VM" full="Virtual Machine" >}}s and Podman container in a common network"]({{<relref "2022-02-libvirt-podman-network-mesh.md" >}}).
|
||||
Therefore I won't cover all the basics again and how to configure libvirt because nothing's changed on that side.
|
||||
|
||||
## Podman 4.0
|
||||
|
||||
Podman 4.0 comes with a completely new network stack replacing the previous [{{<abbr short="CNI" full="Container Network Interface" >}}](https://www.cni.dev/) stack:
|
||||
|
||||
* [Netavark](https://github.com/containers/netavark)
|
||||
* [Aardvark](https://github.com/containers/aardvark-dns)
|
||||
|
||||
There are [great resources](https://www.redhat.com/sysadmin/podman-new-network-stack) that explain the backgrounds of both tools and I don't think I could describe it better than the folks implementing it :smile: so if you're interested have a look at the aforementioned article or the [release post](https://podman.io/releases/2022/02/22/podman-release-v4.0.0.html).
|
||||
|
||||
## Netavark and libvirt
|
||||
|
||||
After reading the announcement I was most curious if I would be able to configure an equivalent setup for Netavark like I described it with Podman 3.x and CNI.
|
||||
|
||||
__Short answer:__ yes, it is possible! :tada:
|
||||
|
||||
_"But how?!"_ do you ask?
|
||||
Well it's pretty much equivalent to the previous solution: you need to create a new Podman network I once more named it _'libvirt'_.
|
||||
To get an idea how the config should look like and where it should placed.
|
||||
I reused the CLI call from my previous article:
|
||||
|
||||
```bash
|
||||
podman network create \
|
||||
--disable-dns \
|
||||
--internal \
|
||||
--gateway 10.10.2.37 \
|
||||
--ip-range 10.10.2.160/29 \
|
||||
--subnet 10.10.2.0/24 \
|
||||
libvirt
|
||||
```
|
||||
|
||||
The configuration files are now obviously resided in `/etc/containers/networks/` and my (already modified) `libvirt.json` now looks like so:
|
||||
|
||||
```json
|
||||
{
|
||||
"name": "libvirt",
|
||||
"id": "0489e6e643b97003c47b27a9ce0a6f6a8dce7d5f08329603e79a0ba48ad5285f",
|
||||
"driver": "bridge",
|
||||
"network_interface": "conbr0",
|
||||
"created": "2022-04-05T09:18:48.198960971+01:00",
|
||||
"subnets": [
|
||||
{
|
||||
"subnet": "10.10.1.0/24",
|
||||
"gateway": "10.10.1.42",
|
||||
"lease_range": {
|
||||
"start_ip": "10.10.1.1",
|
||||
"end_ip": "10.10.1.10"
|
||||
}
|
||||
}
|
||||
],
|
||||
"ipv6_enabled": false,
|
||||
"internal": false,
|
||||
"dns_enabled": false,
|
||||
"ipam_options": {
|
||||
"driver": "host-local"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
_Side note: I'm really happy they dropped the `.conflist` extension because this way most editors offer really helpful syntax highlighting in the first place!_
|
||||
|
||||
Note that `"internal": false` is mandatory. Otherwise I wasn't able to establish communication between VM and container.
|
||||
I also disabled the Aardvark {{<abbr short="DNS" full="Domain Name System">}} server and IPv6 support because I don't need it and I also don't expect much benefit of it due to the fact that it can't be aware of the VMs present in the network same as `dnsmasq` won't be able to resolve containers in the libvirt network.
|
||||
|
||||
Having this in place I was again able to reuse the CLI command from my previous article:
|
||||
|
||||
```bash
|
||||
podman run \
|
||||
--rm \
|
||||
-d \
|
||||
--name nginx \
|
||||
--network libvirt \
|
||||
--ip 10.10.1.151 \
|
||||
docker.io/nginx:alpine
|
||||
```
|
||||
|
||||
to create a Nginx container that can be reached from a VM.
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
Sometimes the communication between container and VM fails - don't know if I restarted the libvirt network previously or somehow fucked up the container network configuration but a:
|
||||
|
||||
```bash
|
||||
podman network reload <container ID/container name>
|
||||
```
|
||||
|
||||
often resolved the problem.
|
||||
|
||||
## Final thoughts
|
||||
|
||||
I haven't used _Netavark_ and _Aardvark_ a lot, yet.
|
||||
But I already noticed a few **really awesome** things:
|
||||
|
||||
- the `docker-compose` support seems to be a lot better now because containers are actually able to talk to each other by _service name_, something I wasn't able to configure properly in Podman 3.x - at least not rootless.
|
||||
- with _Netavark_ all the Podman configuration is now unified within `/etc/containers` or `$HOME/.config/containers` respectively
|
||||
- the new configuration format is a little bit cleaner the the previous one due to the fact that _Netavark_ does not support plugins and with a `.json` extension editors do help a lot more without requiring extra "configuration"
|
||||
|
|
@ -1,231 +0,0 @@
|
|||
+++
|
||||
author = "Peter Kurfer"
|
||||
title = "Libvirt & Podman: network 'mesh'"
|
||||
date = "2022-02-24"
|
||||
description = "Joining libvirt VMs and Podman container in a common network"
|
||||
tags = [
|
||||
"podman",
|
||||
"libvirt"
|
||||
]
|
||||
+++
|
||||
|
||||
_Disclaimer: I tested all this with Podman 3.x even though Podman 4.0 is already announced but the {{<abbr short="CNI" full="Container Network Interface" >}} driver is still available with Podman 4.0 and as soon as I get my hands on 4.0 I'll give **Netavark** a try, too!_
|
||||
|
||||
When playing around with containers and {{<abbr short="VM" full="Virtual Machine" >}}s one might ask if it's possible to bring VMs and containers into a common network segment.
|
||||
I see 'why the hell would I need a VM anyway when already having containers' or something similar I almost see on your face :stuck_out_tongue_winking_eye:
|
||||
|
||||
Well 1st of all, not everything can be solved with containers.
|
||||
For instance windows applications can be run in Windows containers but I'm not aware of how to run a Windows container on my Linux desktop.
|
||||
|
||||
But also in pure Linux environments there are cases where a VM is probably a better fit for the problem.
|
||||
As you might know I'm a bit of network :nerd: and I love playing around with 'weird' stuff almost no one else does even think about if not forced to.
|
||||
So if you try to implement for example your own DHCP server you might want to isolate your experiments (especially at the beginning) to avoid discussion about "why's Netflix on the TV not working?!" :smile: or also if you try to implement your own 'firewall' with {{<abbr short="DNAT" full="Destination network address translation" >}} support (stay tuned - post's following!).
|
||||
|
||||
## Part 1: Libvirt preparation
|
||||
|
||||
Okay now that I came around with _some_ arguments - if they're convincing or not is not important - how does this work?
|
||||
|
||||
Assuming you've Libvirt and Podman already installed on your system without any modification and you run
|
||||
|
||||
```bash
|
||||
virsh net-list
|
||||
```
|
||||
|
||||
you should have at least the `default` network already.
|
||||
|
||||
The definition of all networks (as of every other component of libvirt) is in XML.
|
||||
`virsh` comes with a `net-dumpxml` command to export the configuration of a network:
|
||||
|
||||
```bash
|
||||
virsh net-dumpxml default
|
||||
```
|
||||
|
||||
The output should look (more or less) like in the following snippet:
|
||||
|
||||
|
||||
```xml
|
||||
<network>
|
||||
<name>default</name>
|
||||
<uuid>8d2028ed-cc9a-4eae-9883-b59b673d560d</uuid>
|
||||
<forward mode='nat'>
|
||||
<nat>
|
||||
<port start='1024' end='65535'/>
|
||||
</nat>
|
||||
</forward>
|
||||
<bridge name='virbr0' stp='on' delay='0'/>
|
||||
<mac address='63:b3:d8:75:53:6b'/>
|
||||
<ip address='192.168.122.1' netmask='255.255.255.0'>
|
||||
<dhcp>
|
||||
<range start='192.168.122.2' end='192.168.122.254'/>
|
||||
</dhcp>
|
||||
</ip>
|
||||
</network>
|
||||
```
|
||||
|
||||
So we've a `<network/>` that is defined by:
|
||||
|
||||
* a `<name/>`
|
||||
* a `<uuid/>`
|
||||
* a _optional_ `<forward/>` node
|
||||
* a `<bridge/>` interface
|
||||
* the `<mac/>` for the bridge interface (of the host)
|
||||
* the `<ip/>` of the host on the bridge interface
|
||||
* an _optional_ `<dhcp/>` range definition
|
||||
|
||||
The complete reference for the XML schema can be found [here](https://libvirt.org/formatnetwork.html).
|
||||
|
||||
Before we have a closer look how to bring Podman containers into a Libvirt network, let's define a new `containers` network.
|
||||
The following snippet contains the definition I'll use:
|
||||
|
||||
```xml
|
||||
<network>
|
||||
<name>containers</name>
|
||||
<uuid>929b7b7d-bd82-452d-96b7-12f0cf1a4b17</uuid>
|
||||
<bridge name='conbr0' stp='on' delay='0'/>
|
||||
<mac address='af:af:13:ed:c6:41'/>
|
||||
<ip address='10.10.1.42' netmask='255.255.255.0'>
|
||||
<dhcp>
|
||||
<range start='10.10.1.100' end='10.10.1.150'/>
|
||||
</dhcp>
|
||||
</ip>
|
||||
</network>
|
||||
```
|
||||
|
||||
It's quite similar except I made a few adoptions:
|
||||
|
||||
* remove the `<forward/>` block
|
||||
* change the `<name/>` and the `<uuid/>` (with the help of `uuidgen`)
|
||||
* change the `name=""` of the `<bridge/>`
|
||||
* change the `address=""` attribute of the `<mac/>` (use any [mac address generator](https://macaddress.io/mac-address-generator))
|
||||
* change the `address=""` attribute of the `<ip/>` and `start=""` and `end=""` of the DHCP range accordingly
|
||||
|
||||
You may use any private network - as far as I can tell it shouldn't matter if you're using a class B, C or D private network as long as you don't have any conflicts with your LAN or any other virtual interfaces of your environment.
|
||||
|
||||
When done safe your network definition as `.xml` file.
|
||||
To import the configuration you can use `virsh net-define` like in the following snippet (assuming the network definition is in `containers.xml`):
|
||||
|
||||
```bash
|
||||
$ virsh net-define containers.xml
|
||||
|
||||
> Network containers defined from containers.xml
|
||||
```
|
||||
|
||||
_Note: this only works because the XML already contains an `<uuid/>`. Otherwise you'd have to use `virsh net-create` and a few more extra steps to make the network actually persistent._
|
||||
|
||||
If you now check with `virsh net-list` you'd be disappointed because there's no network!
|
||||
Checking again with `virsh net-list --all` explains why our `containers` network wasn't in the output previously because it is by default _inactive_.
|
||||
To activate it we've to start it like so:
|
||||
|
||||
```bash
|
||||
$ virsh net-start containers
|
||||
|
||||
> Network containers started
|
||||
```
|
||||
|
||||
If you don't mind the extra adapter and wish to use the network frequently in the future you might consider to autostart it:
|
||||
|
||||
|
||||
```bash
|
||||
$ virsh net-autostart containers
|
||||
|
||||
> Network containers marked as autostarted
|
||||
```
|
||||
|
||||
With our custom Libvirt network in place we're good to go to configure Podman.
|
||||
|
||||
## Part 2: Podman CNI network
|
||||
|
||||
_Note: this only works with **rootfull** Podman because rootless Podman does not use CNI but another network stack._
|
||||
|
||||
A clean Podman installation without any custom network created comes with the default network `podman`.
|
||||
Rootfull Podman network configs are by default stored in `/etc/cni/net.d`.
|
||||
You should find the default network as `87-podman.conflist` in the aforementioned directory.
|
||||
|
||||
Every Podman network is defined as JSON file.
|
||||
We will define our own `libvirt` network to join Podman containers into the previously created Libvirt network.
|
||||
You can either use `podman network create` to create the network (at least more or less) or you can copy for example the default network and make some adjustments.
|
||||
|
||||
To create the new network from the CLI you can use the following command:
|
||||
|
||||
```bash
|
||||
podman network create \
|
||||
--disable-dns \
|
||||
--internal \
|
||||
--gateway 10.10.2.37 \
|
||||
--ip-range 10.10.2.160/29 \
|
||||
--subnet 10.10.2.0/24 \
|
||||
libvirt
|
||||
```
|
||||
|
||||
Note that I used a different IP range as in the Libvirt network! Otherwise Podman will complain that the IP range is already in use at an adapter.
|
||||
You can use this command to create the required file in `/etc/cni/net.d/` but you've to update the `ranges` accordingly before creating a container in the network.
|
||||
|
||||
Because we've to edit the `.conflist` either way copy the default one is also fine.
|
||||
|
||||
The `.conflist` I'm using looks like this:
|
||||
|
||||
```json
|
||||
{
|
||||
"cniVersion": "0.4.0",
|
||||
"name": "libvirt",
|
||||
"plugins": [
|
||||
{
|
||||
"type": "bridge",
|
||||
"bridge": "conbr0",
|
||||
"isGateway": false,
|
||||
"hairpinMode": true,
|
||||
"ipam": {
|
||||
"type": "host-local",
|
||||
"routes": [
|
||||
{
|
||||
"dst": "0.0.0.0/0"
|
||||
}
|
||||
],
|
||||
"ranges": [
|
||||
[
|
||||
{
|
||||
"subnet": "10.10.1.0/24",
|
||||
"rangeStart": "10.10.1.151",
|
||||
"rangeEnd": "10.10.1.160",
|
||||
"gateway": "10.10.1.42"
|
||||
}
|
||||
]
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "portmap",
|
||||
"capabilities": {
|
||||
"portMappings": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "firewall",
|
||||
"backend": ""
|
||||
},
|
||||
{
|
||||
"type": "tuning"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
Interestingly the `rangeStart` and `rangeEnd` are actually IP addresses and not tight to some IP networks but unfortunately there's no equivalent for `podman network create` hence I update both to a range after the DHCP range of the Libvirt network to make sure that no duplicate IPs are assigned.
|
||||
|
||||
I tend to declare the network as `host-local` but this shouldn't be critical.
|
||||
The **most important** part is to update the `bridge` to the same interface like in the Libvirt network definition (in my case `conbr0`).
|
||||
|
||||
After this we're ready to go and you can for instance start a Nginx container in the `libvirt` network and you should be able to reach it from a VM in the Libvirt network:
|
||||
|
||||
```bash
|
||||
podman run \
|
||||
--rm \
|
||||
-d \
|
||||
--name nginx \
|
||||
--network libvirt \
|
||||
--ip 10.10.1.151 \
|
||||
docker.io/nginx:alpine
|
||||
```
|
||||
|
||||
A nice option for `podman run` is `--ip`.
|
||||
You've to choose an IP from the previously configured `range` but you can skip the `podman inspect` or `ip a` to get the container IP and the container will have the IP every time you start it, if you like :wink: and speaking of 'nice' `podman run` options: you do know `--replace`, don't you?
|
||||
|
|
@ -1,155 +0,0 @@
|
|||
+++
|
||||
author = "Peter Kurfer"
|
||||
title = "Build & deploy a Hugo site with Gitea/Forgejo actions"
|
||||
description = "How to host a Hugo site with Cloudflare pages and deploy it automatically with Forgejo actions"
|
||||
date = "2024-04-30"
|
||||
tags = [
|
||||
"hugo",
|
||||
"cloudflare",
|
||||
"CD/CD",
|
||||
"actions"
|
||||
]
|
||||
+++
|
||||
|
||||
I admit it. I like self-hosting.
|
||||
I like the idea of being able to control every aspect of my infrastructure.
|
||||
It was only consequent to also self-host my blog.
|
||||
This article describes my odyssey and why I ended up letting [Cloudflare](https://www.cloudflare.com/) do the hosting.
|
||||
|
||||
In the beginning - there was a repository.
|
||||
As we all know, the repository is the truth.
|
||||
When the time came for deploying the blog, I already had a Kubernetes (K8s) cluster at hand so the obvious choice was to containerize the web page and host it there.
|
||||
I wrote a simple Dockerfile with a multi-stage build, just like this:
|
||||
|
||||
```Dockerfile
|
||||
FROM docker.io/golang:1-alpine as builder
|
||||
|
||||
WORKDIR /tmp
|
||||
|
||||
RUN apk add -U --no-cache hugo git
|
||||
|
||||
WORKDIR /src
|
||||
|
||||
COPY . /src/
|
||||
|
||||
RUN hugo --minify --environment production --config config.toml
|
||||
|
||||
FROM caddy as runtime
|
||||
|
||||
COPY --from=builder /src/public /usr/share/caddy
|
||||
```
|
||||
|
||||
prepared my deployment manifests and setup a CI pipeline (back then with DroneCI) to deploy everything.
|
||||
|
||||
So far so good, the only complicacy was that I now had two 'truths'.
|
||||
One was the repository and the second one was the container registry - let alone that I also had to 💸 the storage for both.
