From: Friedrich Weber
To: pve-devel@lists.proxmox.com
Date: Thu, 23 Feb 2023 14:54:18 +0100
Subject: Re: [pve-devel] [PATCH v4 container/manager 0/3] fix #3413: Add `Disconnect` option for LXC networks
Message-ID: <3701e1b9-703b-a687-caf7-d71521cba2e0@proxmox.com>
In-Reply-To: <20230222124903.326612-1-c.heiss@proxmox.com>

As I also missed that feature, I applied the patches to my PVE instance
with pre-existing containers -- all interfaces stayed up as expected,
and disconnecting/reconnecting interfaces for running and stopped
containers via the Web UI worked nicely.

Tested-by: Friedrich Weber

On 22/02/2023 13:49, Christoph Heiss wrote:
> Add a `Disconnect` option for network interfaces on LXC containers, much
> like it already exists for VMs. This has been requested in #3413 [0] and
> seems useful, especially considering we already support the same thing
> for VMs.
>
> One thing to note is that LXC does not seem to support the notion of
> setting an interface down. The `flags` property would suggest that this
> is possible [1], but AFAICS it does not work. I tried setting the value as
> empty and to something else than "up" (since that is really the only
> supported option [2][3]), which both had absolutely no effect.
>
> Thus force the host-side link of the container network down and avoid
> adding it to the designated bridge if the new option is set, effectively
> disconnecting the container network.
>
> The first patch is cleanup only and does not change anything regarding
> functionality.
>
> Testing
> -------
> Testing was done by starting an LXC container (w/ and w/o `link_down`
> set), checking if the interface has (or not) LOWERLAYERDOWN set inside
> the container (`ip address eth0`) and if packet transit works (or not)
> using a simple `ping`. Same thing after toggling the option on the
> interface. Further, the interface(s) should (or should not) be listed
> in `brctl show`. Same thing was done for hotplugged interfaces to a
> running container.
>
> Also tested with `ifreload -a` (thanks Wolfgang!) thrown in, which did
> nothing unexpected: If `link_down` was set, interfaces stayed in
> LOWERLAYERDOWN and unplugged from the bridge, and stayed UP and plugged
> into the bridge when `link_down` was unset.
>
> [0] https://bugzilla.proxmox.com/show_bug.cgi?id=3413
> [1] https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAO
> [2] https://github.com/lxc/lxc/blob/08f0e769/src/lxc/confile.c#L453-L467
> [3] https://github.com/lxc/lxc/blob/08f0e769/src/lxc/confile.c#L5933-L5952
>
> v1: https://lists.proxmox.com/pipermail/pve-devel/2023-February/055762.html
> v2: https://lists.proxmox.com/pipermail/pve-devel/2023-February/055795.html
> v3: https://lists.proxmox.com/pipermail/pve-devel/2023-February/055839.html
>
> pve-container:
>
> Christoph Heiss (2):
>   net: Pass network config directly to net_tap_plug()
>   net: Add `link_down` config to allow setting interfaces as disconnected
>
>  src/PVE/LXC.pm        | 37 +++++++++++++++++++++++--------------
>  src/PVE/LXC/Config.pm |  6 ++++++
>  src/lxcnetaddbr       |  9 +--------
>  3 files changed, 30 insertions(+), 22 deletions(-)
>
> pve-manager:
>
> Christoph Heiss (1):
>   lxc: Add `Disconnect` option for network interfaces
>
>  www/manager6/Parser.js      |  3 +++
>  www/manager6/lxc/Network.js | 13 +++++++++++++
>  2 files changed, 16 insertions(+)
>
> --
> 2.39.1
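
Added example, not part of the patch series or of either message above: one way to check from the host that the state the cover letter describes holds, i.e. the host-side link is down and is not a port of any bridge when `link_down` is set. It reads sysfs instead of `brctl show`; the `veth<vmid>i<n>` interface names, the `check_link` helper and the sample tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the patch series). Names such as check_link and the
# veth<vmid>i<n> interfaces are assumptions made for illustration.

# iface_admin_up DEV ROOT: succeeds if IFF_UP (bit 0x1) is set in sysfs "flags".
iface_admin_up() {
    flags=$(cat "$2/$1/flags" 2>/dev/null) || return 2
    [ $(( $flags & 0x1 )) -ne 0 ]
}

# iface_bridge DEV ROOT: print the bridge DEV is a port of, or nothing.
iface_bridge() {
    if [ -L "$2/$1/master" ]; then basename "$(readlink "$2/$1/master")"; fi
}

# check_link DEV LINK_DOWN [ROOT]: LINK_DOWN is the configured value (0 or 1).
# Prints a verdict and returns 0 only if the host-side state matches it.
check_link() {
    dev=$1 want=$2 root=${3:-/sys/class/net}
    [ -d "$root/$dev" ] || { echo "missing"; return 2; }
    br=$(iface_bridge "$dev" "$root")
    if iface_admin_up "$dev" "$root"; then up=1; else up=0; fi
    case "$want:$up:${br:+bridged}" in
        1:0:)        echo "disconnected"; return 0 ;;
        0:1:bridged) echo "connected:$br"; return 0 ;;
        1:*) echo "NOT isolated (up=$up bridge=${br:-none})"; return 1 ;;
        *)   echo "NOT connected (up=$up bridge=${br:-none})"; return 1 ;;
    esac
}

# Constructed sample tree mimicking /sys/class/net, so this runs offline.
make_sample() {
    t=$(mktemp -d)
    mkdir "$t/veth100i0" "$t/veth101i0" "$t/veth102i0"
    echo 0x1002 > "$t/veth100i0/flags"   # admin-down, no bridge
    echo 0x1003 > "$t/veth101i0/flags"   # up and plugged into vmbr0
    ln -s ../vmbr0 "$t/veth101i0/master"
    echo 0x1003 > "$t/veth102i0/flags"   # up but in no bridge
    echo "$t"
}

# On a host: pass the interface name and the configured link_down value.
if [ $# -ge 2 ]; then check_link "$@"; fi
```

A non-zero return for an interface configured with `link_down=1` means the container can still reach the bridge, which is the case worth alerting on after a reload such as `ifreload -a`.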