Managed network dependency resolution on incusd start

I was trying to make a workaround for the issue "Unable to edit managed bridge network if it created with 'bridge.external_interfaces' value in <interfaceName>/<parentInterfaceName>/<vlanId> format" (Issue #2166 · lxc/incus · GitHub) and found another issue.

Historically I use a bunch of VLANs and I have to maintain corresponded VLANs and bridges on every incus cluster node. Now I’m trying to switch to fully managed networks and OVN (microovn under the hood) to reduce cluster management overhead. However, the issue above currently blocks me from creating a bridge (or even OVN) managed network in one shot.

I was trying to create the uplink VLAN and bridge networks in 2 steps, and this works well until… the node is rebooted. The incus logs show that the networks are created in an order which does not honor their dependencies. I expect that such a case has never been reviewed and never supported.

Steps to reproduce

(For a cluster environment; should work with a single server and with a regular bridge as well.)

Create managed networks
for i in {1..3}; do incus network create eth0.90 --type physical parent=eth0 --target vm-0$i; done && \
incus network create eth0.90 --type physical ipv4.gateway=192.168.91.254/23 ipv4.ovn.ranges=192.168.91.0-192.168.91.248 vlan=90 && \
for i in {1..3}; do incus network create br90 --type bridge bridge.external_interfaces=eth0.90 --target vm-0$i; done && \
incus network create br90 --type bridge bridge.driver=openvswitch ipv6.address=none ipv4.address=192.168.90.1/23 ipv4.dhcp.expiry=10m ipv4.dhcp.gateway=192.168.91.254 ipv4.dhcp.ranges=192.168.90.64-192.168.90.255 ipv4.nat=false
Check that the bridge is connected to the uplink VLAN.

>ovs-vsctl list-ports br90
eth0.90

Reboot the node and check again that the bridge is connected to the uplink VLAN.

>ovs-vsctl list-ports br90

Incus logs the warning:

time="2025-06-16T16:09:35Z" level=warning msg="Skipping attaching missing external interface" driver=bridge interface=eth0.90 network=br90 project=default

ip link shows that both br90 and eth0.90 have been created; however, the order of creation is not the expected order.
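
The post-reboot check from the steps above, written as a script. This is an added example, not part of the original post and not Incus code; the function names are hypothetical, and it assumes an Open vSwitch bridge as in the post.

```shell
#!/bin/sh
# Added example (not Incus code). Function names are hypothetical.

# external_ifaces VALUE
# Split a bridge.external_interfaces value into one port name per line.
# Entries are comma-separated; an entry may be a plain name or use the
# <interfaceName>/<parentInterfaceName>/<vlanId> form, where only the first
# field names the port that ends up on the bridge.
external_ifaces() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r entry; do
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        if [ -n "$entry" ]; then
            printf '%s\n' "${entry%%/*}"
        fi
    done
}

# missing_ports VALUE ATTACHED
# ATTACHED is a newline-separated port list such as the output of
# `ovs-vsctl list-ports br90`. Prints every expected port that is absent.
missing_ports() {
    external_ifaces "$1" | while IFS= read -r ifname; do
        # -x and -F: exact, literal match, so eth0.90 never matches eth0.900
        if ! printf '%s\n' "$2" | grep -qxF -- "$ifname"; then
            printf '%s\n' "$ifname"
        fi
    done
}

# check_bridge BRIDGE [MEMBER]
# Live check on a host with incus and Open vSwitch. The key is set per
# cluster member in the post, so MEMBER is passed as --target when given.
# Returns 0 if all ports are attached, 1 if some are missing, 2 on error.
check_bridge() {
    cfg=$(incus network get "$1" bridge.external_interfaces \
        ${2:+--target "$2"}) || return 2
    ports=$(ovs-vsctl list-ports "$1") || return 2
    missing=$(missing_ports "$cfg" "$ports")
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s: external interface(s) not attached: %s\n' "$1" \
        "$(printf '%s' "$missing" | tr '\n' ' ')"
    return 1
}

# Constructed sample: the post-reboot state from the post, where
# `ovs-vsctl list-ports br90` prints nothing.
missing_ports "eth0.90" ""
```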

Not answering your question here, but I just wanted to point out that there is a middle ground, which is to use VLAN-aware bridges.

Here’s the configuration from my home server:

# /etc/netplan/01-netcfg.yaml
network:
  version: 2
  ethernets:
    enp1s0:
      wakeonlan: true
      dhcp4: false
      accept-ra: false
      link-local: []
  bridges:
    br0:
      # See https://bugs.launchpad.net/netplan/+bug/1782221
      macaddress: xx:xx:xx:xx:xx:xx   # Copy MAC address of enp1s0
      interfaces: [enp1s0]
      parameters:
        stp: false
        forward-delay: 0
      dhcp4: false
      accept-ra: false
      addresses:
        - 10.12.255.13/24
        - "xxxx:xxxx:xxxx:xxxx::13/64"
      routes:
        - to: default
          via: 10.12.255.1
        - to: default
          via: "xxxx:xxxx:xxxx:xxxx::1"
      nameservers:
        addresses: [10.12.255.1]
        search: [example.com]

# /etc/systemd/network/10-netplan-br0.netdev.d/vlan.conf
[Bridge]
MulticastSnooping=false
VLANFiltering=true

# /etc/systemd/network/10-netplan-br0.network.d/vlan.conf
[BridgeVLAN]
VLAN=2-3
VLAN=248-256
PVID=255
EgressUntagged=255

# /etc/systemd/network/10-netplan-enp1s0.network.d/vlan.conf
[BridgeVLAN]
VLAN=2-3
VLAN=248-256

The above config gives me tagged VLANs on the enp1s0 port. The server’s own IP address is on VLAN 255, which is still tagged on the external port, but because of settings PVID and EgressUntagged, I can apply the local address to br0 directly, rather than br0.255.

Then in incus, I create interfaces or profiles which attach to any VLAN of interest without having to touch the network config any further, for example:

# incus profile show br255
config: {}
description: Bridge to vlan 255
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic
    vlan: "255"
  root:
    path: /
    pool: default
    type: disk
name: br255

It’s slightly annoying that I can’t put all the config in netplan so I need those auxiliary files under /etc/systemd/network/, but apart from that it works really well, and is way simpler than trying to get my head around OVN.

Useful commands:

ip [-d] [-j -p] link show type bridge
ip [-d] [-j -p] link show br0
ip [-d] [-j -p] link show master br0
bridge -compressvlans vlan show
bridge link show

This is what I use now. My intention is to move from the OS-defined bridges to the incus-managed bridges to reduce the overhead of maintaining network configuration on a 7-node cluster.

Ah I see. When you said “corresponded VLANs and bridges” I thought you meant one bridge per VLAN. That is what I had before, and indeed is a pain to manage! 🙂

With a single VLAN-aware bridge, it would be possible to enable VLANs 2-4095 up-front and then they’re all available to use. But this only works if your cluster nodes are all connected at layer 2.