|
||||
Of course, various container registries have cleanup options but being a software engineer, why using something existing when you can build the 11th solution to solve the same problem, right?
|
||||
|
||||
Yes...actually, no!
|
||||
|
||||
In the beginning I just accepted the fact and went on.
|
||||
Every now and then, when the amount of images became costlier, I manually deleted a few until I reached a reasonable count - say...five, I mean in the end there was no reason to keep any old version at all, but you know, I was lazy.
|
||||
At some point I had a similar problem at work with our SPAs and I couldn't help but wonder: is this really the best way?
|
||||
Not only because I'm duplicating the content every time, but also the web server needs patching, every now and then a breaking change in the configuration system happens and so on and so forth.
|
||||
I came across the possibility to serve a S3 bucket (or similar) directly from a [K8s ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/#resource-backend).
|
||||
That sounded awesome!
|
||||
No need to build a container image, no need to waste compute resources, simple copy to S3 bucket and be done with it!
|
||||
|
||||
So I came back to my blog and tried to migrate to this approach.
|
||||
I wasted a few hours of my spare time, only realizing that - apparently - Cloudflare R2 or some CLI or something else is ignoring the content type of my files, leaving me with `application/octet-stream` which is absolutely useless for web pages.
|
||||
It might be different when I would use [MinIO](https://min.io/) or AWS S3 but I didn't want to waste even more resources (and 💵) on hosting a MinIO instance in my cluster.
|
||||
Also, I am already using Hetzner Cloud and didn't feel like distributing my costs around multiple cloud providers, so I started looking for alternative solutions.
|
||||
|
||||
I then stumbled upon [Cloudflare Pages](https://pages.cloudflare.com/).
|
||||
After a 'quick' prototype I was happy and decided to migrate - actually not so quick, I spent a few evenings on migrating my whole DNS setup to [external-dns](https://github.com/kubernetes-sigs/external-dns) and experimented with Cloudflare DNS for DoS protection but that's a topic for another day.
|
||||
|
||||
The only other problem I had was: I also got rid of DroneCI in favor of [Forgejo Actions](https://forgejo.org/docs/latest/user/actions/).
|
||||
I know, if I would use GitHub, there would be perfect integration from Cloudflare to build my Hugo page and deploy it, but we don't want to make things too easy, right?
|
||||
|
||||
But using Forgejo Actions also seemed pretty straight forward:
|
||||
|
||||
```yaml
|
||||
name: Deploy pages
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
deploy:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Setup Hugo
|
||||
uses: peaceiris/actions-hugo@v3
|
||||
- name: Build
|
||||
run: hugo --minify --environment production
|
||||
- name: Deploy
|
||||
uses: cloudflare/wrangler-action@v3
|
||||
with:
|
||||
apiToken: ${{ secrets.CF_PAGES_TOKEN }}
|
||||
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
|
||||
command: pages deploy public --project-name=blog
|
||||
```
|
||||
|
||||
Well, not so fast kiddo!
|
||||
|
||||
At first I noticed, when using [Hugo modules](https://gohugo.io/hugo-modules/) you need to fetch those modules before being able to build anything, alright:
|
||||
|
||||
```yaml
|
||||
// ...
|
||||
- name: Build
|
||||
run: |
|
||||
hugo mod get
|
||||
hugo --minify --environment production
|
||||
// ...
|
||||
```
|
||||
|
||||
then, obviously, I realized, for being able to fetch those modules, you need a Go SDK, there you go (pun intended):
|
||||
|
||||
```yaml
|
||||
// ...
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@v5
|
||||
with:
|
||||
go-version: "1.22.x"
|
||||
- name: Setup Hugo
|
||||
uses: peaceiris/actions-hugo@v3
|
||||
// ...
|
||||
```
|
||||
|
||||
and now we're getting - finally - to the point when things got really annoying...
|
||||
I'm using the [github.com/LordMathis/hugo-theme-nightfall](https://github.com/LordMathis/hugo-theme-nightfall) theme.
|
||||
Although being a very minimalistic theme, it requires [dart-sass](https://gohugo.io/functions/resources/tocss/#dart-sass).
|
||||
Even though this also seem straight forward, especially because there's only [documentation for Github Actions](https://gohugo.io/functions/resources/tocss/#github-pages), with Forgejo Actions it isn't.
|
||||
The key difference between Github Actions and Forgejo Actions is, that Forgejo Actions are running in containers.
|
||||
The officially recommended way to install `dart-sass` in Github Actions is via `snap`, but snap doesn't really work in containers, so I had find another way.
|
||||
When doing some research, you might come across the official [`dart-sass` repository](https://github.com/sass/dart-sass) that mentions another installation method:
|
||||
|
||||
```bash
|
||||
npm install -g sass
|
||||
```
|
||||
|
||||
but:
|
||||
|
||||
> The `--embedded` command-line flag is not available when you install Dart Sass as an npm package.
|
||||
|
||||
(*see [here](https://github.com/sass/dart-sass?tab=readme-ov-file#embedded-dart-sass)*)
|
||||
|
||||
unfortunately, Hugo requires the `--embedded` flag, so also not an option.
|
||||
Eventually I came around this abomination:
|
||||
|
||||
```yaml
|
||||
- name: Install sass
|
||||
run: |
|
||||
export SASS_VERSION=$(curl https://api.github.com/repos/sass/dart-sass/releases | jq -r '. | first |.tag_name | capture("(?<version>[[:digit:]]+\\.[[:digit:]]+\\.[[:digit:]]+)") | .version')
|
||||
curl -L "https://github.com/sass/dart-sass/releases/download/${SASS_VERSION}/dart-sass-${SASS_VERSION}-linux-arm64.tar.gz" | tar xvz -C /opt/
|
||||
ln -s /opt/dart-sass/sass /usr/local/bin/
|
||||
```
|
||||
|
||||
*Don't get confused by the huge capture in the `jq` expression, I'm using this snippet whenever I have to use the version of a package in the filename and this way I don't have to think about, is there a `v` prefix or not, looking at you 'goreleaser' 👀*
|
||||
|
||||
That downloads the latest release of `dart-sass` and makes it available in the `$PATH`.
|
||||
So far I'm not considering the CPU architecture because whenever possible I'm running my CI jobs on ARM machines anyway, but if I find the time, I might try to implement a custom action similar to `peaceiris/actions-hugo@v3` but with `dart-sass` support.
|
||||
|
||||
You can imagine how happy I was realizing the `cloudflare/wrangler-action@v3` step 'just worked' ™.
|
||||
|
|
@ -1,261 +0,0 @@
|
|||
+++
|
||||
author = "Peter Kurfer"
|
||||
title = "RBAC in Supabase with EntraID"
|
||||
description = "How to use EntraID defined roles in Supabase for RLS policies"
|
||||
date = "2024-12-03"
|
||||
tags = [
|
||||
"supabase",
|
||||
"entraid",
|
||||
"RBAC",
|
||||
"RLS"
|
||||
]
|
||||
+++
|
||||
|
||||
[Supabase](https://supabase.com/) is an awesome tool for building (CRUD) applications in no time.
|
||||
For those who are not familiar with Supabase, it is an open-source Firebase alternative with a focus on privacy and security.
|
||||
Compared to other tools, Supabase is focused on the Postgres database and provides a lot of features out of the box, like authentication, authorization, and real-time subscriptions.
|
||||
Also their tech stack appeals to me, as they are using Go, Rust, Elixir and (sadly) Node.js for all their services.[^1]
|
||||
|
||||
When building applications - especially in a business context - there's no way around authentication and authorization.
|
||||
A very common approach to authorization is Role-Based Access Control (RBAC).
|
||||
In RBAC, permissions are assigned to roles, and roles are assigned to users and/or groups.
|
||||
|
||||
In this post, I want to show you how to use roles defined in [EntraID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id) in Supabase for Row-Level Security (RLS) policies.
|
||||
When looking into the [Supabase documentation](https://supabase.com/docs/guides/auth/social-login/auth-azure) you will notice that they mostly focus on how to integrate Azure EntraID and how to implement authentication in your frontend app.
|
||||
When it comes to authorization, they provide [high level documentation](https://supabase.com/docs/guides/database/postgres/row-level-security) on how to use RLS policies in general with Supabase including examples for their helper functions and there's even an [article](https://supabase.com/docs/guides/database/postgres/custom-claims-and-role-based-access-control-rbac) about custom claims and role-based access control (RBAC), but all their documentation assumes that you want to manage roles **within** Supabase instead of using what your external authentication provider gives you for free.
|
||||
|
||||
## Basic setup
|
||||
|
||||
As also described in the Supabase documentation, the first step is to ensure that you have a so called "App Registration" in your Azure subscription.
|
||||
App Registrations are the entity in Azure that define OpenID Connect applications.
|
||||
Also, application roles are **defined** in the App Registration - and **assigened** in the corresponding "Enterprise Application" - why that is, is a topic for another day.
|
||||
Assuming, that you already followed the official docs for the basic authentication for Azure EntraID, you can now directly jump to the "App Roles" section in your App Registration and define your roles:
|
||||
|
||||
|
||||
|
||||
For this example, I defined the roles:
|
||||
|
||||
- `Admin`
|
||||
- `Reader`
|
||||
- `Writer`
|
||||
|
||||
but you can define as many roles as you like.
|
||||
|
||||
Now, as already mentioned, to **assign** roles, you have to head over to the "Enterprise Applications" section in your Azure subscription and assign the roles to the users or groups you want to have them:
|
||||
|
||||
|
||||
|
||||
as you may have noticed, I assigned multiple roles to the same user, which results in the user having multiple roles in the token.
|
||||
|
||||
## Database setup
|
||||
|
||||
Now that we have our roles defined and assigned, we can start with the database setup.
|
||||
Before implementing any policy, we first need some tables to work with.
|
||||
|
||||
To keep the scenario as simple as possible we'll start with two tables: `users` and `todos`:
|
||||
|
||||
```postgresql
|
||||
CREATE SCHEMA IF NOT EXISTS public;
|
||||
|
||||
CREATE TABLE IF NOT EXISTS public.users (
|
||||
"id" UUID PRIMARY KEY NOT NULL
|
||||
);
|
||||
|
||||
CREATE TABLE IF NOT EXISTS public.todos (
|
||||
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
||||
owner UUID NOT NULL DEFAULT (auth.jwt() -> 'user_metadata' -> 'custom_claims' ->> 'tid')::uuid REFERENCES public.users (id),
|
||||
title TEXT NOT NULL,
|
||||
description TEXT,
|
||||
completed BOOLEAN NOT NULL DEFAULT FALSE
|
||||
);
|
||||
|
||||
ALTER TABLE public.todos enable ROW level security;
|
||||
```
|
||||
|
||||
**Note:** normally I'd put the `users` table in a separate schema e.g. `internal` to avoid that it's visible to the users through the API, but for this example we'll keep it simple. Alternatively we could limit the access to the `users` table with RLS policies but again, for the sake of this article we'll skip this part.
|
||||
|
||||
## Implementing RLS policies
|
||||
|
||||
With the tables in place, we can now start with the RLS policies.
|
||||
We want to enforce the following business rules:
|
||||
|
||||
- `Admin` can read and write all todos
|
||||
- `Reader` can read all todos
|
||||
- `Writer` can create new todos and update their own todos
|
||||
|
||||
To be able to implement these rules, we need to be able to access the aforementioned roles from the token.
|
||||
Supabase provides a helper function `auth.jwt()` to access the users JSON Web Token (JWT).
|
||||
The token contains `user_metadata` that encapsulates the data coming from the authentication provider.
|
||||
To play around with the token, you can open the SQL editor in the Supabase dashboard, change the role to some existing user (impersonate) and run the following query:
|
||||
|
||||
```postgresql
|
||||
SELECT auth.jwt()->'user_metadata' AS user_metadata
|
||||
```
|
||||
|
||||
This will return the `user_metadata` object from the token:
|
||||
|
||||
```json
|
||||
{
|
||||
"iss": "https://login.microsoftonline.com/<your EntraID tenant ID>/v2.0",
|
||||
"sub": "<subject>",
|
||||
"email": "<email>",
|
||||
"provider_id": "<provider_id>",
|
||||
"custom_claims": {
|
||||
"tid": "<object id of your user>",
|
||||
"email": "<email>",
|
||||
"roles": ["Reader", "Writer"]
|
||||
},
|
||||
"email_verified": true,
|
||||
"phone_verified": false
|
||||
}
|
||||
```
|
||||
|
||||
You might already see where this is going.
|
||||
We can access the roles by using:
|
||||
|
||||
```postgresql
|
||||
auth.jwt()->'user_metadata'->'custom_claims'->'roles'
|
||||
```
|
||||
|
||||
### Admin
|
||||
|
||||
The `Admin` role should be able to read and write all todos.
|
||||
To implement this, we need a set of policies:
|
||||
|
||||
```postgresql
|
||||
CREATE POLICY "Role Admin can read all todos"
|
||||
ON public.todos
|
||||
FOR SELECT
|
||||
TO authenticated
|
||||
USING ( auth.jwt()->'user_metadata'->'custom_claims'->'roles' ? 'Admin' );
|
||||
```
|
||||
|
||||
There's already a lot going on here, so let's break it down:
|
||||
|
||||
- `CREATE POLICY` is used to create a new policy, the name can be anything you like
|
||||
- every policy is only applicable to a single table, in this case `public.todos`
|
||||
- `FOR SELECT` specifies the operation the policy is applied to, in this case `SELECT`, other options are: `INSERT`, `UPDATE`, `DELETE` or `ALL`
|
||||
- `TO authenticated` specifies the role the policy is applied to, in this case `authenticated` which is the default role for authenticated users in Supabase
|
||||
- `USING` specifies the condition that has to be met for selecting the row, in this case we check if the `Admin` role is present in the token
|
||||
- `WITH CHECK` can be used to enforce additional conditions for `INSERT`, `UPDATE` or `DELETE` operations e.g. to ensure that the user can only create todos for itself
|
||||
|
||||
but we also want the `Admin` role to be able to write (`INSERT`/`UPDATE`/`DELETE`) todos:
|
||||
|
||||
```postgresql
|
||||
-- Admin can create todos - including on behalf of others
|
||||
CREATE POLICY "Role Admin can create todos"
|
||||
ON public.todos
|
||||
FOR INSERT
|
||||
TO authenticated
|
||||
WITH CHECK ( auth.jwt()->'user_metadata'->'custom_claims'->'roles' ? 'Admin' );
|
||||
|
||||
-- Admin can update todos of everyone
|
||||
CREATE POLICY "Role Admin can write all todos"
|
||||
ON public.todos
|
||||
FOR UPDATE
|
||||
TO authenticated
|
||||
USING ( auth.jwt()->'user_metadata'->'custom_claims'->'roles' ? 'Admin' );
|
||||
|
||||
-- Admin can delete todos of everyone
|
||||
CREATE POLICY "Role Admin can delete todos"
|
||||
ON public.todos
|
||||
FOR DELETE
|
||||
TO authenticated
|
||||
USING ( auth.jwt()->'user_metadata'->'custom_claims'->'roles' ? 'Admin' );
|
||||
```
|
||||
|
||||
### Writers
|
||||
|
||||
The `Writer` role can create new todos and update their own todos.
|
||||
As you might have guessed, we will also need more than one policy to implement this:
|
||||
|
||||
```postgresql
|
||||
CREATE POLICY "Role Writer can read its own todos"
|
||||
ON public.todos
|
||||
FOR SELECT
|
||||
TO authenticated
|
||||
USING ( auth.jwt()->'user_metadata'->'custom_claims'->'roles' ? 'Writer' AND (owner = (auth.jwt() -> 'user_metadata' -> 'custom_claims' ->> 'tid')::uuid) );
|
||||
```
|
||||
|
||||
This policy is a bit more complex than the previous one.
|
||||
Not only are we checking the `Writer` role, but we also check if the `owner` of the todo is the same as the `tid` from the token.
|
||||
The `tid` is the user ID from the authentication provider - in this case the object ID of the user in Azure EntraID.
|
||||
|
||||
**Remark**: This is **not** the ID of the user within Supabase! Supabase has its own helper `auth.uid()` to access the user ID but I prefer to use the object ID of the user directly from the token because it avoids one additional layer of indirection. For this reason I also have an independent `users` table in the database where I store the object ID of the user e.g. with a trigger on the `INSERT` of a new user.
