containers / netavark

Container network stack
Apache License 2.0

VLAN support in bridge network driver #1028

Open ahinrichs opened 1 month ago

ahinrichs commented 1 month ago

Feature request description

With podman + netavark it is currently not possible to create veth links with VLAN tags.

I use the linux bridge in VLAN-aware mode to interconnect different containers/VMs (podman, libvirt, lxc, systemd-nspawn). To connect podman containers to a specific VLAN I use the CNI bridge plugin in L2-only vlan configuration.

[Screenshot, 2024-07-22: CNI bridge plugin configuration]

Suggest potential solution

It would need two changes:

  1. Support multiple networks with the same network_interface but different vlan option
  2. Set the vlan on the veth link: sudo bridge vlan add vid 20 pvid untagged dev veth1

1. network creation

Currently, podman network create already allows setting a vlan option:

$ podman network create -o 'com.docker.network.bridge.name=brint' \
        -o vlan=20 --ipam-driver 'none' vlan20

gives /etc/containers/networks/vlan20.json

{
  "name": "vlan20",
  "driver": "bridge",
  "network_interface": "brint",
  "options": {
    "vlan": "20"   <--- 
  },
  "ipam_options": {
    "driver": "none"
  }
}

But it fails to create another network on the same bridge:

$ sudo podman network create -o 'com.docker.network.bridge.name=brint' \
        -o vlan=30 --ipam-driver 'none' vlan30
Error: bridge name brint already in use

2. container startup / link creation

When using a network, the vlan option currently is ignored:

$ sudo podman run --rm -dit --net vlan20 alpine sh
f10492164ec16b69a2216bdcfe9e78812ab5a90865937ca95ec6a6f32064cdaa
$ bridge vlan
port              vlan-id
[...]
veth1             1 PVID Egress Untagged

With CNI (or libvirt, lxc, ...) it works as expected:

$ bridge vlan
port              vlan-id
veth1             1 Egress Untagged
                  20 PVID Egress Untagged

Have you considered any alternatives?

I used to use CNI and custom shell based plugins. As CNI is considered deprecated I am trying to recreate my setup. Netavark and its support for multiple static interfaces is great, but the lack of VLAN support in podman is currently a stopper for me. So I need to stick with CNI for now.

Additional context

From the podman network create manpage:

--opt, -o=option

Set driver specific options.

Additionally the bridge driver supports the following options:
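An added example, not code from podman, netavark or the issue author: it composes the manual iproute2 fix the issue asks for (the `bridge vlan add ... pvid untagged` command) and verifies from plain `bridge vlan` output whether a container's veth really became an untagged access port in the wanted VLAN, or was silently left on the bridge default PVID 1 as the netavark output above shows. The sample tables are constructed from the two outputs in the issue; the extra `bridge vlan del vid 1` step and the `strict` mode are this example's own additions (they assume the bridge default VLAN is 1), not something the issue or netavark does.

```python
# Added example (not podman/netavark code): verify a veth's VLAN membership
# from `bridge vlan` output and compose the manual iproute2 fix from the issue.
import re
import subprocess
from typing import Dict, FrozenSet, List, Optional, Tuple

# port -> rows of (lowest vid, highest vid, flags); a single vid has lo == hi
VlanTable = Dict[str, List[Tuple[int, int, FrozenSet[str]]]]

# "veth1   20 PVID Egress Untagged", "   20 ...", or a range "br0   2-4094"
_ROW = re.compile(r"^(\S*)\s+(\d+)(?:-(\d+))?\s*(.*)$")


def parse_bridge_vlan(text: str) -> VlanTable:
    """Parse the plain-text table printed by iproute2 `bridge vlan`.

    A port's first row carries the device name; further rows for the same
    port are indented and carry only a vid (or vid range) and its flags.
    """
    table: VlanTable = {}
    port: Optional[str] = None
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] in ("port", "[...]"):
            continue  # column header, blank line, or elided rows
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised bridge vlan row: {line!r}")
        name, lo, hi, flags = m.groups()
        if name:
            port = name
        if port is None:
            raise ValueError("vid row before any port row")
        table.setdefault(port, []).append(
            (int(lo), int(hi or lo), frozenset(flags.split()))
        )
    return table


def pvid(table: VlanTable, port: str) -> Optional[int]:
    """Return the vid that untagged frames from `port` are placed into."""
    for lo, _hi, flags in table.get(port, []):
        if "PVID" in flags:
            return lo
    return None


def vlan_ok(output: str, port: str, vid: int, strict: bool = False) -> bool:
    """True iff `port` is an untagged access port in `vid`.

    Non-strict: vid is the port's PVID and egress-untagged (the CNI result in
    the issue). Strict additionally requires that the port is a member of no
    other vid, so untagged traffic on the default vid 1 cannot reach it.
    """
    rows = parse_bridge_vlan(output).get(port, [])
    wanted = [r for r in rows if r[0] <= vid <= r[1]]
    if not wanted:
        return False
    flags = wanted[0][2]
    if "PVID" not in flags or "Untagged" not in flags:
        return False
    if strict and len(rows) != len(wanted):
        return False  # still a member of other vids, e.g. the default vid 1
    return True


def vlan_fix_commands(veth: str, vid: int, drop_default: bool = True) -> List[List[str]]:
    """argv lists that put `veth` into `vid` as an untagged access port.

    The first command is the one from the issue. Removing vid 1 is an extra
    step added here (assumption: the bridge default vid is 1).
    """
    cmds = [["bridge", "vlan", "add", "vid", str(vid), "pvid", "untagged", "dev", veth]]
    if drop_default and vid != 1:
        cmds.append(["bridge", "vlan", "del", "vid", "1", "dev", veth])
    return cmds


def apply_fix(veth: str, vid: int, runner=subprocess.run) -> bool:
    """Apply the fix (needs CAP_NET_ADMIN) and re-check with `bridge vlan`."""
    for cmd in vlan_fix_commands(veth, vid):
        runner(cmd, check=True)
    shown = runner(["bridge", "vlan", "show", "dev", veth],
                   check=True, capture_output=True, text=True).stdout
    return vlan_ok(shown, veth, vid, strict=True)


# Constructed from the two tables in the issue: netavark leaves the port on
# the bridge default vid 1; CNI's L2 vlan mode puts it on vid 20.
NETAVARK_TODAY = """\
port              vlan-id
veth1             1 PVID Egress Untagged
"""
CNI_L2_VLAN = """\
port              vlan-id
veth1             1 Egress Untagged
                  20 PVID Egress Untagged
"""

if __name__ == "__main__":
    for label, out in (("netavark", NETAVARK_TODAY), ("cni", CNI_L2_VLAN)):
        print(label, "pvid=", pvid(parse_bridge_vlan(out), "veth1"),
              "ok=", vlan_ok(out, "veth1", 20),
              "strict=", vlan_ok(out, "veth1", 20, strict=True))
    for cmd in vlan_fix_commands("veth1", 20):
        print(" ".join(cmd))
```

Run it against a live host with `bridge vlan | python3 -c '...'` or call `apply_fix("veth1", 20)` as root after the container is up; the strict check is the one to alert on, because a port that still carries vid 1 egress-untagged receives whatever untagged traffic crosses the bridge's default VLAN.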

Luap99 commented 1 month ago

This has to be implemented in netavark, so I move the issue there.

ahinrichs commented 1 month ago

For 1., the code is in a different repo (common), func createBridge, line 16

Luap99 commented 1 month ago

Yes, but until it is implemented in netavark (PRs welcome) there is no point in allowing that in c/common/libnetwork.