LXD networking with netplan, and vlans

bodleytunes · June 12, 2019, 10:09pm

You can actually make the management network inaccessible to the containers

By default all interfaces can route to each other as they live in the default routing table.

You have to make use of linux VRF and/or multiple routing tables to get what you need for the L3 isolation for the management interface.

I would firstly install something to abstract away some of the more tedious linux networking, I usually use FRR v7 (Free range routing) you can install it via apt repos now… https://deb.frrouting.org/

This allows you to manage your interface IP addresses via a cisco-like interface “vtysh”

You can manipulate the kernel routing tables and create routes in “VRF”, it uses staticD and zebra if I remember correctly.

There may be easier ways to do it now in FRR but this is what I have done a few months ago in /etc/network/interfaces to create a VRF for my management interface (the more manual way).

### management - vlan193

allow-bridge0 vlan_193
iface vlan_193 inet static
  ovs_type OVSIntPort
  ovs_bridge bridge0
  ovs_options vlan_mode=access tag=193
  address 10.10.193.5
  netmask 255.255.255.0
  dns-nameservers 8.8.8.8 1.1.1.1
  post-up ip link add mgmt type vrf table 10
  post-up ip link set dev mgmt up
  post-up ip rule add iif mgmt table 10
  post-up ip rule add oif mgmt table 10
  post-up ip link set dev vlan_193 master mgmt
  post-up ip route add default via 10.10.193.1 table 10
 
### Bonded interfaces
 
auto enp2s0f0
iface enp2s0f0 inet manual
 
auto enp2s0f1
iface enp2s0f1 inet manual

## Bond and trunk specific vlans
 
allow-bridge0 bond0
iface bond0 inet manual
  ovs_bridge bridge0
  ovs_type OVSBond
  ovs_bonds enp2s0f0 enp2s0f1
  ovs_options bond_mode=balance-tcp lacp=active other-config:lacp-time=slow other_config:lacp-fallback-ab=true tag=1 vlan_mode=native-untagged trunks=1,80,88,193

### Bind all the l3 ports together in the ovs bridge
 
auto bridge0
allow-ovs bridge0
iface bridge0 inet manual
  ovs_type OVSBridge
  ovs_ports bond0 vlan_88 vlan_193
  up /etc/network/if-up.d/vlans
 
 
allow-bridge0 vlan_88
iface vlan_88 inet static
  ovs_type OVSIntPort
  ovs_bridge bridge0
  ovs_options vlan_mode=access tag=88
  address 10.10.88.10
  netmask 255.255.255.0
  gateway 10.10.88.1
  up ip route add 10.10.0.0/16 via 10.10.88.1


### Routed lxdbridge
 
 
auto lxdbr99
allow-ovs lxdbr99
iface lxdbr99 inet static
  ovs_type OVSBridge
  address 10.10.99.1
  netmask 255.255.255.0

root@m11:/home/jon# cat /etc/network/if-up.d/vlans

ovs-vsctl add-br lxdbr80 bridge0 80