|
||||
|
||||
For the `Writer` role to be able to create new todos, we need the following policy:
|
||||
|
||||
```postgresql
|
||||
-- Writer can create todos - owner is set to the tid of the user, if provided it will be checked whether the user is the owner
|
||||
CREATE POLICY "Role Writer can create todos for itself"
|
||||
ON public.todos
|
||||
FOR INSERT
|
||||
TO authenticated
|
||||
WITH CHECK ( auth.jwt()->'user_metadata'->'custom_claims'->'roles' ? 'Writer' AND (owner = (auth.jwt() -> 'user_metadata' -> 'custom_claims' ->> 'tid')::uuid) );
|
||||
|
||||
-- Writer can delete its own todos
|
||||
CREATE POLICY "Role Writer can delete todos for itself"
|
||||
ON public.todos
|
||||
FOR DELETE
|
||||
TO authenticated
|
||||
USING ( auth.jwt()->'user_metadata'->'custom_claims'->'roles' ? 'Writer' AND (owner = (auth.jwt() -> 'user_metadata' -> 'custom_claims' ->> 'tid')::uuid) );
|
||||
```
|
||||
|
||||
### Readers
|
||||
|
||||
The `Reader` role can read all todos:
|
||||
|
||||
```postgresql
|
||||
CREATE POLICY "Role Reader can read all todos"
|
||||
ON public.todos
|
||||
FOR SELECT
|
||||
TO authenticated
|
||||
USING ( auth.jwt()->'user_metadata'->'custom_claims'->'roles' ? 'Reader' );
|
||||
```
|
||||
|
||||
As this is basically the same policy as the `Admin` can read all, we'll not further discuss this policy.
|
||||
|
||||
## Final thoughts
|
||||
|
||||
### RLS
|
||||
|
||||
PostgreSQL has a lot to offer when it comes to RLS policies, so make sure to check out the [official documentation](https://www.postgresql.org/docs/current/sql-createpolicy.html) for more information.
|
||||
|
||||
### EntraID
|
||||
|
||||
In real-world applications I'd recommend to create a `entraid` schema and store some auxiliary functions there similar to the ones provided by Supabase in the `auth` scheme.
|
||||
|
||||
```postgresql
|
||||
CREATE SCHEMA IF NOT EXISTS entraid;
|
||||
|
||||
-- grant usage on the schema to authenticated users
|
||||
GRANT usage ON schema entraid TO authenticated;
|
||||
|
||||
-- helper to return the object ID of the current user
|
||||
CREATE OR REPLACE function "entraid"."uid" () returns uuid
|
||||
SET
|
||||
search_path = '' AS $$
|
||||
BEGIN
|
||||
RETURN (auth.jwt() -> 'user_metadata' -> 'custom_claims' ->> 'tid')::uuid;
|
||||
END;
|
||||
$$ language plpgsql;
|
||||
|
||||
-- grant execution permissions on the function to authenticated users
|
||||
GRANT EXECUTE ON function "entraid"."uid" TO authenticated;
|
||||
|
||||
-- helper to return the roles defined in EntraID of the current user
|
||||
CREATE OR REPLACE function "entraid"."roles" () returns jsonb
|
||||
SET
|
||||
search_path = '' AS $$
|
||||
BEGIN
|
||||
RETURN auth.jwt() -> 'user_metadata' -> 'custom_claims' -> 'roles';
|
||||
END;
|
||||
$$ language plpgsql;
|
||||
|
||||
-- grant execution permissions on the function to authenticated users
|
||||
GRANT EXECUTE ON function "entraid"."roles" TO authenticated;
|
||||
```
|
||||
|
||||
This would also make the policies more readable and maintainable.
|
||||
|
||||
[^1]: I'm not a big fan of Node.js, but there are reasons why it can make sense to open this rabbit hole. It's just a personal preference.
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
+++
|
||||
aliases = ["posts","articles","blog","showcase","docs"]
|
||||
title = "Posts"
|
||||
author = "Peter Kurfer"
|
||||
tags = ["index"]
|
||||
+++
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
---
|
||||
title: 'Projects'
|
||||
button: 'Projects'
|
||||
weight: 2
|
||||
showMetadata: false
|
||||
---
|
||||
|
||||
## INetMock
|
||||
|
||||
[INetMock](https://gitlab.com/inetmock/inetmock) started as an resource/container friendly alternative to [INetSim](https://www.inetsim.org/).
|
||||
While working on a project we tried to reduce analysis complexity coming from 'noise' in the network traffic recorded to a central INetSim cluster we were running.
|
||||
We decided to decentralize the internet simulation, put it into a container image and run directly on every host multiple times in virtual networks.
|
||||
Unfortunately INetSim has a relatively huge memory footprint (~1GB) which alone wouldn't been a showstopper but in combination with a relatively long startup time I felt having something smaller could be beneficial so I started to implement a prototype in Go.
|
||||
|
||||
2 years later INetMock has grown to kind of a full router (supporting DNS and DHCP) with support for faking HTTP/s (direct or proxy requests) requests.
|
||||
Furthermore it is able to record PCAP files for further analysis and it emits events for every handled request.
|
||||
|
||||
It comes with a descriptive configuration language (embedded in a YAML configuration) to setup the behavior of all components and to define health checks/integration tests to validate your configuration.
|
||||
|
||||
Apart from working as a router it can also be used e.g. for integration tests of HTTP APIs, DNS/DoT/DoH clients and most likely other things I haven't even thought about.
|
||||
|
||||
## Goveal
|
||||
|
||||
[Goveal](https://github.com/baez90/goveal) is similar to [reveal-md](https://github.com/webpro/reveal-md) or previously _GitPitch_ but obviously in Go.
|
||||
Originally I used GitPitch but then the author decided to go with a commercial license.
|
||||
The commercial license made sense when I was working at the university but after that it didn't really make sense any more.
|
||||
So I decided to replace it with a small custom CLI rendering the markdown into a static HTML file and serving it as a local web server (basically).
|
||||
|
||||
Later on I refined it more and more.
|
||||
Currently I'm working on a rewrite which adds e.g. 1st class support for [mermaid-js](https://mermaid-js.github.io) diagrams in slides.
|
||||
File diff suppressed because one or more lines are too long
1
docs/index.html
Normal file
1
docs/index.html
Normal file
|
|
@ -0,0 +1 @@
|
|||
<!doctype html><html lang=en-us><head><title>https://www.1533b4dc0.de/post/</title><link rel=canonical href=https://www.1533b4dc0.de/post/><meta name=robots content="noindex"><meta charset=utf-8><meta http-equiv=refresh content="0; url=https://www.1533b4dc0.de/post/"></head></html>
|
||||
|
Before Width: | Height: | Size: 627 B After Width: | Height: | Size: 627 B |
5
go.mod
5
go.mod
|
|
@ -1,5 +0,0 @@
|
|||
module code.icb4dc0.de/prskr/blog
|
||||
|
||||
go 1.22
|
||||
|
||||
require github.com/LordMathis/hugo-theme-nightfall v0.7.1 // indirect
|
||||
2
go.sum
2
go.sum
|
|
@ -1,2 +0,0 @@
|
|||
github.com/LordMathis/hugo-theme-nightfall v0.7.1 h1:n8T4Eg/5ZJLXGWmRHHAZ9DrbIv0yXBATeNo/A3p8EoM=
|
||||
github.com/LordMathis/hugo-theme-nightfall v0.7.1/go.mod h1:0tCPxAeg5+tWhv17517Q8Lti/TPh0KNyON/uferEU30=
|
||||
12
index.html
Normal file
12
index.html
Normal file
File diff suppressed because one or more lines are too long
288
index.xml
Normal file
288
index.xml
Normal file
|
|
@ -0,0 +1,288 @@
|
|||
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>1533B4dC0.de</title><link>https://www.1533b4dc0.de/</link><description>1533B4dC0.de</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Thu, 24 Feb 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://www.1533b4dc0.de/index.xml" rel="self" type="application/rss+xml"/><item><title>About me</title><link>https://www.1533b4dc0.de/about/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.1533b4dc0.de/about/</guid><description><p>My name&rsquo;s Peter. I&rsquo;m a passionate software developer especially interested in all kind of networking stuff but also asynchronous data processing, software architecture, testing and automatic software quality analysis and many more.</p>
|
||||
<p>I&rsquo;m the author of <a href="https://gitlab.com/inetmock/inetmock">InetMock</a> and <a href="https://github.com/baez90/goveal">Goveal</a> (more on <a href="https://www.1533b4dc0.de/projects">projects</a>) but I&rsquo;m also trying to contribute to other open source projects.</p></description></item><item><title>Projects</title><link>https://www.1533b4dc0.de/projects/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://www.1533b4dc0.de/projects/</guid><description><h2 id="inetmock" >INetMock
|
||||
<span>
|
||||
<a href="#inetmock">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p><a href="https://gitlab.com/inetmock/inetmock">INetMock</a> started as an resource/container friendly alternative to <a href="https://www.inetsim.org/">INetSim</a>.
|
||||
While working on a project we tried to reduce analysis complexity coming from &rsquo;noise&rsquo; in the network traffic recorded to a central INetSim cluster we were running.
|
||||
We decided to decentralize the internet simulation, put it into a container image and run directly on every host multiple times in virtual networks.
|
||||
Unfortunately INetSim has a relatively huge memory footprint (~1GB) which alone wouldn&rsquo;t been a showstopper but in combination with a relatively long startup time I felt having something smaller could be beneficial so I started to implement a prototype in Go.</p>
|
||||
<p>2 years later INetMock has grown to kind of a full router (supporting DNS and DHCP) with support for faking HTTP/s (direct or proxy requests) requests.
|
||||
Furthermore it is able to record PCAP files for further analysis and it emits events for every handled request.</p>
|
||||
<p>It comes with a descriptive configuration language (embedded in a YAML configuration) to setup the behavior of all components and to define health checks/integration tests to validate your configuration.</p>
|
||||
<p>Apart from working as a router it can also be used e.g. for integration tests of HTTP APIs, DNS/DoT/DoH clients and most likely other things I haven&rsquo;t even thought about.</p>
|
||||
<h2 id="goveal" >Goveal
|
||||
<span>
|
||||
<a href="#goveal">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p><a href="https://github.com/baez90/goveal">Goveal</a> is similar to <a href="https://github.com/webpro/reveal-md">reveal-md</a> or previously <em>GitPitch</em> but obviously in Go.
|
||||
Originally I used GitPitch but then the author decided to go with a commercial license.
|
||||
The commercial license made sense when I was working at the university but after that it didn&rsquo;t really make sense any more.
|
||||
So I decided to replace it with a small custom CLI rendering the markdown into a static HTML file and serving it as a local web server (basically).</p>
|
||||
<p>Later on I refined it more and more.
|
||||
Currently I&rsquo;m working on a rewrite which adds e.g. 1st class support for <a href="https://mermaid-js.github.io">mermaid-js</a> diagrams in slides.</p></description></item><item><title>Libvirt & Podman: follow up for Podman 4.0 and netavark</title><link>https://www.1533b4dc0.de/post/libvirt-podman-netavark-follow-up/</link><pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.1533b4dc0.de/post/libvirt-podman-netavark-follow-up/</guid><description><p>This is a follow up post to <a href="https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/">&ldquo;Joining libvirt <abbr title="Virtual Machine">VM</abbr>s and Podman container in a common network&rdquo;</a>.
|
||||
Therefore I won&rsquo;t cover all the basics again and how to configure libvirt because nothing&rsquo;s changed on that side.</p>
|
||||
<h2 id="podman-40" >Podman 4.0
|
||||
<span>
|
||||
<a href="#podman-40">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Podman 4.0 comes with a completely new network stack replacing the previous <a href="https://www.cni.dev/"><abbr title="Container Network Interface">CNI</abbr></a> stack:</p>
|
||||
<ul>
|
||||
<li><a href="https://github.com/containers/netavark">Netavark</a></li>
|
||||
<li><a href="https://github.com/containers/aardvark-dns">Aardvark</a></li>
|
||||
</ul>
|
||||
<p>There are <a href="https://www.redhat.com/sysadmin/podman-new-network-stack">great resources</a> that explain the backgrounds of both tools and I don&rsquo;t think I could describe it better than the folks implementing it 😄 so if you&rsquo;re interested have a look at the aforementioned article or the <a href="https://podman.io/releases/2022/02/22/podman-release-v4.0.0.html">release post</a>.</p>
|
||||
<h2 id="netavark-and-libvirt" >Netavark and libvirt
|
||||
<span>
|
||||
<a href="#netavark-and-libvirt">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>After reading the announcement I was most curious if I would be able to configure an equivalent setup for Netavark like I described it with Podman 3.x and CNI.</p>
|
||||
<p><strong>Short answer:</strong> yes, it is possible! 🎉</p>
|
||||
<p><em>&ldquo;But how?!&rdquo;</em> do you ask?
|
||||
Well it&rsquo;s pretty much equivalent to the previous solution: you need to create a new Podman network I once more named it <em>&rsquo;libvirt&rsquo;</em>.
|
||||
To get an idea how the config should look like and where it should placed.
|
||||
I reused the CLI call from my previous article:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network create <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --disable-dns <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --internal <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --gateway 10.10.2.37 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip-range 10.10.2.160/29 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --subnet 10.10.2.0/24 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> libvirt
|
||||
</span></span></code></pre></div><p>The configuration files are now obviously resided in <code>/etc/containers/networks/</code> and my (already modified) <code>libvirt.json</code> now looks like so:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;name&#34;</span>: <span style="color:#e6db74">&#34;libvirt&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;id&#34;</span>: <span style="color:#e6db74">&#34;0489e6e643b97003c47b27a9ce0a6f6a8dce7d5f08329603e79a0ba48ad5285f&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;driver&#34;</span>: <span style="color:#e6db74">&#34;bridge&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;network_interface&#34;</span>: <span style="color:#e6db74">&#34;conbr0&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;created&#34;</span>: <span style="color:#e6db74">&#34;2022-04-05T09:18:48.198960971+01:00&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnets&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnet&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.0/24&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;gateway&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.42&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;lease_range&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;start_ip&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.1&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;end_ip&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.10&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ],
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipv6_enabled&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;internal&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;dns_enabled&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipam_options&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;driver&#34;</span>: <span style="color:#e6db74">&#34;host-local&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span>}
|
||||
</span></span></code></pre></div><p><em>Side note: I&rsquo;m really happy they dropped the <code>.conflist</code> extension because this way most editors offer really helpful syntax highlighting in the first place!</em></p>
|
||||
<p>Note that <code>&quot;internal&quot;: false</code> is mandatory. Otherwise I wasn&rsquo;t able to establish communication between VM and container.
|
||||
I also disabled the Aardvark <abbr title="Domain Name System">DNS</abbr> server and IPv6 support because I don&rsquo;t need it and I also don&rsquo;t expect much benefit of it due to the fact that it can&rsquo;t be aware of the VMs present in the network same as <code>dnsmasq</code> won&rsquo;t be able to resolve containers in the libvirt network.</p>
|
||||
<p>Having this in place I was again able to reuse the CLI command from my previous article:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman run <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --rm <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -d <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --name nginx <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --network libvirt <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip 10.10.1.151 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> docker.io/nginx:alpine
|
||||
</span></span></code></pre></div><p>to create a Nginx container that can be reached from a VM.</p>
|
||||
<h2 id="troubleshooting" >Troubleshooting
|
||||
<span>
|
||||
<a href="#troubleshooting">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Sometimes the communication between container and VM fails - don&rsquo;t know if I restarted the libvirt network previously or somehow fucked up the container network configuration but a:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network reload &lt;container ID/container name&gt;
|
||||
</span></span></code></pre></div><p>often resolved the problem.</p>
|
||||
<h2 id="final-thoughts" >Final thoughts
|
||||
<span>
|
||||
<a href="#final-thoughts">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>I haven&rsquo;t used <em>Netavark</em> and <em>Aardvark</em> a lot, yet.
|
||||
But I already noticed a few <strong>really awesome</strong> things:</p>
|
||||
<ul>
|
||||
<li>the <code>docker-compose</code> support seems to be a lot better now because containers are actually able to talk to each other by <em>service name</em>, something I wasn&rsquo;t able to configure properly in Podman 3.x - at least not rootless.</li>
|
||||
<li>with <em>Netavark</em> all the Podman configuration is now unified within <code>/etc/containers</code> or <code>$HOME/.config/containers</code> respectively</li>
|
||||
<li>the new configuration format is a little bit cleaner the the previous one due to the fact that <em>Netavark</em> does not support plugins and with a <code>.json</code> extension editors do help a lot more without requiring extra &ldquo;configuration&rdquo;</li>
|
||||
</ul></description></item><item><title>Libvirt & Podman: network 'mesh'</title><link>https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/</link><pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/</guid><description><p><em>Disclaimer: I tested all this with Podman 3.x even though Podman 4.0 is already announced but the <abbr title="Container Network Interface">CNI</abbr> driver is still available with Podman 4.0 and as soon as I get my hands on 4.0 I&rsquo;ll give <strong>Netavark</strong> a try, too!</em></p>
|
||||
<p>When playing around with containers and <abbr title="Virtual Machine">VM</abbr>s one might ask if it&rsquo;s possible to bring VMs and containers into a common network segment.
|
||||
I see &lsquo;why the hell would I need a VM anyway when already having containers&rsquo; or something similar I almost see on your face 😜</p>
|
||||
<p>Well 1st of all, not everything can be solved with containers.
|
||||
For instance windows applications can be run in Windows containers but I&rsquo;m not aware of how to run a Windows container on my Linux desktop.</p>
|
||||
<p>But also in pure Linux environments there are cases where a VM is probably a better fit for the problem.
|
||||
As you might know I&rsquo;m a bit of network 🤓 and I love playing around with &lsquo;weird&rsquo; stuff almost no one else does even think about if not forced to.
