Re: [pve-devel] More than 10 interfaces in lxc containers

From: Stephan Leemburg <sleemburg@it-functions.nl>
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] More than 10 interfaces in lxc containers
Date: Tue, 25 Aug 2020 00:09:46 +0200	[thread overview]
Message-ID: <08b63223-ba28-8c80-e72a-ccde8395bd15@it-functions.nl> (raw)
In-Reply-To: <890269350b55f29457cd32bc35911a66ebcd36f3.camel@junkyard.4t2.com>

On 24-08-2020 18:14, Tom Weber wrote:
> Am Montag, den 24.08.2020, 17:49 +0200 schrieb Dietmar Maurer:
>>> On 08/24/2020 12:54 PM Stephan Leemburg <sleemburg@it-functions.nl>
>>> wrote:
>>>
>>>   
>>> On 24-08-2020 06:53, Dietmar Maurer wrote:
>>>>> If I don't put a tag on the device, it seems to behave like a
>>>>> trunk. So,
>>>>> that would solve my problem. _If_ the hosts where openvswitch
>>>>> enabled.
>>>> I am unable to see why you need openvswitch for that? This also
>>>> works with
>>>> standard linux network.
>>> Hi Dietmar,
>>>
>>> Oh, that is new for me.
>>>
>>> So, I can have a vlan aware traditional bridge in the firewall
>>> that
>>> receives tagged frames and at the same time have the clients on
>>> the
>>> specific 'vlans' receive non-tagged frames for their respective
>>> pvid?
>>>
>>> How can this be configured in Proxmox?
>> You do not not any special config on the pve host if you do all VLAN
>> related
>> stuff inside the VM.
> You do realize that Stephan is talking about CT not VM? (althought I
> don't think such a setup makes sense)
>
>    Tom

Thanks. I have done some research and experimenting on my test system.

I was not aware of vlan capable bridging. But if I have this in my 
/etc/network/interfaces on a traditional bridge configured system, then 
I can also assign vlans to the hosts on vmbr1 Just like with openvswitch.

auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
     address 192.168.240.246
     netmask 255.255.255.0
     gateway 192.168.240.254
     bridge_ports eth0
     bridge_stp off
     bridge_fd 0

auto vmbr1
iface vmbr1 inet manual
     bridge-vlan-aware yes
     bridge-vids 2-200
     bridge-pvid 2
     bridge_ports none
     bridge_stp off
     bridge_fd 0

Dietmar knows this, but I had to do my homework. So, it is more or less 
the same as with openvswitch. And it still is an intrusive change for my 
operational systems.

So for now, while planning to do the migration to openvswitch, I took 
the easy way out in adding an additional interface in the 
/etc/pve/lxc/${CT}.conf file:

lxc.net.10.type: veth
lxc.net.10.link: vmbr5
lxc.net.10.veth.pair: veth1001i15
lxc.net.10.hwaddr: 00:CE:99:F9:BF:12
lxc.net.10.name: eth11
lxc.net.10.flags: up

So, I have learned. Even though some think different about the 'shared 
network stack' firewall approach, it can work. Be it with ovs, vlan 
capable bridge or a workaround.

Still (Dietmar?), bumping from 10 to 32 would not hurt anyone and can 
avoid long mail threads like this.. And 2^(10/2) is nicer than 10^1 
isn't it? And there still is 10 in it ;-)

Anyway. I will not bother you any longer on this  subject.

Thank you all for your patience, replies and efforts.

I have learned at least something new about vlan capable bridges and 
that Proxmox supports it. And I know tomorrow I will share this with 
some other senior Linux admin who has been using Proxmox for a long time 
that also did not know about this (as I also consulted with him).

Kind regards,

Stephan

>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>