|
||||
So if you try to implement for example your own DHCP server you might want to isolate your experiments (especially at the beginning) to avoid discussion about &ldquo;why&rsquo;s Netflix on the TV not working?!&rdquo; 😄 or also if you try to implement your own &lsquo;firewall&rsquo; with <abbr title="Destination network address translation">DNAT</abbr> support (stay tuned - post&rsquo;s following!).</p>
|
||||
<h2 id="part-1-libvirt-preparation" >Part 1: Libvirt preparation
|
||||
<span>
|
||||
<a href="#part-1-libvirt-preparation">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Okay now that I came around with <em>some</em> arguments - if they&rsquo;re convincing or not is not important - how does this work?</p>
|
||||
<p>Assuming you&rsquo;ve Libvirt and Podman already installed on your system without any modification and you run</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>virsh net-list
|
||||
</span></span></code></pre></div><p>you should have at least the <code>default</code> network already.</p>
|
||||
<p>The definition of all networks (as of every other component of libvirt) is in XML.
|
||||
<code>virsh</code> comes with a <code>net-dumpxml</code> command to export the configuration of a network:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>virsh net-dumpxml default
|
||||
</span></span></code></pre></div><p>The output should look (more or less) like in the following snippet:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#f92672">&lt;network&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;name&gt;</span>default<span style="color:#f92672">&lt;/name&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;uuid&gt;</span>8d2028ed-cc9a-4eae-9883-b59b673d560d<span style="color:#f92672">&lt;/uuid&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;forward</span> <span style="color:#a6e22e">mode=</span><span style="color:#e6db74">&#39;nat&#39;</span><span style="color:#f92672">&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;nat&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;port</span> <span style="color:#a6e22e">start=</span><span style="color:#e6db74">&#39;1024&#39;</span> <span style="color:#a6e22e">end=</span><span style="color:#e6db74">&#39;65535&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/nat&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/forward&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;bridge</span> <span style="color:#a6e22e">name=</span><span style="color:#e6db74">&#39;virbr0&#39;</span> <span style="color:#a6e22e">stp=</span><span style="color:#e6db74">&#39;on&#39;</span> <span style="color:#a6e22e">delay=</span><span style="color:#e6db74">&#39;0&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;mac</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;63:b3:d8:75:53:6b&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;ip</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;192.168.122.1&#39;</span> <span style="color:#a6e22e">netmask=</span><span style="color:#e6db74">&#39;255.255.255.0&#39;</span><span style="color:#f92672">&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;range</span> <span style="color:#a6e22e">start=</span><span style="color:#e6db74">&#39;192.168.122.2&#39;</span> <span style="color:#a6e22e">end=</span><span style="color:#e6db74">&#39;192.168.122.254&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/ip&gt;</span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;/network&gt;</span>
|
||||
</span></span></code></pre></div><p>So we&rsquo;ve a <code>&lt;network/&gt;</code> that is defined by:</p>
|
||||
<ul>
|
||||
<li>a <code>&lt;name/&gt;</code></li>
|
||||
<li>a <code>&lt;uuid/&gt;</code></li>
|
||||
<li>a <em>optional</em> <code>&lt;forward/&gt;</code> node</li>
|
||||
<li>a <code>&lt;bridge/&gt;</code> interface</li>
|
||||
<li>the <code>&lt;mac/&gt;</code> for the bridge interface (of the host)</li>
|
||||
<li>the <code>&lt;ip/&gt;</code> of the host on the bridge interface
|
||||
<ul>
|
||||
<li>an <em>optional</em> <code>&lt;dhcp/&gt;</code> range definition</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<p>The complete reference for the XML schema can be found <a href="https://libvirt.org/formatnetwork.html">here</a>.</p>
|
||||
<p>Before we have a closer look how to bring Podman containers into a Libvirt network, let&rsquo;s define a new <code>containers</code> network.
|
||||
The following snippet contains the definition I&rsquo;ll use:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#f92672">&lt;network&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;name&gt;</span>containers<span style="color:#f92672">&lt;/name&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;uuid&gt;</span>929b7b7d-bd82-452d-96b7-12f0cf1a4b17<span style="color:#f92672">&lt;/uuid&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;bridge</span> <span style="color:#a6e22e">name=</span><span style="color:#e6db74">&#39;conbr0&#39;</span> <span style="color:#a6e22e">stp=</span><span style="color:#e6db74">&#39;on&#39;</span> <span style="color:#a6e22e">delay=</span><span style="color:#e6db74">&#39;0&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;mac</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;af:af:13:ed:c6:41&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;ip</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;10.10.1.42&#39;</span> <span style="color:#a6e22e">netmask=</span><span style="color:#e6db74">&#39;255.255.255.0&#39;</span><span style="color:#f92672">&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;range</span> <span style="color:#a6e22e">start=</span><span style="color:#e6db74">&#39;10.10.1.100&#39;</span> <span style="color:#a6e22e">end=</span><span style="color:#e6db74">&#39;10.10.1.150&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/ip&gt;</span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;/network&gt;</span>
|
||||
</span></span></code></pre></div><p>It&rsquo;s quite similar except I made a few adoptions:</p>
|
||||
<ul>
|
||||
<li>remove the <code>&lt;forward/&gt;</code> block</li>
|
||||
<li>change the <code>&lt;name/&gt;</code> and the <code>&lt;uuid/&gt;</code> (with the help of <code>uuidgen</code>)</li>
|
||||
<li>change the <code>name=&quot;&quot;</code> of the <code>&lt;bridge/&gt;</code></li>
|
||||
<li>change the <code>address=&quot;&quot;</code> attribute of the <code>&lt;mac/&gt;</code> (use any <a href="https://macaddress.io/mac-address-generator">mac address generator</a>)</li>
|
||||
<li>change the <code>address=&quot;&quot;</code> attribute of the <code>&lt;ip/&gt;</code> and <code>start=&quot;&quot;</code> and <code>end=&quot;&quot;</code> of the DHCP range accordingly</li>
|
||||
</ul>
|
||||
<p>You may use any private network - as far as I can tell it shouldn&rsquo;t matter if you&rsquo;re using a class B, C or D private network as long as you don&rsquo;t have any conflicts with your LAN or any other virtual interfaces of your environment.</p>
|
||||
<p>When done safe your network definition as <code>.xml</code> file.
|
||||
To import the configuration you can use <code>virsh net-define</code> like in the following snippet (assuming the network definition is in <code>containers.xml</code>):</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ virsh net-define containers.xml
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>&gt; Network containers defined from containers.xml
|
||||
</span></span></code></pre></div><p><em>Note: this only works because the XML already contains an <code>&lt;uuid/&gt;</code>. Otherwise you&rsquo;d have to use <code>virsh net-create</code> and a few more extra steps to make the network actually persistent.</em></p>
|
||||
<p>If you now check with <code>virsh net-list</code> you&rsquo;d be disappointed because there&rsquo;s no network!
|
||||
Checking again with <code>virsh net-list --all</code> explains why our <code>containers</code> network wasn&rsquo;t in the output previously because it is by default <em>inactive</em>.
|
||||
To activate it we&rsquo;ve to start it like so:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ virsh net-start containers
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>&gt; Network containers started
|
||||
</span></span></code></pre></div><p>If you don&rsquo;t mind the extra adapter and wish to use the network frequently in the future you might consider to autostart it:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ virsh net-autostart containers
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>&gt; Network containers marked as autostarted
|
||||
</span></span></code></pre></div><p>With our custom Libvirt network in place we&rsquo;re good to go to configure Podman.</p>
|
||||
<h2 id="part-2-podman-cni-network" >Part 2: Podman CNI network
|
||||
<span>
|
||||
<a href="#part-2-podman-cni-network">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p><em>Note: this only works with <strong>rootfull</strong> Podman because rootless Podman does not use CNI but another network stack.</em></p>
|
||||
<p>A clean Podman installation without any custom network created comes with the default network <code>podman</code>.
|
||||
Rootfull Podman network configs are by default stored in <code>/etc/cni/net.d</code>.
|
||||
You should find the default network as <code>87-podman.conflist</code> in the aforementioned directory.</p>
|
||||
<p>Every Podman network is defined as JSON file.
|
||||
We will define our own <code>libvirt</code> network to join Podman containers into the previously created Libvirt network.
|
||||
You can either use <code>podman network create</code> to create the network (at least more or less) or you can copy for example the default network and make some adjustments.</p>
|
||||
<p>To create the new network from the CLI you can use the following command:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network create <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --disable-dns <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --internal <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --gateway 10.10.2.37 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip-range 10.10.2.160/29 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --subnet 10.10.2.0/24 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> libvirt
|
||||
</span></span></code></pre></div><p>Note that I used a different IP range as in the Libvirt network! Otherwise Podman will complain that the IP range is already in use at an adapter.
|
||||
You can use this command to create the required file in <code>/etc/cni/net.d/</code> but you&rsquo;ve to update the <code>ranges</code> accordingly before creating a container in the network.</p>
|
||||
<p>Because we&rsquo;ve to edit the <code>.conflist</code> either way copy the default one is also fine.</p>
|
||||
<p>The <code>.conflist</code> I&rsquo;m using looks like this:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;cniVersion&#34;</span>: <span style="color:#e6db74">&#34;0.4.0&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;name&#34;</span>: <span style="color:#e6db74">&#34;libvirt&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;plugins&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;bridge&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;bridge&#34;</span>: <span style="color:#e6db74">&#34;conbr0&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;isGateway&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;hairpinMode&#34;</span>: <span style="color:#66d9ef">true</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipam&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;host-local&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;routes&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;dst&#34;</span>: <span style="color:#e6db74">&#34;0.0.0.0/0&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ],
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ranges&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnet&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.0/24&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;rangeStart&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.151&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;rangeEnd&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.160&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;gateway&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.42&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> },
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;portmap&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;capabilities&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;portMappings&#34;</span>: <span style="color:#66d9ef">true</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> },
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;firewall&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;backend&#34;</span>: <span style="color:#e6db74">&#34;&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> },
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;tuning&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span>}
|
||||
</span></span></code></pre></div><p>Interestingly the <code>rangeStart</code> and <code>rangeEnd</code> are actually IP addresses and not tight to some IP networks but unfortunately there&rsquo;s no equivalent for <code>podman network create</code> hence I update both to a range after the DHCP range of the Libvirt network to make sure that no duplicate IPs are assigned.</p>
|
||||
<p>I tend to declare the network as <code>host-local</code> but this shouldn&rsquo;t be critical.
|
||||
The <strong>most important</strong> part is to update the <code>bridge</code> to the same interface like in the Libvirt network definition (in my case <code>conbr0</code>).</p>
|
||||
<p>After this we&rsquo;re ready to go and you can for instance start a Nginx container in the <code>libvirt</code> network and you should be able to reach it from a VM in the Libvirt network:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman run <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --rm <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -d <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --name nginx <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --network libvirt <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip 10.10.1.151 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> docker.io/nginx:alpine
|
||||
</span></span></code></pre></div><p>A nice option for <code>podman run</code> is <code>--ip</code>.
|
||||
You&rsquo;ve to choose an IP from the previously configured <code>range</code> but you can skip the <code>podman inspect</code> or <code>ip a</code> to get the container IP and the container will have the IP every time you start it, if you like 😉 and speaking of &rsquo;nice&rsquo; <code>podman run</code> options: you do know <code>--replace</code>, don&rsquo;t you?</p></description></item></channel></rss>
|
||||
|
|
@ -0,0 +1 @@
|
|||
document.addEventListener("DOMContentLoaded",function(){'use strict';if(!document.queryCommandSupported("copy"))return;let e='<svg xmlns="http://www.w3.org/2000/svg" width="15" height="15" viewBox="0 0 25 25"><path d="M18 6v-6h-18v18h6v6h18v-18h-6zm-12 10h-4v-14h14v4h-10v10zm16 6h-14v-14h14v14z"/></svg>',s='<svg xmlns="http://www.w3.org/2000/svg" width="15" height="15" viewBox="0 0 25 25"><path d="M20.285 2l-11.285 11.567-5.286-5.011-3.714 3.716 9 8.728 15-15.285z"/></svg>',o='<svg xmlns="http://www.w3.org/2000/svg" width="15" height="15" viewBox="0 0 25 25"><path d="M23.954 21.03l-9.184-9.095 9.092-9.174-2.832-2.807-9.09 9.179-9.176-9.088-2.81 2.81 9.186 9.105-9.095 9.184 2.81 2.81 9.112-9.192 9.18 9.1z"/></svg>';function t(t,n){t.innerHTML=n,setTimeout(()=>{t.innerHTML=e},1e3)}function i(e){let t=window.getSelection(),n=document.createRange();return e.childElementCount===2?n.selectNodeContents(e.children[1]):n.selectNodeContents(e),t.removeAllRanges(),t.addRange(n),t}function n(a){let n=document.createElement("button");n.className="highlight-copy-btn",n.innerHTML=e;let r=a.firstElementChild;n.addEventListener("click",()=>{try{let e=i(r);document.execCommand("copy"),e.removeAllRanges(),t(n,s)}catch(e){console&&console.log(e),t(n,o)}}),a.appendChild(n)}let a=document.getElementsByClassName("highlight");Array.prototype.forEach.call(a,n)},!1)
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
{{ if hugo.IsProduction }}
|
||||
<script
|
||||
defer
|
||||
data-domain="icb4dc0.de"
|
||||
src="https://plausible.icb4dc0.de/js/script.js"
|
||||
></script>
|
||||
{{ end }}
|
||||
<script
|
||||
src="https://kit.fontawesome.com/e6634cbc14.js"
|
||||
crossorigin="anonymous"
|
||||
></script>
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
<script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
|
||||
<script>mermaid.initialize({ startOnLoad: true, securityLevel: 'loose'});</script>
|
||||
|
|
@ -1 +0,0 @@
|
|||
<!--for overriding-->
|
||||
|
|
@ -1 +0,0 @@
|
|||
<abbr title="{{ .Get "full" }}">{{ .Get "short" }}</abbr>
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
{{ $_hugo_config := `{ "version": 1 }` }}
|
||||
<div class="mermaid" align="{{ if .Get "align" }}{{ .Get "align" }}{{ else }}center{{ end }}">{{ safeHTML .Inner }}</div>
|
||||
1
page/1/index.html
Normal file
1
page/1/index.html
Normal file
|
|
@ -0,0 +1 @@
|
|||
<!doctype html><html lang=en-us><head><title>https://www.1533b4dc0.de/</title><link rel=canonical href=https://www.1533b4dc0.de/><meta name=robots content="noindex"><meta charset=utf-8><meta http-equiv=refresh content="0; url=https://www.1533b4dc0.de/"></head></html>
|
||||
9
post/index.html
Normal file
9
post/index.html
Normal file
File diff suppressed because one or more lines are too long
262
post/index.xml
Normal file
262
post/index.xml
Normal file
|
|
@ -0,0 +1,262 @@
|
|||
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Posts on 1533B4dC0.de</title><link>https://www.1533b4dc0.de/post/</link><description>1533B4dC0.de (Posts)</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Thu, 24 Feb 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://www.1533b4dc0.de/post/index.xml" rel="self" type="application/rss+xml"/><item><title>Libvirt & Podman: follow up for Podman 4.0 and netavark</title><link>https://www.1533b4dc0.de/post/libvirt-podman-netavark-follow-up/</link><pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.1533b4dc0.de/post/libvirt-podman-netavark-follow-up/</guid><description><p>This is a follow up post to <a href="https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/">&ldquo;Joining libvirt <abbr title="Virtual Machine">VM</abbr>s and Podman container in a common network&rdquo;</a>.
|
||||
Therefore I won&rsquo;t cover all the basics again and how to configure libvirt because nothing&rsquo;s changed on that side.</p>
|
||||
<h2 id="podman-40" >Podman 4.0
|
||||
<span>
|
||||
<a href="#podman-40">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Podman 4.0 comes with a completely new network stack replacing the previous <a href="https://www.cni.dev/"><abbr title="Container Network Interface">CNI</abbr></a> stack:</p>
|
||||
<ul>
|
||||
<li><a href="https://github.com/containers/netavark">Netavark</a></li>
|
||||
<li><a href="https://github.com/containers/aardvark-dns">Aardvark</a></li>
|
||||
</ul>
|
||||
<p>There are <a href="https://www.redhat.com/sysadmin/podman-new-network-stack">great resources</a> that explain the backgrounds of both tools and I don&rsquo;t think I could describe it better than the folks implementing it 😄 so if you&rsquo;re interested have a look at the aforementioned article or the <a href="https://podman.io/releases/2022/02/22/podman-release-v4.0.0.html">release post</a>.</p>
|
||||
<h2 id="netavark-and-libvirt" >Netavark and libvirt
|
||||
<span>
|
||||
<a href="#netavark-and-libvirt">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>After reading the announcement I was most curious if I would be able to configure an equivalent setup for Netavark like I described it with Podman 3.x and CNI.</p>
|
||||
<p><strong>Short answer:</strong> yes, it is possible! 🎉</p>
|
||||
<p><em>&ldquo;But how?!&rdquo;</em> do you ask?
|
||||
Well it&rsquo;s pretty much equivalent to the previous solution: you need to create a new Podman network I once more named it <em>&rsquo;libvirt&rsquo;</em>.
|
||||
To get an idea how the config should look like and where it should placed.
|
||||
I reused the CLI call from my previous article:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network create <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --disable-dns <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --internal <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --gateway 10.10.2.37 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip-range 10.10.2.160/29 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --subnet 10.10.2.0/24 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> libvirt
|
||||
</span></span></code></pre></div><p>The configuration files are now obviously resided in <code>/etc/containers/networks/</code> and my (already modified) <code>libvirt.json</code> now looks like so:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;name&#34;</span>: <span style="color:#e6db74">&#34;libvirt&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;id&#34;</span>: <span style="color:#e6db74">&#34;0489e6e643b97003c47b27a9ce0a6f6a8dce7d5f08329603e79a0ba48ad5285f&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;driver&#34;</span>: <span style="color:#e6db74">&#34;bridge&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;network_interface&#34;</span>: <span style="color:#e6db74">&#34;conbr0&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;created&#34;</span>: <span style="color:#e6db74">&#34;2022-04-05T09:18:48.198960971+01:00&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnets&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnet&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.0/24&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;gateway&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.42&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;lease_range&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;start_ip&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.1&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;end_ip&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.10&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ],
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipv6_enabled&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;internal&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;dns_enabled&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipam_options&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;driver&#34;</span>: <span style="color:#e6db74">&#34;host-local&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span>}
|
||||
</span></span></code></pre></div><p><em>Side note: I&rsquo;m really happy they dropped the <code>.conflist</code> extension because this way most editors offer really helpful syntax highlighting in the first place!</em></p>
|
||||
<p>Note that <code>&quot;internal&quot;: false</code> is mandatory. Otherwise I wasn&rsquo;t able to establish communication between VM and container.
|
||||
I also disabled the Aardvark <abbr title="Domain Name System">DNS</abbr> server and IPv6 support because I don&rsquo;t need it and I also don&rsquo;t expect much benefit of it due to the fact that it can&rsquo;t be aware of the VMs present in the network same as <code>dnsmasq</code> won&rsquo;t be able to resolve containers in the libvirt network.</p>
|
||||
<p>Having this in place I was again able to reuse the CLI command from my previous article:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman run <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --rm <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -d <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --name nginx <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --network libvirt <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip 10.10.1.151 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> docker.io/nginx:alpine
|
||||
</span></span></code></pre></div><p>to create a Nginx container that can be reached from a VM.</p>
|
||||
<h2 id="troubleshooting" >Troubleshooting
|
||||
<span>
|
||||
<a href="#troubleshooting">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Sometimes the communication between container and VM fails - don&rsquo;t know if I restarted the libvirt network previously or somehow fucked up the container network configuration but a:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network reload &lt;container ID/container name&gt;
|
||||
</span></span></code></pre></div><p>often resolved the problem.</p>
|
||||
<h2 id="final-thoughts" >Final thoughts
|
||||
<span>
|
||||
<a href="#final-thoughts">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>I haven&rsquo;t used <em>Netavark</em> and <em>Aardvark</em> a lot, yet.
|
||||
But I already noticed a few <strong>really awesome</strong> things:</p>
|
||||
<ul>
|
||||
<li>the <code>docker-compose</code> support seems to be a lot better now because containers are actually able to talk to each other by <em>service name</em>, something I wasn&rsquo;t able to configure properly in Podman 3.x - at least not rootless.</li>
|
||||
<li>with <em>Netavark</em> all the Podman configuration is now unified within <code>/etc/containers</code> or <code>$HOME/.config/containers</code> respectively</li>
|
||||
<li>the new configuration format is a little bit cleaner the the previous one due to the fact that <em>Netavark</em> does not support plugins and with a <code>.json</code> extension editors do help a lot more without requiring extra &ldquo;configuration&rdquo;</li>
|
||||
</ul></description></item><item><title>Libvirt & Podman: network 'mesh'</title><link>https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/</link><pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/</guid><description><p><em>Disclaimer: I tested all this with Podman 3.x even though Podman 4.0 is already announced but the <abbr title="Container Network Interface">CNI</abbr> driver is still available with Podman 4.0 and as soon as I get my hands on 4.0 I&rsquo;ll give <strong>Netavark</strong> a try, too!</em></p>
|
||||
<p>When playing around with containers and <abbr title="Virtual Machine">VM</abbr>s one might ask if it&rsquo;s possible to bring VMs and containers into a common network segment.
|
||||
I see &lsquo;why the hell would I need a VM anyway when already having containers&rsquo; or something similar I almost see on your face 😜</p>
|
||||
<p>Well 1st of all, not everything can be solved with containers.
|
||||
For instance windows applications can be run in Windows containers but I&rsquo;m not aware of how to run a Windows container on my Linux desktop.</p>
|
||||
<p>But also in pure Linux environments there are cases where a VM is probably a better fit for the problem.
|
||||
As you might know I&rsquo;m a bit of network 🤓 and I love playing around with &lsquo;weird&rsquo; stuff almost no one else does even think about if not forced to.
|
||||
So if you try to implement for example your own DHCP server you might want to isolate your experiments (especially at the beginning) to avoid discussion about &ldquo;why&rsquo;s Netflix on the TV not working?!&rdquo; 😄 or also if you try to implement your own &lsquo;firewall&rsquo; with <abbr title="Destination network address translation">DNAT</abbr> support (stay tuned - post&rsquo;s following!).</p>
|
||||
<h2 id="part-1-libvirt-preparation" >Part 1: Libvirt preparation
|
||||
<span>
|
||||
<a href="#part-1-libvirt-preparation">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Okay now that I came around with <em>some</em> arguments - if they&rsquo;re convincing or not is not important - how does this work?</p>
|
||||
<p>Assuming you&rsquo;ve Libvirt and Podman already installed on your system without any modification and you run</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>virsh net-list
|
||||
</span></span></code></pre></div><p>you should have at least the <code>default</code> network already.</p>
|
||||
<p>The definition of all networks (as of every other component of libvirt) is in XML.
|
||||
<code>virsh</code> comes with a <code>net-dumpxml</code> command to export the configuration of a network:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>virsh net-dumpxml default
|
||||
</span></span></code></pre></div><p>The output should look (more or less) like in the following snippet:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#f92672">&lt;network&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;name&gt;</span>default<span style="color:#f92672">&lt;/name&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;uuid&gt;</span>8d2028ed-cc9a-4eae-9883-b59b673d560d<span style="color:#f92672">&lt;/uuid&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;forward</span> <span style="color:#a6e22e">mode=</span><span style="color:#e6db74">&#39;nat&#39;</span><span style="color:#f92672">&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;nat&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;port</span> <span style="color:#a6e22e">start=</span><span style="color:#e6db74">&#39;1024&#39;</span> <span style="color:#a6e22e">end=</span><span style="color:#e6db74">&#39;65535&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/nat&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/forward&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;bridge</span> <span style="color:#a6e22e">name=</span><span style="color:#e6db74">&#39;virbr0&#39;</span> <span style="color:#a6e22e">stp=</span><span style="color:#e6db74">&#39;on&#39;</span> <span style="color:#a6e22e">delay=</span><span style="color:#e6db74">&#39;0&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;mac</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;63:b3:d8:75:53:6b&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;ip</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;192.168.122.1&#39;</span> <span style="color:#a6e22e">netmask=</span><span style="color:#e6db74">&#39;255.255.255.0&#39;</span><span style="color:#f92672">&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;range</span> <span style="color:#a6e22e">start=</span><span style="color:#e6db74">&#39;192.168.122.2&#39;</span> <span style="color:#a6e22e">end=</span><span style="color:#e6db74">&#39;192.168.122.254&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/ip&gt;</span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;/network&gt;</span>
|
||||
</span></span></code></pre></div><p>So we&rsquo;ve a <code>&lt;network/&gt;</code> that is defined by:</p>
|
||||
<ul>
|
||||
<li>a <code>&lt;name/&gt;</code></li>
|
||||
<li>a <code>&lt;uuid/&gt;</code></li>
|
||||
<li>a <em>optional</em> <code>&lt;forward/&gt;</code> node</li>
|
||||
<li>a <code>&lt;bridge/&gt;</code> interface</li>
|
||||
<li>the <code>&lt;mac/&gt;</code> for the bridge interface (of the host)</li>
|
||||
<li>the <code>&lt;ip/&gt;</code> of the host on the bridge interface
|
||||
<ul>
|
||||
<li>an <em>optional</em> <code>&lt;dhcp/&gt;</code> range definition</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<p>The complete reference for the XML schema can be found <a href="https://libvirt.org/formatnetwork.html">here</a>.</p>
|
||||
<p>Before we have a closer look how to bring Podman containers into a Libvirt network, let&rsquo;s define a new <code>containers</code> network.
|
||||
The following snippet contains the definition I&rsquo;ll use:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#f92672">&lt;network&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;name&gt;</span>containers<span style="color:#f92672">&lt;/name&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;uuid&gt;</span>929b7b7d-bd82-452d-96b7-12f0cf1a4b17<span style="color:#f92672">&lt;/uuid&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;bridge</span> <span style="color:#a6e22e">name=</span><span style="color:#e6db74">&#39;conbr0&#39;</span> <span style="color:#a6e22e">stp=</span><span style="color:#e6db74">&#39;on&#39;</span> <span style="color:#a6e22e">delay=</span><span style="color:#e6db74">&#39;0&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;mac</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;af:af:13:ed:c6:41&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;ip</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;10.10.1.42&#39;</span> <span style="color:#a6e22e">netmask=</span><span style="color:#e6db74">&#39;255.255.255.0&#39;</span><span style="color:#f92672">&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;range</span> <span style="color:#a6e22e">start=</span><span style="color:#e6db74">&#39;10.10.1.100&#39;</span> <span style="color:#a6e22e">end=</span><span style="color:#e6db74">&#39;10.10.1.150&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/ip&gt;</span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;/network&gt;</span>
|
||||
</span></span></code></pre></div><p>It&rsquo;s quite similar except I made a few adoptions:</p>
|
||||
<ul>
|
||||
<li>remove the <code>&lt;forward/&gt;</code> block</li>
|
||||
<li>change the <code>&lt;name/&gt;</code> and the <code>&lt;uuid/&gt;</code> (with the help of <code>uuidgen</code>)</li>
|
||||
<li>change the <code>name=&quot;&quot;</code> of the <code>&lt;bridge/&gt;</code></li>
|
||||
<li>change the <code>address=&quot;&quot;</code> attribute of the <code>&lt;mac/&gt;</code> (use any <a href="https://macaddress.io/mac-address-generator">mac address generator</a>)</li>
|
||||
<li>change the <code>address=&quot;&quot;</code> attribute of the <code>&lt;ip/&gt;</code> and <code>start=&quot;&quot;</code> and <code>end=&quot;&quot;</code> of the DHCP range accordingly</li>
|
||||
</ul>
|
||||
<p>You may use any private network - as far as I can tell it shouldn&rsquo;t matter if you&rsquo;re using a class B, C or D private network as long as you don&rsquo;t have any conflicts with your LAN or any other virtual interfaces of your environment.</p>
|
||||
<p>When done safe your network definition as <code>.xml</code> file.
|
||||
To import the configuration you can use <code>virsh net-define</code> like in the following snippet (assuming the network definition is in <code>containers.xml</code>):</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ virsh net-define containers.xml
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>&gt; Network containers defined from containers.xml
|
||||
</span></span></code></pre></div><p><em>Note: this only works because the XML already contains an <code>&lt;uuid/&gt;</code>. Otherwise you&rsquo;d have to use <code>virsh net-create</code> and a few more extra steps to make the network actually persistent.</em></p>
|
||||
<p>If you now check with <code>virsh net-list</code> you&rsquo;d be disappointed because there&rsquo;s no network!
|
||||
Checking again with <code>virsh net-list --all</code> explains why our <code>containers</code> network wasn&rsquo;t in the output previously because it is by default <em>inactive</em>.
|
||||
To activate it we&rsquo;ve to start it like so:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ virsh net-start containers
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>&gt; Network containers started
|
||||
</span></span></code></pre></div><p>If you don&rsquo;t mind the extra adapter and wish to use the network frequently in the future you might consider to autostart it:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ virsh net-autostart containers
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>&gt; Network containers marked as autostarted
|
||||
</span></span></code></pre></div><p>With our custom Libvirt network in place we&rsquo;re good to go to configure Podman.</p>
|
||||
<h2 id="part-2-podman-cni-network" >Part 2: Podman CNI network
|
||||
<span>
|
||||
<a href="#part-2-podman-cni-network">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p><em>Note: this only works with <strong>rootfull</strong> Podman because rootless Podman does not use CNI but another network stack.</em></p>
|
||||
<p>A clean Podman installation without any custom network created comes with the default network <code>podman</code>.
|
||||
Rootfull Podman network configs are by default stored in <code>/etc/cni/net.d</code>.
|
||||
You should find the default network as <code>87-podman.conflist</code> in the aforementioned directory.</p>
|
||||
<p>Every Podman network is defined as JSON file.
|
||||
We will define our own <code>libvirt</code> network to join Podman containers into the previously created Libvirt network.
|
||||
You can either use <code>podman network create</code> to create the network (at least more or less) or you can copy for example the default network and make some adjustments.</p>
|
||||
<p>To create the new network from the CLI you can use the following command:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network create <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --disable-dns <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --internal <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --gateway 10.10.2.37 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip-range 10.10.2.160/29 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --subnet 10.10.2.0/24 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> libvirt
|
||||
</span></span></code></pre></div><p>Note that I used a different IP range as in the Libvirt network! Otherwise Podman will complain that the IP range is already in use at an adapter.
|
||||
You can use this command to create the required file in <code>/etc/cni/net.d/</code> but you&rsquo;ve to update the <code>ranges</code> accordingly before creating a container in the network.</p>
|
||||
<p>Because we&rsquo;ve to edit the <code>.conflist</code> either way copy the default one is also fine.</p>
|
||||
<p>The <code>.conflist</code> I&rsquo;m using looks like this:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;cniVersion&#34;</span>: <span style="color:#e6db74">&#34;0.4.0&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;name&#34;</span>: <span style="color:#e6db74">&#34;libvirt&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;plugins&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;bridge&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;bridge&#34;</span>: <span style="color:#e6db74">&#34;conbr0&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;isGateway&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;hairpinMode&#34;</span>: <span style="color:#66d9ef">true</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipam&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;host-local&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;routes&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;dst&#34;</span>: <span style="color:#e6db74">&#34;0.0.0.0/0&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ],
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ranges&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnet&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.0/24&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;rangeStart&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.151&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;rangeEnd&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.160&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;gateway&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.42&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> },
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;portmap&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;capabilities&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;portMappings&#34;</span>: <span style="color:#66d9ef">true</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> },
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;firewall&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;backend&#34;</span>: <span style="color:#e6db74">&#34;&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> },
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;tuning&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span>}
|
||||
</span></span></code></pre></div><p>Interestingly the <code>rangeStart</code> and <code>rangeEnd</code> are actually IP addresses and not tight to some IP networks but unfortunately there&rsquo;s no equivalent for <code>podman network create</code> hence I update both to a range after the DHCP range of the Libvirt network to make sure that no duplicate IPs are assigned.</p>
|
||||
<p>I tend to declare the network as <code>host-local</code> but this shouldn&rsquo;t be critical.
|
||||
The <strong>most important</strong> part is to update the <code>bridge</code> to the same interface like in the Libvirt network definition (in my case <code>conbr0</code>).</p>
|
||||
<p>After this we&rsquo;re ready to go and you can for instance start a Nginx container in the <code>libvirt</code> network and you should be able to reach it from a VM in the Libvirt network:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman run <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --rm <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -d <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --name nginx <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --network libvirt <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip 10.10.1.151 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> docker.io/nginx:alpine
|
||||
</span></span></code></pre></div><p>A nice option for <code>podman run</code> is <code>--ip</code>.
|
||||
You&rsquo;ve to choose an IP from the previously configured <code>range</code> but you can skip the <code>podman inspect</code> or <code>ip a</code> to get the container IP and the container will have the IP every time you start it, if you like 😉 and speaking of &rsquo;nice&rsquo; <code>podman run</code> options: you do know <code>--replace</code>, don&rsquo;t you?</p></description></item></channel></rss>
|
||||
56
post/libvirt-podman-netavark-follow-up/index.html
Normal file
56
post/libvirt-podman-netavark-follow-up/index.html
Normal file
File diff suppressed because one or more lines are too long
121
post/libvirt-podman-network-mesh/index.html
Normal file
121
post/libvirt-podman-network-mesh/index.html
Normal file
File diff suppressed because one or more lines are too long
1
posts/index.html
Normal file
1
posts/index.html
Normal file
|
|
@ -0,0 +1 @@
|
|||
<!doctype html><html lang=en-us><head><title>https://www.1533b4dc0.de/post/</title><link rel=canonical href=https://www.1533b4dc0.de/post/><meta name=robots content="noindex"><meta charset=utf-8><meta http-equiv=refresh content="0; url=https://www.1533b4dc0.de/post/"></head></html>
|
||||
18
projects/index.html
Normal file
18
projects/index.html
Normal file
File diff suppressed because one or more lines are too long
1
showcase/index.html
Normal file
1
showcase/index.html
Normal file
|
|
@ -0,0 +1 @@
|
|||
<!doctype html><html lang=en-us><head><title>https://www.1533b4dc0.de/post/</title><link rel=canonical href=https://www.1533b4dc0.de/post/><meta name=robots content="noindex"><meta charset=utf-8><meta http-equiv=refresh content="0; url=https://www.1533b4dc0.de/post/"></head></html>
|
||||
1
sitemap.xml
Normal file
1
sitemap.xml
Normal file
|
|
@ -0,0 +1 @@
|
|||
<?xml version="1.0" encoding="utf-8" standalone="yes"?><urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xhtml="http://www.w3.org/1999/xhtml"><url><loc>https://www.1533b4dc0.de/about/</loc></url><url><loc>https://www.1533b4dc0.de/projects/</loc></url><url><loc>https://www.1533b4dc0.de/</loc><lastmod>2022-02-24T00:00:00+00:00</lastmod></url><url><loc>https://www.1533b4dc0.de/tags/libvirt/</loc><lastmod>2022-02-24T00:00:00+00:00</lastmod></url><url><loc>https://www.1533b4dc0.de/post/libvirt-podman-netavark-follow-up/</loc><lastmod>2022-02-24T00:00:00+00:00</lastmod></url><url><loc>https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/</loc><lastmod>2022-02-24T00:00:00+00:00</lastmod></url><url><loc>https://www.1533b4dc0.de/tags/netavark/</loc><lastmod>2022-02-24T00:00:00+00:00</lastmod></url><url><loc>https://www.1533b4dc0.de/tags/podman/</loc><lastmod>2022-02-24T00:00:00+00:00</lastmod></url><url><loc>https://www.1533b4dc0.de/post/</loc><lastmod>2022-02-24T00:00:00+00:00</lastmod></url><url><loc>https://www.1533b4dc0.de/tags/</loc><lastmod>2022-02-24T00:00:00+00:00</lastmod></url><url><loc>https://www.1533b4dc0.de/categories/</loc></url><url><loc>https://www.1533b4dc0.de/tags/index/</loc></url></urlset>
|
||||
|
|
@ -1 +0,0 @@
|
|||
www.1533b4dc0.de
|
||||
11
tags/index.html
Normal file
11
tags/index.html
Normal file
File diff suppressed because one or more lines are too long
1
tags/index.xml
Normal file
1
tags/index.xml
Normal file
|
|
@ -0,0 +1 @@
|
|||
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Tags on 1533B4dC0.de</title><link>https://www.1533b4dc0.de/tags/</link><description>1533B4dC0.de (Tags)</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Thu, 24 Feb 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://www.1533b4dc0.de/tags/index.xml" rel="self" type="application/rss+xml"/></channel></rss>
|
||||
8
tags/index/index.html
Normal file
8
tags/index/index.html
Normal file
File diff suppressed because one or more lines are too long
1
tags/index/index.xml
Normal file
1
tags/index/index.xml
Normal file
|
|
@ -0,0 +1 @@
|
|||
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>index on 1533B4dC0.de</title><link>https://www.1533b4dc0.de/tags/index/</link><description>1533B4dC0.de (index)</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><atom:link href="https://www.1533b4dc0.de/tags/index/index.xml" rel="self" type="application/rss+xml"/></channel></rss>
|
||||
1
tags/index/page/1/index.html
Normal file
1
tags/index/page/1/index.html
Normal file
|
|
@ -0,0 +1 @@
|
|||
<!doctype html><html lang=en-us><head><title>https://www.1533b4dc0.de/tags/index/</title><link rel=canonical href=https://www.1533b4dc0.de/tags/index/><meta name=robots content="noindex"><meta charset=utf-8><meta http-equiv=refresh content="0; url=https://www.1533b4dc0.de/tags/index/"></head></html>
|
||||
12
tags/libvirt/index.html
Normal file
12
tags/libvirt/index.html
Normal file
File diff suppressed because one or more lines are too long
262
tags/libvirt/index.xml
Normal file
262
tags/libvirt/index.xml
Normal file
|
|
@ -0,0 +1,262 @@
|
|||
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>libvirt on 1533B4dC0.de</title><link>https://www.1533b4dc0.de/tags/libvirt/</link><description>1533B4dC0.de (libvirt)</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Thu, 24 Feb 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://www.1533b4dc0.de/tags/libvirt/index.xml" rel="self" type="application/rss+xml"/><item><title>Libvirt & Podman: follow up for Podman 4.0 and netavark</title><link>https://www.1533b4dc0.de/post/libvirt-podman-netavark-follow-up/</link><pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.1533b4dc0.de/post/libvirt-podman-netavark-follow-up/</guid><description><p>This is a follow up post to <a href="https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/">&ldquo;Joining libvirt <abbr title="Virtual Machine">VM</abbr>s and Podman container in a common network&rdquo;</a>.
|
||||
Therefore I won&rsquo;t cover all the basics again and how to configure libvirt because nothing&rsquo;s changed on that side.</p>
|
||||
<h2 id="podman-40" >Podman 4.0
|
||||
<span>
|
||||
<a href="#podman-40">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Podman 4.0 comes with a completely new network stack replacing the previous <a href="https://www.cni.dev/"><abbr title="Container Network Interface">CNI</abbr></a> stack:</p>
|
||||
<ul>
|
||||
<li><a href="https://github.com/containers/netavark">Netavark</a></li>
|
||||
<li><a href="https://github.com/containers/aardvark-dns">Aardvark</a></li>
|
||||
</ul>
|
||||
<p>There are <a href="https://www.redhat.com/sysadmin/podman-new-network-stack">great resources</a> that explain the backgrounds of both tools and I don&rsquo;t think I could describe it better than the folks implementing it 😄 so if you&rsquo;re interested have a look at the aforementioned article or the <a href="https://podman.io/releases/2022/02/22/podman-release-v4.0.0.html">release post</a>.</p>
|
||||
<h2 id="netavark-and-libvirt" >Netavark and libvirt
|
||||
<span>
|
||||
<a href="#netavark-and-libvirt">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>After reading the announcement I was most curious if I would be able to configure an equivalent setup for Netavark like I described it with Podman 3.x and CNI.</p>
|
||||
<p><strong>Short answer:</strong> yes, it is possible! 🎉</p>
|
||||
<p><em>&ldquo;But how?!&rdquo;</em> do you ask?
|
||||
Well it&rsquo;s pretty much equivalent to the previous solution: you need to create a new Podman network I once more named it <em>&rsquo;libvirt&rsquo;</em>.
|
||||
To get an idea how the config should look like and where it should placed.
|
||||
I reused the CLI call from my previous article:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network create <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --disable-dns <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --internal <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --gateway 10.10.2.37 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip-range 10.10.2.160/29 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --subnet 10.10.2.0/24 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> libvirt
|
||||
</span></span></code></pre></div><p>The configuration files are now obviously resided in <code>/etc/containers/networks/</code> and my (already modified) <code>libvirt.json</code> now looks like so:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;name&#34;</span>: <span style="color:#e6db74">&#34;libvirt&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;id&#34;</span>: <span style="color:#e6db74">&#34;0489e6e643b97003c47b27a9ce0a6f6a8dce7d5f08329603e79a0ba48ad5285f&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;driver&#34;</span>: <span style="color:#e6db74">&#34;bridge&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;network_interface&#34;</span>: <span style="color:#e6db74">&#34;conbr0&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;created&#34;</span>: <span style="color:#e6db74">&#34;2022-04-05T09:18:48.198960971+01:00&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnets&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnet&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.0/24&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;gateway&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.42&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;lease_range&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;start_ip&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.1&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;end_ip&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.10&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ],
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipv6_enabled&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;internal&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;dns_enabled&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipam_options&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;driver&#34;</span>: <span style="color:#e6db74">&#34;host-local&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span>}
|
||||
</span></span></code></pre></div><p><em>Side note: I&rsquo;m really happy they dropped the <code>.conflist</code> extension because this way most editors offer really helpful syntax highlighting in the first place!</em></p>
|
||||
<p>Note that <code>&quot;internal&quot;: false</code> is mandatory. Otherwise I wasn&rsquo;t able to establish communication between VM and container.
|
||||
I also disabled the Aardvark <abbr title="Domain Name System">DNS</abbr> server and IPv6 support because I don&rsquo;t need it and I also don&rsquo;t expect much benefit of it due to the fact that it can&rsquo;t be aware of the VMs present in the network same as <code>dnsmasq</code> won&rsquo;t be able to resolve containers in the libvirt network.</p>
|
||||
<p>Having this in place I was again able to reuse the CLI command from my previous article:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman run <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --rm <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -d <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --name nginx <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --network libvirt <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip 10.10.1.151 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> docker.io/nginx:alpine
|
||||
</span></span></code></pre></div><p>to create a Nginx container that can be reached from a VM.</p>
|
||||
<h2 id="troubleshooting" >Troubleshooting
|
||||
<span>
|
||||
<a href="#troubleshooting">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Sometimes the communication between container and VM fails - don&rsquo;t know if I restarted the libvirt network previously or somehow fucked up the container network configuration but a:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network reload &lt;container ID/container name&gt;
|
||||
</span></span></code></pre></div><p>often resolved the problem.</p>
|
||||
<h2 id="final-thoughts" >Final thoughts
|
||||
<span>
|
||||
<a href="#final-thoughts">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>I haven&rsquo;t used <em>Netavark</em> and <em>Aardvark</em> a lot, yet.
|
||||
But I already noticed a few <strong>really awesome</strong> things:</p>
|
||||
<ul>
|
||||
<li>the <code>docker-compose</code> support seems to be a lot better now because containers are actually able to talk to each other by <em>service name</em>, something I wasn&rsquo;t able to configure properly in Podman 3.x - at least not rootless.</li>
|
||||
<li>with <em>Netavark</em> all the Podman configuration is now unified within <code>/etc/containers</code> or <code>$HOME/.config/containers</code> respectively</li>
|
||||
<li>the new configuration format is a little bit cleaner the the previous one due to the fact that <em>Netavark</em> does not support plugins and with a <code>.json</code> extension editors do help a lot more without requiring extra &ldquo;configuration&rdquo;</li>
|
||||
</ul></description></item><item><title>Libvirt & Podman: network 'mesh'</title><link>https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/</link><pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/</guid><description><p><em>Disclaimer: I tested all this with Podman 3.x even though Podman 4.0 is already announced but the <abbr title="Container Network Interface">CNI</abbr> driver is still available with Podman 4.0 and as soon as I get my hands on 4.0 I&rsquo;ll give <strong>Netavark</strong> a try, too!</em></p>
|
||||
<p>When playing around with containers and <abbr title="Virtual Machine">VM</abbr>s one might ask if it&rsquo;s possible to bring VMs and containers into a common network segment.
|
||||
I see &lsquo;why the hell would I need a VM anyway when already having containers&rsquo; or something similar I almost see on your face 😜</p>
|
||||
<p>Well 1st of all, not everything can be solved with containers.
|
||||
For instance windows applications can be run in Windows containers but I&rsquo;m not aware of how to run a Windows container on my Linux desktop.</p>
|
||||
<p>But also in pure Linux environments there are cases where a VM is probably a better fit for the problem.
|
||||
As you might know I&rsquo;m a bit of network 🤓 and I love playing around with &lsquo;weird&rsquo; stuff almost no one else does even think about if not forced to.
|
||||
So if you try to implement for example your own DHCP server you might want to isolate your experiments (especially at the beginning) to avoid discussion about &ldquo;why&rsquo;s Netflix on the TV not working?!&rdquo; 😄 or also if you try to implement your own &lsquo;firewall&rsquo; with <abbr title="Destination network address translation">DNAT</abbr> support (stay tuned - post&rsquo;s following!).</p>
|
||||
<h2 id="part-1-libvirt-preparation" >Part 1: Libvirt preparation
|
||||
<span>
|
||||
<a href="#part-1-libvirt-preparation">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Okay now that I came around with <em>some</em> arguments - if they&rsquo;re convincing or not is not important - how does this work?</p>
|
||||
<p>Assuming you&rsquo;ve Libvirt and Podman already installed on your system without any modification and you run</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>virsh net-list
|
||||
</span></span></code></pre></div><p>you should have at least the <code>default</code> network already.</p>
|
||||
<p>The definition of all networks (as of every other component of libvirt) is in XML.
|
||||
<code>virsh</code> comes with a <code>net-dumpxml</code> command to export the configuration of a network:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>virsh net-dumpxml default
|
||||
</span></span></code></pre></div><p>The output should look (more or less) like in the following snippet:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#f92672">&lt;network&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;name&gt;</span>default<span style="color:#f92672">&lt;/name&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;uuid&gt;</span>8d2028ed-cc9a-4eae-9883-b59b673d560d<span style="color:#f92672">&lt;/uuid&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;forward</span> <span style="color:#a6e22e">mode=</span><span style="color:#e6db74">&#39;nat&#39;</span><span style="color:#f92672">&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;nat&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;port</span> <span style="color:#a6e22e">start=</span><span style="color:#e6db74">&#39;1024&#39;</span> <span style="color:#a6e22e">end=</span><span style="color:#e6db74">&#39;65535&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/nat&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/forward&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;bridge</span> <span style="color:#a6e22e">name=</span><span style="color:#e6db74">&#39;virbr0&#39;</span> <span style="color:#a6e22e">stp=</span><span style="color:#e6db74">&#39;on&#39;</span> <span style="color:#a6e22e">delay=</span><span style="color:#e6db74">&#39;0&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;mac</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;63:b3:d8:75:53:6b&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;ip</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;192.168.122.1&#39;</span> <span style="color:#a6e22e">netmask=</span><span style="color:#e6db74">&#39;255.255.255.0&#39;</span><span style="color:#f92672">&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;range</span> <span style="color:#a6e22e">start=</span><span style="color:#e6db74">&#39;192.168.122.2&#39;</span> <span style="color:#a6e22e">end=</span><span style="color:#e6db74">&#39;192.168.122.254&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/ip&gt;</span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;/network&gt;</span>
|
||||
</span></span></code></pre></div><p>So we&rsquo;ve a <code>&lt;network/&gt;</code> that is defined by:</p>
|
||||
<ul>
|
||||
<li>a <code>&lt;name/&gt;</code></li>
|
||||
<li>a <code>&lt;uuid/&gt;</code></li>
|
||||
<li>a <em>optional</em> <code>&lt;forward/&gt;</code> node</li>
|
||||
<li>a <code>&lt;bridge/&gt;</code> interface</li>
|
||||
<li>the <code>&lt;mac/&gt;</code> for the bridge interface (of the host)</li>
|
||||
<li>the <code>&lt;ip/&gt;</code> of the host on the bridge interface
|
||||
<ul>
|
||||
<li>an <em>optional</em> <code>&lt;dhcp/&gt;</code> range definition</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<p>The complete reference for the XML schema can be found <a href="https://libvirt.org/formatnetwork.html">here</a>.</p>
|
||||
<p>Before we have a closer look how to bring Podman containers into a Libvirt network, let&rsquo;s define a new <code>containers</code> network.
|
||||
The following snippet contains the definition I&rsquo;ll use:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#f92672">&lt;network&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;name&gt;</span>containers<span style="color:#f92672">&lt;/name&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;uuid&gt;</span>929b7b7d-bd82-452d-96b7-12f0cf1a4b17<span style="color:#f92672">&lt;/uuid&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;bridge</span> <span style="color:#a6e22e">name=</span><span style="color:#e6db74">&#39;conbr0&#39;</span> <span style="color:#a6e22e">stp=</span><span style="color:#e6db74">&#39;on&#39;</span> <span style="color:#a6e22e">delay=</span><span style="color:#e6db74">&#39;0&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;mac</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;af:af:13:ed:c6:41&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;ip</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;10.10.1.42&#39;</span> <span style="color:#a6e22e">netmask=</span><span style="color:#e6db74">&#39;255.255.255.0&#39;</span><span style="color:#f92672">&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;range</span> <span style="color:#a6e22e">start=</span><span style="color:#e6db74">&#39;10.10.1.100&#39;</span> <span style="color:#a6e22e">end=</span><span style="color:#e6db74">&#39;10.10.1.150&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/ip&gt;</span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;/network&gt;</span>
|
||||
</span></span></code></pre></div><p>It&rsquo;s quite similar except I made a few adoptions:</p>
|
||||
<ul>
|
||||
<li>remove the <code>&lt;forward/&gt;</code> block</li>
|
||||
<li>change the <code>&lt;name/&gt;</code> and the <code>&lt;uuid/&gt;</code> (with the help of <code>uuidgen</code>)</li>
|
||||
<li>change the <code>name=&quot;&quot;</code> of the <code>&lt;bridge/&gt;</code></li>
|
||||
<li>change the <code>address=&quot;&quot;</code> attribute of the <code>&lt;mac/&gt;</code> (use any <a href="https://macaddress.io/mac-address-generator">mac address generator</a>)</li>
|
||||
<li>change the <code>address=&quot;&quot;</code> attribute of the <code>&lt;ip/&gt;</code> and <code>start=&quot;&quot;</code> and <code>end=&quot;&quot;</code> of the DHCP range accordingly</li>
|
||||
</ul>
|
||||
<p>You may use any private network - as far as I can tell it shouldn&rsquo;t matter if you&rsquo;re using a class B, C or D private network as long as you don&rsquo;t have any conflicts with your LAN or any other virtual interfaces of your environment.</p>
|
||||
<p>When done safe your network definition as <code>.xml</code> file.
|
||||
To import the configuration you can use <code>virsh net-define</code> like in the following snippet (assuming the network definition is in <code>containers.xml</code>):</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ virsh net-define containers.xml
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>&gt; Network containers defined from containers.xml
|
||||
</span></span></code></pre></div><p><em>Note: this only works because the XML already contains an <code>&lt;uuid/&gt;</code>. Otherwise you&rsquo;d have to use <code>virsh net-create</code> and a few more extra steps to make the network actually persistent.</em></p>
|
||||
<p>If you now check with <code>virsh net-list</code> you&rsquo;d be disappointed because there&rsquo;s no network!
|
||||
Checking again with <code>virsh net-list --all</code> explains why our <code>containers</code> network wasn&rsquo;t in the output previously because it is by default <em>inactive</em>.
|
||||
To activate it we&rsquo;ve to start it like so:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ virsh net-start containers
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>&gt; Network containers started
|
||||
</span></span></code></pre></div><p>If you don&rsquo;t mind the extra adapter and wish to use the network frequently in the future you might consider to autostart it:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ virsh net-autostart containers
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>&gt; Network containers marked as autostarted
|
||||
</span></span></code></pre></div><p>With our custom Libvirt network in place we&rsquo;re good to go to configure Podman.</p>
|
||||
<h2 id="part-2-podman-cni-network" >Part 2: Podman CNI network
|
||||
<span>
|
||||
<a href="#part-2-podman-cni-network">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p><em>Note: this only works with <strong>rootfull</strong> Podman because rootless Podman does not use CNI but another network stack.</em></p>
|
||||
<p>A clean Podman installation without any custom network created comes with the default network <code>podman</code>.
|
||||
Rootfull Podman network configs are by default stored in <code>/etc/cni/net.d</code>.
|
||||
You should find the default network as <code>87-podman.conflist</code> in the aforementioned directory.</p>
|
||||
<p>Every Podman network is defined as JSON file.
|
||||
We will define our own <code>libvirt</code> network to join Podman containers into the previously created Libvirt network.
|
||||
You can either use <code>podman network create</code> to create the network (at least more or less) or you can copy for example the default network and make some adjustments.</p>
|
||||
<p>To create the new network from the CLI you can use the following command:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network create <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --disable-dns <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --internal <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --gateway 10.10.2.37 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip-range 10.10.2.160/29 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --subnet 10.10.2.0/24 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> libvirt
|
||||
</span></span></code></pre></div><p>Note that I used a different IP range as in the Libvirt network! Otherwise Podman will complain that the IP range is already in use at an adapter.
|
||||
You can use this command to create the required file in <code>/etc/cni/net.d/</code> but you&rsquo;ve to update the <code>ranges</code> accordingly before creating a container in the network.</p>
|
||||
<p>Because we&rsquo;ve to edit the <code>.conflist</code> either way copy the default one is also fine.</p>
|
||||
<p>The <code>.conflist</code> I&rsquo;m using looks like this:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;cniVersion&#34;</span>: <span style="color:#e6db74">&#34;0.4.0&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;name&#34;</span>: <span style="color:#e6db74">&#34;libvirt&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;plugins&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;bridge&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;bridge&#34;</span>: <span style="color:#e6db74">&#34;conbr0&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;isGateway&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;hairpinMode&#34;</span>: <span style="color:#66d9ef">true</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipam&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;host-local&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;routes&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;dst&#34;</span>: <span style="color:#e6db74">&#34;0.0.0.0/0&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ],
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ranges&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnet&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.0/24&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;rangeStart&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.151&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;rangeEnd&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.160&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;gateway&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.42&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> },
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;portmap&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;capabilities&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;portMappings&#34;</span>: <span style="color:#66d9ef">true</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> },
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;firewall&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;backend&#34;</span>: <span style="color:#e6db74">&#34;&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> },
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;tuning&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span>}
|
||||
</span></span></code></pre></div><p>Interestingly the <code>rangeStart</code> and <code>rangeEnd</code> are actually IP addresses and not tight to some IP networks but unfortunately there&rsquo;s no equivalent for <code>podman network create</code> hence I update both to a range after the DHCP range of the Libvirt network to make sure that no duplicate IPs are assigned.</p>
|
||||
<p>I tend to declare the network as <code>host-local</code> but this shouldn&rsquo;t be critical.
|
||||
The <strong>most important</strong> part is to update the <code>bridge</code> to the same interface like in the Libvirt network definition (in my case <code>conbr0</code>).</p>
|
||||
<p>After this we&rsquo;re ready to go and you can for instance start a Nginx container in the <code>libvirt</code> network and you should be able to reach it from a VM in the Libvirt network:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman run <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --rm <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -d <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --name nginx <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --network libvirt <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip 10.10.1.151 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> docker.io/nginx:alpine
|
||||
</span></span></code></pre></div><p>A nice option for <code>podman run</code> is <code>--ip</code>.
|
||||
You&rsquo;ve to choose an IP from the previously configured <code>range</code> but you can skip the <code>podman inspect</code> or <code>ip a</code> to get the container IP and the container will have the IP every time you start it, if you like 😉 and speaking of &rsquo;nice&rsquo; <code>podman run</code> options: you do know <code>--replace</code>, don&rsquo;t you?</p></description></item></channel></rss>
|
||||
1
tags/libvirt/page/1/index.html
Normal file
1
tags/libvirt/page/1/index.html
Normal file
|
|
@ -0,0 +1 @@
|
|||
<!doctype html><html lang=en-us><head><title>https://www.1533b4dc0.de/tags/libvirt/</title><link rel=canonical href=https://www.1533b4dc0.de/tags/libvirt/><meta name=robots content="noindex"><meta charset=utf-8><meta http-equiv=refresh content="0; url=https://www.1533b4dc0.de/tags/libvirt/"></head></html>
|
||||
10
tags/netavark/index.html
Normal file
10
tags/netavark/index.html
Normal file
File diff suppressed because one or more lines are too long
91
tags/netavark/index.xml
Normal file
91
tags/netavark/index.xml
Normal file
|
|
@ -0,0 +1,91 @@
|
|||
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>netavark on 1533B4dC0.de</title><link>https://www.1533b4dc0.de/tags/netavark/</link><description>1533B4dC0.de (netavark)</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Thu, 24 Feb 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://www.1533b4dc0.de/tags/netavark/index.xml" rel="self" type="application/rss+xml"/><item><title>Libvirt & Podman: follow up for Podman 4.0 and netavark</title><link>https://www.1533b4dc0.de/post/libvirt-podman-netavark-follow-up/</link><pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.1533b4dc0.de/post/libvirt-podman-netavark-follow-up/</guid><description><p>This is a follow up post to <a href="https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/">&ldquo;Joining libvirt <abbr title="Virtual Machine">VM</abbr>s and Podman container in a common network&rdquo;</a>.
|
||||
Therefore I won&rsquo;t cover all the basics again and how to configure libvirt because nothing&rsquo;s changed on that side.</p>
|
||||
<h2 id="podman-40" >Podman 4.0
|
||||
<span>
|
||||
<a href="#podman-40">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Podman 4.0 comes with a completely new network stack replacing the previous <a href="https://www.cni.dev/"><abbr title="Container Network Interface">CNI</abbr></a> stack:</p>
|
||||
<ul>
|
||||
<li><a href="https://github.com/containers/netavark">Netavark</a></li>
|
||||
<li><a href="https://github.com/containers/aardvark-dns">Aardvark</a></li>
|
||||
</ul>
|
||||
<p>There are <a href="https://www.redhat.com/sysadmin/podman-new-network-stack">great resources</a> that explain the backgrounds of both tools and I don&rsquo;t think I could describe it better than the folks implementing it 😄 so if you&rsquo;re interested have a look at the aforementioned article or the <a href="https://podman.io/releases/2022/02/22/podman-release-v4.0.0.html">release post</a>.</p>
|
||||
<h2 id="netavark-and-libvirt" >Netavark and libvirt
|
||||
<span>
|
||||
<a href="#netavark-and-libvirt">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>After reading the announcement I was most curious if I would be able to configure an equivalent setup for Netavark like I described it with Podman 3.x and CNI.</p>
|
||||
<p><strong>Short answer:</strong> yes, it is possible! 🎉</p>
|
||||
<p><em>&ldquo;But how?!&rdquo;</em> do you ask?
|
||||
Well it&rsquo;s pretty much equivalent to the previous solution: you need to create a new Podman network I once more named it <em>&rsquo;libvirt&rsquo;</em>.
|
||||
To get an idea how the config should look like and where it should placed.
|
||||
I reused the CLI call from my previous article:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network create <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --disable-dns <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --internal <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --gateway 10.10.2.37 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip-range 10.10.2.160/29 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --subnet 10.10.2.0/24 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> libvirt
|
||||
</span></span></code></pre></div><p>The configuration files are now obviously resided in <code>/etc/containers/networks/</code> and my (already modified) <code>libvirt.json</code> now looks like so:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;name&#34;</span>: <span style="color:#e6db74">&#34;libvirt&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;id&#34;</span>: <span style="color:#e6db74">&#34;0489e6e643b97003c47b27a9ce0a6f6a8dce7d5f08329603e79a0ba48ad5285f&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;driver&#34;</span>: <span style="color:#e6db74">&#34;bridge&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;network_interface&#34;</span>: <span style="color:#e6db74">&#34;conbr0&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;created&#34;</span>: <span style="color:#e6db74">&#34;2022-04-05T09:18:48.198960971+01:00&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnets&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnet&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.0/24&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;gateway&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.42&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;lease_range&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;start_ip&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.1&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;end_ip&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.10&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ],
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipv6_enabled&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;internal&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;dns_enabled&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipam_options&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;driver&#34;</span>: <span style="color:#e6db74">&#34;host-local&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span>}
|
||||
</span></span></code></pre></div><p><em>Side note: I&rsquo;m really happy they dropped the <code>.conflist</code> extension because this way most editors offer really helpful syntax highlighting in the first place!</em></p>
|
||||
<p>Note that <code>&quot;internal&quot;: false</code> is mandatory. Otherwise I wasn&rsquo;t able to establish communication between VM and container.
|
||||
I also disabled the Aardvark <abbr title="Domain Name System">DNS</abbr> server and IPv6 support because I don&rsquo;t need it and I also don&rsquo;t expect much benefit of it due to the fact that it can&rsquo;t be aware of the VMs present in the network same as <code>dnsmasq</code> won&rsquo;t be able to resolve containers in the libvirt network.</p>
|
||||
<p>Having this in place I was again able to reuse the CLI command from my previous article:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman run <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --rm <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -d <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --name nginx <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --network libvirt <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip 10.10.1.151 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> docker.io/nginx:alpine
|
||||
</span></span></code></pre></div><p>to create a Nginx container that can be reached from a VM.</p>
|
||||
<h2 id="troubleshooting" >Troubleshooting
|
||||
<span>
|
||||
<a href="#troubleshooting">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Sometimes the communication between container and VM fails - don&rsquo;t know if I restarted the libvirt network previously or somehow fucked up the container network configuration but a:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network reload &lt;container ID/container name&gt;
|
||||
</span></span></code></pre></div><p>often resolved the problem.</p>
|
||||
<h2 id="final-thoughts" >Final thoughts
|
||||
<span>
|
||||
<a href="#final-thoughts">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>I haven&rsquo;t used <em>Netavark</em> and <em>Aardvark</em> a lot, yet.
|
||||
But I already noticed a few <strong>really awesome</strong> things:</p>
|
||||
<ul>
|
||||
<li>the <code>docker-compose</code> support seems to be a lot better now because containers are actually able to talk to each other by <em>service name</em>, something I wasn&rsquo;t able to configure properly in Podman 3.x - at least not rootless.</li>
|
||||
<li>with <em>Netavark</em> all the Podman configuration is now unified within <code>/etc/containers</code> or <code>$HOME/.config/containers</code> respectively</li>
|
||||
<li>the new configuration format is a little bit cleaner the the previous one due to the fact that <em>Netavark</em> does not support plugins and with a <code>.json</code> extension editors do help a lot more without requiring extra &ldquo;configuration&rdquo;</li>
|
||||
</ul></description></item></channel></rss>
|
||||
1
tags/netavark/page/1/index.html
Normal file
1
tags/netavark/page/1/index.html
Normal file
|
|
@ -0,0 +1 @@
|
|||
<!doctype html><html lang=en-us><head><title>https://www.1533b4dc0.de/tags/netavark/</title><link rel=canonical href=https://www.1533b4dc0.de/tags/netavark/><meta name=robots content="noindex"><meta charset=utf-8><meta http-equiv=refresh content="0; url=https://www.1533b4dc0.de/tags/netavark/"></head></html>
|
||||
12
tags/podman/index.html
Normal file
12
tags/podman/index.html
Normal file
File diff suppressed because one or more lines are too long
262
tags/podman/index.xml
Normal file
262
tags/podman/index.xml
Normal file
|
|
@ -0,0 +1,262 @@
|
|||
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>podman on 1533B4dC0.de</title><link>https://www.1533b4dc0.de/tags/podman/</link><description>1533B4dC0.de (podman)</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Thu, 24 Feb 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://www.1533b4dc0.de/tags/podman/index.xml" rel="self" type="application/rss+xml"/><item><title>Libvirt & Podman: follow up for Podman 4.0 and netavark</title><link>https://www.1533b4dc0.de/post/libvirt-podman-netavark-follow-up/</link><pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.1533b4dc0.de/post/libvirt-podman-netavark-follow-up/</guid><description><p>This is a follow up post to <a href="https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/">&ldquo;Joining libvirt <abbr title="Virtual Machine">VM</abbr>s and Podman container in a common network&rdquo;</a>.
|
||||
Therefore I won&rsquo;t cover all the basics again and how to configure libvirt because nothing&rsquo;s changed on that side.</p>
|
||||
<h2 id="podman-40" >Podman 4.0
|
||||
<span>
|
||||
<a href="#podman-40">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Podman 4.0 comes with a completely new network stack replacing the previous <a href="https://www.cni.dev/"><abbr title="Container Network Interface">CNI</abbr></a> stack:</p>
|
||||
<ul>
|
||||
<li><a href="https://github.com/containers/netavark">Netavark</a></li>
|
||||
<li><a href="https://github.com/containers/aardvark-dns">Aardvark</a></li>
|
||||
</ul>
|
||||
<p>There are <a href="https://www.redhat.com/sysadmin/podman-new-network-stack">great resources</a> that explain the backgrounds of both tools and I don&rsquo;t think I could describe it better than the folks implementing it 😄 so if you&rsquo;re interested have a look at the aforementioned article or the <a href="https://podman.io/releases/2022/02/22/podman-release-v4.0.0.html">release post</a>.</p>
|
||||
<h2 id="netavark-and-libvirt" >Netavark and libvirt
|
||||
<span>
|
||||
<a href="#netavark-and-libvirt">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>After reading the announcement I was most curious if I would be able to configure an equivalent setup for Netavark like I described it with Podman 3.x and CNI.</p>
|
||||
<p><strong>Short answer:</strong> yes, it is possible! 🎉</p>
|
||||
<p><em>&ldquo;But how?!&rdquo;</em> do you ask?
|
||||
Well it&rsquo;s pretty much equivalent to the previous solution: you need to create a new Podman network I once more named it <em>&rsquo;libvirt&rsquo;</em>.
|
||||
To get an idea how the config should look like and where it should placed.
|
||||
I reused the CLI call from my previous article:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network create <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --disable-dns <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --internal <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --gateway 10.10.2.37 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip-range 10.10.2.160/29 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --subnet 10.10.2.0/24 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> libvirt
|
||||
</span></span></code></pre></div><p>The configuration files are now obviously resided in <code>/etc/containers/networks/</code> and my (already modified) <code>libvirt.json</code> now looks like so:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;name&#34;</span>: <span style="color:#e6db74">&#34;libvirt&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;id&#34;</span>: <span style="color:#e6db74">&#34;0489e6e643b97003c47b27a9ce0a6f6a8dce7d5f08329603e79a0ba48ad5285f&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;driver&#34;</span>: <span style="color:#e6db74">&#34;bridge&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;network_interface&#34;</span>: <span style="color:#e6db74">&#34;conbr0&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;created&#34;</span>: <span style="color:#e6db74">&#34;2022-04-05T09:18:48.198960971+01:00&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnets&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnet&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.0/24&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;gateway&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.42&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;lease_range&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;start_ip&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.1&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;end_ip&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.10&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ],
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipv6_enabled&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;internal&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;dns_enabled&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipam_options&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;driver&#34;</span>: <span style="color:#e6db74">&#34;host-local&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span>}
|
||||
</span></span></code></pre></div><p><em>Side note: I&rsquo;m really happy they dropped the <code>.conflist</code> extension because this way most editors offer really helpful syntax highlighting in the first place!</em></p>
|
||||
<p>Note that <code>&quot;internal&quot;: false</code> is mandatory. Otherwise I wasn&rsquo;t able to establish communication between VM and container.
|
||||
I also disabled the Aardvark <abbr title="Domain Name System">DNS</abbr> server and IPv6 support because I don&rsquo;t need it and I also don&rsquo;t expect much benefit of it due to the fact that it can&rsquo;t be aware of the VMs present in the network same as <code>dnsmasq</code> won&rsquo;t be able to resolve containers in the libvirt network.</p>
|
||||
<p>Having this in place I was again able to reuse the CLI command from my previous article:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman run <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --rm <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -d <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --name nginx <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --network libvirt <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip 10.10.1.151 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> docker.io/nginx:alpine
|
||||
</span></span></code></pre></div><p>to create a Nginx container that can be reached from a VM.</p>
|
||||
<h2 id="troubleshooting" >Troubleshooting
|
||||
<span>
|
||||
<a href="#troubleshooting">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Sometimes the communication between container and VM fails - don&rsquo;t know if I restarted the libvirt network previously or somehow fucked up the container network configuration but a:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network reload &lt;container ID/container name&gt;
|
||||
</span></span></code></pre></div><p>often resolved the problem.</p>
|
||||
<h2 id="final-thoughts" >Final thoughts
|
||||
<span>
|
||||
<a href="#final-thoughts">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>I haven&rsquo;t used <em>Netavark</em> and <em>Aardvark</em> a lot, yet.
|
||||
But I already noticed a few <strong>really awesome</strong> things:</p>
|
||||
<ul>
|
||||
<li>the <code>docker-compose</code> support seems to be a lot better now because containers are actually able to talk to each other by <em>service name</em>, something I wasn&rsquo;t able to configure properly in Podman 3.x - at least not rootless.</li>
|
||||
<li>with <em>Netavark</em> all the Podman configuration is now unified within <code>/etc/containers</code> or <code>$HOME/.config/containers</code> respectively</li>
|
||||
<li>the new configuration format is a little bit cleaner the the previous one due to the fact that <em>Netavark</em> does not support plugins and with a <code>.json</code> extension editors do help a lot more without requiring extra &ldquo;configuration&rdquo;</li>
|
||||
</ul></description></item><item><title>Libvirt & Podman: network 'mesh'</title><link>https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/</link><pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.1533b4dc0.de/post/libvirt-podman-network-mesh/</guid><description><p><em>Disclaimer: I tested all this with Podman 3.x even though Podman 4.0 is already announced but the <abbr title="Container Network Interface">CNI</abbr> driver is still available with Podman 4.0 and as soon as I get my hands on 4.0 I&rsquo;ll give <strong>Netavark</strong> a try, too!</em></p>
|
||||
<p>When playing around with containers and <abbr title="Virtual Machine">VM</abbr>s one might ask if it&rsquo;s possible to bring VMs and containers into a common network segment.
|
||||
I see &lsquo;why the hell would I need a VM anyway when already having containers&rsquo; or something similar I almost see on your face 😜</p>
|
||||
<p>Well 1st of all, not everything can be solved with containers.
|
||||
For instance windows applications can be run in Windows containers but I&rsquo;m not aware of how to run a Windows container on my Linux desktop.</p>
|
||||
<p>But also in pure Linux environments there are cases where a VM is probably a better fit for the problem.
|
||||
As you might know I&rsquo;m a bit of network 🤓 and I love playing around with &lsquo;weird&rsquo; stuff almost no one else does even think about if not forced to.
|
||||
So if you try to implement for example your own DHCP server you might want to isolate your experiments (especially at the beginning) to avoid discussion about &ldquo;why&rsquo;s Netflix on the TV not working?!&rdquo; 😄 or also if you try to implement your own &lsquo;firewall&rsquo; with <abbr title="Destination network address translation">DNAT</abbr> support (stay tuned - post&rsquo;s following!).</p>
|
||||
<h2 id="part-1-libvirt-preparation" >Part 1: Libvirt preparation
|
||||
<span>
|
||||
<a href="#part-1-libvirt-preparation">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p>Okay now that I came around with <em>some</em> arguments - if they&rsquo;re convincing or not is not important - how does this work?</p>
|
||||
<p>Assuming you&rsquo;ve Libvirt and Podman already installed on your system without any modification and you run</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>virsh net-list
|
||||
</span></span></code></pre></div><p>you should have at least the <code>default</code> network already.</p>
|
||||
<p>The definition of all networks (as of every other component of libvirt) is in XML.
|
||||
<code>virsh</code> comes with a <code>net-dumpxml</code> command to export the configuration of a network:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>virsh net-dumpxml default
|
||||
</span></span></code></pre></div><p>The output should look (more or less) like in the following snippet:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#f92672">&lt;network&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;name&gt;</span>default<span style="color:#f92672">&lt;/name&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;uuid&gt;</span>8d2028ed-cc9a-4eae-9883-b59b673d560d<span style="color:#f92672">&lt;/uuid&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;forward</span> <span style="color:#a6e22e">mode=</span><span style="color:#e6db74">&#39;nat&#39;</span><span style="color:#f92672">&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;nat&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;port</span> <span style="color:#a6e22e">start=</span><span style="color:#e6db74">&#39;1024&#39;</span> <span style="color:#a6e22e">end=</span><span style="color:#e6db74">&#39;65535&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/nat&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/forward&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;bridge</span> <span style="color:#a6e22e">name=</span><span style="color:#e6db74">&#39;virbr0&#39;</span> <span style="color:#a6e22e">stp=</span><span style="color:#e6db74">&#39;on&#39;</span> <span style="color:#a6e22e">delay=</span><span style="color:#e6db74">&#39;0&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;mac</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;63:b3:d8:75:53:6b&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;ip</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;192.168.122.1&#39;</span> <span style="color:#a6e22e">netmask=</span><span style="color:#e6db74">&#39;255.255.255.0&#39;</span><span style="color:#f92672">&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;range</span> <span style="color:#a6e22e">start=</span><span style="color:#e6db74">&#39;192.168.122.2&#39;</span> <span style="color:#a6e22e">end=</span><span style="color:#e6db74">&#39;192.168.122.254&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/ip&gt;</span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;/network&gt;</span>
|
||||
</span></span></code></pre></div><p>So we&rsquo;ve a <code>&lt;network/&gt;</code> that is defined by:</p>
|
||||
<ul>
|
||||
<li>a <code>&lt;name/&gt;</code></li>
|
||||
<li>a <code>&lt;uuid/&gt;</code></li>
|
||||
<li>a <em>optional</em> <code>&lt;forward/&gt;</code> node</li>
|
||||
<li>a <code>&lt;bridge/&gt;</code> interface</li>
|
||||
<li>the <code>&lt;mac/&gt;</code> for the bridge interface (of the host)</li>
|
||||
<li>the <code>&lt;ip/&gt;</code> of the host on the bridge interface
|
||||
<ul>
|
||||
<li>an <em>optional</em> <code>&lt;dhcp/&gt;</code> range definition</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<p>The complete reference for the XML schema can be found <a href="https://libvirt.org/formatnetwork.html">here</a>.</p>
|
||||
<p>Before we have a closer look how to bring Podman containers into a Libvirt network, let&rsquo;s define a new <code>containers</code> network.
|
||||
The following snippet contains the definition I&rsquo;ll use:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-xml" data-lang="xml"><span style="display:flex;"><span><span style="color:#f92672">&lt;network&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;name&gt;</span>containers<span style="color:#f92672">&lt;/name&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;uuid&gt;</span>929b7b7d-bd82-452d-96b7-12f0cf1a4b17<span style="color:#f92672">&lt;/uuid&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;bridge</span> <span style="color:#a6e22e">name=</span><span style="color:#e6db74">&#39;conbr0&#39;</span> <span style="color:#a6e22e">stp=</span><span style="color:#e6db74">&#39;on&#39;</span> <span style="color:#a6e22e">delay=</span><span style="color:#e6db74">&#39;0&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;mac</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;af:af:13:ed:c6:41&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;ip</span> <span style="color:#a6e22e">address=</span><span style="color:#e6db74">&#39;10.10.1.42&#39;</span> <span style="color:#a6e22e">netmask=</span><span style="color:#e6db74">&#39;255.255.255.0&#39;</span><span style="color:#f92672">&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;range</span> <span style="color:#a6e22e">start=</span><span style="color:#e6db74">&#39;10.10.1.100&#39;</span> <span style="color:#a6e22e">end=</span><span style="color:#e6db74">&#39;10.10.1.150&#39;</span><span style="color:#f92672">/&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/dhcp&gt;</span>
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&lt;/ip&gt;</span>
|
||||
</span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;/network&gt;</span>
|
||||
</span></span></code></pre></div><p>It&rsquo;s quite similar except I made a few adoptions:</p>
|
||||
<ul>
|
||||
<li>remove the <code>&lt;forward/&gt;</code> block</li>
|
||||
<li>change the <code>&lt;name/&gt;</code> and the <code>&lt;uuid/&gt;</code> (with the help of <code>uuidgen</code>)</li>
|
||||
<li>change the <code>name=&quot;&quot;</code> of the <code>&lt;bridge/&gt;</code></li>
|
||||
<li>change the <code>address=&quot;&quot;</code> attribute of the <code>&lt;mac/&gt;</code> (use any <a href="https://macaddress.io/mac-address-generator">mac address generator</a>)</li>
|
||||
<li>change the <code>address=&quot;&quot;</code> attribute of the <code>&lt;ip/&gt;</code> and <code>start=&quot;&quot;</code> and <code>end=&quot;&quot;</code> of the DHCP range accordingly</li>
|
||||
</ul>
|
||||
<p>You may use any private network - as far as I can tell it shouldn&rsquo;t matter if you&rsquo;re using a class B, C or D private network as long as you don&rsquo;t have any conflicts with your LAN or any other virtual interfaces of your environment.</p>
|
||||
<p>When done safe your network definition as <code>.xml</code> file.
|
||||
To import the configuration you can use <code>virsh net-define</code> like in the following snippet (assuming the network definition is in <code>containers.xml</code>):</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ virsh net-define containers.xml
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>&gt; Network containers defined from containers.xml
|
||||
</span></span></code></pre></div><p><em>Note: this only works because the XML already contains an <code>&lt;uuid/&gt;</code>. Otherwise you&rsquo;d have to use <code>virsh net-create</code> and a few more extra steps to make the network actually persistent.</em></p>
|
||||
<p>If you now check with <code>virsh net-list</code> you&rsquo;d be disappointed because there&rsquo;s no network!
|
||||
Checking again with <code>virsh net-list --all</code> explains why our <code>containers</code> network wasn&rsquo;t in the output previously because it is by default <em>inactive</em>.
|
||||
To activate it we&rsquo;ve to start it like so:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ virsh net-start containers
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>&gt; Network containers started
|
||||
</span></span></code></pre></div><p>If you don&rsquo;t mind the extra adapter and wish to use the network frequently in the future you might consider to autostart it:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ virsh net-autostart containers
|
||||
</span></span><span style="display:flex;"><span>
|
||||
</span></span><span style="display:flex;"><span>&gt; Network containers marked as autostarted
|
||||
</span></span></code></pre></div><p>With our custom Libvirt network in place we&rsquo;re good to go to configure Podman.</p>
|
||||
<h2 id="part-2-podman-cni-network" >Part 2: Podman CNI network
|
||||
<span>
|
||||
<a href="#part-2-podman-cni-network">
|
||||
<svg viewBox="0 0 28 23" height="100%" width="19" xmlns="http://www.w3.org/2000/svg"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" fill="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/></svg>
|
||||
</a>
|
||||
</span>
|
||||
</h2><p><em>Note: this only works with <strong>rootfull</strong> Podman because rootless Podman does not use CNI but another network stack.</em></p>
|
||||
<p>A clean Podman installation without any custom network created comes with the default network <code>podman</code>.
|
||||
Rootfull Podman network configs are by default stored in <code>/etc/cni/net.d</code>.
|
||||
You should find the default network as <code>87-podman.conflist</code> in the aforementioned directory.</p>
|
||||
<p>Every Podman network is defined as JSON file.
|
||||
We will define our own <code>libvirt</code> network to join Podman containers into the previously created Libvirt network.
|
||||
You can either use <code>podman network create</code> to create the network (at least more or less) or you can copy for example the default network and make some adjustments.</p>
|
||||
<p>To create the new network from the CLI you can use the following command:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman network create <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --disable-dns <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --internal <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --gateway 10.10.2.37 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip-range 10.10.2.160/29 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --subnet 10.10.2.0/24 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> libvirt
|
||||
</span></span></code></pre></div><p>Note that I used a different IP range as in the Libvirt network! Otherwise Podman will complain that the IP range is already in use at an adapter.
|
||||
You can use this command to create the required file in <code>/etc/cni/net.d/</code> but you&rsquo;ve to update the <code>ranges</code> accordingly before creating a container in the network.</p>
|
||||
<p>Because we&rsquo;ve to edit the <code>.conflist</code> either way copy the default one is also fine.</p>
|
||||
<p>The <code>.conflist</code> I&rsquo;m using looks like this:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;cniVersion&#34;</span>: <span style="color:#e6db74">&#34;0.4.0&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;name&#34;</span>: <span style="color:#e6db74">&#34;libvirt&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;plugins&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;bridge&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;bridge&#34;</span>: <span style="color:#e6db74">&#34;conbr0&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;isGateway&#34;</span>: <span style="color:#66d9ef">false</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;hairpinMode&#34;</span>: <span style="color:#66d9ef">true</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ipam&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;host-local&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;routes&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;dst&#34;</span>: <span style="color:#e6db74">&#34;0.0.0.0/0&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ],
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;ranges&#34;</span>: [
|
||||
</span></span><span style="display:flex;"><span> [
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;subnet&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.0/24&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;rangeStart&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.151&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;rangeEnd&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.160&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;gateway&#34;</span>: <span style="color:#e6db74">&#34;10.10.1.42&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> },
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;portmap&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;capabilities&#34;</span>: {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;portMappings&#34;</span>: <span style="color:#66d9ef">true</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> },
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;firewall&#34;</span>,
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;backend&#34;</span>: <span style="color:#e6db74">&#34;&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> },
|
||||
</span></span><span style="display:flex;"><span> {
|
||||
</span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;type&#34;</span>: <span style="color:#e6db74">&#34;tuning&#34;</span>
|
||||
</span></span><span style="display:flex;"><span> }
|
||||
</span></span><span style="display:flex;"><span> ]
|
||||
</span></span><span style="display:flex;"><span>}
|
||||
</span></span></code></pre></div><p>Interestingly the <code>rangeStart</code> and <code>rangeEnd</code> are actually IP addresses and not tight to some IP networks but unfortunately there&rsquo;s no equivalent for <code>podman network create</code> hence I update both to a range after the DHCP range of the Libvirt network to make sure that no duplicate IPs are assigned.</p>
|
||||
<p>I tend to declare the network as <code>host-local</code> but this shouldn&rsquo;t be critical.
|
||||
The <strong>most important</strong> part is to update the <code>bridge</code> to the same interface like in the Libvirt network definition (in my case <code>conbr0</code>).</p>
|
||||
<p>After this we&rsquo;re ready to go and you can for instance start a Nginx container in the <code>libvirt</code> network and you should be able to reach it from a VM in the Libvirt network:</p>
|
||||
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>podman run <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --rm <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> -d <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --name nginx <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --network libvirt <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --ip 10.10.1.151 <span style="color:#ae81ff">\
|
||||
</span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> docker.io/nginx:alpine
|
||||
</span></span></code></pre></div><p>A nice option for <code>podman run</code> is <code>--ip</code>.
|
||||
You&rsquo;ve to choose an IP from the previously configured <code>range</code> but you can skip the <code>podman inspect</code> or <code>ip a</code> to get the container IP and the container will have the IP every time you start it, if you like 😉 and speaking of &rsquo;nice&rsquo; <code>podman run</code> options: you do know <code>--replace</code>, don&rsquo;t you?</p></description></item></channel></rss>
|
||||
1
tags/podman/page/1/index.html
Normal file
1
tags/podman/page/1/index.html
Normal file
|
|
@ -0,0 +1 @@
|
|||
<!doctype html><html lang=en-us><head><title>https://www.1533b4dc0.de/tags/podman/</title><link rel=canonical href=https://www.1533b4dc0.de/tags/podman/><meta name=robots content="noindex"><meta charset=utf-8><meta http-equiv=refresh content="0; url=https://www.1533b4dc0.de/tags/podman/"></head></html>
|
||||
Loading…
Add table
Reference in a new issue